OSX/FakeAV-A

Category: Viruses and Spyware
Protection available since: 06 May 2011 10:39:36 (GMT)
Type: Malicious behavior
Last Updated: 17 Apr 2015 09:23:41 (GMT)
Prevalence: Several Reports

When the user visits popular image search results, SEO poisoning redirects them to a FakeAV 'scan' JavaScript page which reports 'your computer may be infected'. A zip file is then downloaded in the background and an MPKG-style installer app is launched, prompting the user for administrator credentials. If they are given, the FakeAV app is installed in the /Applications folder and launched. The FakeAV then repeats the 'detection' alert, while also opening the referenced web pages in the system's default web browser.

The FakeAV then prompts the user to register the software to 'clean up' the 'infections', bringing up an online payment page where the user can pay by credit card for a one-year, two-year, or lifetime licence while providing full contact information to the authors. If the 'buy me now' link is clicked, the user is directed to IP-based domains routed via <something>.cz.cc redirection pages.

Early versions of this FakeAV family used the Windows version of the online script to trigger the initial download, but the interface has since been updated to look more Mac-like at the original SEO landing site.

OSX/FakeAV-A may have one of the following file names:

MACDefender.app
Mac Defender.app
Mac Security.app
Mac Protector.app
BestMacAntivirus2011.mpkg.zip
Best-Mac-Antivirus-2011.mpkg.zip

After the file has been executed, OSX/FakeAV-A may attempt to contact one of the following sites:

OSX/FakeAV-A may also install additional malware, including:

OSX/FakeAV-DMP
OSX/FakeAV-DMU
OSX/FakeAV-DOE
OSX/FakeAV-DOY
OSX/FakeAvIs-A
OSX/FakeAvIs-B
OSX/FakeAVSc-A
OSX/FakeAVZp-B

Also related to Windows FakeAV:

Mal/FakeAV-FS

Examples of OSX/FakeAV-A include:

Example 1

File Information

Size: 1.8M
SHA-1: 10c8fa43d9f1f0121961ea393349eb27717457bf
MD5: 81bf20f352ecd1d42f5d3d65e09e1a75
CRC-32: b90aaeef
File type: PK ZIP archive
First seen: 2011-05-09

Other vendor detection

Kaspersky: Hoax.OSX.Defma.d

Example 2

File Information

Size: 291K
SHA-1: 160e9ad7cc453d70ebc62c5c7d38b32f6fc2951f
MD5: 7c92d916b9b2b4a3355d98ac9d5c5043
CRC-32: c7cb4f9f
File type: Apple Mac executable
First seen: 2013-08-07

Example 3

File Information

Size: 138K
SHA-1: 1de09b3de222ab9ed866f65852dcb0ff86cd13f1
MD5: 51167b6a2f3c8e10b6a9600bc4e71504
CRC-32: 1c7666de
File type: Unspecified binary - probably data
First seen: 2011-07-11
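As an added host check, not part of the Sophos description or any Sophos tool, the following Python walks a directory tree (for example /Applications or a Downloads folder) and flags entries matching the bundle and file names and the SHA-1/MD5 hashes listed on this page; the directory it is pointed at and any sample files used to exercise it are assumed and constructed.

```python
import hashlib
import os

# Indicators copied from the OSX/FakeAV-A description on this page.
KNOWN_NAMES = {
    "MACDefender.app", "Mac Defender.app", "Mac Security.app",
    "Mac Protector.app", "BestMacAntivirus2011.mpkg.zip",
    "Best-Mac-Antivirus-2011.mpkg.zip",
}
KNOWN_SHA1 = {
    "10c8fa43d9f1f0121961ea393349eb27717457bf",
    "160e9ad7cc453d70ebc62c5c7d38b32f6fc2951f",
    "1de09b3de222ab9ed866f65852dcb0ff86cd13f1",
}
KNOWN_MD5 = {
    "81bf20f352ecd1d42f5d3d65e09e1a75",
    "7c92d916b9b2b4a3355d98ac9d5c5043",
    "51167b6a2f3c8e10b6a9600bc4e71504",
}

def file_hashes(path):
    """Return (sha1, md5) hex digests of a file, read in 64 KiB chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()

def scan_for_fakeav(root):
    """Walk root; return (path, reason) findings. A .app bundle is a directory
    on macOS, so names are matched on directories too; hashes on files only."""
    lowered = {n.lower() for n in KNOWN_NAMES}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if name.lower() in lowered:
                findings.append((os.path.join(dirpath, name), "known bundle name"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in lowered:
                findings.append((path, "known file name"))
            try:
                sha1, md5 = file_hashes(path)
            except OSError:  # unreadable or vanished file: skip it, keep scanning
                continue
            if sha1 in KNOWN_SHA1 or md5 in KNOWN_MD5:
                findings.append((path, "known hash"))
    return findings
```

A name match alone is a prompt to inspect, not proof of infection; a hash match against the examples above is a firm indicator.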

Further information

More information about OSX/FakeAV-A is available in the blog article 'Mac fake anti-virus attack gets dirty to ensnare victims'.