Unwanted application attacks Mac OS X users

Unwanted and malicious programs that install themselves covertly, pressure the user into loading suspicious applications, or add browser plug-ins without the user's knowledge have been analysed by Doctor Web security specialists for a long time. This type of software has recently spread quite widely, mainly targeting Microsoft Windows users, but more and more such programs are appearing for Mac OS X as well. One of them has just been added to the Dr.Web virus database under the name Adware.Mac.InstallCore.1.

The unwanted application Adware.Mac.InstallCore.1 is an installer containing three main folders: bin, MacOS and Resources. The bin folder holds an application that Dr.Web Antivirus detects as Tool.Mac.ExtInstaller; it offers to install browser plug-ins and also changes the browser's homepage or default search service. The MacOS folder contains the installer binary. The Resources folder contains the main part of the Software Development Kit (SDK) in the form of JavaScript scripts, which may optionally be encrypted with the AES algorithm.

In particular, the SDK files include a configuration file, config.js, with a special section describing which applications should be downloaded. This section specifies how many applications must be installed in the system, which installed programs and virtual machines prevent the installation of additional programs, and the list of components to be installed. The configuration file bundled with the application is not the only one the program uses. Another file is fetched from a remote server whose address is specified in the local configuration file. The data downloaded from the network are XOR-encrypted and GZIP-compressed. This encrypted file contains various data and language parameters required for the correct display of the program's interface elements.
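The remote configuration described above is XOR-encrypted and GZIP-compressed. As an added example (not Doctor Web's code, and not the sample's actual format beyond what the text states), the Python below assumes the server gzips a JSON document and then XORs it with a short repeating key, builds a constructed blob in that shape, and shows how an analyst can recover a 1 to 4 byte key from the fixed gzip header bytes and decode the configuration without knowing the key in advance.

```python
import gzip
import json
import struct
import zlib
from itertools import cycle
from typing import Optional

# Assumed layout (the page only states "XOR-encrypted and GZIP-compressed"):
# the server gzip-compresses a JSON document and then XORs it with a short
# repeating key. The key and the JSON below are constructed sample values.
SAMPLE_KEY = b"k3y!"
SAMPLE_CONFIG = {"lang": "en", "offers": ["Yahoo Search", "MacKeeper"],
                 "ui": {"title": "Install"}}

# A gzip stream without optional header fields always starts with these bytes:
# ID1=0x1f, ID2=0x8b, CM=8 (deflate), FLG=0. They serve as known plaintext.
GZIP_HEADER_PREFIX = b"\x1f\x8b\x08\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def make_sample_blob() -> bytes:
    """Produce a blob shaped like the downloaded config: compress, then XOR."""
    return xor_bytes(gzip.compress(json.dumps(SAMPLE_CONFIG).encode()), SAMPLE_KEY)


def recover_key(blob: bytes) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key of 1 to 4 bytes:
    blob[i] ^ header[i] yields key byte i, and a candidate counts only if the
    decoded stream really gunzips (header, inflate and CRC all check out)."""
    for key_len in range(1, len(GZIP_HEADER_PREFIX) + 1):
        candidate = xor_bytes(blob[:key_len], GZIP_HEADER_PREFIX[:key_len])
        try:
            gzip.decompress(xor_bytes(blob, candidate))
        except (OSError, EOFError, zlib.error, struct.error):
            continue  # wrong key or wrong key length
        return candidate
    return None


def decode_config(blob: bytes) -> dict:
    """Recover the key, strip the XOR layer, gunzip and parse the JSON inside."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no 1-4 byte XOR key turns the blob into a gzip stream")
    return json.loads(gzip.decompress(xor_bytes(blob, key)))
```

Keys longer than four bytes are not fully determined by the fixed header prefix, so for those a longer known plaintext or an inflate-validated search over the remaining bytes is needed.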

The scripts.js file provides the ability to check the computer for the presence of virtual machines and certain already installed applications. The malware will not prompt the user to install additional programs if it is running in a VirtualBox, VMware Fusion or Parallels environment, or if the Xcode development environment or the Charles application used for debugging programs is detected on the Mac. There are several other cases in which the unwanted application will not ask the user to install additional programs, namely when one of the following antivirus applications is detected in the system: AVG, Avast, BitDefender, Comodo, ESET, Kaspersky, Sophos, Symantec, Intego, ClamAV or F-Secure. The blacklist of Adware.Mac.InstallCore.1 also contains several other applications.

The following list presents several programs and tools that Adware.Mac.InstallCore.1 can install on the compromised system:

  • Yahoo Search
  • MacKeeper (Program.Unwanted.MacKeeper)
  • ZipCloud
  • WalletBee
  • MacBooster 2
  • PremierOpinion (Mac.BackDoor.OpinionSpy)
  • RealCloud
  • MaxSecure
  • iBoostUp
  • ElmediaPlayer

The Adware.Mac.InstallCore.1 signature has been added to the Dr.Web virus databases for Mac OS X, so Dr.Web users are already reliably protected against the malicious activity of this program.

source: Doctor Web
