
Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself, claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection, perhaps installing ClamXav would be an option. Be careful where you're surfing on the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.


Regards,


Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

Question marked as Top-ranking reply

Posted on Apr 30, 2011 11:37 AM

This just happened to us too. What is ClamXav?

190 replies

May 23, 2011 4:39 AM in response to Joun

Great job, we think you should change your password out of caution. You did not install it, so there is little risk, but since you are doing tasks as the administrator, you have greater risk of compromise in general. So, I would think today is a good day to change it.


I am doing research and have versions OSX/MacDefender.A, OSX/MacDefender.D and OSX/MacDefender.F. http://goo.gl/Y1Opn


You can visit my site and contact me, I would like to get a copy of what you got and collect forensic data.


Thanks

May 23, 2011 5:06 AM in response to drStrangeP0rk

drStrangeP0rk wrote:

... we think you should change your password out of caution. You did not install it, so there is little risk, but since you are doing tasks as the administrator, you have greater risk of compromise in general.

It never hurts to change your account password from time to time on general principles. But regarding this trojan, note that it does not have access to it. The malware is installed using Apple's Installer.app. It is that app that asks for an admin name & password to authenticate the install, even if you are logged into an admin account.


If you don't authenticate, Installer.app won't install anything.

May 23, 2011 6:31 AM in response to R C-R

No. I do not use OSX with administration privileges. I changed my login passwords and I will keep an eye on my debit cards.


Also, ClamXav shows that I have a bunch of Windows viruses (worms and trojans) in the virus vault. But the virus vault looks empty in Finder, so I cannot delete them. I remember that I had a problem with them, but I do not know how I ended up like this.


@drStrangeP0rk I have sent you a message in your site with the location where I got the virus (if it is still there)

May 23, 2011 6:31 AM in response to R C-R

You are correct, it will not install anything, but the criminals who created this are changing it and trying any way to get it onto people's computers. I think that the Blackhole RAT is the next one down the pipe, so this can be a teaching moment. Keep in mind, it is very easy to create a fake auth window.


These class diagrams show some of the changes.


OSX/MacDefender.A - IP and SN in plain text, did not have webkit and directed the user to a site to steal the card. Used MPKG so that Apple cannot update the XProtect plist. http://goo.gl/hKO7r


OSX/MacDefender.D - IP is encoded, SN still in plain text, webkit included and the purchase was handled within the app to seem. Still used MPKG (omitted details for security). D and A opened if you deselect "Open Safe..." in Safari. IFPkgFlagRelocatable set to YES. http://goo.gl/k2los


OSX/MacDefender.F - IP and SN are encoded, webkit included and the purchase was handled within the app to seem. Still used MPKG (omitted details for security). Delivered as zip, hoping for user interaction. If you check out the NSObject URL master you will see that it has a backup IP, either in case the first is taken down or to do a double steal. (Other interesting stuff omitted, details for security.) http://goo.gl/TSBaD


We need to get our fellow Mac users using all the GREAT SECURITY BUILT INTO MAC OSX along with common sense. Which this user did perfectly.

May 23, 2011 6:47 AM in response to jsd2

jsd2 wrote:


Safari proceeded to download the malware Zip file automatically, with no further input from me. Firefox did not download anything and instead asked me if I wanted to save the zip file.


Most Firefox users who came across this malware trying to download likely just canceled the download and went right on surfing.


Windows users get driveby downloads all the time, Mac users have been immune because the bad guys haven't been targeting the platform until now.


Safari is going to need a downloads warning just like Firefox, should have had it many years ago.

May 23, 2011 7:50 AM in response to drStrangeP0rk

The Blackhole remote administration tool still relies on a social engineering exploit (or direct access to the Mac) to install the client side app. Also, unless steps are taken to install a startup or login item it loses control on a restart, & even with those steps in place, it would not run on a safe boot. While it can spoof a legitimate authentication window, it can't fool a careful user that clicks on the "Details" arrow (which currently doesn't work).


Snow Leopard's "XProtect" trojan alert is very limited in what it can detect, but it is basically a second alert layer piggybacked on the quarantine feature. The quarantine attribute is passed on to executable files extracted from .pkg files (& from ".mpkg" metapackages as the packages are unpacked), so users still get the 'downloaded from the Internet' warning unless they have authenticated at installation time. However, these features only work on apps that support it (like Safari, Mail, & iChat), so if a user is foolish enough to use say a bit torrent client for downloads, they are on their own.


I'm not sure what you wrote about the MacDefender variants has to do with compromising user passwords. Could you explain a bit more about that?


Anyway, as you say, users that are careful & apply common sense should be OK.
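The post above turns on whether a downloaded file carries the quarantine attribute, since that is what drives both the 'downloaded from the Internet' dialog and the XProtect check. The following is an added example, not code from this thread, from Apple or from any AV vendor: it decodes the string that `xattr -p com.apple.quarantine <file>` prints on a Mac (semicolon-separated hex flags, hex UNIX timestamp, the agent application that set it, and on newer systems a UUID) and reports whether a file would get a warning at all. The two sample attribute sets are constructed; the flag bits are left uninterpreted because their meaning is not documented.

```python
"""Decode a com.apple.quarantine extended-attribute value.

Added example (not from the thread or from Apple). The field layout
assumed here is flags;timestamp;agent[;uuid], with flags and timestamp
in hex, as printed by `xattr -p com.apple.quarantine <file>`.
The sample attribute dictionaries at the bottom are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Quarantine:
    flags: int        # raw LaunchServices flags; bit meanings are not documented
    timestamp: int    # UNIX time at which the download was recorded
    agent: str        # app that wrote the attribute, e.g. Safari, Mail, iChat
    uuid: str         # empty on older systems that only wrote three fields

    @property
    def downloaded_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_quarantine(value: str) -> Quarantine:
    """Parse the attribute string; raise ValueError on malformed input."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"expected at least 3 ';'-separated fields, got {len(parts)}")
    flags = int(parts[0], 16)
    timestamp = int(parts[1], 16)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, timestamp, agent, uuid)


def is_quarantined(xattrs: dict) -> bool:
    """True if the file's xattrs carry the marker that triggers the
    'downloaded from the Internet' dialog and the XProtect check.
    A file fetched by a quarantine-unaware client simply has no such key."""
    return "com.apple.quarantine" in xattrs


def describe(xattrs: dict) -> str:
    """One-line verdict for a file's attribute dictionary."""
    if not is_quarantined(xattrs):
        return "NOT quarantined: no download warning or XProtect check will fire"
    q = parse_quarantine(xattrs["com.apple.quarantine"])
    return (f"quarantined by {q.agent} at {q.downloaded_at:%Y-%m-%d %H:%M:%S} UTC "
            f"(flags 0x{q.flags:04x})")


# Constructed samples: what `xattr -l` might report for a Safari download
# versus a file saved by a torrent client that never sets the attribute.
# 0x4dd9c2ec is 2011-05-23 02:14:04 UTC, in keeping with the thread's dates.
SAFARI_DOWNLOAD = {
    "com.apple.quarantine": "0081;4dd9c2ec;Safari;5E8F9A3C-1B2D-4C5E-8F9A-0B1C2D3E4F50",
}
TORRENT_DOWNLOAD = {}

if __name__ == "__main__":
    for name, attrs in (("MacDefender.zip (Safari)", SAFARI_DOWNLOAD),
                        ("MacDefender.zip (torrent)", TORRENT_DOWNLOAD)):
        print(f"{name}: {describe(attrs)}")
```

The practical check is the absence case: a file with no `com.apple.quarantine` key was not written by a quarantine-aware application, so neither the warning dialog nor the XProtect signature match will ever run for it, which is the point the post makes about torrent clients.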

May 23, 2011 11:13 AM in response to R C-R

I think we are in the same place. I think this can be a great teaching moment; currently all that OSX/MacDefender does is steal your credit card. Think about all the flags, and still users tend to hit OK without even reading them. So yes, they are on their own, but think of all the cues users did not see: the italic font used in MacDefender, the color scheme, the application packaging, the Windows-centric icons, the about window has a PC as the background, etc., and still users gladly gave up their credit card.


When it comes to auth, I really do not want to talk openly; you understand social engineering, so again your imagination may run wild with all the bad things criminals can do. It is not a far step for a criminal to get a user's password. I have not seen this yet. The fact that people gladly give up a CC is one thing, but I am trying to reinforce the idea that your admin password is very important.


OSX/MacDefender.F shows some use of CopyPasteSupportTextField (most likely to stop users from pasting the SN in) and URLMaster:NSObject, which contains a backup IP (versions A and D did not, so the criminals are changing their product as users change their behavior). How hard is it for a Mac app to get what is on the user's clipboard? What are the chances it will contain confidential information?


It is just hard for advanced users to understand how a user can fall prey to these kinds of attacks. So, really good social engineering, a pinch of marketing drum beat to reinforce a way of thinking, and you get users falling prey to something whose real threat is at best LOW.


One note: you can check your Chrome setting here ---> select "Clear Auto-Opening" settings in chrome://settings/advanced. It would not prevent direct SEO attack links to downloads, but will help with users who are big clickers.



Since with most of these kinds of attacks the user must interact, it should just be a teaching moment. In terms of BlackHole RAT, you again are correct; we have been telling clients to just disable Java if they do not use it, or review and restrict Java in Java Preferences.app. Again, just for a teaching moment.


Know this: if criminals make money off this kind of attack, then it will grow. We are trying to nip it, get in front and be proactive instead of reactive. So, it seems like we are in the same place.


😎

May 23, 2011 1:23 PM in response to MadMacs0

VirusTotal has all that I have, done as soon as I got it, but I will also add ClamAV for the future. The version: OSX/MacDefender.F.


I have three. I think we need to get a better system for variants for the Mac, since an app has tons of contents and the changes can be within the resources. So the executable may indicate one variant, but if the resource is scanned first, AV will report another. I saw an agreed-upon release today but think Apple can always do it better than most. I think the shame is criminals know how to reuse code better than the good guys.

ClamAV 0.97.0.0 2011.05.19 Trojan.OSX.MacDefender.C


Oh, also block 199.30.139.110 and 199.30.112 (AS174); I would block 199.30.136.0/21. They are using domain names like MacBookProtector, macBookdefender, macbooksecurity, MSTool, MSTool-kit.

Seems registered to sergii.marnedov()gmail.com, seems fake, but you may have better resources at your disposal. 😎

May 23, 2011 2:16 PM in response to drStrangeP0rk

drStrangeP0rk wrote:


Oh, also block 199.30.139.110 and 199.30.112 (AS174); I would block 199.30.136.0/21. They are using domain names like MacBookProtector, macBookdefender, macbooksecurity, MSTool, MSTool-kit.

Seems registered to sergii.marnedov()gmail.com, seems fake, but you may have better resources at your disposal.


If you read the other threads on this, they are all over the IP map, and have been doing this sort of whack-a-mole game to Windows users for years now.


Most Windows users run anti-malware that catches this thing as it completes its download.

May 24, 2011 4:28 AM in response to ds store

Yes, they always bounce around, especially the criminals who operate on the Russian Business Network, and that network block handled by DmitryFilin (whose AS/IP range escapes me now) has a mix of servers with illegal content (pirated movies), stolen software and open servers, and is home to many spammers. It is, as you say, whack-a-mole. AS174 has Tor servers within 199.30.136.0/21, so it becomes difficult, but they make mistakes sometimes. This is a small ISP, but their contact information seems to be completely fake or operating outside of the US; it is above my pay grade. So, it may be worth a look or check by people in law enforcement.


The first version had an IP hard-coded, and then in the last, OSX/MacDefender.F, the URLMaster has a backup IP. There is tons of information I got from the installer that relates to the developer, including machine, seed, Xcode, language, localization, all of which can help.


We should also try to get a handle on the IP addresses that it connects to and where it is downloaded from. You can post this at my site, magmatic.com (Contact); put "Downloaded from IP/Address" or "Connected to IP/Address".


As I learn more I will be posting, hopefully have my evolution info-graphic and report finalized soon.

May 24, 2011 5:27 AM in response to drStrangeP0rk

Also note about ClamAV: it is seeing two different versions as the same trojan, Trojan.MacOSX.MacDefender.C, but they are different. The good news is it detects all versions I have, so no worries for users, but it gets to the issue of how we need to create a common way to tag these so we can all be talking the same language. (I saw an article that said this was agreed upon recently.)


OSX/MacDefender.D (315 KB) does not hide SN but hides IP, includes webkit, KSMS has 4 in it.

MD5: 1f8e9cd3f0717a85b96f350e4f4a539a
SHA1: c792000d7027fbec1c96afbd82ba91871a8a69a3


OSX/MacDefender.F (344 KB) hides both SN and IP, has backup URL, webkit, KSMS file has 6 in it.

MD5: 2d99a11cf2edde3613dac6f37ce70b75
SHA1: b1d6093df62f54117566458132fe6fbc53f00ec7


Again, this may help you Apple...
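The two posts above hand out indicators in the two forms defenders actually consume: file digests (the MD5/SHA1 pairs for the .D and .F samples) and a network range (199.30.136.0/21, with 199.30.139.110 inside it). Below is an added example, not code from this thread, from Apple or from ClamAV, that turns them into a small IOC check: it hashes a file and looks the digests up, and it scans connection-log lines for destinations inside the blocked range. The digests and the CIDR are copied from the posts (the range is the poster's suggestion, not a verified attribution); the log-line format, the log lines themselves and the file bytes are constructed so the script runs offline.

```python
"""Check files and connection logs against the MacDefender indicators
posted in this thread.

Added example (not from the thread, Apple or any AV vendor). Hashes and
the 199.30.136.0/21 range come from the posts above; the log format,
SAMPLE_LOG and the file bytes are constructed.
"""
import hashlib
import ipaddress
import re

# MD5/SHA1 values posted for the .D and .F samples (from the thread).
FILE_IOCS = {
    "1f8e9cd3f0717a85b96f350e4f4a539a": "OSX/MacDefender.D (md5)",
    "c792000d7027fbec1c96afbd82ba91871a8a69a3": "OSX/MacDefender.D (sha1)",
    "2d99a11cf2edde3613dac6f37ce70b75": "OSX/MacDefender.F (md5)",
    "b1d6093df62f54117566458132fe6fbc53f00ec7": "OSX/MacDefender.F (sha1)",
}

# Range the poster suggested blocking; /21 covers 199.30.136.0 - 199.30.143.255.
BLOCKED_NETS = [ipaddress.ip_network("199.30.136.0/21")]


def digests(data: bytes) -> dict:
    """MD5 and SHA1 hex digests of a blob, the two forms the thread posted."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def match_file(data: bytes, iocs: dict = FILE_IOCS):
    """Return the IOC label if any digest of `data` is listed, else None.
    Unlike an AV family name (ClamAV calls both .D and .F 'MacDefender.C'),
    a digest match identifies the exact sample."""
    for digest in digests(data).values():
        label = iocs.get(digest)
        if label:
            return label
    return None


def ip_blocked(ip: str, nets=BLOCKED_NETS) -> bool:
    """True if `ip` falls inside any blocked range; unparsable input is not blocked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


# Constructed log format: "<month> <day> <time> pid=<n> <process> dst=<ip>:<port>"
LOG_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def flag_connections(log_lines, nets=BLOCKED_NETS):
    """Return [(line, ip)] for lines whose destination is in a blocked range."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and ip_blocked(m.group("ip"), nets):
            hits.append((line, m.group("ip")))
    return hits


# Constructed sample: two contacts inside the range, two outside it.
SAMPLE_LOG = [
    "May 23 04:12:01 pid=812 MacDefender dst=199.30.139.110:80",
    "May 23 04:12:03 pid=811 Safari dst=17.172.224.47:443",
    "May 23 04:12:09 pid=812 MacDefender dst=199.30.143.7:80",
    "May 23 04:12:11 pid=300 Mail dst=199.30.144.2:993",
]

if __name__ == "__main__":
    for line, ip in flag_connections(SAMPLE_LOG):
        print("BLOCKED-RANGE CONTACT:", ip, "<-", line)
    print("constructed benign blob:", match_file(b"constructed benign bytes"))
```

To use it on a real download, read the file's bytes and call `match_file`; a hit on either digest names the exact sample regardless of what a scanner's family label says, which is the naming-vs-detection distinction the following replies argue about.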

May 24, 2011 9:45 AM in response to drStrangeP0rk

drStrangeP0rk wrote:


Also note about ClamAV: it is seeing two different versions as the same trojan, Trojan.MacOSX.MacDefender.C, but they are different. The good news is it detects all versions I have, so no worries for users, but it gets to the issue of how we need to create a common way to tag these so we can all be talking the same language. (I saw an article that said this was agreed upon recently.)

The person responsible for writing OSX signatures for clamav is well aware of this. I don't understand why he should be concerned with identifying a specific strain as long as it's being caught. The lead time between when a version is first introduced to the time it takes for a user to submit it, signature written and submitted for approval, posted and distributed to users who often only update their databases once a day or less makes identification as malware far more important in my mind than determining exactly what strain it might be. I know that as long as it's not producing false alarms, the clamav folks are completely satisfied. They won't even accept malware that is already being identified as such no matter what the MD5/SHA1 is.


Please point me to the article on what was agreed if you can find it again and I'll get it to the right folks for comment.

Again, this may help you Apple...

You do know that Apple is probably not reading any of this, right?

May 24, 2011 11:10 AM in response to drStrangeP0rk

drStrangeP0rk wrote:

The good news is it detects all versions I have, so no worries for users, but it gets to the issue of how we need to create a common way to tag these so we can all be talking the same language. (I saw an article that said this was agreed upon recently.)

There are no standards for naming malware. Each company making anti-virus detection & removal software uses whatever conventions it sees fit to use, in part to best support its software.


Where did you see an article saying there was any agreement about naming malware variants & who was agreeing to what?
