When my colleague Fabio wrote about a Rogueware campaign targeting MAC users, I investigated a bit into the origin of these campaigns. It was interesting how different researchers were getting those samples through searching images on Google. However, different searches always arrive at the same result, leading to the question: How many search terms have been poisoned?
That was an interesting question. But the answer came reading another very interesting research from Unmask Parasites: http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/. I recommend you read the post, but in essence it explains how thousands of sites have been infected with a very effective schema that allows the criminals to poison image search results. Could it be that this schema was connected to the fakeAV for MAC?
I contacted the author of the post and he was very nice and helped me in conducting my own research (kudos for Unmask Parasites). Here are the results:
When connecting to an infected site, there is a redirection that is only effective when using a search engine such as Google as referrer in the parameters:
hxxp://kdsqXXXXe.ce.ms/in.cgi?2&seoref=www.google.com¶meter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2FmatcXXXXnt.com.do%2F&default_keyword=default
After that you get malicious HTML with obfuscated Javascript code in it; in this case exploiting HPC URLHelp Center URL Validation Vulnerability (CVE-2010-1885). If the exploit is successful, you will be redirected to download a .jar file posing as a videogame:
kniXXXXng.info/games/mario.jar
Finally, the .jar file tries to download an .avi file from another server:
216.XXX.XXX.202/pub/new.avi
This file is detected as Trojan.Win32.Delf.arsr.
However the interesting thing is what happens when you start the infection chain with a MAC user agent. In this case the schema is different: you get HTML with an obfuscated Javascript with the following result.
Bingo! Here we have our FakeAV campaign. The HTML poses as the result of an antivirus running on a Finder interface. Clicking “Remove All” will download a zip file with a random name from the same server. These files are variants of the fakeAV binaries that my colleague Fabio explained in his post.
In this case the infection is social engineering, as you need to click the button and install the downloaded file. However from previous experience we know how effective this method is. Be careful, this time the campaign is massive and the criminals could change the infection method to launch an exploit, as they are doing in Windows. Protect your MAC, the good times are gone!
More fakeAV for MAC. This time it’s massive