The Mac Security Blog

Intego Memorial Day Special Offer: Save 20% on VirusBarrier X6, the Best Mac Antivirus

With the many recent fake antiviruses targeting Mac users, Intego has decided to offer a special discount on VirusBarrier X6, the company’s anti-malware and network protection program, so you can boost your Mac’s protection on this Memorial Day weekend.

Only VirusBarrier X6 provides comprehensive protection from malware and network threats. VirusBarrier X6 is the only antivirus program for Mac that includes full anti-malware protection together with firewall, network protection, anti-phishing, anti-spyware features and more.

Just go to Intego’s Buy now page, choose a copy of VirusBarrier X6 or VirusBarrier X6 Dual Protection, and click on Continue Order. On the next page, enter the following coupon code: FAKEAV-20. This offer is valid through Tuesday, May 31, 2011.

Protect yourself and your Mac from fake antiviruses, and the many other dangers of the Internet, with VirusBarrier X6.

You can get an overview of VirusBarrier X6 in this video:

Comment Moderator for Popular Blog Shilling for Malware Creators?

We keep a close watch on articles that discuss Mac security issues, malware, and related subjects. In most cases, when it’s the Mac press or the general tech press that discusses these questions, articles are balanced, informed and correct. However, comments to articles on websites and blogs range from lucid and cogent to weird and ill-informed.

So, when we spotted an article today on the Huffington Post, discussing the latest variant of the MacDefender malware, we glanced quickly at the comments, expecting to see the usual range of opinions. We were very surprised when we noticed that a user who is listed as “HUFFPOST COMMUNITY MODERATOR” posted the following:

Now, there are two possibilities here. The first is that the user is shilling for the creators of this malware. As we have pointed out – and as other security companies and media have shown, and as Apple has even said – these fake antiviruses are indeed a real threat. They don’t do anything but take your credit card numbers. The comment posted by this person is not only wrong, but highly dangerous, given their credibility as a moderator on the Huffington Post web site.

The second possibility – one that we cannot exclude – is that his account was hacked, and the comment was, indeed, posted by the creators of the fake antiviruses.

In either case, users should be very careful about taking seriously comments they read on websites, blogs and forums. While some users posting in such venues may know something about computer security, most don’t. (There are certainly a number of very good comments in the thread we link to; but there are also many that are useless.)

Trust us, this is no conspiracy. If all the major computer security companies are warning against this, and if Apple has even published a tech note about it, it is clearly a serious threat. The comment we illustrate above is exactly what the makers of these fake antiviruses want you to believe. We sincerely hope that the moderator’s account was hacked, because someone with what seems to be credibility on a website posting such information is very, very dangerous. These fake comments about the fake antiviruses may appear on other websites, so ignore them if you see them.

Who’s Behind the Fake Antiviruses Targeting Mac Users?

With yet another version of the Mac Defender fake antivirus discovered, one may wonder who is behind this rash of attacks targeting Mac users.

Microsoft published an analysis of the malware and the URLs it uses and suggests it is created by the “Winwebsec” gang. They noted the similarity between the web pages used to collect credit card numbers. And, they also said,

In addition to using similar UIs, we noticed that they even share the same payment gateway (this is the site where users are duped into giving the criminals their credit card information). Simply changing the file name from “buy.php” to “mac.php” causes the ‘branding’ to change from the Windows version to the Mac version…

Journalist Brian Krebs, in an article on his Krebs on Security blog, claims that ChronoPay, “Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business,” is involved in this scamware. He examined domain name registrations, and traced them back to ChronoPay, noting that this company was the “core processor for trafficconverter.biz, the rogue anti-virus affiliate program that was designed to be the beneficiary of the first strain of the Conficker worm, a menacing contagion that still infects millions of PCs worldwide.” In addition, this company seems to be behind “a scam site that targeted filesharing users and stole victims’ money by bullying them into paying a ‘pre-trial settlement’ to cover a ‘Copyright holder fine.’”

As we have often pointed out, malware is not written by script kiddies looking to see how many computers they can infect just for fun, but by efficient criminal organizations creating malware with the express goal of scamming people. While more information may be found linking specific companies to such malware, they remain hard to prosecute.

INTEGO SECURITY MEMO – New Mac Defender Variant, MacGuard, Doesn’t Require Password for Installation

Malware: OSX/MacDefender.F and OSX/MacDefender.G

Risk: Medium; effective SEO poisoning has led many Mac users to this type of malware, and no administrator password is required to install this new variant.

Description: On May 2, 2011, Intego discovered the MAC Defender fake antivirus, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). Since then, several variants have appeared: MacDefender, MacProtector and MacSecurity, all of which are the same application using different names. The goal of this fake antivirus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs.

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.

If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder. (The IP address is hidden using a simple form of steganography.) Intego VirusBarrier X6’s Anti-Spyware feature detects this operation:

Intego considers the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant.

For further information about this fake antivirus and how it functions, see Intego’s Security Memo of May 2, 2011 describing the initial variant, Mac Defender.

Means of protection: the first thing to do is make sure that when seeing a web page that looks like a Finder window, and purports to be scanning your Mac, you know that this is bogus. Leave the page, and quit your web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it. Next, users should uncheck the “Open ‘safe’ files after downloading” option in Safari’s General preferences.

Intego VirusBarrier X6 protects users from this malware with malware definitions dated May 25, 2011 or later. VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Web Threats protection blocks web pages containing this malicious code. VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated May 25, 2011 or later, but these programs do not have a real-time scanner, due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions.
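As an added illustration of the “Means of protection” steps above (this is example code, not Intego’s or Apple’s), the following script checks a Mac for the indicators named in this memo and for Safari’s “Open ‘safe’ files after downloading” setting. The file names avSetup.pkg, avRunner and MacGuard come from the memo; the .app extension, the Downloads/Applications locations and the use of the com.apple.Safari AutoOpenSafeDownloads preference key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Intego's code: host check for the MacGuard indicators
# named in the memo (avSetup.pkg in Downloads, avRunner in Applications, the
# MacGuard app) plus Safari's "Open 'safe' files after downloading" setting.
# Assumptions: the .app extension on avRunner/MacGuard and the install paths.

SUSPECT_NAMES="avSetup.pkg avRunner.app MacGuard.app"

# has_suspects DIR: print every suspect name present directly in DIR;
# exit status 0 if at least one was found, 1 otherwise.
has_suspects() {
    dir="$1"; hit=1
    for name in $SUSPECT_NAMES; do
        if [ -e "$dir/$name" ]; then
            printf 'suspect: %s\n' "$dir/$name"
            hit=0
        fi
    done
    return $hit
}

# autoopen_is_risky VALUE: VALUE is what `defaults read com.apple.Safari
# AutoOpenSafeDownloads` prints. Safari treats a missing key as enabled,
# so only an explicit 0/false/NO counts as safe.
autoopen_is_risky() {
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the real Safari preference (empty when the key is unset or when
# run on a non-Mac host, where `defaults` does not exist).
safari_autoopen_value() {
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
}

main() {
    rc=0
    if autoopen_is_risky "$(safari_autoopen_value)"; then
        echo 'Safari "Open safe files after downloading" is ON: uncheck it in Safari > Preferences > General'
        rc=1
    fi
    for d in "$HOME/Downloads" /Applications; do
        has_suspects "$d" && rc=1
    done
    return $rc
}
# Run the check only when invoked as: sh macguard_check.sh --run
if [ "${1:-}" = "--run" ]; then main; exit $?; fi
```

A non-zero exit status means either the Safari option is on or one of the named files was found; the script only reports and does not delete anything.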

Apple Offers Instructions for Removal for Mac Defender Fake Antivirus

Apple has published a technical note regarding the MacDefender (and MacProtector and MacSecurity) fake antivirus, called How to avoid or remove Mac Defender malware. This document explains how to find and remove the fake antivirus, and Apple states that “In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.”

Apple is to be commended for publishing this document, but we have two comments to make. First, this document only discusses how to remove current variants of the malware; future variants may install items in different locations, and under different names, so it will need to be updated. Second, Apple’s malware check feature is only available in Mac OS X 10.6 Snow Leopard, so users of Mac OS X 10.4 and 10.5 won’t have the protection they need.

Intego first discovered the Mac Defender fake antivirus on May 2, 2011. The company has since discovered other variants, and published a video of an early variant. Intego is monitoring the situation closely in case other variants are discovered.

Google Updates Chrome Browser for Critical Flaws

Google has released an update to its Chrome browser, patching four vulnerabilities, two of which are rated critical. The new version, 11.0.696.71, is available via the web browser’s internal update mechanism, and is updated automatically when you launch the program.