OFFICIAL SECURITY BLOG


Minor new MacProtector variant

Published May 17th, 2011 at 10:54 PM EDT , modified May 18th, 2011 at 8:57 AM EDT

A colleague sent me a slightly different variant of MacProtector recently, with a creation date of 5/11/2011.  I haven’t had time to do any really detailed analysis of it, and I’m not sure that the trouble will be warranted anyway.  The differences appear to be minor.

The first thing I did was use the Unix ‘diff’ command to compare the two installer packages.  It found differences in the following files:

MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.bom
MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz
MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Info.plist
MacProtector.mpkg/Contents/distribution.dist

These differences are fairly minor, except for the differences in the archive, which is the meat of the installer. Next, I extracted the application from each installer using Pacifist, and compared the applications.  Here’s a list of the differences:

MacProtector.app/Contents/MacOS/MacProtector
MacProtector.app/Contents/Resources/AboutD.nib
MacProtector.app/Contents/Resources/ControlCenterD.nib
MacProtector.app/Contents/Resources/CrashAppAlert.nib
MacProtector.app/Contents/Resources/English.lproj/Localizable.strings
MacProtector.app/Contents/Resources/English.lproj/MainMenu.nib
MacProtector.app/Contents/Resources/NotificationPWnd.nib
MacProtector.app/Contents/Resources/OptionsD.nib
MacProtector.app/Contents/Resources/PayFormWnd.nib
MacProtector.app/Contents/Resources/RegWinD.nib
MacProtector.app/Contents/Resources/ScanD.nib
MacProtector.app/Contents/Resources/Splash.nib
MacProtector.app/Contents/Resources/SysInfoD.nib
MacProtector.app/Contents/Resources/affid.txt
MacProtector.app/Contents/Resources/ksms.txt

Again, these differences are all minor, with one exception.  The actual executable file itself is slightly different.  Not a lot, but enough to raise the question of what changed.  I did run the app in an isolated account on a test system, and didn’t see any behavior that was different from the previous version of MacProtector.  But, as stated already, I haven’t actually done detailed tests to see what files might have been changed on the system, what data might be going out over the network, etc.  My suspicion is that this is simply a minor improvement, and that it isn’t doing anything substantially different, but I have not yet backed up that suspicion with tests.

Note that some people have been confused by the requirement for an admin password, and have been under the mistaken assumption that the malware is getting root access to the system.  This is not correct: only the Apple installer is authenticating for root access, so that it can move all the components into the specified locations.  The application itself still does not have root privileges at any point, just as with all previous variants of this malware, which means that its options for mischief are somewhat limited.
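The two steps above, diffing the extracted packages file by file and then checking who is actually asking for the admin password, can be scripted. The following is an added example, not code from the original post; it builds two constructed macprotector.pkg trees (not real samples) and reads the IFPkgFlagAuthorizationAction key that bundle-style packages use to tell Installer.app which authorization to request.

```python
import hashlib
import os
import plistlib
import tempfile


def differing_files(old_dir, new_dir):
    """Relative paths whose bytes differ between the two trees, or that exist on one side only."""
    def tree(root):
        out = {}
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
        return out
    old, new = tree(old_dir), tree(new_dir)
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))


def authorization_action(pkg_dir):
    """Read IFPkgFlagAuthorizationAction from Contents/Info.plist: this is what Installer.app
    prompts for (RootAuthorization -> admin password), not the installed app's runtime privilege."""
    with open(os.path.join(pkg_dir, "Contents", "Info.plist"), "rb") as fh:
        return plistlib.load(fh).get("IFPkgFlagAuthorizationAction", "NoAuthorization")


def build_sample_packages(root):
    """Write two constructed macprotector.pkg trees (not real samples) that differ
    only in the payload archive and Info.plist, mirroring the diff in the post."""
    pkgs = []
    for label, payload, version in (("old", b"payload-v1", "1.0"), ("new", b"payload-v2", "1.1")):
        contents = os.path.join(root, label, "macprotector.pkg", "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "PkgInfo"), "wb") as fh:  # identical in both trees
            fh.write(b"pmkrpkg1")
        with open(os.path.join(contents, "Archive.pax.gz"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": version,
                           "IFPkgFlagAuthorizationAction": "RootAuthorization"}, fh)
        pkgs.append(os.path.dirname(contents))
    return pkgs


def demo():
    """Build the constructed packages, diff them and report the installer's auth request."""
    with tempfile.TemporaryDirectory() as root:
        old_pkg, new_pkg = build_sample_packages(root)
        return differing_files(old_pkg, new_pkg), authorization_action(new_pkg)
```

Run `demo()` and the diff lists only the archive and Info.plist, while the authorization value shows the root request belongs to the installer package, not to MacProtector.app.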

Edit: Note that MacProtector is just the latest variant of what started out as MacDefender. However, as neither MacDefender nor MacSecurity has been seen in the wild since the MacProtector variant appeared, I am going to begin calling this malware by the current name, rather than risk confusion by referring to MacDefender or MacSecurity.


2 Comments

  • Al Varnell says:

    Somebody posted a new one to VirusTotal today. 18 AVs still caught it, including clamav. I’m not planning on chasing it.

    • Thomas says:

      Yeah, I’m not sure that I’m going to be able to keep up with detailed analysis of every little minor variation, either.
