Attack of the Clones II

Created: 17 Jan 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:57 GMT
Mateusz Misiewicz

AVSystemCare, DriveCleaner, and MalwareAlarm (a clone of AntiSpywareShield) are known rogue antispyware/antivirus application "brands". They are part of a growing list of misleading applications that deceive users by displaying scary warnings about the computer being infected with a large number of fake threats, and then ask them to buy the software before they will fix the problems.

We wrote about AVSystemCare clones a few months ago. Since then, the number of the domain names associated with these misleading applications has reached 500 and is still growing. Similarly, the new clones of MalwareAlarm keep popping up as well, often downloaded by Downloader.MisleadApp.

All these clones have one thing in common – they target Windows. But if you are a Mac user, and thought that the folks behind these security risks were only targeting Windows users, you’d be wrong. A few days ago, our friends from F-Secure discovered the first misleading application for Mac OS X, called MacSweeper.

Our research leads us to believe that this application has been released, after a few months of testing, by the very same group behind these other security risks. In fact, a quick comparison of the home pages, fake scanning engines, and general user interfaces shows that a liberal amount of content has been borrowed from the other misleading applications.

MacSweeper scanner

MalwareAlarm scanner

MacSweeper scanner detects threats

MalwareAlarm scanner detects threats

Given that the Mac platform is becoming more and more popular these days, it’s no surprise that security risk and malware authors are focusing on the platform in the search for additional profits.

Take the Trojan.Zlob family of Trojans, which often serve up fake video codecs through malicious Web sites. These sites are now offering different files, depending on the HTTP user agent information (specifically the browser type and operating system) sent to the malicious sites. If you visit one of these Web sites with a Mac, the download offered will likely be a version of the Mac-specific OSX.RSPlug.A Trojan.
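The user-agent-dependent delivery described above can be hunted for in web proxy logs. The following is an added example, not code from the original post: it flags URLs that returned entirely different downloads to Windows and Mac clients. The log format, host names, file names and hashes are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log (tab-separated): time, URL, User-Agent, file name, payload hash.
# Hosts, file names and hashes are placeholders invented for this example.
SAMPLE_LOG = """\
2008-01-15T10:02:11Z\thttp://codec-site.example/get\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\tcodec.exe\thash-aaa
2008-01-15T10:05:40Z\thttp://codec-site.example/get\tMozilla/5.0 (Macintosh; U; Intel Mac OS X; en) Safari/523\tcodec.dmg\thash-bbb
2008-01-15T10:09:03Z\thttp://docs.example/manual.pdf\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\tmanual.pdf\thash-ccc
2008-01-15T10:12:27Z\thttp://docs.example/manual.pdf\tMozilla/5.0 (Macintosh; U; Intel Mac OS X; en) Safari/523\tmanual.pdf\thash-ccc
"""


def os_family(user_agent):
    """Coarse OS family taken from the User-Agent header."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    return "other"


def find_ua_dependent_downloads(log_text):
    """Return {url: {os_family: {(file name, hash), ...}}} for URLs whose
    payloads differ completely between the OS families that requested them."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed records
        _, url, ua, name, digest = fields
        seen[url][os_family(ua)].add((name, digest))

    flagged = {}
    for url, by_os in seen.items():
        payload_sets = list(by_os.values())
        # Flag only when two or more OS families were seen and they share no payload.
        if len(payload_sets) > 1 and not set.intersection(*payload_sets):
            flagged[url] = dict(by_os)
    return flagged


if __name__ == "__main__":
    for url, by_os in find_ua_dependent_downloads(SAMPLE_LOG).items():
        print(url, by_os)
```

Legitimate download pages also serve per-OS installers, so hits are triage leads to combine with domain reputation and file analysis.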

It is probably too early to thoroughly assess the impact of MacSweeper’s release on the threat landscape. The various security risk authors are known for their malicious productivity on the Windows platform. The list of domains is growing every month and with new domains come new clones. But whether Mac-based versions are a flavor-of-the-month trend or here to stay has yet to be determined.