Windows 10 News and info | Forum
April 26, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Mac OS X Isnít Safe Anymore: The Crapware / Malware Epidemic Has Begun  (Read 10873 times)
Hero Member
Offline Offline

Gender: Male
United States United States

Posts: 29943

I Do Windows

WWW Email
« on: March 14, 2015, 04:41:20 AM »

OS X users like to make fun of Windows users as the only ones that have a malware problem. But thatís simply not true anymore, and the problem has increased dramatically in the last few months. Join us as we expose the truth about whatís really going on, and hopefully warn people about the impending doom.

Since it is actually Unix under the hood, OS X has some native protection against the worst types of viruses. But the problem these days isnít viruses that completely break your computer, itís spyware, crapware, and adware that sneaks onto your computer, hijacks your browser, inserts ads, and tracks what you are looking at. And much of it is legal, because you get tricked into clicking the wrong thing during an installer.

And now download sites, fake ads for software on search engines, and sketchy applications are bundling adware and crapware into installers for legitimate software. You canít just assume you are safe anymore because youíre on OS X. You need to be careful what you download and what you click.

If you donít think this is a big deal, think again. These pieces of adware insert themselves directly into the browser, and they are analyzing and running even on secure sites like your bank, credit card site, and email, sending back data to their servers. They arenít using an http hijacking proxy quite yet from what we can tell during our research, but itís only a matter of time, and they might already be doing it and we havenít found the proof yet.

Since we are primarily Mac users ourselves here at How-To Geek, weíre really hoping that Apple takes a different tactic with this problem than Microsoft has with Windows and doesnít allow these scam artists to destroy their platform.

Bundled Crapware for OS X is Getting Worse Every Day

It wasnít that long ago that you could install almost anything for OS X from almost any website, and you didnít really have to worry about what you clicked on. Thatís just not true anymore, and while things are better than they are on Windows, itís only a matter of time at this point.

You still have a safe source for software with the Mac App Store, but the problem is that not all vendors sell their software through the App Store, and many of them are selling older versions there and have the latest version on their own website. If you do stick to the App Store, you have nothing to worry about. Weíd love to see Apple fix some of the App Store issues and make everybody use it.

Just like on Windows, you donít have to look any further than CNET Downloads to find bundled crapwareÖ even for Mac. Thatís right, theyíve gone cross-platform with this nonsense. And theyíve made it worse, because you either have an Install button, or a Close button. Thereís not even a Decline anymore! When you click Close, the installer shuts down entirely. So you either have bundled crapware that hijacks your browser, or you donít get to install that app.

The one in the screenshot installs Spigot and a bunch of other nonsense that redirects your browser to Yahoo, installs a bunch of unwanted plugins, and generally makes the flying spaghetti monster cry. Itís amazing how much money Yahoo must be sinking into these things to hijack your browser to their search engineÖ when itís not even theirs. Yahoo Search is really just a rebranded version of Bing. Oh well.

Oh my! On the next screen, the installer finally allows you to Decline something again! Maybe the thing in the screenshot is so bad even CNET Downloads doesnít want to force it on you. Not a good sign.

Of course, itís not just CNET Downloads doing the bundling ó we found a number of other apps being distributed on freeware download sites that are doing their own bundling. For instance, YTD that loads http-hijacking adware for Windows has a Mac version. And they are also bundling Spigot. Want to torrent something? Why donít you go download uTorrent from their website? Seems like people love using that. Ohhh.

The problem gets much, much worse when you try to search for freeware using your favorite search engine. Itís worth noting here that Google has just recently starting trying to ban bundled crapware from their results and ads, but sadly Yahoo and Bing donít have the same level of awesome. In fact, they are just terrible.

If you are an average, regular user and you search Yahoo for ďvlc download,Ē you would be presented with something that looks like the next screenshot. And every single thing on the page is actually a link to a bundled crapware installer for VLC, and almost all of them are cross-platform and work on OS X. And the text that says ďadĒ is almost invisible.

