The current wave of Mac OS X FakeAV infection follows a three-step process. To those familiar with Windows-based FakeAV, the pattern in this infection chain is quite familiar.
- Displays a “scanning page” from poisoned Google searches
- Prompts a download of a .ZIP which contains a .PKG installer. This installer installs a downloader.
- The downloader downloads another .ZIP, this time, containing the actual FakeAV .app program
In step 2, the downloaded installer package (.pkg) contains two notable files:
- the downloader binary
- a PNG file
The downloader binary is responsible for downloading (and executing) the final FakeAV payload. Interestingly, an important part of the download URL – the IP address – is not stored within the downloader binary itself. Instead, the host IP address is stored at the end of the above PNG file.
The data appended at the end of the PNG file is encrypted by a simple cipher, the encryption key of which can be found in the downloader binary. When decrypted, the data looks like the one below:
The decrypted data reveals two sets of information:
- The IP addresses from where the final FakeAV payload can be downloaded
- Affiliate IDs
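The trick described above, hiding configuration after the end of an otherwise valid image, can be checked for without knowing the cipher: a well-formed PNG ends at the CRC of its IEND chunk, so any bytes past that point are foreign. The following is an added example written for this post, not code from the sample or from the original analysis. It walks the PNG chunk list (verifying each chunk CRC), returns whatever follows IEND, and builds a constructed 1x1 PNG with a made-up trailer to exercise the check. The trailer contents, the `build_sample_png` helper and the TEST-NET address in it are all assumptions for illustration; the real sample's appended data is encrypted and its cipher is not shown here, so this only extracts the raw trailer.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Return any bytes that follow the IEND chunk of a PNG.

    Walks the chunk list from the signature onward, validating each
    chunk's CRC. A clean PNG returns b""; a non-empty result means
    data was appended after the image, as with the FakeAV dropper's
    PNG that carries the encrypted host IP addresses.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        # The CRC covers the chunk type and payload, not the length field.
        calc_crc = zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        if stored_crc != calc_crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]                     # everything after the image
    raise ValueError("no IEND chunk found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes) -> bytes:
    """Constructed 1x1 grayscale PNG with `trailer` appended after IEND.

    This stands in for the dropper's PNG; the trailer is a placeholder,
    not the sample's real (encrypted) configuration.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"")
            + trailer)


# Constructed trailer (assumption): the real data is encrypted and its
# format is not reproduced here; 192.0.2.10 is a documentation address.
SAMPLE_TRAILER = b"host=192.0.2.10;affid=00000"


def scan(data: bytes) -> dict:
    """Summarize a PNG: whether a trailer is present and how long it is."""
    trailer = png_trailing_data(data)
    return {"has_trailer": bool(trailer), "trailer_len": len(trailer)}


if __name__ == "__main__":
    print(scan(build_sample_png(b"")))
    print(scan(build_sample_png(SAMPLE_TRAILER)))
```

Running this over the dropper's PNG would report the appended block; the same check generalizes to any file format with a definite end marker, and a non-empty trailer on an image shipped inside an installer is a cheap triage signal even before the cipher is recovered from the binary.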
With the IP address decrypted, the downloader binary assembles the download URL, which is of the form http://ip_address/mac/soft.php?affid=xxxxx, where “affid” is a number. This affiliate ID (affid) identifies the affiliate member responsible for distributing the Mac FakeAV.
The presence of the affiliate ID is disturbing. It means that there are already organized affiliate programs that target Mac OS X systems. With these affiliate programs already in place and operating, we can expect a sustained attack against Mac OS X users in the future.