Minor new MacProtector variant
Published May 17th, 2011 at 10:54 PM EDT , modified May 18th, 2011 at 8:57 AM EDT
A colleague sent me a slightly different variant of MacProtector recently, with a creation date of 5/11/2011. I haven’t had time to do any really detailed analysis of it, and I’m not sure that the trouble will be warranted anyway. The differences appear to be minor.
The first thing I did was use the Unix ‘diff’ command to compare the two installer packages. It found differences in the following files:
MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.bom
MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz
MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Info.plist
MacProtector.mpkg/Contents/distribution.dist
These differences are fairly minor, except for the differences in the archive, which is the meat of the installer. Next, I extracted the application from each installer using Pacifist, and compared the applications. Here’s a list of the differences:
MacProtector.app/Contents/MacOS/MacProtector
MacProtector.app/Contents/Resources/AboutD.nib
MacProtector.app/Contents/Resources/ControlCenterD.nib
MacProtector.app/Contents/Resources/CrashAppAlert.nib
MacProtector.app/Contents/Resources/English.lproj/Localizable.strings
MacProtector.app/Contents/Resources/English.lproj/MainMenu.nib
MacProtector.app/Contents/Resources/NotificationPWnd.nib
MacProtector.app/Contents/Resources/OptionsD.nib
MacProtector.app/Contents/Resources/PayFormWnd.nib
MacProtector.app/Contents/Resources/RegWinD.nib
MacProtector.app/Contents/Resources/ScanD.nib
MacProtector.app/Contents/Resources/Splash.nib
MacProtector.app/Contents/Resources/SysInfoD.nib
MacProtector.app/Contents/Resources/affid.txt
MacProtector.app/Contents/Resources/ksms.txt
Again, these differences are all minor, with one exception: the executable file itself is slightly different. Not a lot different, but enough to raise the question of what the difference might be. I did run the app in an isolated account on a test system, and didn’t see any behavior that was different from the previous version of MacProtector. But, as stated already, I haven’t actually done detailed tests to see what files might have been changed on the system, what data might be going out over the network, etc. My suspicion is that this is simply a minor improvement, and that it isn’t doing anything substantially different, but I have not yet backed up that suspicion with tests.
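The two-step comparison above (diff the installers, then diff the extracted apps) can be scripted so that each differing file is listed once with its size in both versions and a rough class, which makes the “everything is a .nib except the executable” pattern jump out. This is an added example, not code from the post; it assumes both versions have already been extracted to directories (the MacProtector-old.app / MacProtector-new.app names are placeholders):

```sh
#!/bin/sh
# Added example, not code from the original post: triage two extracted copies of a
# bundle (or unpacked installer) the way the post does: diff the trees, then note
# which changed file is the executable versus a UI resource. Paths are assumptions.

# classify REL_PATH -> executable | ui-resource | other
classify() {
    case "$1" in
        *Contents/MacOS/*) echo executable ;;
        *.nib|*.strings)   echo ui-resource ;;
        *)                 echo other ;;
    esac
}

# compare_variants OLD_DIR NEW_DIR -- one line per difference, paths relative to root:
#   CHANGED <class> <path> <old-bytes> <new-bytes> | ONLY_OLD <class> <path> | ONLY_NEW <class> <path>
compare_variants() {
    old=${1%/}; new=${2%/}
    diff -rq "$old" "$new" | while IFS= read -r line; do
        case "$line" in
            "Files $old/"*" and $new/"*" differ")
                f=${line#Files "$old"/}; rel=${f%% and *}
                osz=$(wc -c < "$old/$rel" | tr -d ' ')
                nsz=$(wc -c < "$new/$rel" | tr -d ' ')
                printf 'CHANGED %s %s %s %s\n' "$(classify "$rel")" "$rel" "$osz" "$nsz" ;;
            "Only in "*)
                d=${line#Only in }; name=${d#*: }; d=${d%%: *}
                case "$d" in
                    "$old"|"$old/"*) tag=ONLY_OLD; rel=${d#"$old"} ;;
                    *)               tag=ONLY_NEW; rel=${d#"$new"} ;;
                esac
                rel=${rel#/}; [ -n "$rel" ] && rel="$rel/"
                printf '%s %s %s\n' "$tag" "$(classify "$rel$name")" "$rel$name" ;;
        esac
    done
}

# Stand-alone use: ./compare.sh MacProtector-old.app MacProtector-new.app
if [ $# -eq 2 ]; then compare_variants "$1" "$2"; else echo "usage: $0 OLD_DIR NEW_DIR" >&2; fi
```

The same script works on the unpacked .mpkg trees as on the .app bundles; the size columns are only a hint, and a CHANGED executable still needs the hands-on inspection the post describes.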
Note that some people have been confused by the requirement for an admin password, and have been under the mistaken assumption that the malware is getting root access to the system. This is not correct: only the Apple installer is authenticating for root access, so that it can move all the components into the specified locations. The application itself still does not have root privileges at any point, just as with all previous variants of this malware, which means that its options for mischief are somewhat limited.
Edit: Note that MacProtector is just the latest variant of what started out as MacDefender. However, as neither MacDefender nor MacSecurity has been seen in the wild since the MacProtector variant appeared, I am going to begin calling this malware by the current name, rather than risk confusion by referring to MacDefender or MacSecurity.