This week, our friends at Trend blogged
about a new misleading application for the Mac. We decided to take a
look at it as well. The application, named iMunizator, is a variant of
the well known rogue antivirus product called Macsweeper, which we have blogged about previously.
When launched, iMunizator performs a full scan of the system and
soon after it reports the “problems” that it found. Worryingly, some of
the files detected by iMunizator are actually safe system binaries that
should never be removed—files with "app" extensions. See the screenshot
below:
iMunizator reports these safe files as "problems" and recommends
their removal. Of course, it doesn't forget to ask the user to pay a
license fee for this operation.
Once the scan is complete and the user still hasn't purchased the
license, the program will show the user the below popup with a
"helpful" recommendation, this occurs shortly after the scan is
finished. The window presented is using obvious and well known
scareware tactics to persuade the user to purchase the full version of
the product.
The link between Macsweeper and iMunizator can be easily found. For
example, some resource files that are packaged with iMunizator still
contain Macsweeper strings and references:
We left the biggest surprise to the end. The mechanism used by
iMunizator to report all the "potential" problems within the system is
based on a log file that is generated by simply running common shell
commands. These shell commands consist of nothing more than commands
that can enumerate the filesystem in order to find Universal Binaries.
That is, the user interface is a wrapper for a couple of shell
commands, as shown below.
Together with typos and errors on the user interface, the above code
gives a good insight into the motives and skills of the program's
authors.
iMunizator is the second misleading application for Mac this year. Is it the last? Hard to say. During the latest CanSecWest Pwn2own contest,
the team of Charlie Miller, Jake Honoroff, and Mark Daniel was the
first to “pwn” one of the possible targets, a brand new Mac Book Air
shipped with Mac OS X 10.5.2. The new vulnerability affects the Safari
browser and was exploited only during the second phase of the contest,
which allows the researchers to attempt to exploit default client-side
applications. Mac OS fell again, due to a vulnerability within the
Safari browser, as happened in the previous edition of the same contest.
Interest in this platform is growing and the fact that clones of
misleading applications pop up in cyberspace more and more often is
worrying. When rogue antivirus clones first appeared on the Windows
platform, the number of “different” products appearing rose very
quickly. Since this is the first rogue antivirus clone for Mac OS X,
unfortunately, we should expect plenty more to come.