Archive

Posts Tagged ‘mac threats’

Virus Bulletin 2011

It’s 5:15 AM here in Barcelona and the second day of the conference. For the past three years, I’ve been given an opportunity to present and discuss topics relating to malware or threats on Macs. At the same time, attending the VB conference allows you to meet, learn from and discuss with fellow researchers sharing the same interest.

I have 30 min. (11:20 – 11:50 am) this morning to discuss an interesting topic: Cyber attacks: how are Mac OS X and iOS users playing the role? The presentation is divided into two subtopics; I’ll first discuss Apple security defences and the financially motivated threats, then a topic that is complex because it goes beyond malware. However, in this forum, I’d like to draw attention to and bring awareness of this subject.

A cyberattack, in this sense, is a form of threat motivated by ideals and beliefs, often responding to social and economic issues, in which people voluntarily participate and take action in response to an open call. Devices, systems and applications act as tools and weapons that aid in accomplishing a task or mission. Contrary to the common belief, threats are not platform specific and do not simply target the biggest market share. Attacks and threats today target users’ data, the information space and users’ identity, and this occurs regardless of the platform.

On a sad note, I would like to extend my deepest condolences and sympathy for a man of great spirit and high vision; his death is a great loss and his absence will surely be felt.

A Deeper Look On MacSweeper

Do you think MacSweeper is not a rogue application? OK, let’s take a deeper look and see what it does.

::::::::::::
File Size
::::::::::::

MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes)
MacSweeper.app 2.6 MB (2,563,303 bytes)

:::::::::::::::::
Installation
:::::::::::::::::

Like other rogue applications, MacSweeper uses deceptive sales and marketing techniques to get onto users’ systems. It does not have the capability to propagate or spread by itself; instead it arrives through an ad that redirects users to this bogus web page.

Behind this page are a SWF Flash file and JavaScript that record the traffic and clicks.

After a fake display of a scanning process, the bogus website displays an Alert box.

The “Ignore” and “Remove” buttons are useless, since the page continues to display another message box; this time the user has no other option but to click “OK”. Check the screenshot here.

Clicking “OK” triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application, MacSweeper.app.

MacSweeper does not require the root/admin password to execute, and it remains in the Downloads folder unless the user manually drags it to another location.

::::::::::::::
Network
::::::::::::::

Lookup information for http://www.macsweeper.com:

http://www.macsweeper.com.    A    217.20.175.39
ns1.vici.au                   NS   217.20.175.157
ns2.vici.au                   NS   217.20.182.29
alt1.aspmx.l.google.com       MX   209.85.147.27
alt2.aspmx.l.google.com       MX   64.233.185.27
aspmx.l.google.com            MX   66.249.93.27

The screenshot shows that MacSweeper.com, Cleanator.com, Clenator.com and Kivvisoftware.com share the same name server IP address.

Cleanator is a rogue application that runs on the Windows platform.

:::::::::::::::::::::::::::::::
Behaviour & Analysis
:::::::::::::::::::::::::::::::

Most of the files inside MacSweeper.app are image files (in PNG format). Let’s check the other files …

PkgInfo contains the string “APPL????”.

Database.plist contains 6390 cookie entries that look like this:

Cookie
YMR6LmFmdGVyZGF3bi5uZXQ

TODO.txt contains a list of things to do, including its current limitations, bugs and features. An interesting item from this text file is this:

“18. When update in process arert of new version can come, and fuck everithing”

You may check the complete list here.

Info.plist contains the following strings:

Identifier: com.KIVViSoftware.MacSweeper
Package Type: APPL
Executable: MacSweeper

The file MacSweeper inside the MacOS folder is a binary in universal (fat) binary format, which means it can run on both PPC and x86.

From the screenshot above, you would think that this application has scanned your system for unwanted files. However, in the background, MacSweeper executes the following shell commands (the %@ placeholders are Objective-C format specifiers that the application fills in at runtime, here with the path to scan and the architecture to keep):

# list every non-empty regular file under the chosen directory
find "%@" ! -empty -and -type f > /private/tmp/com.MacSweeper.found.tmp;
# keep only the files that file(1) identifies as universal (fat) binaries, stripping the type description
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;
exit;

# "cleaning": strip a universal binary down to a single architecture and overwrite the original in place
lipo "%@" -thin %@ -output "%@.lipo" && mv -f "%@.lipo" "%@";

During the scanning process, it drops the following temporary files:

/private/tmp/com.MacSweeper.found.tmp
/private/tmp/com.MacSweeper.found2.tmp

It then uses these files to display the scan result. This application does not scan for unwanted files; instead it gives you a list of legitimate files (the universal binaries) installed on your system.
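To show concretely what the find / file / lipo pipeline above selects and then modifies, here is an added example in Python; it is not MacSweeper’s code and not from the original post. It parses the fat header that file(1) reports as “universal binary” and performs the same slice-dropping that lipo -thin does, on a constructed two-slice sample (the CPU type constants are the standard Mach-O values; the sample slices carry only a magic number, not real code).

```python
import struct

FAT_MAGIC = 0xCAFEBABE     # big-endian magic that opens a universal (fat) Mach-O file
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O magic at the start of each embedded slice
CPU_TYPE_X86 = 7           # CPU_TYPE_I386 from <mach/machine.h>
CPU_TYPE_POWERPC = 18      # CPU_TYPE_POWERPC from <mach/machine.h>
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_POWERPC: "ppc"}

def fat_arches(data):
    """Return [(arch, offset, size)] for a universal binary, or [] for anything else.
    This is what `file ... | grep 'universal binary'` selects in the rogue's pipeline."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    if not 0 < nfat < 30:   # Java class files share this magic; an implausible count is not a fat file
        return []
    arches = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (five big-endian uint32)
        cputype, _sub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        arches.append((CPU_NAMES.get(cputype, hex(cputype)), off, size))
    return arches

def is_universal(data):
    return len(fat_arches(data)) > 1

def thin(data, arch):
    """Keep only the `arch` slice, as `lipo -thin` does. Every other slice is discarded,
    so the result is no longer universal and the dropped architecture cannot be recovered."""
    for name, off, size in fat_arches(data):
        if name == arch:
            return data[off:off + size]
    raise ValueError("no %s slice present" % arch)

def build_sample_fat():
    """Constructed two-slice universal binary for the demo (slices are not real code)."""
    ppc = struct.pack(">I", MH_MAGIC) + b"ppc-slice"    # PPC slice is big-endian
    x86 = struct.pack("<I", MH_MAGIC) + b"x86-slice"    # x86 slice is little-endian
    off_ppc, off_x86 = 4096, 8192                        # lipo page-aligns slices
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">5I", CPU_TYPE_POWERPC, 0, off_ppc, len(ppc), 12)
    fat += struct.pack(">5I", CPU_TYPE_X86, 3, off_x86, len(x86), 12)
    fat = fat.ljust(off_ppc, b"\0") + ppc
    return fat.ljust(off_x86, b"\0") + x86

if __name__ == "__main__":
    sample = build_sample_fat()
    print("universal:", is_universal(sample), fat_arches(sample))
    print("after lipo-style thinning:", len(sample), "->", len(thin(sample, "i386")), "bytes")
```

Run against a real directory, fat_arches() reproduces the rogue’s “found” list, which is nothing but the legitimate universal binaries present; thin() shows why its “cleaning” is a destructive change to those files rather than a removal of anything unwanted.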

And it does not end here: a few minutes after displaying the scan result, it displays a nagging screen as shown below:

What! A privacy violation involving your own legitimate files? That is absolutely not right.

From the code, this application unlocks more features and displays the message below once the user inputs a valid serial code.

Thank You! You made me a bit hapier 🙂

Definitely, this application is not just rogue but also junkware.