When an unsuspecting user tries to use one of these installers, they will be presented with a screen similar to this oneÖ which installs the InstallMac awfulness that hijacks everything and puts adware into your system ó itís terrible. And, of course, the next screen tries to get you to install something else that you donít need. And then something else. Itís so much crapware.

Weíve found a lot more software thatís being served up this way, with a ton of installers from almost every bundled crapware installer company. Hereís an install wrapper for OpenOffice bundled with a really lousy piece of adware that just takes over your browser. Yeah, we searched Yahoo again for OpenOffice, and clicked on what we actually thought was the real site because their ďadĒ text was so small that we couldnít tell the difference. And this is what came up.

Itís about to become an epidemic for Mac users. So what do we have to look forward to?

Adware and Malware on OS X is Almost as Awful as on Windows

When you do manage to get infected with something, most of the adware, malware, and spyware on OS X is going to try to infect your browser somehow, hijacking your New Tab, search, and home pages, injecting ads into pages, and randomly popping up obnoxious tech support alerts. Most of it wonít wipe your hard drive or anything really terribleÖ but based on the increasing sophistication that weíre seeing, itís only a matter of time.

Many of these browser hijackers will insert ads that pop up messages that cannot be dismissed no matter what you do, as you can see in the screenshot above. And theyíll randomly show up all the time while youíre browsing, and you have to CMD + Q to close the app out entirely to get rid of them. Essentially, your browser becomes completely useless.

The simplest adware will install itself into your browser as an extension, and reset all of your pages to go through their awful, terrible search engine. And by that we mostly mean YahooÖ but there are a ton of others like searchmoose, search-quick, and searchbenny that use their own fake search engines. A few of them will redirect you to Bing, but never directly. Itís always through an intermediary like Trovi.

Most of the ads that get injected will try to trick you into installing even more ads using fake Java plugin messages, or messages that tell you to install a codec or a new version of Flash. All of these are fake, of course, and will just install even more crapware and malware on your computer. Every now and then one of them will try to serve up a piece of Windows adware, but for the most part they are smart enough to know youíre a Mac user and serve up the appropriate piece of crapware.

A lot of the adware will redirect your search engine to a fake search engine that looks a lot like Google or Bing, but all of the results are nothing but ads.

And then it will randomly start talking to you. Literally. It plays audio ads through your speakers. We heard an ad for Northrup Grumman. How crazy is that? (Weíre quite certain that they donít know about this.)

We just showed off some of the annoying adware, but much of the bundled crapware is pretty lousy stuff as well, and almost every single crapware bundler that we found, and almost every single adware ad tried to get us to install MacKeeper. We donít know much about it, although we do plan to look into how it works because these tactics are questionable.

The biggest trend that weíve noticed in adware is that almost all of it tries to redirect your browser and search engine to Yahoo. Somebody over there at Yahoo needs to get fired.

Digging Deeper: How Some of This Malware Actually Works

The simple adware works the way most adware does, by installing itself into Safariís extensions, which is pretty easy to uninstall. The problem is that only a few pieces of adware worked this way in our research.

All of the search engine hijacking, home page redirecting, and extensions injecting ads are one thing. The bigger problem is the serious malware, which installs itself deep into the operating system, and the average person would never be able to remove it. Thereís no uninstaller, thereís no Startup item, thereís no plugins in your browser, extensions, or anything else that appears to be installed.

What there are, however, are really awful ads injected into everything you do, making your computer slower than dirt. Your search engine will be hijacked, and itís possible that your browser will be routed through a proxy. This is outright malware, itís not just adware anymore, even if you accidentally forgot to uncheck a box somewhere. It works the same way the Trovi malware does on Windows, by injecting itself into processes.

