A Walk-Through of a FAKEAV Infection in Mac OS X
For some years now, FAKEAV variants have been plaguing Windows-based systems. Recently, this malware type has entered the Mac OS X scene. As with the Windows-based variants, poisoned search results are the most common infection vector for Mac FAKEAV.
Take, for example, the following poisoned search result:
[Screenshot: poisoned search result]
Accessing the website while using a Mac will directly lead the user to the following page:

Clicking OK on the page above leads to a page that supposedly scans the system for viruses.
[Screenshot: fake "scanning" page]
After the fake scan is done, it reports the extent of the “infestation” the user’s Mac is suffering from.
[Screenshot: fake scan results]
As you may have noticed, the page above closely mimics Mac OS X's Finder, just as the Windows FAKEAV "scanning page" mimics Windows Explorer.
Clicking Remove all, or anywhere else on the page above, results in the download of the file anti-malware.zip. This .ZIP file contains an installer package (.pkg) which, if run, installs a downloader application into the system's Applications folder and launches it. This downloader then fetches the actual FAKEAV application.
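As an added example (not part of the original post, and not Trend Micro's code), a responder who has captured a copy of a download like anti-malware.zip can check, without ever double-clicking the installer, whether the archive carries a .pkg and whether that member really is a flat macOS installer package: flat packages are xar archives and begin with the bytes `xar!`. The zip inspected below is constructed inline for the demonstration; its member names and contents are assumptions, not the real malware.

```python
"""Triage a downloaded .zip for macOS installer packages (added example)."""
import io
import zipfile

XAR_MAGIC = b"xar!"   # first four bytes of a flat macOS .pkg (a xar archive)


def find_installer_packages(zip_bytes: bytes) -> list:
    """Return one record per archive member that looks like an installer.

    A member is reported if its name ends in .pkg (case-insensitive) or its
    first four bytes are the xar magic, whatever the extension claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)          # only the header is needed
            by_name = info.filename.lower().endswith(".pkg")
            by_magic = head == XAR_MAGIC
            if by_name or by_magic:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "pkg_extension": by_name,
                    "xar_magic": by_magic,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake flat package, a harmless text file,
    and a package whose extension was changed to hide it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("anti-malware.pkg", XAR_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"thanks for downloading")
        zf.writestr("update.dat", XAR_MAGIC + b"\x00" * 12)  # renamed pkg
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_installer_packages(build_sample_zip()):
        print(finding)
```

The header check matters because the attacker chooses the filename; the extension is a hint, the magic bytes are evidence. On a Mac, a flagged member can then be unpacked for inspection with `pkgutil --expand` instead of being handed to Installer.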
The first thing that the FAKEAV application does is to display the following loading screen:
[Screenshot: FAKEAV loading screen]
The FAKEAV application then scares the heck out of the user via the following:
[Screenshot: FAKEAV main window with fake detections]
Note, however, that this particular FAKEAV build has some bugs: the Infected Object/File column shows only "[", and the word "Trojan" is misspelled. The red alert notifications in the upper right-hand corner of the screen may still do the trick, though.
When the user becomes scared enough to click Cleanup, the FAKEAV application tells him or her that the current copy is "unregistered."
[Screenshot: "unregistered" prompt]
Clicking Register displays a prompt where the user can enter a serial number.
[Screenshot: serial number prompt]
In case the user does not have a serial number, there’s still the convenient Buy button. Clicking it loads the following purchase page:
[Screenshot: purchase page]
The page asks the user to choose among the available software licenses (the price of the “Lifetime” license is a steal!). Most importantly, the page asks for the user’s credit card information.
Users who enter their credit card details on the page above hand this information to the criminals behind the scheme on a silver platter. With the card details in the criminals' possession, victims become more susceptible to identity theft. What's worse is that the victims did not buy any real security software; after all, these variants are not called FAKEAV for nothing.
Post from: TrendLabs | Malware Blog – by Trend Micro