English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

More fakeAV for MAC. This time it’s massive

Vicente Diaz
Kaspersky Lab Expert
Posted May 12, 13:37  GMT
Tags: Apple MacOS, Rogue Security Solutions, Non-Windows Malware
0.7
 

When my colleague Fabio wrote about a Rogueware campaign targeting MAC users, I investigated a bit into the origin of these campaigns. It was interesting how different researchers were getting those samples through searching images on Google. However, different searches always arrive at the same result, leading to the question: How many search terms have been poisoned?

That was an interesting question. But the answer came reading another very interesting research from Unmask Parasites. I recommend you read the post, but in essence it explains how thousands of sites have been infected with a very effective schema that allows the criminals to poison image search results. Could it be that this schema was connected to the fakeAV for MAC?

I contacted the author of the post and he was very nice and helped me in conducting my own research (kudos for Unmask Parasites). Here are the results:

When connecting to an infected site, there is a redirection that is only effective when using a search engine such as Google as referrer in the parameters:

hxxp://kdsqXXXXe.ce.ms/in.cgi?2&seoref=www.google.com&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2FmatcXXXXnt.com.do%2F&default_keyword=default

After that you get malicious HTML with obfuscated Javascript code in it; in this case exploiting HPC URLHelp Center URL Validation Vulnerability (CVE-2010-1885). If the exploit is successful, you will be redirected to download a .jar file posing as a videogame:

kniXXXXng.info/games/mario.jar

Finally, the .jar file tries to download an .avi file from another server:

216.XXX.XXX.202/pub/new.avi

This file is detected as Trojan.Win32.Delf.arsr. However the interesting thing is what happens when you start the infection chain with a MAC user agent. In this case the schema is different: you get HTML with an obfuscated Javascript with the following result.

Bingo! Here we have our FakeAV campaign. The HTML poses as the result of an antivirus running on a Finder interface. Clicking “Remove All” will download a zip file with a random name from the same server. These files are variants of the fakeAV binaries that my colleague Fabio explained in his post.

In this case the infection is social engineering, as you need to click the button and install the downloaded file. However from previous experience we know how effective this method is. Be careful, this time the campaign is massive and the criminals could change the infection method to launch an exploit, as they are doing in Windows. Protect your MAC, the good times are gone!


1 comments

Dmitry Bestuzhev

2011 May 12, 17:18
0
 

Thanks and just the day before yesterday I saw the same campaign but now using a fake Avast AV domain - Avas5 something to be exact.

If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog