Unwanted application attacks Mac OS X users
Doctor Web security specialists have long analyzed unwanted and malicious programs that install themselves covertly, push the user into downloading suspicious applications, or add browser plug-ins without the user's knowledge. Such software has recently become widespread, mainly targeting Microsoft Windows users, but more and more programs of this kind are also appearing for Mac OS X. One of them has just been added to the Dr.Web virus database under the name Adware.Mac.InstallCore.1.
In particular, the SDK files include a configuration file, config.js, with a dedicated section describing which applications should be downloaded. This section specifies how many applications must be installed on the system, which programs and virtual machines, if present, prevent additional programs from being installed, and the list of components to install. The configuration file bundled with the application is not the only one the program uses. Another file is fetched from a remote server whose address is specified in the local configuration file. Data downloaded from the network is encrypted using the XOR algorithm and compressed using GZIP. The encrypted file contains various data and language parameters required to display the program's interface elements correctly.
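For analysts who capture such a downloaded blob, the following added example (not code from Doctor Web or from the sample itself) shows how an XOR layer over a GZIP stream can be removed without knowing the key. It assumes the data was compressed first and then XORed with a repeating key of one to three bytes; the function names and the sample fields are hypothetical.

```python
import gzip
import json
import zlib

# Fixed start of every gzip member (RFC 1952): ID1, ID2, CM=8 (deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_config(blob: bytes):
    """Recover (key, plaintext) from an XOR-obfuscated gzip stream.

    Assumption: compress first, then XOR with a repeating key of 1-3 bytes.
    Because the first three plaintext bytes are known, each candidate key
    falls out of blob[:n] XOR GZIP_MAGIC. Returns None if nothing decodes.
    """
    for key_len in range(1, len(GZIP_MAGIC) + 1):
        key = bytes(c ^ p for c, p in zip(blob[:key_len], GZIP_MAGIC))
        candidate = xor_bytes(blob, key)
        if not candidate.startswith(GZIP_MAGIC):
            continue  # key is longer than key_len: header does not line up
        try:
            # gzip checks the CRC32 trailer, so a wrong key is rejected here.
            return key, gzip.decompress(candidate)
        except (OSError, EOFError, zlib.error):
            continue
    return None


def make_sample(key: bytes) -> bytes:
    """Build a constructed test blob; field names are invented for the demo."""
    plain = json.dumps({"lang": "en", "title": "Setup"}).encode()
    return xor_bytes(gzip.compress(plain), key)


if __name__ == "__main__":
    print(recover_config(make_sample(b"\x5a\xc3")))
```

If the sample instead XORs the data before compressing it, the outer layer is plain GZIP and the known-header trick no longer applies to the inner data.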
The scripts.js file can check the computer for virtual machines and certain installed applications. The malware will not prompt the user to install additional programs if it runs in a VirtualBox, VMware Fusion or Parallels environment, or if the Xcode development environment or the Charles application, which is used to debug programs, is detected on the Mac. There are several other cases in which the unwanted application will not ask the user to install additional programs, namely when one of the following antivirus applications is detected on the system: AVG, Avast, BitDefender, Comodo, ESET, Kaspersky, Sophos, Symantec, Intego, ClamAV or F-Secure. In addition, the Adware.Mac.InstallCore.1 blacklist contains several other applications.
The following list presents several programs and tools that Adware.Mac.InstallCore.1 can install on the compromised system:
- Yahoo Search
- MacKeeper (Program.Unwanted.MacKeeper)
- MacBooster 2
- PremierOpinion (Mac.BackDoor.OpinionSpy)
source: Doctor Web