OSX_FAKEDEF.M

 Analysis by: Erika Bianca Mendoza

 PLATFORM:

Mac OS


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This is a FAKEAV variant that targets Mac operating systems.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

Upon execution, OSX_FAKEDEF.M prompts the user to install the MacDefender application.

Once installed, it displays a fake scanner and fake virus notifications.

If the user attempts to remove the supposed infection, it asks the user to buy the registered version first.

It then redirects to certain websites to collect payment and user information such as credit card details.

It may open certain adult websites.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It installs fake antivirus/antispyware software. It displays fake alerts that warn users of infection. It also displays fake scanning results for the affected system. It then asks users to purchase the product once scanning is completed. If users decide to purchase the rogue product, they are directed to a certain website that asks for sensitive information, such as credit card numbers.

  TECHNICAL DETAILS

File Size:

284,100 bytes

File Type:

Mach-O

Memory Resident:

No

Initial Samples Received Date:

04 May 2011

Payload:

Steals information, Connects to URLs/IPs

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Rogue Antivirus Routine

This Trojan installs fake antivirus/antispyware software.

It displays fake alerts that warn users of infection. It also displays fake scanning results for the affected system. It then asks users to purchase the product once scanning is completed. If users decide to purchase the rogue product, they are directed to a certain website that asks for sensitive information, such as credit card numbers.

NOTES:

Upon execution, it prompts the user to install the MacDefender application.

Once installed, it displays a fake scanner and fake virus notifications.

If the user attempts to remove the supposed infection, it asks the user to buy the registered version first.

It then redirects to any of the following websites to get the payment and confidential user information such as credit card details:

  • http://{BLOCKED}.{BLOCKED}.214.54/i.php?affid={number}
  • http://{BLOCKED}.{BLOCKED}.214.54/mac.php?affid={number}
  • http://{BLOCKED}.{BLOCKED}.214.53/i.php?affid={number}
  • http://{BLOCKED}.{BLOCKED}.214.53/mac.php?affid={number}

As of this writing, the said sites are inaccessible.

It may open the following adult websites:

  • http://{BLOCKED}y.porn.com
  • http://{BLOCKED}agra-now.net
  • http://{BLOCKED}h.com
  • http://www.{BLOCKED}y.com
  • http://www.{BLOCKED}n.com
  • http://www.{BLOCKED}smgalleries.com

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI OPR PATTERN File:

8.185.00

VSAPI OPR PATTERN Date:

28 May 2011

NOTES:

  1. Terminating Malware Process
    Go to Applications>Utilities>Activity Monitor and terminate the process related to MacDefender using the "Quit Process" button.
  2. Remove Autostart Entry
    Go to System Preferences>Accounts>Login Items
    Select the checkbox for "MacDefender"
    Click button to delete selected items
  3. Restart your computer.
  4. Scan your computer with your Trend Micro product to delete files detected as OSX_FAKEDEF.M. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
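The following script is an added example and not part of this description: it turns manual steps 1 and 2 above into a repeatable check on a Mac. It assumes macOS, where the processes Activity Monitor lists are the ones `ps` reports and login items can be read and deleted through `osascript`; the two helper functions only parse listings, so they can be tested on constructed input.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro description: scripted version of the
# manual removal steps above. Assumes macOS, where Activity Monitor's process list
# is what `ps` reports and login items are reachable through `osascript`.

SUSPECT_NAME="MacDefender"   # application name given in the description

# Step 1 helper: read a `ps -axo pid=,comm=` listing on stdin and print the PID of
# every entry whose command path contains the suspect name (case-insensitive).
suspect_pids() {
    awk -v name="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" \
        'index(tolower($0), name) { print $1 }'
}

# Step 2 helper: read the comma-separated login item names that
#   osascript -e 'tell application "System Events" to get the name of every login item'
# prints, and output the ones matching the suspect name, one per line.
suspect_login_items() {
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -i "$1" || true
}

# Report what would be removed without touching anything.
scan() {
    echo "processes:"
    ps -axo pid=,comm= | suspect_pids "$SUSPECT_NAME"
    echo "login items:"
    osascript -e 'tell application "System Events" to get the name of every login item' \
        2>/dev/null | suspect_login_items "$SUSPECT_NAME"
}

# Steps 1 and 2: quit the process, then delete the login item. Restarting and the
# full product scan (steps 3 and 4) remain manual.
remove() {
    for pid in $(ps -axo pid=,comm= | suspect_pids "$SUSPECT_NAME"); do
        kill "$pid" && echo "terminated pid $pid"
    done
    osascript -e 'tell application "System Events" to get the name of every login item' \
        2>/dev/null | suspect_login_items "$SUSPECT_NAME" | while read -r item; do
        osascript -e "tell application \"System Events\" to delete login item \"$item\""
        echo "removed login item $item"
    done
}

case "${1:-}" in
    --scan)   scan ;;
    --remove) remove ;;
esac
```

Run `sh macdefender_triage.sh --scan` first to see what matches, then `--remove` to apply steps 1 and 2.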