According to Kaspersky Lab expert Vyacheslav Zakorzhevsky, the threat runs a downloader that fetches fake antivirus programs, including one for Mac OS X. Because the downloader runs under Windows, the fake Mac antivirus is downloaded as well, but it cannot execute there.
Zakorzhevsky also noted that this suggests those behind the fake antivirus for Mac are pushing it through every available distribution channel, via intermediaries who do not know what they are installing on the target computers.
"Interestingly, one link leads to Hoax.OSX.Defma.f which we recently wrote about. Most importantly, the rootkit tries to run it... under Windows! It appears that the developers of the latest rogue AV program for MacOS are actively distributing it via intermediaries, who don't really understand what it is they are supposed to install on users' computers," Zakorzhevsky wrote in his blog post.
Zakorzhevsky said that the rogue program is downloaded and installed through the BlackHole exploit kit, which exploits vulnerabilities in Java and in Adobe's PDF reader software.
Both drivers are basic rootkits with a fair amount of functionality; one is a 32-bit driver, the other a 64-bit driver.
The 64-bit driver carries a so-called test signature: it is signed with a test certificate, which 64-bit Windows Vista and Windows 7 accept only when the system is booted with test signing enabled (the TESTSIGNING boot option). Test-signing mode exists so that developers can load drivers that are still under development and have no production signature; on a normally booted machine, such a driver is refused by kernel-mode code signing enforcement.
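The two conditions this rootkit depends on, a boot entry with test signing switched on and a kernel driver whose signature does not chain to a trusted root, are both easy to audit from an elevated PowerShell prompt. The script below is an added example and is not code from the original post or from Kaspersky's analysis; it assumes that `bcdedit` prints a `testsigning Yes` line for the current boot entry when the option is set, and that the `PathName` reported by `Win32_SystemDriver` is either absolute, prefixed with `\??\` or `\SystemRoot`, or relative to the Windows directory.

```powershell
# Added example (not from the original post). Run from an elevated prompt:
# bcdedit needs administrator rights.

# 1. Is the current boot entry configured with test signing enabled?
#    'bcdedit /enum {current}' prints a 'testsigning  Yes' line when it is;
#    the line is simply absent when the option was never set (assumption).
$bcd = & bcdedit /enum '{current}' 2>$null
$testSigningOn = [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
if ($testSigningOn) {
    Write-Warning 'TESTSIGNING is enabled: the kernel will load test-signed drivers.'
} else {
    Write-Output 'TESTSIGNING is not enabled on the current boot entry.'
}

# 2. Check the Authenticode signature of every driver that is currently running.
#    A test certificate does not chain to a root Windows trusts outside test
#    mode, so Get-AuthenticodeSignature will not report 'Valid' for it.
function Resolve-DriverPath([string]$PathName) {
    # Normalise the path forms Win32_SystemDriver.PathName is assumed to use:
    # a \??\ prefix, a \SystemRoot placeholder, or a path relative to %SystemRoot%.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$suspect = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $sig.Status          # anything other than 'Valid' deserves a look
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' }

$suspect | Format-Table -AutoSize
```

Two caveats when reading the output: `bcdedit` only reflects the boot configuration, so also look for the "Test Mode" watermark on the desktop of a running system; and on older Windows versions `Get-AuthenticodeSignature` does not consult catalog files, so inbox drivers that are signed only through a catalog can appear as `NotSigned`. Treat the non-`Valid` list as a starting point and compare it against a known-good host of the same build rather than as a verdict.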
*Image: Where's the "Panic Button" when you need it..?*
Once the driver has been loaded and is running, the rootkit prevents the drivers belonging to anti-rootkit and antivirus products from executing.