
Further analysis of MacProtector

Published May 10th, 2011 at 8:53 PM EDT , modified March 12th, 2013 at 7:52 PM EDT

There have been reports circulating that MacDefender/MacSecurity/MacProtector may be doing nasty things like scanning the hard drive and sending data home.  If that is true, it would be a considerably more serious problem.  The behavior documented to date is less dangerous because it is entirely under your control: you choose whether to proceed with the installation, and you choose whether to enter a credit card number.  Many people have accepted the installation but balked at the credit card, and that would only be a problem if the trojan were doing other things behind the scenes.  So, are these rumors true?  Here is what I found.

Over the last few days, in my spare time, I’ve been preparing an external drive, connected to my MacBook Pro, with two partitions.  On the first, called “Test System”, I installed a squeaky-clean version of Mac OS X (version 10.6.3).  I booted from this system and installed a copy of Little Snitch.  Next, I rebooted from my MacBook Pro’s internal drive and used Carbon Copy Cloner to duplicate “Test System” onto the second partition, “Backup System”.  At this point, I had two partitions on the external drive with identical systems.

Next, I copied a MacProtector installer onto the desktop of the test user on the “Test System” partition and rebooted from that partition.  I opened the installer, let it go through the install process, entered my admin password, and had MacProtector start up.  Almost immediately after it started up I got the following alert from Little Snitch:

I selected Once and clicked Allow.  I don’t know what data was sent; perhaps someone experienced with packet sniffing could test and let us know. (Edit: I took a shot at collecting the data in Wireshark, and the relevant packets can be seen here. None of it looks particularly disturbing to me, but I’m far from an expert at network packet analysis. Note that the IP address involved is registered to a company in Monte Carlo, Monaco.)  In any case, there certainly had not been enough time for any real scan of the drive to take place, so I’m not too concerned about what that first connection might have carried.

I allowed MacProtector to run for a while, and it did not try to make any other connections until I, just for the heck of it, clicked the Register button.  At that point it made three successive connections to a different IP address from the one used for the initial connection.

After letting it run for a little while longer, during which time I never saw any serious disk activity in Activity Monitor, I finally shut down and restarted from my normal system.  I then opened the Terminal and used the Unix utility “diff” to compare “Test System” to the reference system I had made on “Backup System”.  The results can be found here, in somewhat trimmed-down form: I removed a lot of differences that had nothing to do with MacProtector and were caused simply by booting and running the system on “Test System”, such as log files, caches, and preference files.  In all honesty, I had no idea what some of the entries I left in were.

Of particular interest are the following entries:

Only in /Volumes/Test System/Applications: MacProtector.app
Only in /Volumes/Test System/Library/Receipts: macProtectorInstallerProgramPostflight.pkg
Only in /Volumes/Test System/Library/Receipts: macprotector.pkg
Only in /Volumes/Test System/Users/test/Library/Caches: com.aple.sv
Only in /Volumes/Test System/Users/test/Library/Preferences: com.aple.sv.plist
Only in /Volumes/Test System/Users/test: dmem.txt
Only in /Volumes/Test System/Users/test: proc.txt

Everything in this list except the app itself is fairly innocent: two installer receipts, a cache folder, a preferences file, and two text files.  None of these things are remotely dangerous.  If you want to remove them you can, but it shouldn’t be necessary to hunt them down.
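The clone-and-diff comparison described above is easy to script. The shell script below is an added example and is not code from the original post. It assumes both volumes are mounted and readable, that neither mount path contains a `#` character (used as the sed delimiter) or is a prefix of the other, and the noise rules in filter_noise are my own heuristics for the logs, caches and Apple preference files that change merely from booting the test system.

```shell
#!/bin/sh
# Added example: compare a booted "Test System" tree against its untouched
# "Backup System" clone and drop differences that normal use creates.
# Usage: sh audit_trees.sh /Volumes/Backup\ System /Volumes/Test\ System

# Raw comparison. Root paths are rewritten to the labels CLEAN and TEST so
# the filters below can match paths as they appear on the booted system
# rather than on whatever the volumes happen to be mounted as.
# diff -rq exits 1 whenever the trees differ, which is the expected result
# here rather than an error, so its status is ignored. stderr is left
# alone on purpose: "Permission denied" means a blind spot in the audit.
compare_trees() {
    clean_root=$1
    test_root=$2
    diff -rq "$clean_root" "$test_root" \
        | sed -e "s#$clean_root#CLEAN#g" -e "s#$test_root#TEST#g" \
        || true
}

# Heuristic noise filter (assumption): state that booting and using the
# system changes on its own. Anything not matched is left for a human.
# Note the filter trusts names: only genuine-looking com.apple.* entries
# in Caches and Preferences are dropped, so a misspelt bundle id such as
# the page's com.aple.sv survives, while a dropper that called itself
# com.apple.anything would be hidden. Check the bundle, not the name.
filter_noise() {
    grep -v -E \
        -e '/Library/Logs(/|:)' \
        -e '/private/var/(log|vm|folders|tmp)(/|:)' \
        -e '/private/tmp(/|:)' \
        -e '/Library/(Caches|Preferences)(/|: )com\.apple\.' \
        -e '\.DS_Store$' \
        -e '(/|: )\.(Spotlight-V100|fseventsd|Trashes)(/|:|$)' \
        || true
}

# Full audit: raw diff with the noise removed.
audit_trees() {
    compare_trees "$1" "$2" | filter_noise
}

if [ "$#" -eq 2 ]; then
    audit_trees "$1" "$2"
fi
```

Because diff -q does not descend into a directory that exists on only one side, a new bundle such as MacProtector.app shows up as a single "Only in" line; list its contents separately (for example with ls -lR) to see what the installer actually put there. A file that exists in both trees but changed, such as /etc/hosts, is reported as "Files CLEAN/... and TEST/... differ", which is the line type worth reading most carefully.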

The dmem.txt and proc.txt files are interesting.  I’m assuming they are MacProtector files, as they contain information that looks like it would have been created by the System Info pane in MacProtector (which looks a bit like Activity Monitor, but does not appear to be functional).  The contents of dmem.txt are:

Filesystem 1G-blocks Used Available Capacity Mounted on
/dev/disk1s2|27|10|17|37%|/

The contents of proc.txt start like this:

PID COMM
1|/sbin/launchd
10|/usr/libexec/kextd
11|/usr/sbin/notifyd
12|/usr/sbin/diskarbitrationd
13|/usr/libexec/configd
14|/usr/sbin/syslogd
15|/usr/sbin/DirectoryService
[...snip...]

The list continues, looking much like a list of all processes in Activity Monitor. Compare to a screenshot of the System Info panel in MacProtector:

In all, nothing that I’ve seen makes me concerned that this trojan does anything other than try to convince you to give them your credit card number.  Although there is always the possibility that it sneaked something past me, I don’t think that’s likely.  There is always the danger of someone creating a more dangerous variant of this trojan in the future, but at this time it is my opinion that you’re still safe as long as you don’t give them your credit card number and delete MacDefender/MacSecurity/MacProtector according to my instructions.  If anyone else has more details to contribute, please feel free to share!


3 Comments

  • Al Varnell says:

    The proc.txt file looks like an output file of the Terminal command ps -ax with some formatting tweaks.

    The dmem.txt file looks like the output file of the Terminal command df.

  • Tommy says:

    Hey Thomas. My wife downloaded Macprotector, gave her password and CC #. I deleted it according to your instructions, thanks. I also called the CC company and had the charge removed and new cards sent out. However I wanted to know if you think it could have taken any other personal info? Do you recommend downloading personal files to an external drive and reinstalling everything?

    • Thomas says:

      I do not believe that any other personal information was taken, though I cannot be sure of that. Keep in mind that these folks want money, though, and they already had your credit card number, so there was no need to look for anything else. As to reinstalling, as far as I have been able to determine, there’s no need to do that. If you want to feel more secure, get one of the anti-virus programs I recommended in a previous comment and do a scan.

      Edit: That previous comment was on a different post! See Identifying and removing MacDefender trojans. Sorry about that!
