Analysis by: MarfelTi
 Modified by: Erika Bianca Mendoza

ALIASES:

Kaspersky: ARC:Tar ARC:[./MacSecurity.app/Contents/MacOS/MacSecurity]:Fat
Sophos: OSX/FakeAV-A

 PLATFORM:

Mac OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This malware is noteworthy because it targets Mac OS X, bringing the rogue antivirus (FakeAV) scheme that is well established on Windows to the Mac platform.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It installs a fake antivirus/antispyware application. It displays fake alerts warning the user that the system is infected, followed by fake scan results for the affected system, and then prompts the user to purchase the product once the "scan" completes. Users who agree to purchase the rogue product are directed to a website that asks for sensitive information such as credit card numbers.

  TECHNICAL DETAILS

File Size: Varies
File Type: Mach-O
Memory Resident: No
Initial Samples Received Date: 06 May 2011
Payload: Displays fake alerts

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

This malware arrives via the following means:

  • blackhat SEO (search engine poisoning that places links to the malicious download page high in search results)

Rogue Antivirus Routine

This Trojan installs a fake antivirus/antispyware application.

It displays fake alerts warning the user that the system is infected, followed by fake scan results for the affected system, and then prompts the user to purchase the product once the "scan" completes. Users who agree to purchase the rogue product are directed to a website that asks for sensitive information such as credit card numbers.

NOTES:

It displays the following graphical user interface (GUI):

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 8.141.00
VSAPI OPR PATTERN Date: 07 May 2011

NOTES:

  1. Terminating Malware Process
    Go to Applications > Utilities > Activity Monitor, select the process related to Mac Security, and click the "Quit Process" button.
  2. Remove Autostart Entry
    Go to System Preferences > Accounts > Login Items.
    Select "Mac Security" in the list of login items.
    Click the "-" (remove) button to delete the selected item.
  3. Restart your computer.
  4. Scan your computer with your Trend Micro product to delete files detected as OSX_FAKEAV.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
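The following script, added here as an example and not a Trend Micro tool or part of the malware, scripts the checks behind removal steps 1 and 2: it walks a home directory for Mach-O executables inside a watchlisted .app bundle, reads the Login Items list, and prints the shell equivalents of "Quit Process" and the Login Items removal without running them. Assumptions not stated on the page: the bundle is named MacSecurity.app (taken from the Kaspersky alias path), the Login Items entry lives in ~/Library/Preferences/loginwindow.plist under the AutoLaunchedApplicationDictionary key (the pre-10.7 format), and the AppleScript form used to remove a login item by name. The sample home directory the script builds is constructed for the demonstration and is not a real sample.

```python
"""Triage helper for the OSX_FAKEAV.A removal steps (example code, not Trend Micro's).

Assumed, not from the page: bundle name MacSecurity.app, login items stored in
~/Library/Preferences/loginwindow.plist (AutoLaunchedApplicationDictionary).
"""
import os
import plistlib
import struct
import tempfile

WATCHLIST = ("MacSecurity.app",)  # bundle names to hunt for (assumed from the alias)
MACHO_MAGICS = {0xFEEDFACE: "Mach-O 32-bit", 0xFEEDFACF: "Mach-O 64-bit"}


def macho_kind(path):
    """Classify a file by its header: thin Mach-O, fat/universal Mach-O, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    if len(head) < 8:
        return None
    magic_be, word2_be = struct.unpack(">II", head)
    magic_le = struct.unpack("<I", head[:4])[0]
    if magic_be == 0xCAFEBABE:
        # Java class files share this magic. A fat header's second word is the
        # architecture count (small); a class file stores its version there with
        # major >= 45, so a large value means "not a fat binary".
        return "Mach-O fat/universal" if word2_be < 32 else None
    for magic in (magic_be, magic_le):  # thin headers may be either endianness
        if magic in MACHO_MAGICS:
            return MACHO_MAGICS[magic]
    return None


def find_app_executables(root, bundle_names=WATCHLIST):
    """Walk root and return (path, kind) for Mach-O files inside watchlisted bundles."""
    wanted = {n.lower() for n in bundle_names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not dirpath.endswith(os.path.join("Contents", "MacOS")):
            continue
        bundle = os.path.basename(os.path.dirname(os.path.dirname(dirpath)))
        if bundle.lower() not in wanted:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            kind = macho_kind(path)
            if kind:
                hits.append((path, kind))
    return hits


def login_items_referencing(plist_path, bundle_names=WATCHLIST):
    """Return Login Items paths pointing at a watchlisted bundle (the step 2 check)."""
    if not os.path.exists(plist_path):
        return []
    with open(plist_path, "rb") as f:
        data = plistlib.load(f)
    wanted = {n.lower() for n in bundle_names}
    return [item.get("Path", "")
            for item in data.get("AutoLaunchedApplicationDictionary", [])
            if os.path.basename(item.get("Path", "").rstrip("/")).lower() in wanted]


def triage(home, bundle_names=WATCHLIST):
    """Collect on-disk and persistence findings for one user home directory."""
    plist = os.path.join(home, "Library", "Preferences", "loginwindow.plist")
    return {"executables": find_app_executables(home, bundle_names),
            "login_items": login_items_referencing(plist, bundle_names)}


def removal_commands(report):
    """Shell equivalents of removal steps 1 and 2 for the findings (returned, not run)."""
    cmds = []
    for exe, _kind in report["executables"]:
        cmds.append('pkill -f "%s"' % exe)  # step 1: Activity Monitor > Quit Process
    for item in report["login_items"]:
        name = os.path.basename(item.rstrip("/"))
        if name.lower().endswith(".app"):
            name = name[:-4]  # login items are listed by app name without .app
        # step 2: drop the Login Items entry (assumed AppleScript form)
        cmd = 'osascript -e \'tell application "System Events" to delete login item "%s"\''
        cmds.append(cmd % name)
    return cmds


def build_sample_home(base=None):
    """Build a constructed sample home (NOT a real infection) so the script runs offline."""
    home = base or tempfile.mkdtemp(prefix="fakeav_demo_")
    macos_dir = os.path.join(home, "Downloads", "MacSecurity.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    exe = os.path.join(macos_dir, "MacSecurity")
    with open(exe, "wb") as f:  # fat header: magic, nfat_arch=2, then zero padding
        f.write(struct.pack(">II", 0xCAFEBABE, 2) + b"\x00" * 56)
    java_class = os.path.join(home, "Downloads", "Hello.class")
    with open(java_class, "wb") as f:  # same magic, but class-file version words follow
        f.write(struct.pack(">IHH", 0xCAFEBABE, 0, 52))
    prefs = os.path.join(home, "Library", "Preferences")
    os.makedirs(prefs)
    items = {"AutoLaunchedApplicationDictionary": [
        {"Path": os.path.join(home, "Downloads", "MacSecurity.app")},
        {"Path": "/Applications/Mail.app"}]}
    with open(os.path.join(prefs, "loginwindow.plist"), "wb") as f:
        plistlib.dump(items, f)
    return {"home": home, "executable": exe, "java_class": java_class}


if __name__ == "__main__":
    sample = build_sample_home()
    report = triage(sample["home"])
    for path, kind in report["executables"]:
        print("executable:", path, "(%s)" % kind)
    for item in report["login_items"]:
        print("login item:", item)
    for cmd in removal_commands(report):
        print("run:", cmd)
```

Run it against a real home directory by calling triage(os.path.expanduser("~")) instead of the constructed sample; review the printed commands before executing any of them, since pkill -f matches on the full command line. The fat-header check matters because 0xCAFEBABE is also the Java class-file magic: a scanner that keys on the first four bytes alone would flag every .class file under the home directory.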

