
MacDefender in action

Published May 3rd, 2011 at 7:40 AM EDT , modified May 7th, 2011 at 7:17 AM EDT

I have located a copy of the MacDefender trojan (thanks to Linc Davis, who sent me the link) and have done some testing myself.  Below is a detailed account of my experiences with it, as a continuing addition to previous news on this issue on my blog.

First, I visited the link on my regular account, on which Open “safe” files after downloading is turned off.  (See my previous report, MacDefender news, for why this is important.)  The first thing that happens – if you have JavaScript turned on in Safari – is that an alert pops up:

This alert should make Mac users suspicious – after all, they’re not using Windows!  In addition, a web site cannot scan your computer for viruses, though many users will not understand that the Safari icon plus the web site address means that this alert is being displayed by JavaScript code on that web site.  Of course, you have no choice but to click OK…  or force-quit Safari, which wouldn’t be a bad idea in a situation like this, just to be safe.

Clicking OK results in the following page being opened:

The page shows a progress bar as it “scans” for viruses.  Surprise, surprise, it actually finds some viruses, and up pops the “window” titled “Windows Security Alert” listing all the “viruses.”  This should be another warning that something is wrong.  All this is very Windows-oriented, and you, as a Mac user, are not using Windows.

If you click in most areas, the trojan will be downloaded to Safari’s downloads folder.  The download, named “BestMacAntivirus2011.mpkg.zip”, is a .mpkg installer file inside a .zip archive.  And, on my everyday user account, where Safari is not set to open such files, that is as far as it goes.  Unless I find that file later and decide to unzip it and run it, it will do no harm.

I then tested on a throwaway user account I created just for this purpose.  With the default settings in Safari – both JavaScript and Open “safe” files after downloading turned on – clicking anywhere on the page shown above results in not only the trojan being downloaded, but also being automatically unzipped and the installer launched!  This is a very serious security breach in Safari that Apple must address as soon as possible.  I’m surprised it has never been an issue before.

From there, one must proceed through installation in Apple’s own installer, so there’s nothing scary-looking about it.  However, users should be wary of any installer they did not intentionally launch!  I stopped here, being unwilling to see what happened to my machine after clicking Install.  From what I understand from third-party sources, though, a password is required before the installation can commence.

It is important to point out that in the course of writing this, Safari has started displaying the following warning when I try to visit the malicious site:

In all, the most concerning part of this is that Safari will open an installer automatically, given the right preferences turned on and the right kind of installer, and that Quarantine also will not catch this installer.

Edit (7:40 am): Oh, and the confusion about what “Fast Windows Antivirus” is has been resolved…  that’s the title of the browser window when you visit the malicious web site.

Edit (8:10 am): I tested ClamXav to see if it would detect the malware, and at this time, it does not.  However, I have seen a post on the Apple Support Communities that indicates that they are working on adding it and will be updating their definitions “shortly.”  As Intego and Sophos have both posted information about this trojan on their sites, I’m sure they have likewise added it to the definitions for their anti-virus software.

Edit (10:40 am): Linc Davis actually ran the installer on a test account.  Here is his account of what happens after installation:

I didn’t run the installer because I wasn’t motivated to take the necessary precautions. Instead, I extracted the package contents manually and ran them in an unprivileged account, which I then deleted.

The archive that I downloaded was named “BestMacAntivirus2011.mpkg.zip.” The package installs only the application MacDefender.app. It also runs a shell script that launches the application.

When launched, the application adds itself to the user’s login items and writes a preference file, ~/Library/Preferences/com.alppe.md.plist.plist. It doesn’t modify any other user files. It runs as a multi-threaded 64-bit process and doesn’t spawn any subprocesses. It contacts a server at the address 69.50.214.53, which is in a netblock assigned to “atjeu publishing, llc” of Phoenix, AZ. A hosting service seems to operate out of that network. The registrant’s contact name is given by whois as “Vasilev, Boris.”

The application is localized in two languages, English and Russian.

The bundle identifier is “com.alppe.spav.plist”. That’s a Java-style MIB, not a filename. The indicated domain is registered anonymously in Australia and is represented by a parking page.

The application really does scan the Applications folder and flags a number of executables variously as “Rootkit,” “Worm,” “Troyan,” (sic) and so forth. After the scan completes, the main window closes, but the application doesn’t exit. It loads some objectionable pages in Safari, as has been reported, and installs a menu item. There is no Quit menu and the only way to get rid of it is to terminate the process with kill(1) or Activity Monitor.

So to summarize, the trojan can be removed simply by killing the process “MacDefender” in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer, which I didn’t.

Mr. Davis confirms in a separate message that the installer does require an administrative password, if allowed to proceed that far.
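The two practical takeaways above, turning off Safari’s Open “safe” files after downloading preference and checking for the traces Mr. Davis lists (the MacDefender.app bundle, the preference file, a running MacDefender process, a login item, and an installer receipt), can be wrapped in a short checklist script. The following is an added example written for this page, not a script from the original post or from Mr. Davis. It assumes the Safari preference key com.apple.Safari AutoOpenSafeDownloads (a real key; 1 means on) and that an installer receipt, if one exists, carries “macdefender” in its file name (an assumption, since the post gives no receipt name). The preference file path and bundle name come from the post; the directories are parameters so the checks can be exercised against a constructed tree on any system.

```shell
#!/bin/sh
# Added example, not from the original post: a checklist for the MacDefender
# traces described above plus Safari's auto-open preference.
# Assumptions: key com.apple.Safari AutoOpenSafeDownloads (real; 1 = on);
# a receipt, if present, has "macdefender" in its file name (assumed).

MD_PREF_REL="Library/Preferences/com.alppe.md.plist.plist"   # path from the post
MD_APP_NAME="MacDefender.app"                                  # bundle name from the post

# Classify a raw AutoOpenSafeDownloads value: 1 means Safari will unzip the
# archive and launch the .mpkg installer by itself.
classify_auto_open() {
    case "$1" in
        1|true|YES) echo "risky: Safari opens 'safe' downloads automatically" ;;
        0|false|NO) echo "ok: automatic opening is off" ;;
        *)          echo "unknown: value '$1'" ;;
    esac
}

# Read the live preference where the defaults(1) tool exists (macOS).
safari_auto_open_status() {
    if command -v defaults >/dev/null 2>&1; then
        classify_auto_open "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
    else
        echo "unknown: 'defaults' not available on this system"
    fi
}

# 0 if the preference file the trojan writes exists under home directory $1.
md_pref_present() { [ -f "$1/$MD_PREF_REL" ]; }

# 0 if MacDefender.app sits directly inside applications directory $1.
md_app_present() { [ -d "$1/$MD_APP_NAME" ]; }

# 0 if receipts directory $1 holds a file whose name mentions macdefender (assumed naming).
md_receipt_present() { ls "$1" 2>/dev/null | grep -qi macdefender; }

# 0 if a process named MacDefender is running (pgrep exists on macOS and Linux).
md_process_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x MacDefender >/dev/null 2>&1
}

# Print the user's login items when System Events is reachable (macOS only).
md_login_items() {
    if command -v osascript >/dev/null 2>&1; then
        osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
    fi
    return 0
}

# Run every file-system and process check. Arguments: home directory,
# receipts directory, then one or more applications directories. Prints one
# line per finding and, as the last line, the number of indicators found.
md_scan() {
    home=$1; receipts=$2; shift 2
    found=0
    if md_pref_present "$home"; then
        echo "preference file present: $home/$MD_PREF_REL"; found=$((found + 1))
    fi
    for dir in "$@"; do
        if md_app_present "$dir"; then
            echo "application bundle present: $dir/$MD_APP_NAME"; found=$((found + 1))
        fi
    done
    if md_receipt_present "$receipts"; then
        echo "installer receipt present in $receipts"; found=$((found + 1))
    fi
    if md_process_running; then
        echo "process MacDefender is running (kill it before deleting the app)"; found=$((found + 1))
    fi
    echo "$found"
}

# Report on the real locations (run as: sh checklist.sh --run).
md_report() {
    echo "Safari AutoOpenSafeDownloads: $(safari_auto_open_status)"
    echo "Login items: $(md_login_items | tr '\n' ' ')"
    md_scan "$HOME" /var/db/receipts /Applications "$HOME/Applications"
}
[ "${1:-}" = "--run" ] && md_report
```

The script only reports; removal is still the manual sequence Mr. Davis gives (kill the process first, then delete the bundle, the preference file and the login item), and the receipt check is there only so an admin who did run the installer knows there is a receipt to clean up as well.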


6 Comments

  • TMO says:

    I was using Safari for browsing Facebook. I clicked on a link that took me to a blog page on discovermagazine.com and suddenly there was a download in progress (I usually use Firefox so I was unaware of the default Safari behavior). I got the install page, knew something was wrong and quit Safari. Note that subsequent browsing to that very page resulted in a normal page. Here are my particulars:
    * The redirect seemed to be to [link removed] .
    * Once there I quickly saw a browser entry looking like an IP concatenated before the blog page I was going to. The IP was 69.50 something. The fake scanning page came up and immediately tried to get me to install mac defender
    * I think the downloaded file was macdefender.mpkg but my memory is fuzzy
    * A cookie was left on my system named 69.50.202.201
    * [address removed] resolves to [ip removed] . Another domain, [address removed], also resolves to it.

    • Thomas says:

      Other reports are coming out that this is appearing on sites other than Google Images, often in JavaScript in malicious ad banners.

  • Jen says:

    I got routed to this IP address when I was looking for low airfares on a site I had never heard of. I can’t remember the site I was at, though! I was just following links from my Google search. The address is:
    http://178.162.157.198/eb2c530035c0581a9c4633dbfc55f5d83886b5372fba6510

    Hope this helps you figure it out and find a defense.
    Jen

  • Jen says:

    AAAAHHHH!!! don’t open the link in my previous post!!!! I thought I was just writing in the text, I didn’t know it would come up as a link. SORRY!

    • Thomas says:

      No worries, I could have commented out the link. It’s non-functional at this point though. These sites are moving around constantly… as one gets blacklisted and blocked, another opens up. I left the link present so people could see what they look like. Thus far, every link to this malware that I have seen looks similar. If you’re getting virus warnings and see something like that in your address bar, that’s another hint that something’s wrong!

  • Macaroni says:

    Thanks for this informative blog post. It answered all the questions my mind came up with after hearing about the “macdefender” scareware-trojan. Basically, your information clarifies that the default secure behavior of the Mac OS is not compromised/exploited, because you still have to willfully install the application by providing admin credentials.
    So if you install this trojan and “get infected” it’s your own dumb fault, and you need to learn to be more careful on your Mac.
