Tuesday, September 22, 2015

Feedly: Virus alerts. Dangerous adware distributes Trojans for OS X

from Virus alerts

September 22, 2015

The sample of Adware.Mac.WeDownload.1 analyzed in the Doctor Web virus laboratory is disguised as a distribution package of Adobe Flash Player and is signed with the following digital signature: "Developer ID Application: Simon Max (GW6F4C87KX)". This downloader is distributed via an affiliate program that generates income from file downloads.
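One practical check suggested by the signature above is to compare an installer's code-signing identity with the vendor it claims to be from: a "Flash Player" package should carry Adobe's Developer ID, not an unrelated developer's. The script below is an added example, not Doctor Web's code. It parses the text that `codesign -dv --verbose=4` writes to stderr (the `Authority=` lines) and classifies the result; the allowlist of expected signer names and the sample `codesign` output are constructed for illustration, with the signer name taken from this advisory.

```python
"""Flag a macOS installer whose Developer ID signer does not match the
vendor it claims to be from.  Added example; the allowlist and the sample
codesign output are constructed, not taken from Doctor Web's analysis."""
import re
import shutil
import subprocess
from typing import Optional

# Hypothetical allowlist: expected Developer ID signer names per claimed
# vendor.  Constructed for illustration; confirm real signer names against
# a known-good download from the vendor before relying on them.
EXPECTED_SIGNERS = {
    "adobe": ("Adobe Systems Incorporated", "Adobe Inc."),
}

AUTHORITY_RE = re.compile(r"^Authority=(.*)$", re.MULTILINE)
DEVELOPER_ID_RE = re.compile(
    r"^Developer ID (?:Application|Installer): (.+?) \([A-Z0-9]{10}\)$")


def leaf_authority(codesign_output: str) -> Optional[str]:
    """Return the first Authority= line (the leaf signing certificate)
    from `codesign -dv --verbose=4` output, or None if there is none
    (unsigned code prints 'code object is not signed at all')."""
    m = AUTHORITY_RE.search(codesign_output)
    return m.group(1).strip() if m else None


def developer_id_name(authority: str) -> Optional[str]:
    """Extract the developer name from
    'Developer ID Application: Name (TEAMID)'; None for other chains."""
    m = DEVELOPER_ID_RE.match(authority)
    return m.group(1) if m else None


def assess(codesign_output: str, claimed_vendor: str) -> str:
    """Classify an installer as 'ok', 'unsigned', 'not-developer-id'
    or 'signer-mismatch' relative to the vendor it claims to be from."""
    authority = leaf_authority(codesign_output)
    if authority is None:
        return "unsigned"
    name = developer_id_name(authority)
    if name is None:
        return "not-developer-id"  # ad-hoc, expired or non-Developer-ID chain
    if name in EXPECTED_SIGNERS.get(claimed_vendor.lower(), ()):
        return "ok"
    return "signer-mismatch"


def codesign_info(path: str) -> str:
    """Run codesign on a real bundle (macOS only).  codesign writes its
    signing details to stderr, so that stream is returned."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign is not available on this system")
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return proc.stderr


# Constructed sample output in codesign's format.  Only the leaf signer
# name comes from the advisory; the paths and identifier are placeholders.
SAMPLE_OUTPUT = """Executable=/Volumes/Flash Player/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Simon Max (GW6F4C87KX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

if __name__ == "__main__":
    # A package presented as Adobe Flash Player but signed by another
    # developer is reported as a signer mismatch.
    print(assess(SAMPLE_OUTPUT, "Adobe"))
```

On a Mac, `assess(codesign_info("/path/to/Install.app"), "Adobe")` applies the same check to a real bundle. The check deliberately looks only at the leaf signer name: a valid Apple-issued Developer ID proves who signed the package, not that the package is what its branding claims, which is exactly the gap this downloader relies on.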

[Screenshot: Adware.Mac.WeDownload.1]

Once launched, Adware.Mac.WeDownload.1 prompts the user to grant it administrator privileges and then queries, one after another, three command and control servers whose addresses are hard-coded in its body, asking for the data to display in its main application window. If none of the servers responds, the downloader exits. If a server does respond, the downloader sends it a POST request carrying the downloader's configuration data in JSON (JavaScript Object Notation) format and receives in reply an HTML page with the contents of the main window. Every subsequent GET and POST request additionally carries the current timestamp and a digital signature generated by a custom algorithm.

After this exchange, Adware.Mac.WeDownload.1 receives a list of applications that the user will be prompted to install. The list includes not only unwanted programs but also malicious ones, among them Program.Unwanted.MacKeeper, Mac.Trojan.Crossrider, Mac.Trojan.Genieo, Mac.BackDoor.OpinionSpy, various Trojans of the Trojan.Conduit family, and other dangerous applications.

[Screenshot: Adware.Mac.WeDownload.1]

The number and types of programs offered depend on the victim's geolocation. If the list of applications is empty, the user is offered nothing beyond the application they originally chose to download.

Doctor Web security researchers remind users of Apple computers to be careful and to download applications only from trusted sources. The signature of Adware.Mac.WeDownload.1 has been added to the Dr.Web virus database for OS X, so this downloader poses no threat to our users.

More about this downloader
