Wednesday, May 4, 2011
FAKE "MAC Defender" Scamware Attack via infected Webpages
What is 'scamware'? (Also known as 'rogueware'). It is a form of malware that pretends to be something it is NOT in order to use social engineering / LUSER behavior to get you to install actual malware. The most numerous kind of scamware occurs on the Internet where you visit a web page and start getting bombarded with messages on your screen that you have been "INFECTED" with whatever, when in fact you have NOT. If you are, let's be blunt, foolish enough to allow your web browser to automatically download software, or even worse, if you allow your web browser to actually OPEN what you automatically download, you're a prime sucker for scamware. Don't do that!
This is the very first instance of actual working scamware for Mac OS X that I am aware of. The most excellent SANS NewsBites Volume 13 Number 35 newsletter issue provides an announcement of the situation as well as resource links. You can sign up for the free SANS newsletters HERE. (I occasionally have disagreements with SANS over their FUD publishing and spelling, but overall they're a terrific resource).
The Scamware: "MAC Defender" (Note the spelling difference from 'MacDefender', which is an actual program developed in Germany, sadly hurt by bad publicity created due to the 'MAC Defender' scamware).
The Infection Vector: Web pages.
1) Through nefarious means, the scamware tosses messages on your screen that your Mac has been infected with something. It insists that you pay $money$ to install the scamware Trojan horse in order to remove the fake 'infection'. Here is an illustration kindly provided by PCWorld.com.
2) If you foolishly allow your web browser to download software, the infected web page will IMMEDIATELY auto-download the Trojan horse to your Mac. THIS IS BAD!
3) If you foolishly allow your web browser to open software it has automatically downloaded, the Trojan horse will automatically open. THIS IS VERY BAD!
4) If you happily never allow auto-anything, then you could still be coerced into clicking the download link for the scamware Trojan horse. Worse yet, you might even open the Trojan horse on your computer. DON'T DO THAT!
At the moment, this scamware attack is occurring at a variety of web pages related to the killing of terrorism scourge Osama Bin Laden. Be especially watchful for this scamware at such websites.
The STING: You fork over $money$ and your CREDIT CARD information for what is worthless garbage software that does nothing at all. Your credit card has just been stolen.
How to Protect Yourself:
A) The Second Rule of Computing! Verify the authenticity and legitimacy of absolutely every piece of software you are tempted to install. In this case, you'll save yourself from spending $money$ on worthless garbage as well as handing over your credit card information. Also, seeing as there are currently 28 different Trojan horses for Mac OS X (26 actually, if you exclude the hacker tools), you'll be preventing yourself from getting infected for real.
Adding to SANS Editor Northcutt's comments in NewsBites, dangerous malware can be hidden in nearly any piece of software. This includes anything you are sent (via email or chat, etc.) or anything at any Internet location.
B) Don't auto anything! That means no auto-download or auto-open. Turn all such features OFF in your web browsers and other Internet related applications. (All such features should be removed from all programs as they are inherently dangerous).
C) Use a decent anti-malware application to protect you from infected web pages. As usual, I recommend Intego VirusBarrier X6, which I own and use and enjoy (usually) and want to marry. When you connect to a potentially dangerous web page, VirusBarrier stops it from loading and warns you of a detected threat. You are able to choose to ignore, block, or add the page to your 'Trusted Sites'.
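Rule B above ("no auto-open") is a browser setting, and the one that made this attack work is Safari's "Open 'safe' files after downloading" checkbox. Here is an added audit script, not from the original post, that reports and optionally turns that setting off; it assumes Safari keeps the checkbox in the com.apple.Safari preference key AutoOpenSafeDownloads and treats a missing key as enabled (the factory default), and it covers Safari only.

```shell
#!/bin/sh
# Added example for the "don't auto-open downloads" advice; not from the original post.
# ASSUMPTION: Safari stores its "Open 'safe' files after downloading" checkbox under
# the com.apple.Safari key AutoOpenSafeDownloads and treats an absent key as enabled.
SAFARI_DOMAIN="com.apple.Safari"
AUTO_OPEN_KEY="AutoOpenSafeDownloads"

# Map a raw `defaults read` result to "enabled"/"disabled"/"unknown". An empty value
# means the key is absent, which Safari treats as enabled, so absence is a finding too.
classify_auto_open() {
  case "$1" in
    ""|1|true|TRUE|yes|YES) echo "enabled" ;;
    0|false|FALSE|no|NO)    echo "disabled" ;;
    *)                      echo "unknown" ;;
  esac
}

# Read the live setting. `defaults` exits non-zero when the key does not exist (or off
# a Mac, when the tool is missing); that is mapped to "" so the audit reports "enabled".
read_auto_open() {
  defaults read "$SAFARI_DOMAIN" "$AUTO_OPEN_KEY" 2>/dev/null || echo ""
}

# Report the current state; with the argument "fix", also switch auto-open off.
# Returns success only when the setting is (now) disabled.
audit_safari() {
  state=$(classify_auto_open "$(read_auto_open)")
  echo "Safari auto-open of downloaded files: $state"
  if [ "$state" != "disabled" ] && [ "${1-}" = "fix" ]; then
    defaults write "$SAFARI_DOMAIN" "$AUTO_OPEN_KEY" -bool false && state="disabled"
    echo "Disabled; quit and reopen Safari for the change to take effect."
  fi
  [ "$state" = "disabled" ]
}

# Usage: `sh safari_autoopen.sh audit` to report, `sh safari_autoopen.sh fix` to remediate.
case "${1-}" in
  audit) audit_safari ;;
  fix)   audit_safari fix ;;
esac
```

The `defaults` commands only exist on Mac OS X; the classification logic runs anywhere, which is what the checks below exercise.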
Here are links with further details for your reading pleasure:
Fake AV Targets Mac OS X Through Poisoned Search Links
Fake "MAC Defender" antivirus app scams users for money, CC numbers
Fake security software takes aim at Mac users
Intego Security Memo – MAC Defender Fake Antivirus Program Targets Mac Users
Fake "MAC Defender" Brings Malware to Macs
Bogus MAC Defender malware campaign targets Mac users using Google Images
Apple Support Communities: Search for 'MACDefender'
(Please note that I corrected the name of this scamware in a few of the titles above. I see no point in perpetuating misspelling. Thank you as ever to Intego and ars technica for correct spelling ;-).