Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself, claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection, perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.


Regards,


Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

190 replies

May 29, 2011 10:32 PM in response to R C-R

I know everybody says that's what it is and I think I have read through most of the details, but none of them explained what I observed. For instance, during the hunt for MacGuard last week, I was given a Google URL, which would have been the SEO poison site, saw the image and within seconds found myself at one of the known download sites where the download began. Was that not a JavaScript redirect? I then hit the back button on my browser and was soon sent to a completely different IP where a second download commenced.

May 29, 2011 11:09 PM in response to MadMacs0

Makes sense. (Can't see method to config LS to detect redirects.) A contiguous port 80 wouldn't be detected by LS, (I think?) However, I thought the redirect downloaded a 'pointer' to get the .zip via manipulating the Browser? In this case, I believe, LS would ask permission.


It doesn't matter if it's an SEO, the link redirected to contains the payload??


Interesting read: http://www.reedcorner.net/news.php/?p=82

May 29, 2011 11:48 PM in response to R C-R

R C-R wrote:


What exactly do you mean by a Google URL? Did it begin with http://www.google.com/ or something else? If so, did you do anything at all after that page loaded? What image did you see?

Yes it did. I have it documented and was going to put it here, but turns out it's active at the present time, so I sent it to mailinator with Subject: MacGuard. I checked and it did not arrive, so I resent it to the alternate address and that hasn't arrived either. (There are two other messages waiting there, however.) If it doesn't I'll post a partial URL that I've verified won't work.


The image is a bare hard drive being erased with a pink and grey pencil eraser.

May 30, 2011 12:34 AM in response to MadMacs0

I used Firefox this time and NoScript stops the redirect. More about that later.


Here's a screenshot showing a partial URL and the source of the image:

The image site antiqueamulets.com (66.147.242.166) belongs to bluehost.com and has some interesting registration info here http://www.whois.net/whois/antiqueamulets.com


NoScript is blocking one or more scripts from this site. Google's script(s) have been allowed.


www.whitecanyon.com (198.171.144.170) belongs to whitec.securesites.net

Registrant:
WhiteCanyon Inc.
ATTN WHITECANYON.COM
care of Network Solutions
PO Box 459
Drums, PA. US

May 30, 2011 1:02 PM in response to MacJoseph

I received this tip a few moments ago from a ClamXav user in Maui who apparently stumbled across a MacGuard site while browsing the PJ Media site. A few minutes later the webmaster had posted this note speculating that the redirects were coming from an ad -- < Edited by Host >. In addition to passing on removal information he seems to have done some code sleuthing in the response to a comment at the bottom of the page.

May 30, 2011 4:24 AM in response to R C-R

A few weeks ago this Intego blog posting, How SEO Poisoning Works and Why You Should Care, referred readers to this highly technical analysis of how Google image search results were being exploited by malware:

Thousands of Hacked Sites Seriously Poison Google Image Search Results


Summary sentence:

The attack uses cloaking to feed keyword-rich pages with hot-linked images to search engine bots and return a malicious JavaScript that redirects to fake AV sites to visitors that come from search engines.


See the article for technical details.
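The following is an added example, not code from this thread, from Intego, or from the Unmask Parasites analysis. It shows how the cloaking described in the summary can be checked for: fetch one URL as a search-engine crawler, as a direct visitor, and as a visitor arriving from a Google results page, then compare whether each persona is sent somewhere else (302, JavaScript location assignment, or meta refresh). The fetcher is pluggable, so the block runs offline against a constructed stand-in for a hacked page; a urllib-based fetcher is included for live use. All hostnames, user-agent strings, referrer URLs and page bodies below are constructed.

```python
# Added example: referrer/user-agent cloaking detector.
# Not code from the thread or from any product it names. Hostnames,
# persona strings and page bodies are constructed for the demo.
import re
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Fetcher = Callable[[str, Dict[str, str]], Response]

# Three visitor personas. A cloaked page feeds keyword content to the crawler,
# a redirect to humans arriving from a search results page, and usually the
# real site to everyone else, so the site owner never notices.
PERSONAS: Dict[str, Dict[str, str]] = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "direct": {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533 Safari/533"},
    "from_search": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533 Safari/533",
        "Referer": "http://www.google.com/imgres?q=hard+drive+eraser",   # constructed
    },
}

# Client-side redirects: JavaScript location assignment and meta refresh.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)", re.I)
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=['\"]?refresh['\"]?[^>]*url=([^'\">\s]+)", re.I)


def redirect_target(resp: Response) -> Optional[str]:
    """Where this response sends the visitor next, or None if it stays put."""
    status, headers, body = resp
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered:
        return lowered["location"]                   # server-side redirect
    m = JS_REDIRECT.search(body) or META_REFRESH.search(body)
    return m.group(1) if m else None                 # client-side redirect


def detect_cloaking(url: str, fetch: Fetcher) -> Tuple[bool, Dict[str, Optional[str]]]:
    """Fetch `url` once per persona. Verdict: cloaked when the crawler sees no
    redirect but a search-referred visitor does. The per-persona targets are
    returned too, so the analyst sees which host serves the payload."""
    targets = {name: redirect_target(fetch(url, dict(hdrs)))
               for name, hdrs in PERSONAS.items()}
    cloaked = targets["crawler"] is None and targets["from_search"] is not None
    return cloaked, targets


def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Live fetcher (not exercised offline). Redirects are NOT followed, so a
    302 to the payload host is reported rather than chased into a download."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                              # makes urllib raise HTTPError on 3xx

    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def simulated_poisoned_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a hacked page of the kind the article describes."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "Googlebot" in ua:                            # keyword page for the crawler
        return 200, {}, ("<html><body><h1>hard drive eraser</h1>"
                         "<img src='http://images.example.invalid/eraser.jpg'></body></html>")
    if re.search(r"https?://(?:www\.)?(?:google|bing|yahoo)\.", ref):   # search visitor
        return 200, {}, ("<html><script>window.location="
                         "'http://fakeav.example.invalid/scan/';</script></html>")
    return 200, {}, "<html><body>Antique amulets for sale</body></html>"   # real site


def simulated_clean_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed benign page: identical for every visitor."""
    return 200, {}, "<html><body>Antique amulets for sale</body></html>"


if __name__ == "__main__":
    print(detect_cloaking("http://hacked.example.invalid/page.html", simulated_poisoned_site))
    print(detect_cloaking("http://clean.example.invalid/", simulated_clean_site))
```

When pointed at a live URL with `urllib_fetch`, run it from an isolated host: the from_search persona is exactly the visitor the page wants to redirect, and the reported target is the host to block or report, not one to open in a browser.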

May 30, 2011 5:34 AM in response to MadMacs0

As I'm sure you know normally you arrive at pages like this from a Google image search; after clicking on an image in the search results page the image loads in the foreground & the page it comes from loads in the background.


I'm not sure if this is technically a redirect or what, but just like with other 'poisoned' Google searches, the user has to click on one of the results of a search to go to the malicious page. Several articles about SEO poisoning say Google image searches are a favorite target, since it is easier to get a high ranking in them than in other searches.

May 30, 2011 6:06 AM in response to MadMacs0

It is a pity that the PJ Media "sticky" is saying that unchecking the 'open safe' option in Safari will "prevent the malicious page from actually installing anything on your machine," instead of making it clear that it will be downloaded even without that option on, & that a user still has to install it.


WARNING: I tried reloading the PJ Media URL posted here several times & it did eventually result in the MacDefender page loading & the anti-malware.zip package being downloaded. Sophos immediately identified it as 'OSX/FakeAVZp-C' & quarantined it. According to my browser history the URL for the page is in the oddsiti.com domain.


EDIT: The whois info for oddsiti.com is in part:

netname: DIGITALONE-NET
descr: DigitalOne AG Colocation and Dedicated Servers
remarks: --------------------------------------------------
remarks: Please, send abuse reports to abuse@digitalone.com
remarks: --------------------------------------------------
country: US
admin-c: DA440-RIPE
tech-c: DA440-RIPE
status: ASSIGNED PA
mnt-by: MNT-TRI
source: RIPE # Filtered

role: DigitalOne AG
address: 12100 Sunrise Valley Drive
address: Reston, VA 20191, United States
abuse-mailbox: abuse@digitalone.com
admin-c: SO1294-RIPE
tech-c: SO1294-RIPE
nic-hdl: DA440-RIPE
mnt-by: MNT-TRI
source: RIPE # Filtered

% Information related to xxx.xxx.xxx.xxx (removed by R C-R)

route: xxx.xxx.xxx.xxx (removed by R C-R)
descr: True Records Inc.
remarks: ------------------------------------------------------
remarks: Routing, peering and security: noc@truerec.com
remarks: Spam reports and abuse: abuse@truerec.com
remarks: ------------------------------------------------------
origin: AS47328
mnt-by: MNT-MBNET
source: RIPE # Filtered

May 30, 2011 12:43 PM in response to R C-R

R C-R wrote:


WARNING: I tried reloading the PJ Media URL posted here several times & it did eventually result in the MacDefender page loading & the anti-malware.zip package being downloaded.

My apologies to anybody who was surprised by accessing this link. I was under the impression that the webmaster had disabled the problem or that the malware site had gone cold, because I wasn't seeing it. I now realize that it was because I was using Safari with Safari Adblock installed, so I wasn't seeing any of the ads.
