
Apple cracks down on adware

Published February 13th, 2015 at 7:25 AM EST , modified February 27th, 2015 at 8:56 AM EST

Apple has used the XProtect anti-malware protection in Mac OS X to block a few pieces of adware in the past. Yesterday, they cracked down on adware again, adding a slew of new items to XProtect’s signatures, used for identifying and blocking malicious apps. Three are updated signatures, while one is for adware never before blocked by XProtect.

For the first time now, Apple has taken a stance against the long-time adware pest Genieo, adding a signature called OSX.Genieo.A to XProtect. I’m a bit unclear as to which specific variant of Genieo this blocks, though… testing against the current version of Genieo available directly from the Genieo website shows that it is not blocked. Still, it’s encouraging to see Apple finally deciding that Genieo is worthy of an XProtect signature.

The new OpinionSpy variant I wrote about on Monday has also been added. OSX.OpinionSpy was already found in XProtect’s signatures, and had been for some time, but it has now been joined by a new OSX.OpinionSpy.B entry. Testing the variant of OpinionSpy that I submitted to Apple on Monday shows that it is, as I would expect, prevented from opening.

The other changes are the renaming of OSX.Downlite.A to OSX.VSearch.A and the renaming of OSX.FlashImitator.A to OSX.InstallImitator.A, along with the addition of a number of new signatures under these two entries. All of these new signatures are based on an application name plus a hash of the application (i.e., a large number calculated from the application's own contents, which can be used to uniquely identify that particular application).

This means that these new definitions are for specific adware install apps, and that the coverage is a bit hit-and-miss. I have samples that are prevented from opening by each of these new entries, and other samples of the same adware that are not. So, although it’s definitely a very positive step to see Apple taking this kind of action, coverage is not at all complete.

If your system is set to automatically install these security updates, which is the default, you should get the XProtect update soon, if you don’t have it already. Mountain Lion and above should have version 2058 of the XProtect signatures. Lion should be updated to version 1068 and Snow Leopard to version 83.

You can see what version of XProtect you have by executing the following command in the Terminal:

defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version

If your system seems to be sluggish to update, you can force it to update. On Mac OS X 10.9 (Mavericks) or later, enter the following command in the Terminal:

sudo softwareupdate --background-critical

This must be done from an admin account. You will be asked for your password, and should be aware that nothing will appear when you type.

For older systems, go to the Security preference pane in System Preferences. Uncheck the box reading “Automatically update safe downloads list” and then check it again. (You may need to click the lock icon in the lower left corner of the System Preferences window to unlock it in order to make this change.)
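The version check and the per-OS minimums above can be turned into a small script. The following is an added example, not code from the original post: it reads the Version key out of an XProtect.meta.plist and compares it with the minimum the post names for that OS X release (2058 for Mountain Lion and later, 1068 for Lion, 83 for Snow Leopard). It assumes the plist stores the version as an `<integer>` element on the line after `<key>Version</key>`, and the script name `xprotect_check.sh` in the usage comment is hypothetical. On a Mac the same value comes back from the post's own `defaults read` command; this script parses the XML directly so it also works on a plist copied off a machine for inspection.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an XProtect
# signature version meets the minimum the post gives for an OS X release.

# Print the integer stored under the "Version" key of an XProtect.meta.plist.
xprotect_version() {
    plist="$1"
    [ -r "$plist" ] || { echo "cannot read $plist" >&2; return 2; }
    # Assumption: the value is the <integer> element on the line after <key>Version</key>.
    awk '/<key>Version<\/key>/ { getline; gsub(/[^0-9]/, ""); print; exit }' "$plist"
}

# Minimum XProtect signature version the post lists for a given OS X release,
# e.g. "10.10.2" -> 2058, "10.7.5" -> 1068, "10.6.8" -> 83.
expected_xprotect_version() {
    case "$1" in
        10.6|10.6.*) echo 83 ;;
        10.7|10.7.*) echo 1068 ;;
        10.8|10.8.*|10.9|10.9.*|10.1[0-9]|10.1[0-9].*) echo 2058 ;;
        *) echo "no expected version known for OS X $1" >&2; return 2 ;;
    esac
}

# Print "current" (exit 0) or "outdated" (exit 1) for a plist path and OS version.
xprotect_status() {
    have=$(xprotect_version "$1") || return 2
    [ -n "$have" ] || { echo "no Version key found in $1" >&2; return 2; }
    want=$(expected_xprotect_version "$2") || return 2
    if [ "$have" -ge "$want" ]; then
        echo "current: XProtect $have (minimum for OS X $2 is $want)"
        return 0
    fi
    echo "outdated: XProtect $have (minimum for OS X $2 is $want); force an update"
    return 1
}

# Usage on a Mac (hypothetical script name):
#   sh xprotect_check.sh /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist "$(sw_vers -productVersion)"
if [ $# -eq 2 ]; then
    xprotect_status "$1" "$2"
fi
```

A non-zero exit from `xprotect_status` is the signal to run the forced update described above; the script deliberately only reads the plist and never modifies it.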


50 Comments

  • Bill Boak says:

    Thank you for this wonderful, informative site and the very valuable information you provide.

  • N. H. says:

    Hmm, I’m on Yosemite and my version number seems to be 2055 even after I forced it to update.

  • Kay Gillett says:

    Thank you. The problem is that I don’t have space for Apple’s automatic downloads and pop-ups prevent me from using tsm or adwaremedic or anything. Also, I want to delete the cache of my hulu movies and can’t find them. What to do. I let someone I thought was an Apple technician into my computer, so am very concerned.

    • Thomas says:

      If you let a scammer have remote access to your computer, you need to erase the hard drive and reinstall everything from scratch. See:

      How to reinstall Mac OS X from scratch

      • David says:

        A scammer was allowed access to my computer. Don’t ask. Someone gave him the IP address. I shut down the computer as quickly as I could and then I called Apple. They helped me restart and install AdwareMedic (through which I later found you) and run through some checks to delete unwanted items in the registry. We also cleared out Safari history and checked for unwanted plugins in Safari (there were no plugins). Deleted the trash and rebooted and all seems fine. Do I really, REALLY need to erase the hard drive and reinstall everything from scratch? Are there any other reputable pieces of software out there that can do a more thorough scan for malware/spyware? What else should I be worried about? A reinstall is painful.

        • Thomas says:

          As the article says, no, there’s no reliable way to ensure that there are no malicious changes that have been made after an untrustworthy person has had remote access. It’s entirely your choice whether to do a clean reinstall, but that is the course of action I recommend.

    • DONNA SMITH says:

      I almost did the same thing when I got a pop-up claiming to be apple/mac stating I could buy this program MacKeeper. The logo even mimics some of apple’s stuff! My system was slow and I thought it was legitimate. Sneaky bastards! But as I was giving access I realized I have so much private information on my laptop and it just didn’t feel right so I immediately ended my phone call, closed the communication with them and changed my password. I also put a claim in to Paypal stating the fees were a scam and I got a full refund. I was able to get rid of my adware myself by downloading adwaremedic, which was a chore due to the constant influx of re-direction to other sites. But it was a success and it cleaned the adware out of my system without having to do a reboot!!!

  • Curt Vaughan says:

    Don’t know if this is exactly relevant, but when I was dumb enough to apply the Yosemite 10.10.2 patch to my iMac a week ago, it broke my USB ports (this is a fairly new late 2013 iMac, 8 GB memory, TB disk, Apple USB keyboard, USB mouse attached to USB on keyboard) so I had no mouse or keyboard upon reboot. I moved the mouse from the keyboard USB to one of the 4 ports on the back of the Mac, and got mouse control again. I had to reseat the keyboard a few times and (perhaps that had nothing to do with it) I eventually got the keyboard back. I then discovered that Safari had been infected with some malware called “quick-start” which constantly inundated one with pop-ups to MacKeeper and other crapware. After several hours of research, I finally was able to fix Safari by deleting a crapware file in /System/Library and then reboot. The USB problem still persists sporadically.

    My main thrust in this: I retired as a computer analyst (Unix, VMS, DEC Alpha NT/Unix/VMS, Cyber/Cray stuporcomputers, even old PDP-11s) some 7 years ago. I migrated to Macs after I retired, as I was tired of Windows and malware/viruses, etc. This has worked fine until about two years ago (after Jobs died). Now, Apple has become very popular and a real target for computer criminals, while at the same time they 1) don’t support their hardware older than 4 years (I have a 2006 intel MBP now running Linux, as Apple refused to update the system two years ago – great hardware, no support from Apple); 2) they have made Mac users and OSX support the ugly stepsister to their iPhones and iOS devices. This has caused quality control to suffer in OSX releases in the attempt to integrate OSX with iOS. These are generally two different user bases, with different needs. The consequence, finally, is OSX Yosemite, the worst OSX release in Apple history. Additionally, Apple has been totally unresponsive to the vast user complaints about this broken system.

    Ah. That feels better.

    • Thomas says:

      Your USB problems probably don’t have anything to do with the Yosemite 10.10.2 update. A software update wouldn’t cause a USB problem that could be fixed by unplugging and replugging the devices. This is likely to be a hardware issue with the computer or the keyboard that just coincidentally reared its head at the same time as the update. People don’t like coincidences, but in my line of work they can be seen more often than you’d realize, in cases just like this.

      As for Yosemite being the “worst OS X release in Apple history,” someone has said the same thing about almost every single update and upgrade in OS X history. The real issue is typically not the OS, but the crap third-party software you’ve got installed that is incompatible with the new version of the OS. And from what I’ve seen, a computer that has adware is very likely to also have at least one piece of crap software on it.

      For more information about why your system is acting up, see: Understanding upgrade nightmares.

    • Animacs says:

      1) don’t support their hardware older than 4 years

      That’s wrong. My main mac is 2009 17″ MBP so that’s 6 years old now – absolutely no need to use the 2012 i7 MBP that I bought to replace it! I still have a 15″ MBP from 2007 that runs Yosemite.
      So to claim they don’t support Macs older than 4 years is just silly.
      What you have, no doubt is a Core Duo that’s stuck on 10.6.8 and is not being supported… do you really think that Apple should be wasting resources on a 9 year old Mac that should have been updated at least once in that time?
      So when you “migrated to Macs some 7 years ago” you bought a 2 year old Mac at a knock down price and seriously expect Apple to be concerned about you…?! Unreal.

  • Al Varnell says:

    In addition to needing to be logged in as admin, you must have the following choices enabled in System Profile->App Store before running the Terminal Command:
    “Automatically check for updates” and “Install system data files and security updates”

  • Mac says:

    Thanks, Al.

    I opened System Prefs>App Store and checked those boxes.

    And then I ran sudo softwareupdate --background-critical.

    And then I waited 15 minutes.
    When I checked xprotect meta plist again (using Easyfind, since xprotect files don’t show up in the Finder or Spotlight), it was 2058.

    Mac

    • RickT says:

      This worked for me too.

    • Gary says:

      Same here, and I think Apple needs to fix something here. I have a MB pro on Yosemite 10.10.2. I prefer to do a Time Machine backup before loading any updates. So I have it tell me when backups are available first. If there is an update, then I hook up my TM backup disk, and after I do the backup I tell it to do the updates. So the only thing I had checked in the System Prefs screen was “Automatically check for updates”. And it has been telling me when there are updates to load. I don’t think that is such an unusual situation, many others may also just want it to let them know when updates are available. But until reading this info on this site, I wasn’t aware that it wasn’t really telling me about ALL of the available updates. The only clue I had that something wasn’t being loaded was messages I saw in the Console, under Diagnostic and Usage Messages. When it checked for the updates, the console would always show:
      SWU: scan found 5 products:
      031-04978
      031-14180
      031-17328
      031-17477
      031-17882
      But when I went to the app store it would show “no updates available”. But now that I have checked the “Install system data files and security updates” box, and then ran the “sudo softwareupdate --background-critical” command, the console now shows that it loaded and installed those 5 updates (including the 2 XProtect plists). If you just have it set to check for the updates then it should tell you about ALL the updates, apparently it doesn’t. I’m gonna look up the url to report bugs to Apple and complain about this.

      • Al Varnell says:

        It’s been that way since XProtect was introduced with the release of Snow Leopard OS X 10.6.7 in Mar 2011, so I doubt that Apple is going to change it for you and they certainly don’t consider it to be a bug. Those five updates are deemed “Critical Updates” which Software Update will check for once a day and install any that are found, as long as you allow it to. Those five updates were changes to krdl on 7/7/14, AppleKextExcludeList on 12/10/14, GatekeeperConfigData on 2/11/15, ChineseWordList on 2/10/15 and XProtectPlistConfigData on 2/12/15. None have ever been made available via MAS. I can speculate on why Apple does it this way, but I’ve not seen it in writing. Such changes are only to databases, small downloads, and I have never read of or experienced any issues resulting from such updates. The biggest mystery to me is why they allow a user to opt out of receiving them without giving them some idea of the consequences.

        The only update with a higher priority was the OS X NTP Security Update back in December where they did not give users any choice.

        • Gary says:

          Thanks for the info. If it’s been that way for that long, then I guess they aren’t gonna change it. I do consider this a bug or at least a very badly constructed update plan. I had no intentions of opting out of installing anything, just wanted it to tell me about any updates so I could do a TM backup before doing the updates. By just having “automatically check for updates” checked off, it gave me the impression that I was being informed of all available updates. Apparently that’s not the case, except for the messages in the console. And I had no way of knowing what those updates were or how to get them. Just thought they must be files not applicable to my hardware config. After installing them (based on the info on this site) I could see what they were by looking at the installhistory.plist. I’m glad I found this site. By the way, with it set up just to check for updates, I did get informed about that NTP security update, it showed up on the app store update list, and I told it to install. It didn’t automatically install it. I wonder why the ChineseWordList update is mixed in with critical updates?

  • Chip says:

    Running Mountain Lion, last update was 2/12. Since XProtect works differently in 10.6-10.8 I followed the instructions here (https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/) and entered

    /usr/libexec/XProtectUpdater

    into Terminal. Terminal responded, “Ignoring new signature plist: Not an increase in version” so I assume my update will come… soon?

  • John says:

    I tried (a few times) the first Terminal command and the output did not include XProtect’s version number. The output did have several references to java including stating an update to the java plug-in is available.

    I don’t have java on this machine. The only installed plug-ins are — Adobe Flash and Apple Quicktime. The only thing I can figure is the Terminal command ‘read’ a java remnant from a personal file I ‘dropped’ into my home folder.

    Yosemite 10.10.2, Mac mini (late 2014)

    • Al Varnell says:

      You have to hit the space bar to read the rest of the information. Version number is near the bottom.

      An alternative Terminal command which will return only the version number is:
      defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version

      The java information you see is the minimum version you are allowed to use and does not have any relation to what you actually have or don’t have installed on your machine.

      • John says:

        Thank you for taking the time to teach me this.

        I got the expected results from the Terminal using both Mr. Reed’s posted command and yours.

  • cesar garcia says:

    can someone please help me on how to install this program please i need help ASAP. This is really getting on my last nerve how i can’t do anything without ads popping up.

  • Richard Berling says:

    So I ran the recommended language

    (more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist)

    and wonder what this response means:

    […]
    Version
    2058

    Thanks. RCB

    • Thomas says:

      See the version information at the end, which I have marked in your post with a bold typeface.

      • Richard Berling says:

        Yes, indeed I am pleased to be current a couple months after spending many long hours to remove adware from my MBPr with Apple. The MBPr was so clogged up I gained 200 GB of free space after following Apple’s adware delete and Yosemite reinstall directions.

        Beware adware!

        I’ll be following your website.

        Thanks.

        RB

  • Wanda says:

    I have a MacBook Pro, mid 2012 and have OS X Yosemite, version 10.10.2. In reading the comments above, I must say I am thoroughly confused. I thought my computer would download all the new updates automatically, and from what everyone is writing (in the comment section) about downloading updating versions. Am I supposed to be downloading updates myself and, if so, how am I to know what they are? I don’t have any computer gurus I can ask about this. I would appreciate any advice you can give me about these latest updates and what I should do to stay informed about them. Also, I have been contemplating getting an internet safety protection because I can’t trust that some hacker cannot get into my system. Can you please help–I’m just not very computer savvy, as I had previously had a Windows XL until they stopped providing the usual security features. This MacBook Pro is just about too complex for me.

    • Thomas says:

      If you haven’t disabled automatic downloading of security updates – which you shouldn’t do, but some people do anyway – then you have nothing to worry about. You’re getting the updates. You do not need internet security software. See my Mac Malware Guide for info on protecting yourself from malware.

  • Chas4 says:

    Thanks for the info on the updated XProtect, been wondering how it is done on 10.10.x & 10.9.x

    I know on the older version of Mac (like 10.6) Apple sometimes has XProtect updates with bad signature (Mac rejects the new version because the signature is bad), it is fixed when Apple releases a new XProtect or they fix the current one

    I have used http://www.brunerd.com/blog/2011/06/16/myxprotectstatus/ (still works on 10.10 tho can’t read the date(“Updated:”) & http://www.brunerd.com/blog/2013/03/05/xprotect-plugin-checker/ (shows the plug in blocking status) to see the current status of XProtect

    Tho I have been wondering why Apple has only updated part of the plug in blocker, some reason the Java JRE version is an outdated version of JRE 7

    • Thomas says:

      The plug-in blocking feature of XProtect only blocks the last versions of popular plug-ins (like Flash and Java) that are known to have vulnerabilities that could affect the Mac. It’s not meant to force people to use the absolute latest versions of these things, just to make sure they’re not going to get infected with malware by drive-by download through a vulnerable plug-in.

  • Serra says:

    My god! You guys saved my sanity! I was going crazy with all these pop ups.. Thank you thank you thank you! I highly recommend this to anyone who has the same malware problem..

  • Taa says:

    What about Lion (10.7.5)
    I can’t upgrade my Mac any further and it was quite expensive. The irony is that Windows 10 runs perfectly on it..

    • Al Varnell says:

      I don’t know what aspect of Lion you are asking about. The original article gives you instructions for finding out if your XProtect is up-to-date with version 1068 to protect you against the same adware as all versions of OS X 10.6.7 and above.

  • Nicky Phillips says:

    I just want to thank you for Adware Medic. I took my iMac into the Apple store and the tech installed it for me. I had been plagued by ads popping up all over. Now my iMac is running like a dream. I made a donation, but I also wanted to thank you.

  • carl says:

    I was very pleased to see the adware on my Mac stopped. Thanks for a great product.
    It seems that about the time the adware was removed iPhoto stopped working. It opens, then the little wheel spins and spins but does not show any of my photographs – just a blank screen with the spinning wheel. Are you aware of this being related to your product in anyway?

    • Thomas says:

      No, there’s nothing AdwareMedic could do that would cause such a problem. If you got some junk software like MacKeeper, CleanMyMac, TuneupMyMac or K9-MacOptimizer installed along with the adware, that could cause problems. These programs are known for their potential to damage the system or user files in some cases.

      Alternatively, it could be a coincidental problem unrelated to anything you downloaded. People don’t like coincidences, but the longer I’ve been doing this kind of thing, the more I realize how often coincidences actually do happen.

    • Manfred says:

      Hi Carl,
      this link from Apple Support might help:
      https://support.apple.com/en-lb/HT201769
      Keep us posted!

  • Darren Kehrer says:

    Scrolling through the apple discussion forums this week, it seems a lot of the same popup issues. What gives with that? I know Safari just updated this week, and so did flash player. Could one of those updates actually have opened a new hole?
    https://discussions.apple.com/community/mac_os/safari

    • Thomas says:

      There have been a lot of pop-up issues being reported there for months… this isn’t new. There isn’t a security hole involved, just people installing the wrong things downloaded from the wrong sites.

      • Darren Kehrer says:

        Thanks. I guess I just now noticed when scrolling through how many similar threads there are. I’m assuming these types of pop ups are not covered under Safari’s block pop up option.

      • Darren Kehrer says:

        It’s amazing how many Safari users are running into the same type of thing on the forums. Does this only seem to be affecting Safari and not Firefox and Chrome? I wonder if Apple could add something to Xprotect to stop these.

        • Thomas says:

          There’s adware that affects all three browsers. Apple has used XProtect to block some of the worst offenders, but the vast majority are still unblocked.

  • Cthruu69 says:

    What is recommended for FULL SYSTEm TUNE UP, INFECTIVE SWEEP & VIRUS REMOVAL? I have been informed that the following is recommended but I am skeptical on who/what to trust? I have a MacBook Pro.

    Any Suggestions out there?

  • Virginia Winters says:

    I was working through changes made at my website host, Register.ca, which advised me to use Filezilla. When I did so, Premier Opinion was installed on my 2008 MacBook Pro, running Yosemite, fully updated. Register.ca told me it could not possibly be Filezilla and I must have got it elsewhere. Hadn’t been elsewhere. Downloaded Filezilla and it immediately showed up. The result was that every time i opened Safari, it crashed. To remove it, I followed all the instructions on this site, and it seems to be gone. Thanks very much indeed. I have MacKeeper on my computer but it is such a cpu hog that I can’t keep it on all the time. From reading your column, it seems that I should get rid of it in favour of something less expensive and more efficient. Thanks again for your excellent advice.

    • Thomas says:

      It definitely is FileZilla. That is currently known to include adware. Don’t listen to further advice from register.ca, and consider moving your site to a different host… any host that is that unaware of security issues isn’t one I would trust with the security of my website.

      Also, regarding MacKeeper, you definitely should get rid of it, but do not replace it with anything. Few of the functions MacKeeper provides are worthwhile.
