MacDefender Fun

I created an account to play around with the MacDefender malware and when I first looked into installing it, you have to really want it to install it as it requires you to push buttons in the installer app such as continue and install. So basically, this was a social engineering attack to get people to install as people do not know what to do when there is a virus and if they see a dialog saying this will get rid of it, they trust it.
The way it gets installed is it shows a pixelated page (linked below that you shouldn’t click) that looks like the finder mixed with a bunch bad designed graphics of virus software and downloads a ZIP file containing the installer package which if your browser is set to “Open “safe” files after downloading” (safe is in quotes for a reason), then it’ll uncompress the zip and open the installer package for you which is the point where you run it. Due to them making it so it doesn’t require an administrator password to install, it’ll install on an admin account easily as they will have access to the Applications folder (which installing malware into the Applications folder isn’t a good idea…). Once installed, it’ll open the downloader which they made to trick Apple’s Anti Malware protection as it doesn’t have any of the same strings as the malware itself and once it finishes downloading, it can open using a flaw in OS X I knew about and reported to apple (they denied it as a flaw).
I gave it a try and recorded the packets and a video of it working for your enjoyment. Note that it thinks QuickTime Player is a virus (what a joke).

Screenshot of the page with the installer.
Untitled

Downloads the downloader.
http://188.120.243.141/7a6147334f6e4925147a73bbad364d98ed34220fd14a020f

Downloads the virus.
http://86.55.210.117/mac/soft.php?affid=37001

What is this?
http://178.17.162.117/i.php?v=1012&affid=37001&data=000000000000100080000016CBCB66A76D6DA31AF64A42EFB0877ED77B188B9B020620

Page to give them your credit card.
http://91.213.217.79/mac.php?v=1012&affid=37001&data=000000000000100080000016CBCB66A76D6DA31AF64A42EFB0877ED77B188B9B020620

Recommendation, do not try this at home.

Did some disassembling of it and found some things: http://dl.dropbox.com/u/610721/MacDefender.zip

1: His username is pga.

2: He doesn’t know about ditto for unzipping files compressed with the Finder.

3: It opens random porn sites.

4: It force quits random applications and says that it crashed saying that this may be due to the fact that you received a virus (which is somewhat true, it’s malware).

5: It does something with your Cookies and may actually steal them.

6: They have an email address (support@macbooksecurity.com) and a domain (macbooksecurity.com) which the non mail. domain has a smtp server that is for sending emails from what I see and also mentions the domain saturn.mxserver.ro. The domain macbooksecurity.com whois (http://who.is/whois/macbooksecurity.com/) says it belongs to someone named Vlad Kireev and has the email as VladKireev@yahoo.com which could be fake, so it means almost nothing.

7: They have a phone number of 1-800-959-40-31 (obviously he doesn’t know how to format us numbers as it should be 1-800-959-4031).

8: It may send them information on your computer, as I noticed a few files of dmem.txt, hwuuid.txt, proc.txt which the following is what each contains.
dmem: contains the disks device location and the path of each disk (I knew something like this would exist, why I changed permissions to them to not have read access).
hwuuid: Looks to be a Unique ID of your machine, I am unsure how they could use this, but it is there.
proc: Contains each process running on your computer.

9: It stores a cookie for the domain 91.213.217.79 with the name of pf_visit and the value of the time which is 1307049618.

10: It’s bundle ID is com.amle.spav

11: It keeps the “viruses” it detected blow:
PackagePath
/Applications/QuickTime Player.app
Path/Applications/QuickTime Player.app/Contents/Resources/QTPlayerXHelper
VirusType
3

Thoughts about this malware.

1: The guy who made it was smart to use IP Addresses for all of this as it is possible to block domains by the DNS level.

2: Now that he has loads of credit card numbers, he’ll use them to buy more IP Addresses and blocking would be gone again.

3: By making a downloader and using the flaw I knew about in OS X to start the malware, that’s clever as it by passes OS X’s string search for the malware.

4: This guy must have no life to take the time to write something as poor as this.

5: Mac people are not as security aware as we should be. To install this virus, you have to click the continue button and want to install the malware for it to install.

My tips to stay Malware free.

1: If anything pops up saying you have a virus, never click anything and do the following.
Go to the dock and hover over your web browser (Safari, Firefox, Chrome, etc). Hold down option as you right-click (control-click). Choose the item called Force Quit while still holding down Option. If it is still there, and looks like what appears on http://support.apple.com/kb/HT3662, push the move to trash button.

2: If you get an email or message (on Tiwtter, Facebook, AIM, MSN, ect…) saying something about something with a link, do not click the link. This is what they call Social Engineering and it is very effective in getting data from government and businesses computers. Example of possible social engineering that you could receive and that I received “holy c*** cnn proof that osama is alive right now :O http://bit.ly/liAYDJ” and if you visit http://bit.ly/liAYDJ+, you can see it really goes to http://expiredlogin.twitter.w2c.ru/relogin.php and that to this day (6/3/11) got 2,999 visits which probably is just a phishing attack, but I still will never click the link as I know that it is possible to have malware or phishing on it.

3: Do not visit porn sites. Porn sites is the number 1 reason PC users gets malware nowadays and because they have such a thing as root kits (the ability to link into the things virus scanners uses and say that it doesn’t exists) they are undetectable and there fore will stay on their computer as long as it wants.

4: Do not pirate software. The first malware for the Mac came in a DMG from a torrent of iWork, because it was installed with iWork, the users had no idea about it and gave it full root access to their computer.

5: Do not pirate music or movies. Back in the day of Limewire, people got tricked into downloading malware as they thought it was the song they wanted. People can also hide malware in PDF’s, MP3’s, ect… So keep an eye on that as there may be one day when you play a song you pirated and you get infected.

6: Do not open attachments in email unless you know you were suppose to receive it as it is possible for the attachment to contain malware in it. Beware that people can send emails as you and as your friends if they have a SMTP server, so emails from your friends may not be your friend at all. Emails can have html in it and load an image which tracks your IP address when you open them (may not be a concern, but it is possible). Emails are a huge target for security flaws and once they find them, they will spam a email that contains the flaw.
If you do not wish to be tracked by images, go into preferences under mail and in the viewing pane, uncheck display remote images in HTML messages.

7: Use No Script for FireFox or Not Script for chrome to block javascript as there is flaws being found every day and if you need javascript and trust the site your visiting, you can enable it.

8: Do not be crazy like me and download a virus on purpose to see how it works and what it does.

Hope these things help you to be more safe and think before you click. If you have got the malware, all you have to do to remove it is visit this site and follow the instructions http://support.apple.com/kb/HT4650.

NOTE: I only did this for fun, in no way do I intend to do anything illegal, if it is illegal to disassemble malware.

1 Comment

  1. "Note that it thinks QuickTime Player is a virus (what a joke)."

    Hehe, yeah, it only "thinks" that. 😛

Leave a Reply

Your email address will not be published.

*

© 2017 Mr. Gecko's Weblog

Theme by Anders NorenUp ↑