December 9, 2015

Virus makers become more and more interested in targeting Apple users. It is proved by the frequent detection of new malware for OS X. The majority of such programs are designed to advertise or covertly install various applications and utilities. Yet another suchlike malicious program detected by Doctor Web security researchers was named Adware.Mac.Tuguu.1.

Like other modifications of this malware, Adware.Mac.Tuguu.1 can covertly install various additional programs (usually useless, but sometimes even malicious) to user’s Mac computer. The commercial interest of cybercriminals is to get money for every successful installation of such applications.

Adware.Mac.Tuguu.1 is distributed under the guise of free programs for OS X. Once launched, this dangerous application reads the content of the ".payload” configuration file located in the same folder as the setup file of the application. Then it detects the address of the command and control server (C&C server) and modifies it. Using an encrypted request, Adware.Mac.Tuguu.1 refers to the C&C server for the list of additional programs that the user will be prompted to install. The server response is also encrypted and contains several fields that determine what applications should be installed to the user’s Mac. Judging from inner numeration used by the installer, there are 736 programs. Every program has its own conditional “rate” for Adware.Mac.Tuguu.1. It means that due to the limited maximum number of applications that can be installed at a time, the installer, using specific algorithm, tries to create an optimal list of compatible software with the highest “rate”.

Before the installation, Adware.Mac.Tuguu.1 checks if the offered programs are compatible with each other. For example, it will not install the MacKeeper application along with the MacKeeper Grouped application. What is more, Adware.Mac.Tuguu.1 tries to make sure that such software was not installed earlier. Then, before the end of its operation, it checks that the installation was completed successfully.

The dialog of Adware.Mac.Tuguu.1 has the Custom Installation mode, which shows check boxes that allow to refuse all the additional software. That is why, this malicious program cannot be labeled as a Trojan. However, Adware.Mac.Tuguu.1 is a typical adware that is quite able to “litter” the operation system with useless software taking advantage of the user’s carelessness. Dr.Web Anti-virus for OS X can detect and remove this program, so it does not pose any threat to Dr.Web users.

More about this threat