We've noticed a few odd rogue security software applications recently—although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system.

There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something which only it is able to remove… for a price.

The product, which calls itself MacDefender, is being distributed in much the same format as its Windows-based cousins: through an imitation scanner interface which runs within the browser, similar to that described in this blog post. It typically depicts a Windows XP system running through an anti-malware scan, however there have been reports of one that impersonates the Mac OS X finder. Malware is delivered to the user irrespective of whether they click through the UI, or click on the fake Cancel button. This distribution component reads the client's useragent in order to discern the operating system, and then serves up a malicious application designed for that operating system (that is, if you're running on Windows, the site will serve up Win32/Winwebsec, but if you're on a Mac you'll get MacOS_X/FakeMacdef).

Some Mac users have reported that the malware is automatically being downloaded and started when they land on the imitation scanner pages. This may be related to Safari's "open safe files", which we recommend you disable (click on the link for more information).  

Upon closer examination, we found more connections between FakeMacdef and Winwebsec. The best example is that the URL format that FakeMacdef uses to call home is almost identical to that which we see in Winwebsec:

  • WinWebSec - http://x.x.x.x/i.php?affid=xxxxx&data=x&v=x
  • FakeMacdef - http://x.x.x.x/i.php?v=x&affid=xxxxx&data=x

The purchase pages are also similar:

  • Winwebsec - http://x.x.x.x/buy.php?affid=xxxxx&data=x&v=x
  • FakeMacdef - http://x.x.x.x/mac.php?v=x&affid=xxxxx&data=x

In addition to using similar UIs, we noticed that they even share the same payment gateway (this is the site where users are duped into giving the criminals their credit card information). Simply changing the file name from "buy.php" to "mac.php" causes the 'branding' to change from the Windows version to the Mac version:

Mac Defender:

Winwebsec:

In contrast to its Windows-based cousin, FakeMacdef loads adult-oriented or pharmaceutical websites at random intervals. However, upon closer examination, we did not determine that these links were affiliated with the malware threat. Instead, we suspect that this may be a trick to try and convince users that they are truly infected with some malware, and that FakeMacdef may be able to help them rid their computer of it.

We also noticed that FakeMacdef contains most of its resources in a directory named "ru.lproj", as opposed to "en.lproj"- this strengthens our suspicion that the developer may be Russian.

Thus far this month, we've seen three distinct 'branding' flavors of this threat:

  • Mac Defender
  • Mac Protector
  • Mac Security

There are several ways that we are able to block and remove it, for example if we see it on a shared drive, or if you're using the Forefront Threat Management Gateway we'll block the ability for users to download it through the web proxy server. Bing will try to block search results which link to it, and we'll prevent it from being distributed through Windows Live Hotmail and some of our other web properties. If you run a Macintosh computer, we highly recommend that you find and install an anti-malware solution from a trustworthy vendor.

-- Hamish O'Dea & Tareq Saade