x9090's Blog

MacGuard Downloader for MacDefender/MacProtector/MacSecurity

2011-06-02T23:55:00.002+08:00

The evolution of MacDefender is out of expectation. Mac rogue antivirus has evolved rapidly until the latest variant MacGuard which does not require administrator password during installation. See MacGuard in action in below screenshots:

Figure 1: MacGuard is downloading

Figure 2: MacGuard installation

Analysis of MacGuard Downloader

Identifying malicious URL

When avRunner is executing, __DownloadWinCtrl_startDownloadingURL__ handler will be executed to start the download routine. Basically, the downloader will first obtain the variables like:

The downloaded fake av archive installer’s name
The remote server where it hosts the fake av archive installer
Affiliates ID used by the server script

These variables can be obtained through __ZL14getConfigParami.

After the variables are obtained, a complete URL is formed which is the remote server address that stores the fake av archive installer. The URL format:

http://[remote_server_ip]/mac/soft.php?affid=[id]

Figure 3: Start Downloading Mac Fake AV Installer

Identifying where the downloaded component will be stored

If the URL is valid and the Objective-C NSURLDownload returns a valid object, it will continue to call local function __ZL21getDownloadedFilePathv to get the local folder directory to store the downloaded file.

Figure 4: Save the Downloaded File to Local Drive

Within the __ZL21getDownloaderFilePathv, it calls __ZL14getConfigParami again to get the downloaded installer’s name. We will look at that function in the next part. The file will be downloaded to “/Application/[installer_name].app.zip”

Figure 5: Get the Downloaded File Path

Identifying the remote server URL

As the name implied, __Zl14getConfigParami will read the configuration file and return the desired result, according to the argument passed by the caller, to the caller function.

The configuration file is actually a PNG image file stored inside avRunner package called DownloadPict.png as shown in Figure 7.

Figure 6: Downloader’s Configuration File Reading

Figure 7: avRunner Package Contents

Basically, from Figure 6 second part, it attempts to read the last byte of the picture file which is 27h that is the starting offset where the encoded data is located. After that, it reads 27h bytes encoded data and decode it using simple decoding method. The decoding configuration data can be seen in the highlighted image in Figure 8.

Decoding and retrieving the URL's variables

This configuration data will be separated by the delimiter “;”. In short the configuration data can be represented as following:

Index 0 => Installer’s file name

Index 1 => First remote server ip address

Index 2 => Second remote server ip address

Index 3 => Affiliates ID

For example, the caller function can pass argument 0 to get the installer’s file name and so forth.

Figure 8: Decoding DownloadPict Configuration File

After the download is completed, MacGuard will be launched automatically. The downloaded ZIP archive file will be removed from the local drive.

Register your copy of MacGuard

Kaspersky Lab has published a second part of Mac Protector: Register your copy now! Not surprisingly, in the latest variant, it uses the similar string retrieval method as described in Decoding and retrieving the URL's variables.

[NEWS] Mac OSX First Ever Fake Antivirus

2011-05-15T15:28:00.002+08:00

The first fake antivirus has been released on Mac OS X recently which is called MacDefender/MacProtector/MacSecurity.

I had a chance to come across this fake av when I did google image search a few days back. Unsurprisingly, this Mac fake av does exactly the same way as what Windows fake av did that is it also presents a fake browser page showing the user that their machine has been infected with malware.

When I did a google image search, I opened an image indexed by google in which google will redirect me to a compromised website with a "hidden" (from novice computer user point of view) javascript. After the compromised page is opened, it will immediately redirect user to another page with URL top level domain "cz.cc" which is where the fake av page will be displayed.

Figure 1: Image Indexed by Google

Figure 2: Script Redirection From Compromised Site

Figure 3: Fake AV Scan Result

Immediately after the scan finished, it will prompt a dialog box to ask download and execute the file after user clicked "Remove all" button.

Figure 4: Download Fake AV File

If you are interested a get a registered version of this MacSecurity, you can visit this post from Kaspersky Lab, http://www.securelist.com/en/blog/11252/Mac_Protector_Register_your_copy_now where you can get a list of valid license key!

Figure 5: Fake AV Scanning in Action

Now I have a registered MacProtector to clean the "detected" file =)

Figure 6: Registered Copy of MacProtector

Reference

You can visit http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/ for the excellent research on google image SEO poisoning technical information.

Have fun!

Signing off @x9090

My PC Was Stoned by Ransom Seftad

2010-12-04T16:53:00.002+08:00

If you are so unlucky to be one of the victims of Seftad MBR ransomware, do not worry, this MBR infector does not work as what it claims. That is it does not encrypt you hard drive at all but it merely infects your hard disk drive MBR:

Original Clean MBR

Seftad infected MBR

Basically, it replaces the original MBR with the malicious one that is 3 sectors length. The original MBR will be stored at the 4th sector which is offset 0x800.

The password that user entered will be calculated as a word hash value and it can be found here:

The address 7FFA refers to the real-mode address in boot sector and the password is actually located at offset 0x5FA:

which is 0x3c01.

Nevertheless, this MBR infection can be easily solved by using Windows Recovery Console > 'Fixmbr'.

Signing off @x9090