March 3, 2016
The Mac.Trojan.VSearch Trojans begin their malicious activity with an application installer that Dr.Web detects as Mac.Trojan.VSearch.2. It is spread masquerading as various utilities or software—for instance, as the Nice Player application. Users can download it from different websites offering free OS X software.
Once the installer is launched, the user sees a standard greeting on the screen. When they click “Continue”, Mac.Trojan.VSearch.2 should display a list of components that the user can install in addition to the desired application. A dialog of this kind usually prompts the user to choose the modules they need from the list. In practice this does not happen: the installer skips this step and moves to the next stage, prompting the user to specify the installation folder. The installation then proceeds as if the user had checked all the offered components themselves. Among them are the Mac.Trojan.VSearch.4 Trojan and such dangerous and unwanted applications as MacKeeper (Program.Mac.Unwanted.MacKeeper), ZipCloud (Program.Mac.Unwanted.ZipCloud), and Mac.Trojan.Conduit.
After Mac.Trojan.VSearch.4 is installed on the infected computer, the Trojan downloads a script from the server. This script is used to set another default search engine: the Trovi server. In addition, using this script, Mac.Trojan.VSearch.4 can download and install a search plug-in for Safari, Chrome, and Firefox. Dr.Web detects this plug-in as an unwanted application named Program.Mac.Unwanted.BrowserEnhancer.1. Finally, the Trojan downloads and installs another malicious program, Mac.Trojan.VSearch.7.
Doctor Web specialists found that 1,735,730 malicious programs were downloaded from the cybercriminals’ servers. They also registered 478,099 unique IP addresses that sent requests to these servers. These figures make it possible to make certain assumptions about the distribution area of the threat. Dr.Web for OS X successfully detects Trojans belonging to the Mac.Trojan.VSearch family; therefore, they do not pose any threat to our users.