The current wave of Mac OS X FAKEAV infections follows a three-step process. To those familiar with Windows-based FAKEAV variants, the pattern in this infection chain will be quite familiar.
- A fake “scanning page” is displayed to users who arrive through poisoned Google search results.
- The page prompts the user to download a .ZIP file containing a .PKG installer, which in turn installs a downloader.
- The downloader retrieves another .ZIP file that contains the actual FAKEAV .APP bundle.
In step 2, the downloaded installer package (.PKG file) contains two notable files:
- The downloader binary
- A .PNG file
The downloader binary is responsible for downloading (and executing) the final FAKEAV payload. Interestingly, an important part of the download URL, the IP address of the host, is not stored within the downloader binary itself. Instead, it is appended to the end of the above-mentioned .PNG file, after the image data, where image viewers ignore it and the file still opens as an ordinary picture.
The data appended to the .PNG file is encrypted using a simple cipher whose key is hard-coded in the downloader binary. When decrypted, the data looks like this:
The decrypted data reveals two sets of information:
- The IP addresses from which the final FAKEAV payload can be downloaded
- The affiliate IDs
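The following Python script is an added example, not code from the original analysis or from the malware. It shows how a practitioner would check a .PNG for the technique described above: walk the chunk list, verify each chunk's CRC, and report any bytes that follow the IEND chunk, then decrypt and split that trailing blob. The page does not say which "simple cipher" the downloader uses or how the decrypted data is laid out, so the repeating-key XOR, the key, the `hosts|affids` text format, and the documentation-range IP addresses below are all assumptions constructed for the demo.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed demo values; the real sample's key and config layout are not known from the page.
DEMO_KEY = b"k3y"
DEMO_CONFIG = b"192.0.2.10,198.51.100.7|1001,2042"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG (IHDR + IDAT + IEND) built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one gray pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts.
    Assumed stand-in for the unspecified 'simple cipher' in the sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample() -> bytes:
    """Constructed stand-in for the malicious .PNG: valid image + encrypted config after IEND."""
    return minimal_png() + xor_cipher(DEMO_CONFIG, DEMO_KEY)


def trailing_data_after_iend(png: bytes) -> bytes:
    """Walk the chunk list, verifying CRCs, and return every byte after IEND's CRC.
    Decoders stop at IEND, so anything returned here is invisible to an image viewer."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        cdata = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + cdata) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("no IEND chunk found")


def parse_config(plaintext: bytes) -> dict:
    """Split decrypted config into hosts and affiliate IDs.
    The 'ip1,ip2|affid1,affid2' layout is assumed for this demo."""
    hosts, affids = plaintext.decode("ascii").split("|")
    return {"hosts": hosts.split(","), "affids": affids.split(",")}


def recover_config(png: bytes, key: bytes) -> dict:
    """Extract, decrypt and parse the appended config from a PNG."""
    return parse_config(xor_cipher(trailing_data_after_iend(png), key))


if __name__ == "__main__":
    sample = build_sample()
    print("bytes after IEND:", len(trailing_data_after_iend(sample)))
    print("recovered config:", recover_config(sample, DEMO_KEY))
```

Run against a clean icon, `trailing_data_after_iend()` returns an empty byte string; a non-empty result is a cheap triage signal worth flagging on any image shipped inside an installer package, regardless of whether the appended bytes can be decrypted.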
With the IP address decrypted, the downloader binary assembles the download URL, which comes in the following form:
affid is a numeric affiliate ID. It identifies the affiliate member responsible for distributing this particular Mac FAKEAV sample.
The presence of an affiliate ID is disturbing: it means organized affiliate programs are already targeting Mac OS X. With these programs in place and operational, we can expect sustained attacks against Mac OS X users in the future.