It seems there is no let up in the recent spate of Mac malware. A few days ago, another group of domains were registered and are being used to support a fake antivirus campaign that not only targets Mac, but also Windows users.
A series of sites were all registered by a Lee Juango who gives an address in "Pekin". However, the Web sites are hosted in Romania. The interesting thing is that these sites look almost exactly the same, with slight text changes depending on if the target is a Mac or a PC.
On the Mac domains, you will get a file called "macprotector.zip" (MacProtector). On the page for Windows, you get a file named “install.exe” (detected as Trojan.Gen/Trojan.FakeAV!gen39). This is actually a copy of SystemTool.
Another thing to note about this campaign is that the people behind it are getting really lazy. The site says the name of the Windows version of the fake antivirus product as Essential Cleaner, but when you install it, you can easily see that it is in fact a repacked version of SystemTool. I don't know about you, but I'm thinking that at least they could have reskinned SystemTool so that it says "Essential Cleaner" after you install it.
There was some talk in the media and on blogs about the idea that the people behind Windows fake antivirus are also behind the recent spate of Mac-targeted fake antivirus. This suggests that these people may indeed be branching out. Now that they have made the move to the Mac world, they are unlikely to leave it anytime soon.
By: Hon Lau
A series of sites were all registered by a Lee Juango who gives an address in "Pekin". However, the Web sites are hosted in Romania. The interesting thing is that these sites look almost exactly the same, with slight text changes depending on if the target is a Mac or a PC.
On the Mac domains, you will get a file called "macprotector.zip" (MacProtector). On the page for Windows, you get a file named “install.exe” (detected as Trojan.Gen/Trojan.FakeAV!gen39). This is actually a copy of SystemTool.
Another thing to note about this campaign is that the people behind it are getting really lazy. The site says the name of the Windows version of the fake antivirus product as Essential Cleaner, but when you install it, you can easily see that it is in fact a repacked version of SystemTool. I don't know about you, but I'm thinking that at least they could have reskinned SystemTool so that it says "Essential Cleaner" after you install it.
There was some talk in the media and on blogs about the idea that the people behind Windows fake antivirus are also behind the recent spate of Mac-targeted fake antivirus. This suggests that these people may indeed be branching out. Now that they have made the move to the Mac world, they are unlikely to leave it anytime soon.
By: Hon Lau