Rogue AV targeting Mac users – MACDefender (May 4, 2011)

SonicWALL UTM found reports of a new Rogue AV application called MACDefender targeting Apple’s Mac OS X users.

As seen in the past, Rogue AV cyber-criminals are known to take advantage of the latest news stories that interest a large user base by poisoning Google search results. When an unsuspecting user clicks on one of these search results, they are led to a download of Fake AV malware, as seen previously with Valentine's Day, Wikileaks and Holiday Shopping Deals.

This is the first instance where we saw SEO poisoning techniques being used to target both Windows and Mac OS X users alike. Search terms like “Osama bin laden”, or even simple terms like “piranhas”, on Google web or image search were returning poisoned results; clicking on one executed a malicious JavaScript leading to the download of Fake AV malware. For Mac OS X Safari users, the malicious payload that gets downloaded is called BestMacAntivirus2011.mpkg.zip, as opposed to BestAntivirus2011.zip for Windows users.
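The infection chain above (search result → malicious page → OS-specific payload download) leaves a recognisable trail in web-proxy logs. The following is an added example, not code from the SonicWALL post: it correlates, per client, a recent Google web/image search referral with a subsequent download of one of the two payload filenames named above, and also records whether the browser platform matches the payload the page served. The log line format, the `.test` hostnames, the `scan.php` landing page and the sample entries are all constructed for this example.

```python
"""
Added example: detect the SEO-poisoning Fake AV download chain in proxy logs.
Constructed log format (assumption): <epoch> <client> <url> "<referer>" "<user-agent>"
"""
import re
from urllib.parse import urlparse, parse_qs

# Payload filenames from the post, keyed to the platform they were served to.
PAYLOAD_PLATFORM = {
    "bestmacantivirus2011.mpkg.zip": "mac",   # served to Mac OS X / Safari
    "bestantivirus2011.zip": "windows",       # served to Windows browsers
}

LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) (?P<url>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic). Hostnames use the reserved .test TLD.
SAMPLE_LOG = [
    '1304506800 10.0.0.5 http://example-landing.test/scan.php "http://www.google.com/search?q=piranhas" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) Safari/533.20"',
    '1304506802 10.0.0.5 http://example-landing.test/BestMacAntivirus2011.mpkg.zip "http://example-landing.test/scan.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) Safari/533.20"',
    '1304506900 10.0.0.7 http://example-landing.test/scan.php "http://images.google.com/images?q=osama+bin+laden" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
    '1304506903 10.0.0.7 http://example-landing.test/BestAntivirus2011.zip "http://example-landing.test/scan.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
    '1304507000 10.0.0.9 http://files.test/report.zip "http://intranet.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
    '1304507100 10.0.0.11 http://mirror.test/BestAntivirus2011.zip "" "curl/7.21"',
]


def search_query(referer):
    """Return the Google web/image search query a referer came from, else None."""
    if not referer:
        return None
    parsed = urlparse(referer)
    host = parsed.netloc.lower()
    if not re.fullmatch(r"(www\.|images\.)?google\.[a-z.]+", host):
        return None
    if not (parsed.path.startswith("/search") or parsed.path.startswith("/images")):
        return None
    q = parse_qs(parsed.query).get("q")
    return q[0] if q else None


def ua_platform(ua):
    """Coarse platform guess from the User-Agent string."""
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "mac"
    if "Windows" in ua:
        return "windows"
    return "other"


def basename(url):
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def detect_fake_av_chain(lines, window=300):
    """
    Walk log lines in time order. Remember each client's most recent Google
    search referral; when the client later fetches a known payload filename
    within `window` seconds, report it as search-poisoning driven. Payload
    downloads with no recent search referral are still reported (via_search=False)
    so a direct fetch of the payload is not missed.
    """
    last_search = {}  # client -> (timestamp, query)
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client = int(m["ts"]), m["client"]
        q = search_query(m["referer"])
        if q is not None:
            last_search[client] = (ts, q)
        name = basename(m["url"])
        if name not in PAYLOAD_PLATFORM:
            continue
        recent = last_search.get(client)
        via_search = recent is not None and ts - recent[0] <= window
        findings.append({
            "client": client,
            "payload": name,
            "payload_platform": PAYLOAD_PLATFORM[name],
            "ua_platform": ua_platform(m["ua"]),
            "via_search": via_search,
            "query": recent[1] if via_search else None,
            "url": m["url"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_fake_av_chain(SAMPLE_LOG):
        print(f)
```

Tuning note: the 300-second window is an assumption; the poisoned page triggers the download almost immediately, so a short window keeps unrelated later downloads from being tied to an old search. A mismatch between `payload_platform` and `ua_platform` is worth a second look, since the post describes the page serving a payload chosen for the visitor's OS.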

Following are the screenshots showing the MACDefender infection if the user runs the file:

[four screenshots]

If the user attempts to clean the infections, it prompts the user to buy the software and enter a serial number; the serial numbers were easy to find inside the payload itself, as seen below:

[two screenshots]

Besides displaying fake infection alerts, it also randomly opens pornographic websites in the browser from a predetermined list.

[screenshot]

SonicWALL Gateway AntiVirus provides protection against this Rogue AV malware via the following signatures:

  • GAV: MacDefender.A (Trojan)