These more serious pieces of malware install themselves as a daemon, or service, that runs in the background and behind the scenes. You can find these things in the /Library/LaunchAgents or /Library/LaunchDaemons folder, which will have some really weird looking items that just donít belong. This folder could also be used for real things from real applications, so donít go cleaning out this folder entirely or anything.

An examination of the plist file will show you where the actual malware resides, which is usually in a completely separate folder.

When you head into that folder and examine the Version.plist file, youíll get some more information about whatís actually going on. This thing is called Search-Quick and it supports hijacking Chrome and Safari, as well as the Webkit nightly build for some reason.

Examining further comes up with something curiousÖ the person who wrote this malware wanted to give special thanks to his mom.

Once the malware is launched by OS X as a daemon, it then uses a little-known piece of functionality in OS X that allows one process to inject itself into another process. You can see how it works by opening a terminal and running the agent executable directly. Whatís actually going on is that it will attach itself to your web browser and load itself as a hidden extension. In the screenshot below you can see that it activated for process ID 544, which was Google Chrome. Itíll do the same to Safari if it is open.

This means that adware or malware is running inside of your web browser, injecting itself into every page that you visit. It doesnít matter if you are visiting a secure banking site or not, they are already inside. One of the side effects of this malware is that your entire computer will be extremely slow, all the time, no matter what youíre doing.

For some tips on removing adware and malware in OS X, you can read the Apple support document, or just wait for our upcoming articles on the subject. Weíll be doing a lot more research into all of these things.

So What Does This All Mean, and How Do You Protect Yourself?

Even though weíve shown that malware, adware, crapware, and spyware is getting increasingly worse on OS X, that doesnít mean that you necessarily need to worry or go out and install Linux or do something drastic. OS X is still not being targeted as much as Windows is, and there are still some security measures in place that make it more difficult for malware to get through.

The safest thing that you can do is use the Mac App Store to install your applications whenever possible. These applications have been verified by Apple and should be just fine to use, and definitely wonít come with any bundled crapware or adware.

Restrict Apps that Arenít From the App Store

This wonít entirely fix the problem, but you can configure OS X to automatically restrict any executables that donít come from the App Store. This wonít apply to applications already installed on your computer, no matter where they come from. It will simply apply to new downloads.

Head to System Preferences -> Security & Privacy, click the Lock icon at the bottom, and then flip the setting over to Mac App Store instead of the default.

Once you do this, trying to run anything that isnít in the App Store will automatically show a block message. You can choose to still open it if you right-click and choose Open and then choose Open again, but by default everything is blocked.

This doesnít solve the issue of applications that you do want to install having bundled crapware that requires opting out by default. But it is a great security setting for your relatives.

When you do need to install an application from elsewhere, make sure itís really a trusted source, and not a fake site serving up open source freeware with a bundleware wrapper.

You should also consider disabling your browser plugins ó for Chrome and Firefox, thatís pretty easy, for Safari itís a little more complicated. The biggest thing you can do is disable your Java plugin, because itís pretty rare for you to need that, and because Java was responsible for 91% of attacks in 2013. This will reduce your likelihood of being targeted with a zero-day attack.

It might even be time to start considering an antivirus for OS X, at least if you like to install a lot of software from sources outside of the App Store. If you donít, itís probably not quite as big of a deal, but weíre getting closer to the point where it will be needed. What weíre not sure quite yet is what antivirus for Mac is even worthwhile and blocks this type of stuff ó on Windows, most antivirus doesnít block bundled crapware and adware at all, because they are legal since you had to agree during the install process. So donít just go pay for some antivirus right now. Just keep it in mind for the future.

Other than that, just be careful what you click on, and donít trust error messages that pop up in your web browser window. If you see something that says your computer is infected and pops up a message, hold down that CMD + Q shortcut key combination to close out of everything immediately.

Thereís no better time for Windows users to switch to Mac. With this much crapware and adware being developed, theyíll feel right at home! (Weíre joking, of course.)


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page April 12, 2019, 08:54:36 AM