The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


MacDefender in action

Posted on May 3rd, 2011 at 7:40 AM EDT

I have located a copy of the MacDefender trojan (thanks to Linc Davis, who sent me the link) and have done some testing myself.  Below is a detailed account of my experiences with it, as a continuing addition to previous news on this issue on my blog.

First, I visited the link on my regular account, on which Open “safe” files after downloading is turned off.  (See my previous report, MacDefender news, for why this is important.)  The first thing that happens – if you have JavaScript turned on in Safari – is that an alert pops up:

This alert should make Mac users suspicious – after all, they’re not using Windows!  In addition, a web site cannot scan your computer for viruses, though many users will not understand that the Safari icon plus the web site address means that this alert is being displayed by JavaScript code on that web site.  Of course, you have no choice but to click OK…  or force-quit Safari, which wouldn’t be a bad idea in a situation like this, just to be safe.

Clicking OK results in the following page being opened:

The page shows a progress bar as it “scans” for viruses.  Surprise, surprise, it actually finds some viruses, and up pops the “window” titled “Windows Security Alert” listing all the “viruses.”  This should be another warning that something is wrong.  All this is very Windows-oriented, and you, as a Mac user, are not using Windows.

If you click in most areas, the trojan will be downloaded to Safari’s downloads folder.  The download, named “BestMacAntivirus2011.mpkg.zip”, is a .mpkg installer file inside a .zip archive.  And, on my everyday user account, where Safari is not set to open such files, that is as far as it goes.  Unless I find that file later and decide to unzip it and run it, it will do no harm.

I then tested on a throwaway user account I created just for this purpose.  With the default settings in Safari – both JavaScript and Open “safe” files after downloading turned on – clicking anywhere on the page shown above results in not only the trojan being downloaded, but also being automatically unzipped and the installer launched!  This is a very serious security breach in Safari that Apple must address as soon as possible.  I’m surprised it has never been an issue before.

From there, one must proceed through installation, in Apple’s own installer, so there’s nothing scary-looking about it.  However, users should be on alert to installers that they did not intentionally launch!  I stopped here, being unwilling to see what happened to my machine after clicking Install.  From what I understand, though, from third-party sources, a password is required before the installation can commence.

It is important to point out that in the course of writing this, Safari has started displaying the following warning when I try to visit the malicious site:

In all, the most concerning part of this is that Safari will open an installer automatically, given the right preferences turned on and the right kind of installer, and that Quarantine also will not catch this installer.

Edit (7:40 am): Oh, and the confusion about what Fast Windows Antivirus is is resolved…  that’s the title of the browser window when you visit the malicious web site.

Edit (8:10 am): I tested ClamXav to see if it would detect the malware, and at this time, it does not.  However, I have seen a post on the Apple Support Communities that indicates that they are working on adding it and will be updating their definitions “shortly.”  As Intego and Sophos have both posted information about this trojan on their sites, I’m sure they have likewise added it to the definitions for their anti-virus software.

Edit (10:40 am): Linc Davis actually ran the installer on a test account.  Here is his account of what happens after installation:

I didn’t run the installer because I wasn’t motivated to take the necessary precautions. Instead, I extracted the package contents manually and ran them in an unprivileged account, which I then deleted.

The archive that I downloaded was named “BestMacAntivirus2011.mpkg.zip.” The package installs only the application MacDefender.app. It also runs a shell script that launches the application.

When launched, the application adds itself to the user’s login items and writes a preference file, ~/Library/Preferences/com.alppe.md.plist.plist. It doesn’t modify any other user files. It runs as a multi-threaded 64-bit process and doesn’t spawn any subprocesses. It contacts a server at the address 69.50.214.53, which is in a netblock assigned to “atjeu publishing, llc” of Phoenix, AZ. A hosting service seems to operate out of that network. The registrant’s contact name is given by whois as “Vasilev, Boris.”

The application is localized in two languages, English and Russian.

The bundle identifier is “com.alppe.spav.plist”. That’s a Java-style MIB, not a filename. The indicated domain is registered anonymously in Australia and is represented by a parking page.

The application really does scan the Applications folder and flags a number of executables variously as “Rootkit,” “Worm,” “Troyan,” (sic) and so forth. After the scan completes, the main window closes, but the application doesn’t exit. It loads some objectionable pages in Safari, as has been reported, and installs a menu item. There is no Quit menu and the only way to get rid of it is to terminate the process with kill(1) or Activity Monitor.

So to summarize, the trojan can be removed simply by killing the process “MacDefender” in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer, which I didn’t.

Mr. Davis confirms in a separate message that the installer does require an administrative password, if allowed to proceed that far.

Post to Twitter

Tags: , , ,


6 Comments

  • TMO says:

    I was using Safari for browsing facebook. I clicked on a link that took me to a blog page on discovermagazine.com and suddenly there was a download in progress (I usually use firefox so I was unaware of the default Safari behavior). I got the install page, knew something was wrong and quit Safari. Note that subsequent browsing to that very page resulted in a normal page. Here are my particulars:
    * The redirect seemed to be to [link removed] .
    * Once there I quickly saw a browser entry looking like an IP concatenated before the blog page I was going to. The IP was 69.50 something. The fake scanning page came up and immediately tried to get me to install mac defender
    * I think the downloaded file was macdefender.mpkg but my memory is fuzzy
    * A cookie was left on my system named 69.50.202.201
    * [address removed] resolves to [ip removed] . Another domain, [address removed], also resolves to it.

    • Thomas says:

      Other reports are coming out that this is appearing on sites other than Google Images, often in JavaScript in malicious ad banners.

  • Jen says:

    I got routed to this IP address when I was looking for low airfares on a site I had never heard of. I can’t remember the site I was at, though! I was just following links from my google search. The address is:
    http://178.162.157.198/eb2c530035c0581a9c4633dbfc55f5d83886b5372fba6510

    Hope this helps you figure it out and find a defense.
    Jen

  • Jen says:

    AAAAHHHH!!! don’t open the link in my previous post!!!! I thought I was just writing in the text, I didn’t know it would come up as a link. SORRY!

    • Thomas says:

      No worries, I could have commented out the link. It’s non-functional at this point though. These sites are moving around constantly… as one gets blacklisted and blocked, another opens up. I left the link present so people could see what they look like. Thus far, every link to this malware that I have seen looks similar. If you’re getting virus warnings and see something like that in your address bar, that’s another hint that something’s wrong!

  • Macaroni says:

    Thanks for this informative blog post. It answered all the questions my mind came up with after hearing about the “macdefender” scareware-trojan. Basically, your information clarifies that the default secure behavior of the Mac OS is not compromised/exploited, because you still have to willfully install the application by providing admin credentials.
    So if you install this trojan and “get infected” it’s your own dumb fault, and you need to learn to be more careful on your Mac.

This post is more than 90 days old and has been locked. No further comments are allowed.

This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.