MAC Defender Fake Antivirus Program
INTEGO SECURITY MEMO – May 2, 2011 MAC Defender Fake Antivirus Program Targets Mac Users
Quote from Intego: Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).
When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches, presenting the user with the following screen:
General File Information
Added Mac Protector - May 11, thanks to an anonymous donation
Malware: OSX/MacDefender.A and Mac Protector.A
Distribution: web browsing. Low; in the wild, but not very widespread for now
Download
Download MacDefender.mpkg as a password-protected archive (contact me if you need the password) - thanks to anonymous for the donation.
Download MacProtector.mpkg as a password-protected archive (contact me if you need the password) - thanks to anonymous for the donation.
Automated Scans
MAC PROTECTOR
File name: MacProtector
Submission date: 2011-05-09 19:49:55 (UTC)
Result: 14/43 (32.6%)
http://www.virustotal.com/file-scan/report.html?id=2e9a751efb38ff8e971a9dd4c629bd5066c9fb802a0d821ef5c250e0b1c43382-1304970595
ClamAV 0.97.0.0 2011.05.09 Trojan.OSX.MacDefender.C
Emsisoft 5.1.0.5 2011.05.09 Hoax.Mac.MacProtector!IK
F-Secure 9.0.16440.0 2011.05.09 Rogue:OSX/FakeMacDef.F
Fortinet 4.2.257.0 2011.05.09 OSX/MacProtector.A
Ikarus T3.1.1.103.0 2011.05.09 Hoax.Mac.MacProtector
Kaspersky 9.0.0.837 2011.05.09 Hoax.Mac.MacProtector.a
Microsoft 1.6802 2011.05.09 Rogue:MacOS_X/FakeMacdef
NOD32 6107 2011.05.09 OSX/AdWare.MacDefender.E
PCTools 7.0.3.5 2011.05.09 RogueAntiSpyware.MacProtector
Sophos 4.65.0 2011.05.09 OSX/FakeAV-A
Symantec 20101.3.2.89 2011.05.09 MacProtector
TrendMicro 9.200.0.1012 2011.05.09 OSX_FAKEAV.A
TrendMicro-HouseCall 9.200.0.1012 2011.05.09 OSX_FAKEAV.A
VirusBuster 13.6.345.0 2011.05.09 FraudTool.OSX.Defma.G
MD5 : 1f8e9cd3f0717a85b96f350e4f4a539a
MAC DEFENDER
File name: Archive.pax
Current status: 9/41 (22.0%)
AntiVir 7.11.7.150 2011.05.04 MACOS/FakeAV.A
BitDefender 7.2 2011.05.04 MAC.OSX.Trojan.FakeAlert.A
ClamAV 0.97.0.0 2011.05.04 Trojan.OSX.MacDefender
DrWeb 5.0.2.03300 2011.05.05 Trojan.Fakealert.20856
F-Secure 9.0.16440.0 2011.05.04 Rogue:OSX/FakeMacDef.A
GData 22 2011.05.05 MAC.OSX.Trojan.FakeAlert.A
Kaspersky 9.0.0.837 2011.05.05 not-a-virus:FraudTool.OSX.Defma.a
Microsoft 1.6802 2011.05.04 Rogue:MacOS_X/FakeMacdef
Sophos 4.64.0 2011.05.05 OSX/FakeAV-DMP
MD5 : c0c866fde6336764da0def483f635dc9
SHA1 : a61f2cb78bbb0472d95d2b967e3eda5f786e07ac
http://www.virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304457284
File name: MacDefender
Submission date: 2011-05-03 21:14:44 (UTC)
Result: 6/41 (14.6%)
DrWeb 5.0.2.03300 2011.05.03 Trojan.Fakealert.20856
Kaspersky 9.0.0.837 2011.05.03 not-a-virus:FraudTool.OSX.Defma.a
Microsoft 1.6802 2011.05.03 Rogue:MacOS_X/FakeMacdef
PCTools 7.0.3.5 2011.05.03 MACDefender
Sophos 4.64.0 2011.05.03 OSX/FakeAV-DMP
Symantec 20101.3.2.89 2011.05.03 MACDefender
MD5 : 2f357b6037a957be9fbd35a49fb3ab72
SHA1 : fb6f092624d48fe9a496c50f615b424b27cf3515
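The Intego memo above describes the delivery chain (JavaScript auto-download of a ZIP that Safari opens when "Open 'safe' files after downloading" is ticked), and the scan results list the MD5s of the dropped files. The script below is an added defender-side triage example, not code from Intego or this blog: it checks whether that Safari option is still on and sweeps a download folder for the three hashes published here. It assumes Safari stores the option under the key AutoOpenSafeDownloads in com.apple.Safari.plist, that the option was on by default in 2011, and the plist path shown.

```python
import hashlib
import os
import plistlib

# MD5s published on this page (MacProtector, Archive.pax, MacDefender).
KNOWN_MD5 = {
    "1f8e9cd3f0717a85b96f350e4f4a539a",
    "c0c866fde6336764da0def483f635dc9",
    "2f357b6037a957be9fbd35a49fb3ab72",
}
# Assumed: Safari keeps "Open 'safe' files after downloading" under this key
# in com.apple.Safari, and the box was ticked by default in 2011.
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
SAFARI_PLIST = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")

def safari_auto_open_enabled(prefs):
    """True if auto-open is on; a missing key means Safari's default (on)."""
    return bool(prefs.get(AUTO_OPEN_KEY, True))

def load_safari_prefs(path=SAFARI_PLIST):
    """Parse Safari's preference plist; a missing file means defaults apply."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except FileNotFoundError:
        return {}

def md5_of_file(path, chunk=1 << 16):
    """Stream a file through MD5 so large archives need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep_downloads(directory, known=KNOWN_MD5):
    """Walk a folder (including .mpkg bundle contents) and return
    (path, md5) pairs for files whose hash is on the known list."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digest = md5_of_file(path)
            if digest in known:
                hits.append((path, digest))
    return hits

if __name__ == "__main__":
    if safari_auto_open_enabled(load_safari_prefs()):
        print("Safari auto-opens 'safe' downloads: untick it in Preferences > General")
    for path, digest in sweep_downloads(os.path.expanduser("~/Downloads")):
        print("known MacDefender/MacProtector hash", digest, "at", path)
```

The hash sweep only catches the exact files listed here; the preference check addresses the step the memo says the installer relies on.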
Good post. My friends referred me your blog. Looks like everyone knows about it, just not me, until now. Going to read your other posts. Thank you for sharing with us. Take care.
How do you get rid of it?? Is it a virus then??
http://mashable.com/2011/05/25/mac-defender-malware-fix/
“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple stated on its support page. “The update will also help protect users by providing an explicit warning if they download this malware.”
Apple also posted instructions on how to avoid installing the Mac Defender malware as well as how to remove it from an affected computer. http://support.apple.com/kb/HT4650
Hello, thanks for posting this information. I was trying to find information on this topic; this was very helpful.