What’s in Apple Security Update 2011-03?
The recently reported malware attacks against Mac users prompted Apple to release a security update. We did an initial analysis of both the FAKEAV for Macs and the latest Apple security update in our previous blog entry. I extracted the updated version of XProtect.plist (Apple's pattern file) to dig deeper into what is inside. A .plist (property list) file is an XML file that follows Apple's plist DTD (document type definition); property lists are a standard part of Apple's OS X Core Foundation. XProtect.plist itself is stored as XML, although property lists can also be saved in Apple's binary encoding.
The update notes are stored in the file XProtect.meta.plist.
XProtect.plist is plain XML, so it can be read in any text editor or property-list viewer; the screenshots here were taken in Dashcode, which is part of Apple's developer tools:
For OSX.MacDefender.C, the entry carries four content matches: three hex-encoded byte strings searched for inside a named file, and one hash of a whole file:
1. File = Archive.bom
Hex1 = 446F776E6C6F6164506963742E706E67 = DownloadPict.png
2. File = Info.plist
Hex1 = 434642756E646C654E616D653C2F6B65793E = CFBundleName</key>
Hex2 = 3C737472696E673E416E746976697275732053657475703C2F737472696E673E = <string>Antivirus Setup</string>
3. File = postinstall
SHA-1 = 8bd19a1b fc1356fb 487da3ca 2cb3a186 da2fa720
Two details are worth noting. Both Info.plist patterns decode to the value together with its surrounding XML tags, so they match the exact serialization of the bundle's Info.plist rather than the bundle name itself. The postinstall value is shown in the angle-bracket form in which property-list editors display <data> elements; it is 20 bytes long, the length of a SHA-1 digest, so this rule compares a hash of the entire postinstall script instead of searching it for a substring.
Based on XProtect.plist, Apple relies on plain string matching for most of its patterns. Anyone who can read the plist knows exactly which bytes are checked, so a malware writer only has to change those strings, or move the files they live in, to avoid detection. Whatever the scanner does once something is detected, protection still comes down to the patterns themselves and how quickly they are refreshed. Given the recent run of FAKEAV variants for the Mac, we should expect the authors to keep releasing variants modified just enough to slip past the current patterns and stay in business.
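To make the mechanics concrete, the following is an added example written for this page; it is not code from the original post or from Apple. It evaluates XProtect-style rules the way the match list above suggests: a substring search for the decoded hex pattern inside the named file, and a whole-file SHA-1 comparison for the postinstall entry. The dictionary layout and key names (Description, Matches, MatchFile, MatchType, Pattern, SHA1) and the rule that an entry only fires when every one of its matches hits are assumptions; the hex patterns and the postinstall hash are the values quoted above, and every file in the sample package is constructed. The example also shows the evasion point: the same Info.plist saved as a binary property list no longer contains the `<key>` and `<string>` tags the patterns look for, and a single appended byte defeats the hash rule.

```python
"""Added example, not code from the original post or from Apple: a small
evaluator for XProtect-style signatures.

The signature layout (Description / Matches / MatchFile / MatchType /
Pattern / SHA1) is an assumed approximation of XProtect.plist, and treating
an entry as detected only when every one of its matches hits is also an
assumption. The hex patterns and the postinstall hash are the values quoted
in the post; all sample file contents below are constructed."""
import hashlib
import plistlib

SIGNATURES = [
    {
        "Description": "OSX.MacDefender.C",
        "Matches": [
            {"MatchFile": "Archive.bom", "MatchType": "Match",
             "Pattern": "446F776E6C6F6164506963742E706E67"},
            {"MatchFile": "Info.plist", "MatchType": "Match",
             "Pattern": "434642756E646C654E616D653C2F6B65793E"},
            {"MatchFile": "Info.plist", "MatchType": "Match",
             "Pattern": "3C737472696E673E416E746976697275732053657475703C2F737472696E673E"},
            {"MatchFile": "postinstall", "MatchType": "SHA1",
             "SHA1": bytes.fromhex("8bd19a1bfc1356fb487da3ca2cb3a186da2fa720")},
        ],
    },
]

# Constructed stand-in for the package's postinstall script (not the real one).
POSTINSTALL = b"#!/bin/sh\n# constructed stand-in for mdInstall.pkg/postinstall\nexit 0\n"

# Constructed signature whose hash really does cover the stand-in script, so the
# SHA-1 code path can be exercised end to end (Apple's hash above cannot match it).
HASH_SIG = {
    "Description": "Constructed.HashOnly",
    "Matches": [{"MatchFile": "postinstall", "MatchType": "SHA1",
                 "SHA1": hashlib.sha1(POSTINSTALL).digest()}],
}


def decode_pattern(hex_pattern: str) -> bytes:
    """Raw bytes an XProtect hex pattern searches for (what the post decoded by hand)."""
    return bytes.fromhex(hex_pattern)


def check_match(rule: dict, files: dict) -> bool:
    """Evaluate one match rule against a package flattened to {filename: bytes}."""
    data = files.get(rule["MatchFile"])
    if data is None:
        return False
    if rule["MatchType"] == "Match":          # substring search for the raw bytes
        return decode_pattern(rule["Pattern"]) in data
    if rule["MatchType"] == "SHA1":           # whole-file digest comparison
        return hashlib.sha1(data).digest() == rule["SHA1"]
    raise ValueError(f"unknown MatchType {rule['MatchType']!r}")


def scan(files: dict, signatures=SIGNATURES) -> dict:
    """Per-rule hit list for every signature, keyed by its description."""
    return {sig["Description"]: [check_match(r, files) for r in sig["Matches"]]
            for sig in signatures}


def detected(files: dict, signatures=SIGNATURES) -> list:
    """Signatures whose rules all hit (assumed AND semantics)."""
    return [name for name, hits in scan(files, signatures).items() if all(hits)]


def build_package(binary_info=False, postinstall=POSTINSTALL) -> dict:
    """Constructed contents of a MacDefender-like .pkg, flattened to name -> bytes.

    binary_info=True serializes the same Info.plist in Apple's binary plist
    format: identical meaning, different bytes, so the tag-bearing patterns miss."""
    info = {"CFBundleName": "Antivirus Setup",
            "CFBundleIdentifier": "com.example.constructed"}
    fmt = plistlib.FMT_BINARY if binary_info else plistlib.FMT_XML
    return {
        "Archive.bom": b"BOMStore\x00constructed\x00DownloadPict.png\x00",
        "Info.plist": plistlib.dumps(info, fmt=fmt),
        "postinstall": postinstall,
    }


if __name__ == "__main__":
    for sig in SIGNATURES:
        for rule in sig["Matches"]:
            if rule["MatchType"] == "Match":
                print(rule["MatchFile"], "->", decode_pattern(rule["Pattern"]))
    print("XML Info.plist:    ", scan(build_package()))
    print("binary Info.plist: ", scan(build_package(binary_info=True)))
    print("hash sig, original:", detected(build_package(), [HASH_SIG]))
    print("hash sig, one byte appended:",
          detected(build_package(postinstall=POSTINSTALL + b"\n"), [HASH_SIG]))
```

Run it directly to print the decoded patterns and the per-rule hits for the XML and binary packages. The Archive.bom rule still fires in the binary case because that file was left untouched, which is exactly why the post expects authors to change the strings and the files they sit in rather than the overall behaviour.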
The MacDefender sample spreading on Facebook is covered by the latest Apple Security Update, which is where the files above are referenced.
Further analysis of OSX_DEFMA.B (our detection name for this MacDefender variant) showed that, after the fake MacDefender screen is displayed, the browser downloads anti-malware.zip. That archive contains mdInstall.pkg, which holds all of the pre/post-install items for the application, and the Archive.pax.gz inside it contains mdDownloader, the installer itself. The full contents, laid out flat, were shown in a screenshot:
[Screenshot: the flattened contents of anti-malware.zip]
Apple's approach might have held up somewhat longer had the search strings not been stored in the clear, but obscuring them would only raise the cost of reading the patterns, not of evading them: an author can still test variants against the scanner until one slips through. As it stands, all the bad guys had to do to circumvent this latest "security update" was change the strings and file locations and once again carry on infecting Mac users.
Post from: TrendLabs | Malware Blog – by Trend Micro