Posted on April 16th, 2013 at 4:44 PM EDT
It was brought to my attention today by an astute reader that there is a copy of VLC, currently being hosted on Softonic, which has had adware added to it. Of course, I had to investigate, and what I found is very concerning. That report turns out to be completely true, and worse, the adware installs components on your system even when you opt out of installing it!
I won’t provide a link to the installer, but it was trivially easy to find on Softonic. It was immediately evident that something was up, as the download contained a single item: an installer, named VLC.pkg. This does not match the contents of the real VLC download, which can be obtained from www.videolan.org.
Running the installer, I was immediately greeted with another warning, indicating that something was wrong. Apple’s Installer app complained that the package was signed with an invalid certificate, and that it may not be what I was expecting:
As I proceeded with the installation, in the face of all these warning signs, I was met with a screen allowing me to opt out of installing ChatZum:
This seemed fairly innocuous so far, as other apps also install such things. Except, of course, that I knew that VLC does not. As I would ordinarily do in such circumstances (assuming that I was inclined to install software that includes such cruft), I disabled the installation of these items, then clicked Continue.
Immediately after doing that, Little Snitch caught the Unix download tool curl calling home to a ChatZum server:
I don’t know what was sent or downloaded, as I did not do detailed packet captures and analysis.
Eventually, after asking for my admin password, the installation was done, and I opened up Safari to check things out. I had been told that the adware would be installed regardless of opting out of the installation, and it turned out that this was true, in part. I immediately noticed that my search engine had been changed to ChatZum:
I opened Safari’s preferences, and noticed two rather surprising things. I expected to see that my home page and/or my search engine settings had been changed, but they were still set to the same default values that they had been before. I also checked out the Extensions pane of Safari’s preferences, and was further surprised to find nothing there!
This was a bit of a mystery now, so I dug a bit deeper. I found that there were several things installed. First was a pair of files placed in the /Library/Internet Plug-Ins/ folder, named uid.plist and zako.plugin. These did not seem to be responsible, as removing them made no difference in the search engine being used by Safari.
I then discovered that it had also installed SIMBL, a bit of legitimate third-party software that allows modifications to Mac OS X applications through SIMBL plug-ins. Sure enough, not only was SIMBL installed, but there was a SIMBL plug-in named SafariOmnibar.bundle in the /Library/Application Support/SIMBL/Plugins/ folder. Looking in Activity Monitor, the SIMBL Agent process could be seen, being kept alive by a LaunchAgent named net.culater.SIMBL.Agent.plist in /Library/LaunchAgents/. Disabling SIMBL Agent brought Safari back to its senses.
Interestingly, there was also an item named ChatZumUninstaller.pkg that had been placed in the Applications folder. Upon running it, on a fresh and un-tampered-with copy of the software, I found that it did indeed remove SIMBL and all evident signs that ChatZum was installed. However, it left the uid.plist and zako.plugin files in place, so it obviously didn’t remove everything.
I also ran the installer without opting out of ChatZum installation. The result was mostly the same, except for the addition of a ChatZum extension to Safari, and changing of the home page to search.chatzum.com.
What is still unclear is where this rogue installer came from, and how it got on Softonic. One highly concerning thought is that Softonic may be wrapping some applications in custom installers, in order to include adware that will profit Softonic. This technique has been used in the past by less-reputable download sites, such as Download.com, so that would not be particularly surprising. Still, even if this is not the direct action of Softonic, it certainly does show that downloading software from such sites is hazardous, and that you cannot guarantee what you’re going to get. I strongly advise never downloading software from sites like Download.com or Softonic. There’s no reason to subject yourself to such ad-riddled sites and risk the addition of adware or other undesired content to your download.
To remove ChatZum, if you have installed this modified copy of VLC, first open Safari’s preferences. In the General pane, change the Homepage setting to whatever page you want to use. Then go to the Extensions pane, select the ChatZum extension and click the Uninstall button. (If you use Firefox or Chrome, you will need to do the same thing there. Chrome’s extensions can be managed from the Extensions link on the settings page. Firefox extensions can be managed by going to Tools -> Add-ons, then selecting Extensions in the list.)
(Note that, as mentioned earlier, if you opt out of installing ChatZum, there won’t be an extension installed. So if you don’t find one, just move on to the next steps.)
Once that is done, you need to manually delete a few files. First, open your applications folder and delete the following items:
Next, choose Go -> Go to Folder in the Finder (or press command-shift-G) and enter “/Library” in the box (without the quotes), then click Go. In that folder, find and delete the following items:
Application Support/SIMBL/Plugins/SafariOmnibar.bundle
Internet Plug-Ins/uid.plist
Internet Plug-Ins/zako.plugin
(Note that I am including the VLC app on the list of things to remove, as I don’t know at this time if it is the “real” VLC app or not.)
After deleting these files, make sure to quit Safari and reopen it, otherwise the changes will not take effect immediately.
You will probably also want to remove SIMBL, which can cause problems, since it allows all manner of unexpected modifications to applications. If you did not have SIMBL installed already, and want to get rid of it, while still looking in the same Library folder as above, remove the following files:
Application Support/SIMBL/
LaunchAgents/net.culater.SIMBL.Agent.plist
ScriptingAdditions/SIMBL.osax
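The manual removal steps above, gathered into a script so you can first see what is present before deleting anything. This is an added example, not something from the original post or from Softonic's instructions; the paths are the ones named in the post, the root-prefix argument is there so the script can be tried against a scratch folder, and the VLC app itself is deliberately left for you to deal with by hand.

```sh
#!/bin/sh
# Added example (not from the original post): scan a Mac volume for the files the
# post attributes to the ChatZum installer, and optionally delete them.
# Usage: sh chatzum_scan.sh [root] [remove]
#   root   defaults to "/" (pass a scratch folder to try it out safely)
#   remove nothing is deleted unless this second argument is literally "remove"
# The VLC app is not touched; decide separately whether yours is the real one.

# Paths named in the post, relative to the volume root. The SIMBL folder comes
# last so the plug-in inside it is still counted before the folder is removed.
CHATZUM_ARTIFACTS="
Applications/ChatZumUninstaller.pkg
Library/Application Support/SIMBL/Plugins/SafariOmnibar.bundle
Library/Internet Plug-Ins/uid.plist
Library/Internet Plug-Ins/zako.plugin
Library/LaunchAgents/net.culater.SIMBL.Agent.plist
Library/ScriptingAdditions/SIMBL.osax
Library/Application Support/SIMBL
"
CHATZUM_FOUND=0

# Print every listed artifact present under $1 and set CHATZUM_FOUND to the
# count. With $2 = "remove", delete each one as it is found.
scan_chatzum_artifacts() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "" so paths stay absolute
    mode="${2:-dry-run}"
    CHATZUM_FOUND=0
    old_ifs=$IFS
    IFS='
'                                # split on newlines only: the paths contain spaces
    for rel in $CHATZUM_ARTIFACTS; do
        path="$root/$rel"
        [ -e "$path" ] || [ -L "$path" ] || continue
        CHATZUM_FOUND=$((CHATZUM_FOUND + 1))
        if [ "$mode" = "remove" ]; then
            rm -rf "$path" && echo "removed: $path"
        else
            echo "present: $path"
        fi
    done
    IFS=$old_ifs
    return 0
}

scan_chatzum_artifacts "${1:-/}" "${2:-dry-run}"
echo "artifacts found: $CHATZUM_FOUND"
# Quit and reopen Safari afterwards, as the post notes, for the change to take effect.
```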
I was contacted today by Ezequiel Galli from Softonic. He apologized for “the bug where some users have had their default search changed to ChatZum even if they opted out of the toolbar installation” (to quote his words). However, he also said, “In this case, we were testing an Installer for Mac on selected software and thanks to your post and other users information, we have immediately stopped the distribution of this installer until our provider corrects the error.” This indicates, to me, that Softonic does not see a problem with adding their own adware to freeware programs. I have a very serious problem with that behavior, and am still recommending boycotting Softonic. It seems they have not learned their lesson.
He also provided a link to the following removal instructions:
It’s important to note, though, that these instructions do not work completely. Since they rely on the ChatZumUninstaller.pkg file, following these instructions will leave behind the uid.plist and zako.plugin files, as mentioned above.
Intego has also posted their own comments on the matter today, and have classified these ChatZum installers as an adware trojan, naming it OSX/Okaz.A.