Posted by: David Harley | May 27, 2011

MacDefender: removing the malware and following the money

…and, back on the MacDefender case (yawn…) …

  • bleepingcomputer.com has removal guides for several variants, plus a removal tool courtesy of Lawrence Abrams. I haven’t checked them out personally, but I’ve no doubt they’ll be carefully done, as usual. The guides are linked from Security Garden: thanks, Corrine, for the pointer update. Also to Randy Knobloch for his continuing and valued input: interesting that so much of the useful information on this stuff is coming from MS-qualified professionals. I can’t say I’ve noticed a similar information flow the other way with respect to Windows problems. 😉
  • Brian Krebs also weighs in (hat tip to @virusbtn for flagging his article). While he neatly summarizes some of the issues, two of the really interesting angles are that:
    • The money trail goes back to Chronopay, a huge online payment processing operation in Russia and a long-time player in the fake AV market.
    • He’s noted a couple of domain names not used yet(appledefence.com and appleprodefence.com) that suggest fake product names in the pipeline. Interesting that the names use the UK-ish spelling *defence rather than the USian *defense. I wouldn’t have thought that Russian gangs favour UK finishing schools…

Great investigative work, as usual.

David Harley CITP FBCS CISSP
Small Blue-Green World

Posted in David Harley | Tags: , , , , , , , , , , , , , , , , ,

«
»

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Categories

%d bloggers like this: