Variant of SMSSend slips past XProtect
Published February 11th, 2013 at 9:47 PM EST, modified February 11th, 2013 at 9:47 PM EST
This weekend, I got my hands on a variant of the SMSSend malware. What I found was very interesting, and very concerning. After examining it, it’s evident that the malware is still evolving and is still an active threat. Worst of all: it seems to be capable of slipping past the current version of the built-in anti-malware security in Mac OS X (aka, XProtect)!
Originally described by Dr. Web, this malware pretended to be an installer for an application called VKMusic. As part of the install process, it requested a cell phone number, and required the user to enter an activation key that would be texted to that number. The process, however, would result in the cell phone being subscribed to a premium text message service, thus generating revenue for the malware.
The current incarnation that I have stumbled across no longer pretends to install VKMusic. Instead, it pretends to be an installer for something called History of Sochi. Opening it launches what looks like an official Apple installer, though there are some oddities. (For example, at one point a message reads, “Wait the Wizard to finalize files check History of Sochi…”)
The installation process culminates in a request for the user to text a particular code to a cell phone number. There is a fairly limited number of countries to choose from: Albania, Armenia, Belorussia, Brazil, Estonia, Germany, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldavia, Russia, Ukraine and Vietnam. (Presumably the malware is not likely to be found outside one of those countries, but that could change at any time.)
Alternatively, the user can choose a different method of activation. The other choice in the relevant menu is WebMoney, and includes a link to a payment page.
Of course, I was not willing to do what was necessary to get an activation code, so I could not take this any further. I cannot say whether a legitimate app may actually be installed, despite the means, or if more malware might be installed. The app does contain a .zip file that probably contains whatever payload is installed, but it is encrypted with a password, so it cannot be extracted and examined.
None of this is particularly surprising, of course. It is interesting that the name of the app and some methods have changed. However, more worrisome is the fact that I was able to open this installer on Mac OS X 10.8.2. The system was fully up-to-date, and I forced it to update its XProtect definitions prior to making the attempt. When I opened it, I got only the familiar warning that the application had been downloaded from the internet, not the scarier warning that the application will harm the computer, which should be given when trying to open a malicious application.
What this means is that this variant of SMSSend is not covered by the signatures for SMSSend that are currently found in XProtect. This is a very serious matter, and I plan to immediately contact Apple about it. Hopefully, the situation will be remedied soon.
It’s important to understand that I am not picking on Apple alone. A number of very prominent anti-virus programs also fail to detect this variant of the malware. Such is the nature of malware detection… it is always a game of catch-up. Besides which, although this variant would slip past XProtect, it is blocked entirely by Gatekeeper in Mountain Lion, unless overridden by the user (as I had to do), as the developer is not registered with Apple.