The current wave of Mac OS X FAKEAV infections follows a three-step process. To those familiar with Windows-based FAKEAV variants, the pattern in this infection chain will be quite familiar.

1. Displays a “scanning page” from poisoned Google searches.
2. Prompts the user to download a .ZIP file that contains a .PKG installer. This installer installs a downloader.
3. The downloader downloads another .ZIP file that contains the actual FAKEAV .APP file.

In step 2, the downloaded installer package (.PKG file) contains two notable files:

• The downloader binary
• A .PNG file
The downloader binary is responsible for downloading (and executing) the final FAKEAV payload. Interestingly, an important part of the download URL, the IP address, is not stored within the downloader binary itself. Instead, the host IP address is stored at the end of the above-mentioned .PNG file.

The data appended at the end of the .PNG file is encrypted using a simple cipher, the encryption key to which can be found in the downloader binary. When decrypted, the data looks like this:

The decrypted data reveals two sets of information:

1. The IP addresses from which the final FAKEAV payload can be downloaded
2. The affiliate IDs

With the IP address decrypted, the downloader binary assembles the download URL, which comes in the following form:

• http://ip_address/mac/soft.php?affid=xxxxx

affid is a number: the affiliate ID (affid) identifies the affiliate member who is responsible for distributing the Mac FAKEAV.

The presence of the affiliate ID is disturbing. It means that there are already organized affiliate programs targeting Mac OS X. With these affiliate programs already in place and already operational, we can expect sustained attacks against Mac OS X users in the future.
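A defender-side check for the hiding technique described above (configuration appended after a PNG's IEND chunk), added here as an example; it is not code from the original post or from Trend Micro. It walks the chunk list, verifies each chunk CRC, and returns whatever follows IEND; the post does not specify the cipher, so the example makes no assumption about it, and the sample PNG and trailer below are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return any bytes that follow the IEND chunk.

    A well-formed PNG ends immediately after IEND; image viewers ignore anything
    after it, which is what makes the tail of a PNG a convenient hiding place for
    data such as the encrypted host list described above.
    Raises ValueError if the input is not a PNG or its chunk list is corrupt.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header (no IEND found)")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4            # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]                       # empty for a clean file


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, payload, CRC32(type + payload)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG (not the malware's file) with an optional trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, type...
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    clean = build_sample_png()
    suspicious = build_sample_png(b"CONSTRUCTED-ENCRYPTED-CONFIG-BLOB")
    print(len(png_trailing_data(clean)), "trailing bytes in clean file")
    print(len(png_trailing_data(suspicious)), "trailing bytes in suspicious file")
```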
