INSECURITY FIRM Kaspersky Lab has revealed an interesting new downloader that carries two software drivers and installs fake antivirus malware for both PC and Mac systems.
The program first needs to be delivered by the Blackhole Exploit Kit, which targets flaws in the Java Runtime Environment (JRE) and PDF files. It carries a 32-bit and a 64-bit driver, both described as "standard rootkits with rich functionality".
Kaspersky Lab researcher Vyacheslav Zakorzhevsky said that one of the rootkits took advantage of the 'testsigning' mode in Windows Vista and higher, which is intended to let developers test the drivers they write. Unfortunately, criminals have made use of it to load drivers without legitimate signatures.
Zakorzhevsky said, "Once the driver is successfully loaded and running on the system, it's difficult to get rid of it. The rootkit blocks the launch of drivers belonging to anti-rootkit and antivirus products."
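A defender's check for the boot setting the rootkit relies on, written as an added example that is not code from the article or from Kaspersky Lab: it reads the 'testsigning' (and the related 'nointegritychecks') flag from the active boot entry and lists running kernel drivers whose image does not carry a valid Authenticode signature. It assumes an elevated PowerShell prompt on Windows Vista or later, since bcdedit needs administrator rights.

```powershell
# Added example, not code from the article or Kaspersky Lab: audit a Windows host
# (Vista or later, elevated PowerShell) for the boot settings that let unsigned
# drivers load, and list running kernel drivers whose image is not validly signed.

function Get-BcdFlag {
    param([string]$Name)
    # bcdedit prints "<name>   <value>" lines; only the active boot entry matters.
    foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
        if ($line -match "^\s*$Name\s+(\S+)\s*$") { return $Matches[1] }
    }
    return 'No'   # a flag that is absent from the entry is at its default (off)
}

function Get-UnsignedRunningDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths WMI may return into Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path $path)) { return }
            # Catalog-signed inbox drivers report Valid on Windows 8 and later; on older
            # systems they may show as NotSigned and need triage by path and vendor.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status }
            }
        }
}

$testSigning = Get-BcdFlag -Name 'testsigning'
$noIntegrity = Get-BcdFlag -Name 'nointegritychecks'
Write-Output "testsigning       : $testSigning"
Write-Output "nointegritychecks : $noIntegrity"
if ($testSigning -eq 'Yes' -or $noIntegrity -eq 'Yes') {
    Write-Warning 'Driver signature enforcement is relaxed; this host will load test-signed or unsigned drivers.'
}
Write-Output 'Running drivers without a valid Authenticode signature:'
Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

A host that has 'testsigning' set to Yes without a developer's reason for it deserves investigation, and any unsigned driver in the list should be matched against the vendor's known files before being trusted.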
The downloader, written in C++, uses the 32-bit or 64-bit driver to launch files from a list of URLs. One of the links is to a fake anti-virus product that targets Mac OS, which, oddly, the rootkit tries to run under Windows.
The researcher added, "It appears that the developers of the latest rogue AV program for MacOS are actively distributing it via intermediaries, who don't really understand what it is they are supposed to install on users' computers."
You just can't find good help any more nowadays.