For the last month or so we have been carefully tracking the developments in the Mac OS X malware community. Our conclusion? It’s advancing fast and taking many cues from the Windows malware scene.
Let’s review the evolution of this threat briefly to see where we’ve been.
May 6, 2011: At this point, we’re seeing new variants almost daily. Some of the new samples display random pornographic web pages to scare you and better convince you that your Mac is infected. We also sometimes see the name change from MacDefender to Mac Security.
May 15, 2011: We begin seeing the first attempts to obfuscate the content inside the malware to disguise its functionality. Early versions had the registration codes embedded in plain text, but now the registration codes are encoded so they are more difficult to discover.
All of these original variants still prompted the user for their Administrator password to install the malware. As Apple advises in their knowledge base article on the topic, this is a warning sign and an excellent opportunity to abort the installation.
May 25, 2011: Just like in the Windows versions, the latest variants seen today (OSX/FakeAvDl-A) no longer require administrative credentials. They now install into areas of the system that only require standard user privilege. In other words, the attacks no longer ask for an admin password. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases.
Here’s how the latest Mac malware attack works in pictures (click for a larger version of each image):
First, you visit a poisoned webpage using Apple’s Safari web browser. Perhaps you stumbled across it by clicking on a dangerous thumbnail while doing a search using Google Images.
Safari downloads the file, and automatically begins to run the installer for a program called “Mac Guard”:
It looks like a regular install process, but doesn’t require you to enter your username and password:
With the destination drive chosen, the install of the fake anti-virus software begins:
Once installed, the software claims to have found lots of malware threats on your Mac, but advises that you need to register your copy to remove the infections:
What’s that? You don’t have a registration number? Not to worry, the criminals have thought of that and urge you to enter your credit card details to buy the required serial number. Unfortunately, you can’t tell what they plan to do with your credit card information – but you can be sure they’re up to no good.
Of course, if you were running an anti-virus product on your Mac (such as the free Sophos Anti-Virus for Mac home users) then you would have been protected and the bad guys wouldn’t have been able to scare you into entering your credit card details.
In this case, Sophos detects the threat as OSX/FakeAvDl-A.
Apple has stated:
"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants."
This is good news for OS X users who have been affected, but with new variants arriving daily, how will this work?
Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.
SophosLabs continues to investigate and publish protection for Mac users. We invite you to download Sophos Anti-Virus for Mac Home Edition for free to help you keep your Mac safe and secure.
Creative Commons image of a Mother’s Day card courtesy of MothersandDaughters Flickr photostream.