Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro

    The recently reported malware attacks against Mac users prompted Apple to release a security update. We did initial analyses of both the FAKEAV for Macs and the latest Apple security update in our previous blog entry. I’ve extracted the version of XProtect.plist (Apple’s pattern file) to dig deeper into what’s inside it. A Property List (.PLIST) file is an XML file that uses Apple’s plist document type definition (DTD). .PLIST files are a standard part of Apple’s Mac OS X Core Foundation.

    The update notes are stored in the file XProtect.meta.plist.


    XProtect.plist is XML-formatted and is easily read using the Mac’s built-in Dashcode tool.


    For OSX.MacDefender.C, there are four hex string matches done based on file content:

    1. File =
       Hex1 = 446F776E6C6F6164506963742E706E67 = DownloadPict.png

    2. File = Info.plist
       Hex1 = 434642756E646C654E616D653C2F6B65793E = CFBundleName
       Hex2 = 3C737472696E673E416E746976697275732053657475703C2F737472696E673E = Antivirus Setup

    3. File = postinstall
       <8bd19a1b fc1356fb 487da3ca 2cb3a186 da2fa720>

    Based on XProtect.plist, it appears that Apple relies on plain string matching for most of its patterns. Knowing the patterns Apple implements, malware writers can easily modify their malware to prevent detection. Whatever the antivirus software does once a threat is detected, the user’s protection ultimately depends on the pattern and on how often it is updated. Based on the recent history of FAKEAV Mac malware, we should expect the authors to release new variants modified just enough to evade detection and stay in business.
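    To make the matching described above concrete, here is an added example (not Apple’s code and not the real XProtect schema, which is simplified here into a constructed rule list) that serialises the post’s OSX.MacDefender.C patterns as an XML plist, decodes the hex strings back to text the way the post does by hand, and applies the rules to a constructed package; the all-patterns-must-match rule and the SHA1 key name are my assumptions.

```python
import hashlib
import plistlib

# Constructed example (not Apple's real XProtect schema): a simplified rule list
# with the ingredients the post shows for OSX.MacDefender.C.
SIGNATURES = [{
    "Description": "OSX.MacDefender.C",
    "Matches": [
        {"File": "Info.plist",
         "Hex": ["434642756E646C654E616D653C2F6B65793E",
                 "3C737472696E673E416E746976697275732053657475703C2F737472696E673E"]},
        {"File": "postinstall", "SHA1": "8bd19a1bfc1356fb487da3ca2cb3a186da2fa720"},
    ],
}]
# Serialise like XProtect.plist (XML plist text) so the functions parse a real plist.
SIGNATURE_PLIST = plistlib.dumps(SIGNATURES)

def decode_patterns(plist_bytes):
    """Decode each rule's hex patterns to text, as done by hand in the post."""
    out = {}
    for sig in plistlib.loads(plist_bytes):
        for m in sig["Matches"]:
            for h in m.get("Hex", []):
                out.setdefault((sig["Description"], m["File"]), []).append(
                    bytes.fromhex(h).decode("ascii", "replace"))
    return out

def scan_package(plist_bytes, files):
    """Apply the rules to a flattened package given as {filename: bytes}.
    Assumption (mine, not documented by Apple): every hex pattern listed for a
    file must occur in it; a SHA1 entry must equal the file's digest.
    Returns (description, file, kind) for each rule that fires."""
    hits = []
    for sig in plistlib.loads(plist_bytes):
        for m in sig["Matches"]:
            data = files.get(m["File"])
            if data is None:
                continue
            if "Hex" in m and all(bytes.fromhex(h) in data for h in m["Hex"]):
                hits.append((sig["Description"], m["File"], "hex"))
            if "SHA1" in m and hashlib.sha1(data).hexdigest() == m["SHA1"]:
                hits.append((sig["Description"], m["File"], "sha1"))
    return hits

# Constructed stand-in for the flattened mdInstall.pkg: the hex rule fires on
# Info.plist; the hash rule stays silent because this script is not the real one.
PACKAGE = {
    "Info.plist": b"<dict><key>CFBundleName</key><string>Antivirus Setup</string></dict>",
    "postinstall": b"#!/bin/sh\necho constructed placeholder\n",
}
```

    Note that the decoded first pattern is actually `CFBundleName</key>`, i.e. the match includes the closing XML tag, which is why a hex rule fires only on the exact byte sequence.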

    The MacDefender sample spreading on Facebook is covered by the latest Apple Security Update where the above-mentioned files were referenced.

    Upon further analysis of OSX_DEFMA.B—our detection for the said MacDefender variant—we found that after the MacDefender fake screen, it will cause a browser download of The said archive contains mdInstall.pkg that includes all of the pre-/post-install items for the application. Moreover, Archive.pax.gz contains mdDownloader, which is the installer itself. When laid out flat, the full content is shown below.


    Now, the Apple solution would probably have worked better had the vendor encrypted the search strings. Unfortunately, all the bad guys have to do to circumvent this latest “security update” is change the strings and file locations, and they can once again continue to affect Mac users.

    In fact, we tested whether a Mac patched with the security update can detect malware found in February (OSX_MUSMINIM.A) and found that it is not covered. Considering the weaknesses of Apple’s current strategy against malware, we recommend that users exercise extreme caution.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice