Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to the news list

Dangerous adware distributes Trojans for OS X

September 22, 2015

Over the course of the month, we have published a number of reviews on Trojans that install adware and unwanted programs on computers running Windows. However, cybercriminals remain interested in other operating systems as well—recently, Doctor Web security researchers have examined a sample of adware for OS X dubbed Adware.Mac.WeDownload.1.

The sample of Adware.Mac.WeDownload.1, analyzed in Doctor Web virus laboratory, is disguised as a distribution package of Adobe Flash Player containing the following digital signature: "Developer ID Application: Simon Max (GW6F4C87KX)". This downloader is distributed via an affiliate program focused on generating income from file downloads.

screen Adware.Mac.WeDownload.1 #drweb

Once launched, Adware.Mac.WeDownload.1 prompts the user to grant it administrator privileges and sends consecutive requests to three command and control servers, whose addresses are hard coded in its body, to get data for the main application window. If none of the servers responds, the downloader terminates its work. If Adware.Mac.WeDownload.1 gets a response, it sends the command and control server a POST request containing the downloader's configuration data in JSON format (JavaScript Object Notation). As a reply, the program receives an HTML page with the contents of the main window. The downloader adds a current time mark and a digital signature, which is generated based on a special algorithm, to all future GET and POST requests.

Once an appropriate request is sent, Adware.Mac.WeDownload.1 receives a list of applications that the user will be prompted to install. The list includes not only unwanted programs but also malicious ones, including Program.Unwanted.MacKeeper, Mac.Trojan.Crossrider, Mac.Trojan.Genieo, Mac.BackDoor.OpinionSpy, various Trojans belonging to the Trojan.Conduit family, and some other dangerous applications.

screen Adware.Mac.WeDownload.1 #drweb

The total number and types of programs depend on the victim's geolocation. If the list of applications is empty, the user will not be offered to install anything else except for their original choice.

Doctor Web security researchers would like to remind users of Apple computers to be careful and to download applications only from reliable sources. The signature of Adware.Mac.WeDownload.1 has been added to Dr.Web virus database for OS X, and, therefore, this downloader poses no threat to our users.

More about this downloader

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments