Obfuscated IP Addresses and Affiliate IDs in Mac FAKEAV
The current wave of Mac OS X FAKEAV infections follows a three-step process. To those familiar with Windows-based FAKEAV variants, the pattern in this infection chain will be quite familiar.
- A poisoned Google search result leads the user to a fake “scanning page”.
- The page prompts the user to download a .ZIP file that contains a .PKG installer; this installer installs a downloader.
- The downloader fetches another .ZIP file that contains the actual FAKEAV .APP file.
In step 2, the downloaded installer package (.PKG file) contains two notable files:
- The downloader binary
- A .PNG file
The downloader binary is responsible for downloading (and executing) the final FAKEAV payload. Interestingly, an important part of the download URL, the IP address, is not stored within the downloader binary itself. Instead, the host IP address is stored at the end of the above-mentioned .PNG file.
[Figure: data appended after the end of the .PNG image]
The data appended at the end of the .PNG file is encrypted using a simple cipher, the encryption key to which can be found in the downloader binary. When decrypted, the data looks like this:
[Figure: the decrypted data appended to the .PNG file]
The decrypted data reveals two sets of information:
- The IP addresses from which the final FAKEAV payload can be downloaded
- The affiliate IDs
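The appended data described above only works because image viewers ignore whatever follows a PNG's IEND chunk. The following Python script, an added example rather than code from the original post, walks the chunk list of a suspect .PNG, validates each chunk's CRC, and returns any bytes found after IEND so an analyst can tell at a glance whether a file carries a hidden trailer. The cipher and key are not described in the post, so the example stops at extracting the raw trailer; the sample image and trailer are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes) -> bytes:
    """Walk the PNG chunk list and return any bytes that follow the IEND chunk.

    A well-formed PNG ends exactly at IEND; anything after it is foreign data,
    which is where this downloader kept its encrypted host list. Raises
    ValueError if the file is not a structurally valid PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        crc_end = pos + 8 + length + 4
        if crc_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        # The CRC covers chunk type + chunk data; a mismatch means a corrupt chunk list.
        expected = struct.unpack(">I", data[crc_end - 4:crc_end])[0]
        if zlib.crc32(data[pos + 4:crc_end - 4]) != expected:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = crc_end
        if ctype == b"IEND":
            return data[pos:]


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_with_trailer(trailer: bytes) -> bytes:
    """Build a minimal 1x1 RGB PNG and append `trailer` after IEND (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + trailer)


if __name__ == "__main__":
    sample = make_png_with_trailer(b"<constructed encrypted config blob>")
    extra = png_trailer(sample)
    print(f"{len(extra)} trailing byte(s) after IEND: {extra!r}")
```

A clean image returns an empty trailer; a non-empty result is the blob to hand to whatever key the downloader binary carries.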
With the IP address decrypted, the downloader binary assembles the download URL, which comes in the following form:
- http://ip_address/mac/soft.php?affid=xxxxx
The affid parameter is a number: the affiliate ID of the affiliate member who is responsible for distributing the Mac FAKEAV.
The presence of the affiliate ID is disturbing. This means that there are already organized affiliate programs targeting Mac OS X. With these affiliate programs already in place and already operational, we can expect sustained attacks against Mac OS X users in the future.
Post from: TrendLabs | Malware Blog – by Trend Micro