Further analysis of MacProtector
Published May 10th, 2011 at 8:53 PM EDT , modified March 12th, 2013 at 7:52 PM EDT
There have been reports circulating that MacDefender/MacSecurity/MacProtector may be doing nasty things like scanning the hard drive and sending data home. If this is true, it would be a more serious problem. The behavior that has been documented to date is less dangerous because it is entirely under your control. You choose whether to proceed with the installation, and you choose whether to give a credit card number. Many people have accepted the installation, but balked at the credit card… but that could be a problem if the trojan is doing other things behind the scenes. So, are these rumors true? Here’s what I found.
Over the last few days, in my spare time, I’ve been preparing an external drive, connected to my MacBook Pro, with two partitions. On the first, called “Test System”, I installed a squeaky-clean version of Mac OS X (version 10.6.3). I booted from this system and installed a copy of Little Snitch. Next, I rebooted from my MacBook Pro’s internal drive and used Carbon Copy Cloner to duplicate “Test System” onto the second partition, “Backup System”. At this point, I had two partitions on the external drive with identical systems.
Next, I copied a MacProtector installer onto the desktop of the test user on the “Test System” partition and rebooted from that partition. I opened the installer, let it go through the install process, entered my admin password, and had MacProtector start up. Almost immediately after it started up I got the following alert from Little Snitch:
I selected Once and clicked Allow. I don’t know what data was sent; perhaps someone experienced with packet sniffing could test and let us know. (Edit: I took a shot at collecting the data in Wireshark, and the relevant packets can be seen here. None of it looks particularly disturbing to me, but I’m far from an expert at network packet analysis. Note that the IP address involved is registered to a company in Monte Carlo, Monaco.) However, there certainly hadn’t been enough time for any real scanning of the drive to be done, so I’m not too concerned about what it might have been.
I allowed MacProtector to run for a while, and it did not try to make any other connections until I, just for the heck of it, clicked the Register button. At that point, it made three successive connections to a different IP address than the initial connection.
After letting it run for a little while longer, during which time I never saw any serious disk activity in Activity Monitor, I finally shut down and restarted from my normal system. I then opened the Terminal and used the Unix utility “diff” to compare “Test System” to the reference system I had made on “Backup System”. The results can be found here, in somewhat trimmed-down form. I removed a lot of things that were unrelated differences, caused simply by running the system on “Test System”, such as log files, caches, preference files, etc. Of the things that I left, in all honesty, I had no idea what some of them were.
Of particular interest are the following entries:
Only in /Volumes/Test System/Applications: MacProtector.app
Only in /Volumes/Test System/Library/Receipts: macProtectorInstallerProgramPostflight.pkg
Only in /Volumes/Test System/Library/Receipts: macprotector.pkg
Only in /Volumes/Test System/Users/test/Library/Caches: com.aple.sv
Only in /Volumes/Test System/Users/test/Library/Preferences: com.aple.sv.plist
Only in /Volumes/Test System/Users/test: dmem.txt
Only in /Volumes/Test System/Users/test: proc.txt
Everything in this list, except for the app, is fairly innocent. None of these things are remotely dangerous. If you want to remove them, you can, but it shouldn’t be necessary to hunt them down.
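The comparison above was done by hand with diff and then trimmed. As an added example (not the post’s own script), the following POSIX shell script repeats that comparison between a reference root and a test root given as arguments, drops the noise the author trimmed manually (logs, temp files, and Apple’s own com.apple.* caches and preferences, which leaves the look-alike com.aple.sv entries visible), and marks new items that land in /Applications, /Library/Receipts or the launchd/startup folders. The persistence folders are an assumption I added for general use; the post itself found nothing there.

```sh
#!/bin/sh
# Added example, not the post's own script. Usage: snapshot_diff.sh REF_ROOT TEST_ROOT
# Both roots are hypothetical paths (e.g. the two mounted partitions in the post).

# Differences caused merely by booting the test system: system logs, temp
# files, Finder metadata, and Apple's own com.apple.* prefs/caches. A deliberately
# narrow pattern so that look-alike identifiers such as com.aple.sv stay visible.
NOISE='/var/log|/private/var/|/private/tmp/|\.DS_Store$|: com\.apple\.'

# Print "Only in <root>: <name>" for paths present on one side only, minus noise.
# diff exits 1 whenever the trees differ, and grep exits 1 when nothing is left,
# so neither status is treated as an error.
snapshot_diff() {
    ref_root=$1
    test_root=$2
    diff -rq "$ref_root" "$test_root" 2>/dev/null \
        | grep '^Only in' \
        | grep -Ev "$NOISE" || true
}

# Tag each line: WATCH for an installed app, an install receipt, or a
# launchd/startup item (assumed persistence locations); NEW for anything else.
classify() {
    while IFS= read -r line; do
        case "$line" in
            *Applications:*|*Receipts:*|*LaunchAgents:*|*LaunchDaemons:*|*StartupItems:*)
                printf 'WATCH %s\n' "$line" ;;
            *)
                printf 'NEW   %s\n' "$line" ;;
        esac
    done
}

if [ $# -eq 2 ]; then
    snapshot_diff "$1" "$2" | classify
fi
```

Run it as root if the reference volume contains files the test user cannot read, otherwise diff will silently skip them.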
The dmem.txt and proc.txt files are interesting. I’m assuming they are MacProtector files, as they contain information that looks like it would have been created by the System Info pane in MacProtector (which looks a bit like Activity Monitor, but does not appear to be functional). The contents of dmem.txt are:
Filesystem 1G-blocks Used Available Capacity Mounted on
/dev/disk1s2|27|10|17|37%|/
The contents of proc.txt start like this:
PID COMM
1|/sbin/launchd
10|/usr/libexec/kextd
11|/usr/sbin/notifyd
12|/usr/sbin/diskarbitrationd
13|/usr/libexec/configd
14|/usr/sbin/syslogd
15|/usr/sbin/DirectoryService
[...snip...]
The list continues, looking much like a list of all processes in Activity Monitor. Compare to a screenshot of the System Info panel in MacProtector:
In all, nothing that I’ve seen makes me concerned that this trojan does anything other than try to convince you to give them your credit card number. Although there is always the possibility that it sneaked something past me, I don’t think that’s likely. There is always the danger of someone creating a more dangerous variant of this trojan in the future, but at this time it is my opinion that you’re still safe as long as you don’t give them your credit card number and delete MacDefender/MacSecurity/MacProtector according to my instructions. If anyone else has more details to contribute, please feel free to share!