This week, our friends at Trend blogged about a new misleading application for the Mac. We decided to take a look at it as well. The application, named iMunizator, is a variant of the well known rogue antivirus product called Macsweeper, which we have blogged about previously.
When launched, iMunizator performs a full scan of the system and soon after it reports the “problems” that it found. Worryingly, some of the files detected by iMunizator are actually safe system binaries that should never be removed—files with "app" extensions. See the screenshot below:
iMunizator reports these safe files as "problems" and recommends their removal. Of course, it doesn't forget to ask the user to pay a license fee for this operation.
Once the scan is complete and the user still hasn't purchased the license, the program shows the popup below with a "helpful" recommendation; this appears shortly after the scan finishes. The window uses obvious and well-known scareware tactics to persuade the user to purchase the full version of the product.
The link between Macsweeper and iMunizator can be easily found. For example, some resource files that are packaged with iMunizator still contain Macsweeper strings and references:
We left the biggest surprise to the end. The mechanism used by iMunizator to report all the "potential" problems within the system is based on a log file that is generated by simply running common shell commands. These shell commands consist of nothing more than commands that can enumerate the filesystem in order to find Universal Binaries. That is, the user interface is a wrapper for a couple of shell commands, as shown below.
Together with typos and errors on the user interface, the above code gives a good insight into the motives and skills of the program's authors.
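To see what such a "scan" actually measures, here is an added example (not the rogue's own code and not from the original post) that reproduces the check in Python: it parses the Mach-O fat header that marks a Universal Binary and walks a directory for files that carry one, which is all the flagged "problems" have in common. The CPU-type constants are the standard Mach-O values; the Java class-file cut-off is a heuristic, and the sample bytes are constructed.

```python
import os
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian magic of a Mach-O fat (universal) header
FAT_ARCH = ">IIIII"             # cputype, cpusubtype, offset, size, align (20 bytes)
CPU_NAMES = {7: "i386", 18: "ppc", 12: "arm", 0x01000007: "x86_64", 0x01000012: "ppc64"}

def parse_fat_header(data):
    """Return [(arch, offset, size), ...] if data starts with a fat header, else None."""
    if len(data) < 8:
        return None
    magic, nfat_arch = struct.unpack(">II", data[:8])
    # Java class files share this magic but carry a major version (>= 45) here,
    # so an implausibly large slice count is rejected (file(1) uses a similar cut-off).
    if magic != FAT_MAGIC or nfat_arch == 0 or nfat_arch > 30:
        return None
    slices = []
    for i in range(nfat_arch):
        start = 8 + i * 20
        if len(data) < start + 20:
            return None              # truncated header: do not trust it
        cputype, _sub, offset, size, _align = struct.unpack(FAT_ARCH, data[start:start + 20])
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return slices

def is_universal_binary(data):
    return parse_fat_header(data) is not None

def find_universal_binaries(root):
    """Walk root and return paths whose first bytes form a valid fat header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8 + 30 * 20)   # enough for the largest accepted header
            except OSError:
                continue                 # unreadable file: skip it
            if is_universal_binary(head):
                hits.append(path)
    return hits

# Constructed samples (not real files): a two-slice ppc/i386 fat header, and the
# first bytes of a Java class file (major version 50) that share the magic.
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(FAT_ARCH, 18, 10, 4096, 1000, 12)
              + struct.pack(FAT_ARCH, 7, 3, 8192, 1200, 12))
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe00000032")
```

Running `find_universal_binaries("/Applications")` on a Mac of that era lists the bundled system applications, which is exactly why a "Universal Binary" criterion says nothing about whether a file is unwanted.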
iMunizator is the second misleading application for Mac this year. Is it the last? Hard to say. During the latest CanSecWest Pwn2Own contest, the team of Charlie Miller, Jake Honoroff, and Mark Daniel was the first to "pwn" one of the possible targets, a brand new MacBook Air shipped with Mac OS X 10.5.2. The new vulnerability affects the Safari browser and was exploited only during the second phase of the contest, which allows the researchers to attempt to exploit default client-side applications. Mac OS fell again due to a vulnerability within the Safari browser, as happened in the previous edition of the same contest.
Interest in this platform is growing and the fact that clones of misleading applications pop up in cyberspace more and more often is worrying. When rogue antivirus clones first appeared on the Windows platform, the number of “different” products appearing rose very quickly. Since this is the first rogue antivirus clone for Mac OS X, unfortunately, we should expect plenty more to come.