New Adware Facilitates the Distribution of Trojans for Mac Users


sinu (thread author):
A new piece of adware that serves as an entry point for future trojan infections was discovered by Dr.Web security researchers.

This new malware was named Adware.Mac.WeDownload.1 because it was first spotted on the WeDownload.com domain, packed with a modified version of Adobe Flash Player.

As Dr.Web researchers found out, the package was signed with "Developer ID Application: Simon Max (GW6F4C87KX)" and was being actively distributed as part of one of those shady affiliate programs that reward developers based on the number of file downloads.

Taking a closer look at the file, researchers found out that, once double-clicked, the adware would first want administrator privileges on the infected machine, with the purpose of installing the Flash Player package.

Ink (Administrator, Staff Member):
Mac OS X defaults to Standard accounts for all users. Mac has various built-in defences, but not an antivirus.
Windows defaults to an Admin account for all users. Windows has Defender as basic antivirus protection, but its protection against adware has yet to improve.

Distributing adware through fake Adobe Flash Player updates requires the user to click Run (on Windows) or Password (with UAC), or enter admin credentials (on Mac).

@Secondmineboy How do you suggest OS X to improve? And Windows for that matter?

Ink (Administrator, Staff Member):
Currently, I cannot think of a filter better than Safe Browsing, and even Firefox uses it. So Safari users can enable Google Safe Browsing, or they can use a different browser.

How Gatekeeper works: OS X: About Gatekeeper - Apple Support
I'll ask again, in what way can Gatekeeper be improved?

As with Windows and other Antivirus software, Adware protection is still poor.

Mac OS X does not currently protect you very well against adware. There are a number of adware programs out there these days, which get installed through devious methods. Sometimes they are included with installers downloaded from unscrupulous download sites, such as Softonic or Download.com. Sometimes they are found on sites offering Adobe Flash Player updates, video plug-ins, video streaming apps and other assorted junkware, but what you end up downloading is really just an adware installer with no signs of the promised software. Often they are found when downloading files from torrents or from piracy sites (like Pirate Bay).

Unfortunately, most adware is not detected by XProtect in Mac OS X, nor is it blocked by Gatekeeper. In fact, most anti-virus apps won’t even detect adware at all, and if they do, they only call it a PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program) rather than actually calling it adware.
Source: The Safe Mac » Mac Malware Guide : How does Mac OS X protect me?

What part of this adware bypasses the default security?
"once double-clicked, the adware would first want administrator privileges on the infected machine, with the purpose of installing the Flash Player package."

Secondmineboy (Level 26):
Regarding Gatekeeper, if you look in that PDF I linked in my last post, you can see that almost all security features on a Mac can be bypassed due to issues.

Gatekeeper can be gotten around by external developer certs, XProtect can be bypassed by just renaming files...
Their sandbox has 20+ bugs to escape it, AVs can be gotten around as well...

https://s3.amazonaws.com/s3.synack.com/RSAC+2015+Final.pdf

^^All listed inside that PDF with examples
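Ink's question (what part of this adware bypasses the default security) and Secondmineboy's point about external developer certs meet in the same place: Gatekeeper checks for a valid Developer ID signature, not for a trustworthy developer, so a signed package that asks for the admin password passes by design. As an added example that is not from the thread, Dr.Web or Apple, here is a small Python triage of `codesign -dvvv`-style output that flags the team ID named in the article; the `Authority=` / `TeamIdentifier=` line format is assumed from codesign's verbose output, and the sample inputs below are constructed.

```python
import re

# Team ID from the Developer ID cert Dr.Web reported on the Adware.Mac.WeDownload.1 package
KNOWN_BAD_TEAM_IDS = {"GW6F4C87KX"}

def parse_codesign(output):
    """Parse codesign -dvvv style key=value lines. Authority repeats (leaf first), so it is a list."""
    info = {"Authority": []}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("code object is not signed at all"):
            info["unsigned"] = True
        elif line.startswith("Authority="):
            info["Authority"].append(line[len("Authority="):])
        elif "=" in line:
            key, value = line.split("=", 1)
            info[key] = value
    return info

def triage(output):
    """Return 'unsigned', 'blocked-developer-id', 'developer-id' or 'other'.
    A default Gatekeeper policy only stops 'unsigned'; any valid Developer ID cert is
    accepted, so the team behind a 'developer-id' verdict still needs vetting."""
    info = parse_codesign(output)
    if info.get("unsigned"):
        return "unsigned"
    leaf = info["Authority"][0] if info["Authority"] else ""
    team = info.get("TeamIdentifier")
    if not team or team == "not set":
        # the team ID is also embedded in the leaf certificate's common name
        m = re.search(r"\(([A-Z0-9]{10})\)$", leaf)
        team = m.group(1) if m else None
    if team in KNOWN_BAD_TEAM_IDS:
        return "blocked-developer-id"
    if leaf.startswith("Developer ID Application:"):
        return "developer-id"
    return "other"

# Constructed samples: paths and the second developer are placeholders, not from the thread
SAMPLE_ADWARE = """Executable=/tmp/example/Installer
Authority=Developer ID Application: Simon Max (GW6F4C87KX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GW6F4C87KX
"""
SAMPLE_UNSIGNED = "/tmp/example/Installer: code object is not signed at all\n"
SAMPLE_OTHER_DEV = """Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345
"""
```

On a real Mac the input would come from `codesign -dvvv <path> 2>&1`; the blocklist is the part a defender extends as new signed adware is reported.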