Thursday, June 2, 2011

MacGuard Downloader for MacDefender/MacProtector/MacSecurity

The evolution of MacDefender is out of expectation. Mac rogue antivirus has evolved rapidly until the latest variant MacGuard which does not require administrator password during installation. See MacGuard in action in below screenshots:

Figure 1: MacGuard is downloading 

Figure 2: MacGuard installation

Analysis of MacGuard Downloader

  1. Identifying malicious URL
When avRunner is executing, __DownloadWinCtrl_startDownloadingURL__ handler will be executed to start the download routine. Basically, the downloader will first obtain the variables like:  

  •  The downloaded fake av archive installer’s name
  • The remote server where it hosts the fake av archive installer
  •   Affiliates ID used by the server script
These variables can be obtained through __ZL14getConfigParami.
After the variables are obtained, a complete URL is formed which is the remote server address that stores the fake av archive installer. The URL format: 


Figure 3: Start Downloading Mac Fake AV Installer

  1. Identifying where the downloaded component will be stored

If the URL is valid and the Objective-C NSURLDownload returns a valid object, it will continue to call local function __ZL21getDownloadedFilePathv to get the local folder directory to store the downloaded file.
Figure 4: Save the Downloaded File to Local Drive

Within the __ZL21getDownloaderFilePathv, it calls __ZL14getConfigParami again to get the downloaded installer’s name. We will look at that function in the next part. The file will be downloaded to “/Application/[installer_name]
Figure 5: Get the Downloaded File Path

  1. Identifying the remote server URL

As the name implied, __Zl14getConfigParami will read the configuration file and return the desired result, according to the argument passed by the caller, to the caller function.
The configuration file is actually a PNG image file stored inside avRunner package called DownloadPict.png as shown in Figure 7.

Figure 6: Downloader’s Configuration File Reading

Figure 7: avRunner Package Contents

Basically, from Figure 6 second part, it attempts to read the last byte of the picture file which is 27h that is the starting offset where the encoded data is located. After that, it reads 27h bytes encoded data and decode it using simple decoding method. The decoding configuration data can be seen in the highlighted image in Figure 8.

  1. Decoding and retrieving the URL's variables

This configuration data will be separated by the delimiter “;”. In short the configuration data can be represented as following:
Index 0 => Installer’s file name
Index 1 => First remote server ip address
Index 2 => Second remote server ip address
Index 3 => Affiliates ID
For example, the caller function can pass argument 0 to get the installer’s file name and so forth.

Figure 8: Decoding DownloadPict Configuration File

After the download is completed, MacGuard will be launched automatically. The downloaded ZIP archive file will be removed from the local drive.

Register your copy of MacGuard

Kaspersky Lab has published a second part of Mac Protector: Register your copy now! Not surprisingly, in the latest variant, it uses the similar string retrieval method as described in Decoding and retrieving the URL's variables.

Sunday, May 15, 2011

[NEWS] Mac OSX First Ever Fake Antivirus

The first fake antivirus has been released on Mac OS X recently which is called MacDefender/MacProtector/MacSecurity.

I had a chance to come across this fake av when I did google image search a few days back. Unsurprisingly, this Mac fake av does exactly the same way as what Windows fake av did that is it also presents a fake browser page showing the user that their machine has been infected with malware.

When I did a google image search, I opened an image indexed by google in which google will redirect me to a compromised website with a "hidden" (from novice computer user point of view) javascript. After the compromised page is opened, it will immediately redirect user to another page with URL top level domain "" which is where the fake av page will be displayed.

Figure 1: Image Indexed by Google

Figure 2: Script Redirection From Compromised Site

Figure 3: Fake AV Scan Result

Immediately after the scan finished, it will prompt a dialog box to ask download and execute the file after user clicked "Remove all" button.

Figure 4: Download Fake AV File

If you are interested a get a registered version of this MacSecurity, you can visit this post from Kaspersky Lab, where you can get a list of valid license key!

Figure 5: Fake AV Scanning in Action

Now I have a registered MacProtector to clean the "detected" file  =)

Figure 6: Registered Copy of MacProtector


You can visit for the excellent research on google image SEO poisoning technical information.

Have fun!

Signing off @x9090