Sunday, May 15, 2011

[NEWS] Mac OSX First Ever Fake Antivirus

The first fake antivirus for Mac OS X has recently been released. It goes by the names MacDefender, MacProtector and MacSecurity.

I came across this fake AV when I did a Google image search a few days back. Unsurprisingly, this Mac fake AV works exactly the same way as Windows fake AV does: it presents a fake browser page telling the user that their machine has been infected with malware.

When I did a Google image search, I opened an image indexed by Google, and Google redirected me to a compromised website containing a "hidden" (from a novice computer user's point of view) JavaScript. After the compromised page is opened, it immediately redirects the user to another page with a URL under the "cz.cc" domain, which is where the fake AV page is displayed.
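The redirect chain described above (Google Images click, compromised landing page, immediate hop to a "cz.cc" host) can be hunted for in web proxy logs. The following is an added example, not part of the original post; the log format, the host names, the 10-second window and the `/imgres` referrer check are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the post): time, client, URL, Referer.
SAMPLE_LOG = """\
2011-05-12T10:00:01 10.0.0.5 http://compromised.example/gallery/cat.html http://www.google.com/imgres?imgurl=http://compromised.example/cat.jpg
2011-05-12T10:00:03 10.0.0.5 http://scan-placeholder.cz.cc/index.php http://compromised.example/gallery/cat.html
2011-05-12T10:05:00 10.0.0.7 http://photos.example/dog.html http://www.google.com/imgres?imgurl=http://photos.example/dog.jpg
2011-05-12T10:05:02 10.0.0.7 http://photos.example/style.css http://photos.example/dog.html
2011-05-12T10:09:00 10.0.0.9 http://forum-placeholder.cz.cc/ -
"""

WINDOW = timedelta(seconds=10)  # assumed: the post says the redirect is immediate
SUSPECT_SUFFIX = ".cz.cc"       # domain named in the post

def host(url):
    """Lower-cased hostname of a URL, or '' when there is none (e.g. '-')."""
    return (urlsplit(url).hostname or "").lower()

def from_google_images(referer):
    """True when the Referer looks like a Google image result click-through."""
    parts = urlsplit(referer)
    h = (parts.hostname or "").lower()
    return h.startswith(("www.google.", "images.google.")) and parts.path.startswith("/imgres")

def find_chains(log_text):
    """Return (client, landing_host, suspect_host) for each matching chain."""
    landings = {}  # client -> (time, host) of the last Google Images landing
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split()
        when, target = datetime.fromisoformat(ts), host(url)
        if from_google_images(referer):
            landings[client] = (when, target)
            continue
        seen = landings.get(client)
        # Flag only when the suspect request was referred by the landing page
        # itself and followed it within the time window.
        if (seen and target.endswith(SUSPECT_SUFFIX)
                and host(referer) == seen[1] and when - seen[0] <= WINDOW):
            hits.append((client, seen[1], target))
    return hits

if __name__ == "__main__":
    for client, landing, dest in find_chains(SAMPLE_LOG):
        print(f"{client}: Google Images -> {landing} -> {dest}")
```

The direct visit to a "cz.cc" host with no referrer and the ordinary image click that stays on its own site are both left unflagged, so only the full chain is reported.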

Figure 1: Image Indexed by Google


Figure 2: Script Redirection From Compromised Site


Figure 3: Fake AV Scan Result

Immediately after the scan finishes, a dialog box prompts the user to download and execute the file once the "Remove all" button is clicked.

Figure 4: Download Fake AV File


If you are interested in getting a registered version of this MacSecurity, you can visit this post from Kaspersky Lab, http://www.securelist.com/en/blog/11252/Mac_Protector_Register_your_copy_now, where you can get a list of valid license keys!

Figure 5: Fake AV Scanning in Action

Now I have a registered MacProtector to clean the "detected" file =)

Figure 6: Registered Copy of MacProtector

Reference


You can visit http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/ for excellent research and technical information on Google image SEO poisoning.

Have fun!

Signing off @x9090