Winwebsec gang responsible for FakeMacdef?
We've noticed a few odd rogue security software applications recently—although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system.
There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something which only it is able to remove… for a price.
The product, which calls itself MacDefender, is being distributed in much the same format as its Windows-based cousins: through an imitation scanner interface which runs within the browser, similar to that described in this blog post. It typically depicts a Windows XP system running through an anti-malware scan; however, there have been reports of one that impersonates the Mac OS X Finder. Malware is delivered to the user irrespective of whether they click through the UI or click on the fake Cancel button. This distribution component reads the client's User-Agent header in order to discern the operating system, and then serves up a malicious application designed for that operating system (that is, if you're running on Windows, the site will serve up Win32/Winwebsec, but if you're on a Mac you'll get MacOS_X/FakeMacdef).
Some Mac users have reported that the malware is automatically being downloaded and started when they land on the imitation scanner pages. This may be related to Safari's "open safe files", which we recommend you disable (click on the link for more information).
Upon closer examination, we found more connections between FakeMacdef and Winwebsec. The best example is that the URL format that FakeMacdef uses to call home is almost identical to that which we see in Winwebsec:
Winwebsec:
http://x.x.x.x/i.php?affid=xxxxx&data=x&v=x

FakeMacdef:
http://x.x.x.x/i.php?v=x&affid=xxxxx&data=x

The purchase pages are also similar:

Winwebsec:
http://x.x.x.x/buy.php?affid=xxxxx&data=x&v=x

FakeMacdef:
http://x.x.x.x/mac.php?v=x&affid=xxxxx&data=x

http://blogs.technet.com/b/mmpc/archive/2011/05/17/winwebsec-gang-responsible-for-fakemacdef.aspx
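The URL shapes above are the kind of thing a defender can turn into a proxy-log check: match on the script name (i.php, buy.php, mac.php) plus the exact set of query keys (affid, data, v) rather than on host or affiliate id, which vary per campaign. The following is an added example written for this post, not MMPC code or a signature the post publishes; the tab-separated log format, the client-OS guess from the User-Agent string (mirroring the branch the distribution site itself makes), the use of query-key order to tell the two families apart on the shared i.php path, and the sample log with the documentation address 203.0.113.10 are all assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Path -> purpose, taken from the URL shapes quoted in the post.
CALLBACK_PATHS = {"/i.php": "check-in", "/buy.php": "purchase", "/mac.php": "purchase"}
# Both families send exactly these three query keys; only their order differs.
EXPECTED_KEYS = {"affid", "data", "v"}


def classify_url(url):
    """Match a URL against the Winwebsec/FakeMacdef callback shape.

    Returns a dict (family, purpose, host, affid) or None when the URL does
    not fit. Matching is on path plus the exact set of query keys, so the
    host, the affiliate id and the order of parameters do not matter.
    """
    parts = urlsplit(url)
    if parts.path not in CALLBACK_PATHS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != EXPECTED_KEYS:
        return None
    if parts.path == "/buy.php":
        family = "Winwebsec"
    elif parts.path == "/mac.php":
        family = "FakeMacdef"
    else:
        # i.php is shared by both families; the post shows Winwebsec sending
        # affid first and FakeMacdef sending v first, so key order is the
        # only visible difference (a heuristic, assumed for this example).
        first_key = parts.query.split("&", 1)[0].split("=", 1)[0]
        family = {"affid": "Winwebsec", "v": "FakeMacdef"}.get(first_key, "unknown")
    return {
        "family": family,
        "purpose": CALLBACK_PATHS[parts.path],
        "host": parts.hostname,
        "affid": query["affid"][0],
    }


def os_from_user_agent(ua):
    """Coarse OS guess from a User-Agent string (assumed tokens, good enough
    to show which payload the distribution site would have chosen)."""
    if "Windows" in ua:
        return "Windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "Mac OS X"
    return "other"


def scan_log(text):
    """Scan tab-separated lines 'timestamp<TAB>client<TAB>url<TAB>user-agent'
    (an assumed export format) and return one hit per callback URL seen."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ua = line.split("\t", 3)
        match = classify_url(url)
        if match is None:
            continue
        match.update(time=ts, client=client, client_os=os_from_user_agent(ua))
        hits.append(match)
    return hits


# Constructed sample proxy log; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_LOG = (
    "2011-05-17T10:01:02Z\t10.0.0.5\thttp://203.0.113.10/i.php?affid=12345&data=1&v=2\tMozilla/5.0 (Windows NT 5.1)\n"
    "2011-05-17T10:01:09Z\t10.0.0.7\thttp://203.0.113.10/i.php?v=2&affid=12345&data=1\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_6)\n"
    "2011-05-17T10:02:30Z\t10.0.0.7\thttp://203.0.113.10/mac.php?v=2&affid=12345&data=1\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_6)\n"
    "2011-05-17T10:03:00Z\t10.0.0.9\thttp://example.com/index.php?page=1\tMozilla/5.0 (Windows NT 6.1)\n"
    "2011-05-17T10:03:05Z\t10.0.0.9\thttp://203.0.113.10/i.php?affid=1&extra=z\tMozilla/5.0 (X11; Linux)\n"
)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} ({hit['client_os']}): "
              f"{hit['family']} {hit['purpose']} to {hit['host']}, affid={hit['affid']}")
```

Run against the constructed log, the two benign-looking lines (a different script name, and i.php with a stray query key) produce no hit, while the three callback shapes are reported with the affiliate id, which is the value most useful for linking separate infections back to one campaign.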