The Latest in IT Security

Obfuscated IP addresses and Affiliate IDs in Mac FakeAV

10
Jun
2011

The current wave of Mac OS X FakeAV infection follows a three-step process. To those familiar with Windows-based FakeAV, the pattern in this infection chain is quite familiar.

  1. Displays a “scanning page” from poisoned Google searches
  2. Prompts a download of a .ZIP which contains a .PKG installer. This installer installs a downloader.
  3. The downloader downloads another .ZIP, this time, containing the actual FakeAV .app program

In step 2, the downloaded installer package (.pkg) contains two notable files:

  • the downloader binary
  • a PNG file

The downloader binary is responsible for downloading (and executing) the final FakeAV payload. Interestingly, an important part of the download URL – the IP address – is stored not within the downloader binary. Instead, the host IP address is stored at the end of the above PNG file.

The data appended at the end of the PNG file is encrypted by a simple cipher, the encryption key of which can be found in the downloader binary. When decrypted, the data looks like the one below:

The decrypted data reveals two sets of information:

  1. The IP addresses from where the final FakeAV payload can be downloaded
  2. Affiliate IDs

With the IP address decrypted, the downloader binary assembles the download URL, which is of the form: http://ip_address/mac/soft.php?affid=xxxxx

Where “affid” is a number. This affiliate ID (affid) denotes the ID of the affiliate member, who is responsible for the distribution of the Mac FakeAV.

The presence of the affiliate ID is disturbing. This means that there are already organized affiliate programs that target Mac OS X systems. With these affiliate programs targeting Macs already in place, and already in operation, we could expect a sustained attack against Mac OSX users in the future.

Leave a reply


Categories

WEDNESDAY, JANUARY 22, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments