Friday, January 18, 2008

A Deeper Look On MacSweeper

Do you think MacSweeper is not a rogue application? OK, let's take a deeper look and see what it does.

::::::::::::
File Size
::::::::::::

MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes)
MacSweeper.app 2.6 MB (2,563,303 bytes)

:::::::::::::::::
Installation
:::::::::::::::::

Like other rogue applications, MacSweeper uses deceptive sales and marketing techniques to get onto users' systems. It has no capability to propagate or spread by itself; instead it arrives through an advertisement that redirects users to this bogus web page.


Behind this page are an SWF Flash file and JavaScript that record the traffic and clicks.

After a fake display of a scanning process, this bogus website shows an alert box.


The buttons "Ignore" and "Remove" are useless, since the page simply displays another message box, and this time the user has no option other than to click "OK". Check the screenshot here.

Clicking "OK" triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application, MacSweeper.app.

MacSweeper does not require the root/admin password to execute, and it remains in the Download folder unless the user manually drags it to another location.

::::::::::::::
Network
::::::::::::::

Lookup information of www.macsweeper.com:

www.macsweeper.com.       A    217.20.175.39
ns1.vici.au               NS   217.20.175.157
ns2.vici.au               NS   217.20.182.29
alt1.aspmx.l.google.com   MX   209.85.147.27
alt2.aspmx.l.google.com   MX   64.233.185.27
aspmx.l.google.com        MX   66.249.93.27

The screenshot shows that MacSweeper.com, Cleanator.com, Clenator.com and Kivvisoftware.com share the same name server IP address.

Cleanator is a rogue application that runs on the Windows platform.

:::::::::::::::::::::::::::::::
Behaviour & Analysis
:::::::::::::::::::::::::::::::

Most of the files inside MacSweeper.app are image files (in PNG format). Let's check the other files...

PkgInfo contains the string "APPL????".

Database.plist contains 6390 cookie entries that look like this:

Cookie
YMR6LmFmdGVyZGF3bi5uZXQ

TODO.txt contains a to-do list covering the application's current limitations, bugs and planned features. One interesting entry from this text file is:

"18. When update in process arert of new version can come, and fuck everithing"

You may check the complete list here.



Info.plist contains the following strings:

Identifier: com.KIVViSoftware.MacSweeper
Package Type: APPL
Executable: MacSweeper
Update URL: http://update.macsweeper.com/rss/MacSweeper.xml

The file MacSweeper inside the MacOS folder is a universal binary, which means it can run on both PPC and x86.

From the screenshot above, you would think that this application has scanned your system for unwanted files. In the background, however, MacSweeper executes the following shell commands:

# List every non-empty regular file under the chosen folder (%@ is a format
# placeholder that the application fills in at run time):
find "%@" ! -empty -and -type f > /private/tmp/com.MacSweeper.found.tmp;
# Keep only the universal binaries that file(1) reports, leaving just the path:
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;
exit;

# The "clean-up": strip one architecture and overwrite the original binary:
lipo "%@" -thin %@ -output "%@.lipo"&& mv -f "%@.lipo" "%@";


During the scanning process, it drops the following temporary files:

/private/tmp/com.MacSweeper.found.tmp
/private/tmp/com.MacSweeper.found2.tmp

It then uses these files to display the scan result. This application does not scan for unwanted files at all; instead it presents you with a list of legitimate files installed on your system.
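To see what that find | file | grep pipeline really collects, here is an added example (not code from this post or from MacSweeper) that reimplements the check in Python: it parses the Mach-O fat header the way file(1) recognises a universal binary and runs it over a constructed temporary folder. The file names and payload bytes are constructed samples; the cputype values 7 (x86) and 18 (PowerPC) are the standard Mach-O constants.

```python
import os
import struct
import tempfile

FAT_MAGIC = 0xCAFEBABE                   # magic of a Mach-O universal (fat) header
CPU_TYPE_X86, CPU_TYPE_POWERPC = 7, 18   # cputype values used in fat_arch entries
FAT_ARCH = struct.Struct(">IIIII")       # cputype, cpusubtype, offset, size, align

def parse_fat(data):
    """Return [(cputype, offset, size), ...] if data is a fat binary, else None."""
    magic, nfat_arch = struct.unpack(">II", data[:8].ljust(8, b"\0"))  # pad short files
    # Java .class files share the magic: like file(1), reject implausible counts.
    if magic != FAT_MAGIC or not 0 < nfat_arch < 20 or len(data) < 8 + nfat_arch * FAT_ARCH.size:
        return None
    slices = []
    for i in range(nfat_arch):
        cputype, _sub, offset, size, _align = FAT_ARCH.unpack_from(data, 8 + i * FAT_ARCH.size)
        if offset + size > len(data):
            return None                  # truncated slice: do not trust the file
        slices.append((cputype, offset, size))
    return slices

def list_universal(root):
    """The find | file | grep step: non-empty regular files under root that are fat binaries."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files):
            if os.path.isfile(path) and os.path.getsize(path) > 0:
                with open(path, "rb") as fh:
                    if parse_fat(fh.read()) is not None:
                        found.append(path)
    return sorted(found)

def build_fat(slices):
    """Constructed sample input: assemble a fat binary from {cputype: payload}."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    body, offset = b"", 8 + FAT_ARCH.size * len(slices)
    for ct, payload in slices.items():
        header += FAT_ARCH.pack(ct, 0, offset, len(payload), 0)
        body, offset = body + payload, offset + len(payload)
    return header + body

def demo():
    """Run the bogus 'scan' over a temp folder: only the legitimate binary is 'found'."""
    root = tempfile.mkdtemp()
    fat = build_fat({CPU_TYPE_X86: b"x86 code", CPU_TYPE_POWERPC: b"ppc code"})
    for name, data in (("LegitTool", fat), ("notes.txt", b"just text"), ("empty", b"")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in list_universal(root)]
```

Running `demo()` returns `["LegitTool"]`: the only thing the "scan" ever finds is a perfectly normal universal binary, which the lipo step above would then quietly rewrite.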

And it does not end here: a few minutes after displaying the scan result, it shows a nagging screen as seen below:

What! A privacy violation involving your own legitimate files? Absolutely not right.

From the code, this application unlocks more features and displays the message below once the user enters a valid serial code.

Thank You! You made me a bit hapier :)

Definitely, this application is not just rogue but also junkware.