Rogue AV targeting Mac users - MACDefender

SonicWALL UTM found reports of a new Rogue AV application called MACDefender targeting Apple's Mac OS X users.

As seen in the past, Rogue AV cyber-criminals are known to take advantage of latest news stories that interests large user base by poisoning Google search results. When an unsuspecting user clicks on these search results it leads them to download of Fake AV malware as seen in the past: Valentines Day, Wikileaks and Holiday Shopping Deals.

This is the first instance where we saw SEO poisoning techniques being used to target both Windows and Mac OS X users alike. Search terms like "Osama bin laden" or even simple terms like "piranhas" on Google web or image search were returning poisoned results clicking on which would execute a malicious JavaScript leading to the download of Fake AV malware. For Mac OS X Safari users, the malicious payload that gets downloaded is called BestMacAntivirus2011.mpkg.zip as oppose to BestAntivirus2011.zip for windows users.

Following are the screenshots showing MACDefender infection if the user runs the file:

If the user attempts to clean the infections it will prompt the user to buy the software and enter a Serial Number which were easy to find inside the payload itself as seen below:

Besides displaying Fake infection alerts, it also opens pornographic websites in the browser randomly from a predetermined list.

SonicWALL Gateway AntiVirus provides protection against this Rogue AV malware via the following signatures:

• GAV: MacDefender.A (Trojan)