The recent malware targeting Mac OS X systems, MacDefender and MacProtector, consists of fake anti-virus products designed to steal users' personal information, including credit card account details. We think version OSX/MacDefender.F tries to steal two credit card numbers by bouncing (rejecting) the first one and directing the user to another site. Below is our pending draft analysis of OSX/MacDefender.A, OSX/MacDefender.D and OSX/MacDefender.F.
Our analysis includes takeaways on the evolution of key inherited traits within each rogue application, followed by a detailed technical breakdown of the three working variants we have. The report is organized into stakeholder sections for executives, users, researchers and experienced Mac OS X administrators. This report is a draft and may change without notification.
Excerpts From Our Analysis
Files
/Contents/MacOS/MacDefender (OSX/MacDefender.A)
MD5(MacDefender)= 2f357b6037a957be9fbd35a49fb3ab72
SHA(MacDefender)= 470e1c99d7b5ec6d00b26715f4fa37bc70984fb4
/Contents/MacOS/MacProtector (OSX/MacDefender.D)
MD5(MacProtector)= 1f8e9cd3f0717a85b96f350e4f4a539a
SHA(MacProtector)= 361ba7b420e1a9ec0af5f7811e84dc95d04624a9
Added 05_21_2011
/Contents/MacOS/MacProtector (OSX/MacDefender.F)
SHA(MacProtector)= a94bd6a52bcb275a8ff1cd15977167f709b7ab04
```objectivec
@interface URLMaster : NSObject
{
}
+ (id)getBuyPageIP; // IMP=0x000000010000f1f7
+ (id)getBackupBuyPageIP; // IMP=0x000000010000f1e8
+ (id)getSoftInstallLink; // IMP=0x000000010000f391
+ (id)getBuyPagLink; // IMP=0x000000010000f30d
+ (id)getBackupBuyPageLink; // IMP=0x000000010000f289
+ (id)getSendTicketLink; // IMP=0x000000010000f0a8
@end
```
Update: Draft report v2
Magmatic_Analysis_MacDefender_MacProtectorv2Draft.pdf (MAJOR UPDATE PENDING)
SHA(Magmatic_Analysis_MacDefender_MacProtectorv2Draft.pdf)= 72b17c4250da23ae3c744fb26508d2b1889ae49e
Draft report v1
Magmatic_Analysis_MacDefender_MacProtector(DRAFT)
sha=5a708a3751c3ddd7bf38fcf240d8abc676514452
Magmatic_Analysis_MacDefender_MacProtector(DRAFT)
sha=c20f74b6eef02667033ddf50ff8a4ef1a10c7f13
MacProtector (OSX/MacDefender.A)
OSX_MacDefender.A_ClassDiagramDraft2.pdf
SHA(OSX_MacDefender.A_ClassDiagramDraft2.pdf)= d4b9902967f842773a563b215cae49ac5d3bde40
MacProtector (OSX/MacDefender.D)
OSX_MacDefender.D_ClassDiagramDraft2.pdf
SHA(OSX_MacDefender.D_ClassDiagramDraft2.pdf)= 2a92c951b9378d2370d559cbcbce873660fcc12d
MacProtector (OSX/MacDefender.F)
OSX_MacDefender.F_ClassDiagramDraft2.pdf
SHA(OSX_MacDefender.F_ClassDiagramDraft2.pdf)= 2b80717c46157cd2606dcbe6a7817e5993fb7ace
MacDefenderOSX_MacDefender_A_ClasssDump (OSX/MacDefender.A)
SHA(MacDefenderOSX_MacDefender_A_ClasssDump.txt)= 5087f008da46bdd3cfacaf1be9d3729f19916f65
MacDefenderOSX_MacDefender_D_ClasssDump (OSX/MacDefender.D)
SHA(MacProtector_OSX_MacDefender_D_ClassDump.txt)= a53cc5a8c9cd2f19726e56beed8b07a097d7b8e2
MacDefenderOSX_MacDefender_F_ClasssDump (OSX/MacDefender.F)
SHA(MacProtector_OSX_MacDefender_F_ClassDump.txt)= f26c0091ab26b1ca998d8f58e9ee133d967c5bd8
**Note:** This is draft data and contains raw information; the final release of the document and additional updates will be located here. All information is provided as is and falls under the copyright located on this site and within the draft report. For any questions, use the Contact Us link and put "MacDefenderProtector Report" in the subject line.