Free Republic

Adware makers turn their sights on OS X
Betanews | May 29, 2015 | By Ian Barker

Posted on 05/29/2015 11:45:36 AM PDT by Swordmaker

Hot on the heels of news that OS X topped the vulnerabilities charts in April comes Dr. Web's virus activity review for May which shows increasing quantities of adware and unwanted applications targeting the Apple operating system.

The company reports several programs aimed at OS X that either install adware, install other applications or inject JavaScript code into webpages.

Adware.Mac.InstallCore.1 can not only install unwanted programs on the user's computer but also change the browser home page and the search engine used by default. The program incorporates debugging functions too -- once launched, it scans the system for the presence of virtual machines, anti-virus tools, and some other applications. If the scan returns positive results, the malware will not prompt the user to install additional programs.

Adware.Mac.WebHelper can be launched automatically with the help of PLIST (Property List) files. The application can modify the home page in Chrome, Firefox, and Safari. It can also change the default search engine to my-search-start.com. It contains a binary file that executes two AppleScripts (for Chrome and Safari) in an infinite loop. These scripts inject JavaScript code into webpages browsed by the user. Running this code, in turn, results in downloading other JavaScripts that display adverts in the browser window.

There's similar functionality in Mac.Trojan.Crossrider which is distributed in the guise of an installation package (Safari Helper). Crossrider trojans may be familiar to Windows users but this variant specifically targets Apple systems. Running it triggers a stealthy installation of the FlashMall extension for Safari, Chrome, and Firefox. It also adds two applications to the system startup list: "WebSocketServerApp" and "Safari Security". The first is responsible for communication with the command and control server and the second one installs browser extensions. In addition the malware modifies the startup scripts for the browser extensions to be updated in the future.

Apple users may like to know they're not the only ones that are coming under attack. Linux.Kluh.1, developed by a Chinese hacker group, infects routers with the purpose of launching DDoS attacks. Linux.Iframe.4 is a malicious plug-in for the Apache web server that injects code into web pages browsed by users redirecting the victim to the web page run by cybercriminals.

Trojans continue to be the big threat to Windows systems with an overall increase of 14.9 percent in the amount of malware and riskware detected in May. Android users aren't safe either with an increase in numbers of banking and SMS trojans as well as the emergence of new ransomware.

There's been a big increase in malicious websites too with 221,346 URLs being added to Dr. Web's database in May. Many of these use social engineering techniques like sending bulk SMS messages informing the recipient that they have won a car. The message contains a link to a website which tries to get visitors to part with their financial details.

More information on these and other threats is available on the Dr. Web site.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: macosx; security

As usual, everything from Dr. Web is suspect. Dr. Web is the Russian A/V site that claimed to have found the amazing shrinking and finally disappearing Java based 630,000 member MacBot several years ago that turned out to have been a hoax to sell their newly released Anti-virus for Mac Business release. . . and last year rinsed and repeated the same plan with claiming to find ANOTHER java based 20,000 member MacBot when they were releasing their new Mac anti-virus for Personal Macs.

Dr. Web announced they'd found this first OS X MacBot with 630,000 member computers. . . but a week later the number of computers was down to 270,000, then shrank to 160,000 a few days later, then 120,000, then 80,000, then disappeared completely and out of the news cycle, never to be heard of again. . . as no one ever found one.

Not one member of either of these claimed MacBots was ever found in the wild. To get infected with the MacBot trojan, a user had to visit an obscure Russian language gaming site, download an infected Russian language game character definition, ignore the triple step warning of a known trojan provided by the operating system when downloaded, installed and first run, giving an administrator's name and password, for a game that had had fewer than 10,000 downloads. . . yet 95% of the so-called infected Macs were located in the English speaking USA, Canada, and Great Britain? RIGHT, Sure. Dr. Web's only evidence of the claimed existence of these MacBot computers is that they had set up a "honeypot" server to intercept the infected Macs as they called home for instructions and compiled a list of the UUIDs of those infected Macs.

Big problem. The list that Dr. Web had on their honeypot included OS X Macs that never had JAVA installed, a requirement to run the Trojan carrying the malware, UUIDs of Macs that had not yet been manufactured, and UUIDs that had never even been connected to the Internet to download the Trojan (I had two of those at my office). What Dr. Web had was merely a list of UUIDs of Macs. . . none of which were ever infected!

Now they are introducing their anti-Adware software for Mac. . . and they are claiming an epidemic of Adware trojans for OS X Macs.

1 posted on 05/29/2015 11:45:37 AM PDT by Swordmaker
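
A defender-side check for the persistence the article describes (launch via PLIST files and added startup items), as an added example that is not part of the article or of any post in this thread: it parses launchd property lists and flags jobs that reference the names the article gives. Which plist keys those names would appear in, and the two sample jobs, are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path

# Names quoted in the article; where they show up inside a plist is an assumption.
INDICATORS = ("WebSocketServerApp", "Safari Security", "FlashMall", "my-search-start.com")
EXEC_KEYS = ("Label", "Program", "ProgramArguments")  # keys launchd uses to name/run a job
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")

def _strings(value):
    """Yield every string nested in a plist value (str, list or dict)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)

def audit_launch_plist(raw: bytes) -> list:
    """Return findings for one launchd job definition (XML or binary plist)."""
    try:
        job = plistlib.loads(raw)
    except Exception:  # a malformed file in a launch directory is itself worth a look
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    for key in EXEC_KEYS:
        for text in _strings(job.get(key, "")):
            for name in INDICATORS:
                if name.lower() in text.lower():
                    findings.append(f"{key} references {name!r}: {text}")
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append("job starts automatically (RunAtLoad/KeepAlive)")
    return findings

# Constructed sample jobs (not real samples), serialized the way launchd reads them.
SUSPECT = plistlib.dumps({"Label": "com.example.WebSocketServerApp", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Safari Security.app/Contents/MacOS/Safari Security"]})
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/updater", "--check"]})

if __name__ == "__main__":
    print(audit_launch_plist(SUSPECT), audit_launch_plist(BENIGN))
    for d in LAUNCH_DIRS:  # on a Mac, also audit the real launch directories
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            for finding in audit_launch_plist(path.read_bytes()):
                print(f"{path}: {finding}")
```

A name match is only a lead for review: a job that merely shares one of these strings is not proof of infection, and a renamed variant would not match.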

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
Dr. Web, the Russian A/V company that loves to cry wolf to sell their Mac products, is claiming that Apple OS X is being targeted with AdWare as they introduce their new Dr. Web anti-Adware product. — PING!


Apple Security NOT Ping!

If you want on or off the Mac Ping List, Freepmail me.

I challenge the members of the Apple ping list to each donate at least $10 each to the latest Freepathon. I HAVE donated $100. Many members of the Apple Ping list are already rising to the challenge. Join them. Let's show the power of the Apple Ping list in supporting Freerepublic!

If you have ordered an Apple Watch,
MAKE A DONATION TO THE FREEPATHON!

2 posted on 05/29/2015 11:51:08 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: All

Your Mac has built in protection that will warn you if you attempt to download, install, or run Adware.Mac.WebHelper, Mac.Trojan.Crossrider, or any of the other 57 known trojan horse programs or any variants in the eight known families since these are recognized by the OS X malware database.


3 posted on 05/29/2015 11:59:16 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

I swear that 99% of malware - for all platforms - is written by or on behalf of the “anti-malware” companies.


4 posted on 05/29/2015 12:23:17 PM PDT by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)

To: kevkrom

Using Linux Mint 17.1 right now.
Fastest OS I ever used. And on a single proc. All the windoze boxes I have are dual proc. And the Linux box does circles around them.


5 posted on 05/29/2015 2:50:14 PM PDT by bicyclerepair (Ft. Lauderdale FL (zombie land). TERM LIMITS ... TERM LIMITS)
