Archive for January, 2008

Phishing Facebook Still Up!

Beware! A phishing attack against Facebook has been luring users for days now, and the site is still online.


This fake website aims to steal your log-in credentials, giving the attacker access to your account. Victims are not taken to their account after entering their details; instead, once the credentials have been captured, the page redirects to the legitimate log-in at https://www.facebook.com/login.php.

This was first blogged by Scot Fish.

Impersonating Mac Browser

As I mentioned in the last post, Zlob fake codec sites are smart enough to know whether you are running Windows or Mac. If you are an analyst or researcher and want to download the DMG file, you cannot simply modify the URL or force the browser to download it. You can change the file extension, but the downloaded file will still contain the MZ header, which means it is a Windows executable.

To understand how this happens, let's capture the HTTP request with Ethereal and check the data.

The browser sends a User-Agent header to the requested page, and this provides information such as the application name, compatibility, platform and version, accepted language, and the user's web browser.

So now you can figure out why.

If you are running Windows and want to download the Zlob fake codec for Macintosh, you can simply send a fake User-Agent header. This means you are sending a hand-crafted HTTP request to the server; this is impersonating the Mac browser.

There are many tools that can help with this job; a few names are curl, Fiddler and Malzilla, the latter known as a malware website hunting tool.

The screenshot below shows how Malzilla downloads the DMG file on Windows.
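As an added example (not code from the original post), here is the same idea as a small analyst script: it builds the request with a Mac User-Agent and then checks what the server actually returned by its bytes rather than its file extension, so a served Windows executable (MZ header) is not mistaken for a DMG. The User-Agent string and the URL are constructed placeholders, and the fetch itself is only performed when you call it.

```python
"""Request a fake codec sample as a Mac browser would, then verify the payload type."""
import urllib.request

# Safari-on-Mac User-Agent of the era; constructed sample value, not from the post.
MAC_USER_AGENT = (
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5; en-US) "
    "AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13"
)


def build_mac_request(url: str) -> urllib.request.Request:
    """Build an HTTP request that presents itself as a Mac browser.

    The server picks its payload from these headers, so this is what makes it
    hand out the DMG instead of the Windows EXE.
    """
    headers = {"User-Agent": MAC_USER_AGENT, "Accept-Language": "en-US,en"}
    return urllib.request.Request(url, headers=headers)


def classify_payload(data: bytes) -> str:
    """Identify a downloaded sample from its bytes, ignoring the file extension."""
    if data[:2] == b"MZ":
        return "windows-pe"  # the MZ header the post mentions: a Windows executable
    # A DMG (UDIF) image carries a 512-byte trailer that starts with 'koly'
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "mac-dmg"
    return "unknown"


def fetch_and_classify(url: str, timeout: int = 30) -> tuple[str, bytes]:
    """Fetch the URL as a Mac browser and return (payload type, raw bytes).

    Run this only inside an isolated analysis environment; it talks to the
    malicious site directly.
    """
    with urllib.request.urlopen(build_mac_request(url), timeout=timeout) as resp:
        data = resp.read()
    return classify_payload(data), data


if __name__ == "__main__":
    # Placeholder URL; replace with the fake codec link under analysis.
    kind, blob = fetch_and_classify("http://example.invalid/codec.dmg")
    print(f"served {kind}, {len(blob)} bytes")
```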

Categories: Malwares

Warning! Spyware Found


This is an example of a rogue anti-spyware application. These are applications that use deceptive sales techniques and false positives to convince users to pay for a license. Their websites look reliable, informative and convincing, and usually claim to be one of the best security software products.

Many of these rogue application websites appear in Google search results for keywords such as IEDefender, Privacy Control, Antispy-pro, WinSpyKiller, spy-bot and the like. They may also reach users via spammed e-mails, pop-ups, banner advertisements and sometimes via other malware.

Does it work in Mac OS X? No (as of this writing). Some rogue online scanners seem to work and to catch malware on a Mac, but it is all for show: they are fakes.

These rogue applications currently support only the Windows platform (they download an EXE installer), but, as with fake codecs, we never know whether one day they will target OS X as well.

For awareness, here’s the list of rogue anti-spyware websites.

Have a Malware free day and Happy New Year!