Thursday, June 2, 2011

MacGuard Downloader for MacDefender/MacProtector/MacSecurity

The evolution of MacDefender has outpaced expectations. The Mac rogue antivirus family has evolved rapidly, culminating in the latest variant, MacGuard, which no longer requires the administrator password during installation. See MacGuard in action in the screenshots below:

Figure 1: MacGuard is downloading 

Figure 2: MacGuard installation

Analysis of MacGuard Downloader

  1. Identifying the malicious URL
When avRunner runs, the __DownloadWinCtrl_startDownloadingURL__ handler is executed to start the download routine. The downloader first obtains the following variables:

  • The downloaded fake AV archive installer’s name
  • The remote server that hosts the fake AV archive installer
  • The affiliate ID used by the server-side script
These variables are obtained through __ZL14getConfigParami.
Once the variables are obtained, a complete URL is formed pointing to the remote server that stores the fake AV archive installer. The URL format: 


Figure 3: Start Downloading Mac Fake AV Installer

  2. Identifying where the downloaded component will be stored

If the URL is valid and the Objective-C NSURLDownload call returns a valid object, the downloader continues by calling the local function __ZL21getDownloadedFilePathv to get the local folder in which the downloaded file will be stored.
Figure 4: Save the Downloaded File to Local Drive

Within __ZL21getDownloadedFilePathv, it calls __ZL14getConfigParami again to get the downloaded installer’s name. We will look at that function in the next part. The file is downloaded to “/Application/[installer_name]”.
Figure 5: Get the Downloaded File Path

  3. Identifying the remote server URL

As the name implies, __ZL14getConfigParami reads the configuration file and returns the desired value to the caller, selected by the argument the caller passes.
The configuration file is actually a PNG image file, DownloadPict.png, stored inside the avRunner package as shown in Figure 7.

Figure 6: Downloader’s Configuration File Reading

Figure 7: avRunner Package Contents

As shown in the second part of Figure 6, the function reads the last byte of the picture file, which is 27h; this value is the starting offset where the encoded data is located. It then reads 27h bytes of encoded data and decodes them using a simple decoding routine. The decoded configuration data can be seen highlighted in Figure 8.

  4. Decoding and retrieving the URL's variables

The decoded configuration data is separated by the delimiter “;”. In short, the configuration data can be represented as follows:
  • Index 0 => Installer’s file name
  • Index 1 => First remote server IP address
  • Index 2 => Second remote server IP address
  • Index 3 => Affiliate ID
For example, the caller function passes argument 0 to get the installer’s file name, and so forth.

Figure 8: Decoding DownloadPict Configuration File
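The trailer layout described in parts 3 and 4 (last byte gives the size of the encoded blob, blob decoded and split on “;”, fields addressed by index) is easy to recover from a sample and easy to check for. The following is an added example, not code from the post or from the malware: it builds a constructed 1x1 PNG with a config trailer appended, flags the bytes that sit after the IEND chunk (a well-formed PNG has none), and implements a getConfigParam-style lookup. The real decoding routine is not given in the post, so a single-byte XOR stands in for it; the offset is assumed to count back from the end of the file.

```python
import struct
import zlib

# Stand-in for the post's unspecified "simple decoding method" (assumption:
# single-byte XOR). The real MacGuard scheme is not given in the write-up.
XOR_KEY = 0x5A

FIELD_NAMES = ["installer_name", "server_1", "server_2", "affiliate_id"]

def decode_bytes(buf: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in buf)

def png_end_offset(png: bytes) -> int:
    """Offset just past the IEND chunk; a well-formed PNG ends exactly here."""
    i = png.find(b"IEND")
    if not png.startswith(b"\x89PNG\r\n\x1a\n") or i < 0:
        raise ValueError("not a PNG")
    return i + 4 + 4          # chunk type (4 bytes) + CRC (4 bytes)

def trailing_bytes(png: bytes) -> int:
    """Bytes appended after IEND: a non-zero count is the anomaly to alert on."""
    return len(png) - png_end_offset(png)

def extract_config(png: bytes) -> dict:
    """Last byte = size of the encoded blob immediately before it (assumption:
    offset counted back from EOF); decode, then split on ';'."""
    n = png[-1]
    if n == 0 or n + 1 > trailing_bytes(png):
        raise ValueError("no config trailer after IEND")
    fields = decode_bytes(png[-1 - n:-1]).decode("ascii").split(";")
    return dict(zip(FIELD_NAMES, fields))

def get_config_param(png: bytes, index: int) -> str:
    """Mirrors the index-based lookup of __ZL14getConfigParami."""
    return extract_config(png)[FIELD_NAMES[index]]

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample(config: str) -> bytes:
    """Constructed 1x1 PNG with an encoded config trailer appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"")
    enc = decode_bytes(config.encode("ascii"))   # XOR is symmetric
    return png + enc + bytes([len(enc)])

# Constructed sample values (documentation addresses, made-up affiliate ID).
SAMPLE = build_sample("MacGuard.zip;203.0.113.10;203.0.113.11;1234")

if __name__ == "__main__":
    print(trailing_bytes(SAMPLE), extract_config(SAMPLE))
```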

After the download is completed, MacGuard will be launched automatically. The downloaded ZIP archive file will be removed from the local drive.

Register your copy of MacGuard

Kaspersky Lab has published a second part, Mac Protector: Register your copy now! Not surprisingly, the latest variant uses a string retrieval method similar to the one described in Decoding and retrieving the URL's variables.


Anonymous said...

What about the other set of encrypted code in the file downloadPict.png? I noticed that there are actually 2 sets of appname,remote server,and affiliates ID. Will it be used by the malware as well?

x9090 said...

At the time of analysis, the other set of decoded URLs did not lead the browser to the fake AV page (at least in the variant that I analyzed), and which set is used can be defined by the author through the program/code easily.

I believe this is done purposely so that the author can update the "configuration" file (downloadPict.png) and the new variants easily in the future.