The Safe Mac



ChatZum adware added to VLC on Softonic

Posted on April 16th, 2013 at 4:44 PM EDT


It was brought to my attention today by an astute reader that there is a copy of VLC, currently being hosted on Softonic, which has had adware added to it. Of course, I had to investigate, and what I found is very concerning. That report turns out to be completely true, and worse, the adware installs components on your system even when you opt out of installing it!

I won’t provide a link to the installer, but it was trivially easy to find on Softonic. It was immediately evident that something was up, as the download contained a single item: an installer, named VLC.pkg. This does not match the contents of the real VLC download, which can be obtained from www.videolan.org.

[Screenshot: contents of the real VLC download]

Running the installer, I was immediately greeted with another warning, indicating that something was wrong. Apple’s Installer app complained that the package was signed with an invalid certificate, and that it may not be what I was expecting:

[Screenshot: Installer warning about the bad certificate]

As I proceeded with the installation, in the face of all these warning signs, I was met with a screen allowing me to opt out of installing ChatZum:

[Screenshot: installer screen with the ChatZum opt-out]

This seemed fairly innocuous so far, as other apps also install such things. Except, of course, that I knew that VLC does not. As I would ordinarily do in such circumstances (assuming that I was inclined to install software that includes such cruft), I disabled the installation of these items, then clicked Continue.

Immediately after doing that, Little Snitch caught the Unix download tool curl calling home to a ChatZum server:

[Screenshot: Little Snitch alert for curl phoning home]

I don’t know what was sent or downloaded, as I did not do detailed packet captures and analysis.

Eventually, after asking for my admin password, the installation was done, and I opened up Safari to check things out. I had been told that the adware would be installed regardless of opting out of the installation, and it turned out that this was true, in part. I immediately noticed that my search engine had been changed to ChatZum:

[Screenshot: ChatZum search in Safari]

I opened Safari’s preferences, and noticed two rather surprising things. I expected to see that my home page and/or my search engine settings had been changed, but they were still set to the same default values that they had been before. I also checked out the Extensions pane of Safari’s preferences, and was further surprised to find nothing there!

This was a bit of a mystery now, so I dug a bit deeper. I found that there were several things installed. First was a pair of files placed in the /Library/Internet Plug-Ins/ folder, named uid.plist and zako.plugin. These did not seem to be responsible, as removing them made no difference in the search engine being used by Safari.

I then discovered that it had also installed SIMBL, a bit of legitimate third-party software that allows modifications to Mac OS X applications through SIMBL plug-ins. Sure enough, not only was SIMBL installed, but there was a SIMBL plug-in named SafariOmnibar.bundle in the /Library/Application Support/SIMBL/Plugins/ folder. Looking in Activity Monitor, the SIMBL Agent process could be seen, being kept alive by a LaunchAgent named net.culater.SIMBL.Agent.plist in /Library/LaunchAgents/. Disabling SIMBL Agent brought Safari back to its senses.

Interestingly, there was also an item named ChatZumUninstaller.pkg that had been placed in the Applications folder. Upon running it, on a fresh and un-tampered-with copy of the software, I found that it did indeed remove SIMBL and all evident signs that ChatZum was installed. However, it left the uid.plist and zako.plugin files in place, so it obviously didn’t remove everything.

I also ran the installer without opting out of ChatZum installation. The result was mostly the same, except for the addition of a ChatZum extension to Safari, and changing of the home page to search.chatzum.com.

[Screenshot: ChatZum extension in Safari]

What is still unclear is where this rogue installer came from, and how it got on Softonic. One highly concerning thought is that Softonic may be wrapping some applications in custom installers, in order to include adware that will profit Softonic. This technique has been used in the past by less-reputable download sites, such as Download.com, so that would not be particularly surprising. Still, even if this is not the direct action of Softonic, it certainly does show that downloading software from such sites is hazardous, and that you cannot guarantee what you’re going to get. I strongly advise never downloading software from sites like Download.com or Softonic. There’s no reason to subject yourself to such ad-riddled sites and risk the addition of adware or other undesired content to your download.

Removal Instructions

To remove ChatZum, if you have installed this modified copy of VLC, first open Safari’s preferences. In the General pane, change the Homepage setting to whatever page you want to use. Then go to the Extensions pane, select the ChatZum extension and click the Uninstall button. (If you use Firefox or Chrome, you will need to do the same thing there. Chrome’s extensions can be managed from the Extensions link on the settings page. Firefox extensions can be managed by going to Tools -> Add-ons, then selecting Extensions in the list.)

(Note that, as mentioned earlier, if you opt out of installing ChatZum, there won’t be an extension installed. So if you don’t find one, just move on to the next steps.)

Once that is done, you need to manually delete a few files. First, open your applications folder and delete the following items:

ChatZumUninstaller.pkg
VLC.app

Next, choose Go -> Go to Folder in the Finder (or press command-shift-G) and enter “/Library” in the box (without the quotes), then click Go. In that folder, find and delete the following items:

Application Support/SIMBL/Plugins/SafariOmnibar.bundle
Internet Plug-Ins/uid.plist
Internet Plug-Ins/zako.plugin

(Note that I am including the VLC app on the list of things to remove, as I don’t know at this time if it is the “real” VLC app or not.)

After deleting these files, make sure to quit Safari and reopen it, otherwise the changes will not take effect immediately.

You will probably also want to remove SIMBL, which can cause problems, since it allows all manner of unexpected modifications to applications. If you did not have SIMBL installed already, and want to get rid of it, while still looking in the same Library folder as above, remove the following files:

Application Support/SIMBL/
LaunchAgents/net.culater.SIMBL.Agent.plist
ScriptingAdditions/SIMBL.osax
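
As an added example (not part of the original article), the removal steps above can be verified with a read-only shell check that looks for each listed file under a given volume root. The function and variable names (list_present, chatzum_audit) are illustrative assumptions; the paths are the ones listed in the instructions.

```shell
#!/bin/sh
# Added example: read-only audit for the files named in the removal steps.
# Function and variable names are illustrative, not from the article.

# Items the article attributes to the modified VLC installer, relative to
# the volume root. VLC.app is omitted: a genuine copy uses the same path.
CHATZUM_PATHS='Applications/ChatZumUninstaller.pkg
Library/Application Support/SIMBL/Plugins/SafariOmnibar.bundle
Library/Internet Plug-Ins/uid.plist
Library/Internet Plug-Ins/zako.plugin'

# SIMBL is legitimate software, so it is reported separately.
SIMBL_PATHS='Library/Application Support/SIMBL
Library/LaunchAgents/net.culater.SIMBL.Agent.plist
Library/ScriptingAdditions/SIMBL.osax'

# list_present ROOT LIST: print every path in LIST that exists under ROOT.
list_present() {
    lp_root=${1%/}
    printf '%s\n' "$2" | while IFS= read -r rel; do
        if [ -e "$lp_root/$rel" ]; then
            printf '%s\n' "$lp_root/$rel"
        fi
    done
}

# chatzum_audit [ROOT]: report findings; status 1 if ChatZum items remain.
chatzum_audit() {
    ca_root=${1:-/}
    ca_found=$(list_present "$ca_root" "$CHATZUM_PATHS")
    ca_simbl=$(list_present "$ca_root" "$SIMBL_PATHS")
    if [ -n "$ca_simbl" ]; then
        printf 'SIMBL components present (remove only if you did not install SIMBL yourself):\n%s\n' "$ca_simbl"
    fi
    if [ -n "$ca_found" ]; then
        printf 'ChatZum items still present:\n%s\n' "$ca_found"
        return 1
    fi
    printf 'No ChatZum items found under %s\n' "$ca_root"
}

# Run only when a root is given, e.g.:  sh chatzum_audit.sh /
if [ $# -gt 0 ]; then
    chatzum_audit "$1"
fi
```

Running it after ChatZumUninstaller.pkg is a quick way to confirm whether uid.plist and zako.plugin were left behind.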

Updates

I was contacted today by Ezequiel Galli from Softonic. He apologized for “the bug where some users have had their default search changed to ChatZum even if they opted out of the toolbar installation” (to quote his words). However, he also said, “In this case, we were testing an Installer for Mac on selected software and thanks to your post and other users information, we have immediately stopped the distribution of this installer until our provider corrects the error.” This indicates, to me, that Softonic does not see a problem with adding their own adware to freeware programs. I have a very serious problem with that behavior, and am still recommending boycotting Softonic. It seems they have not learned their lesson.

He also provided a link to the following removal instructions:

http://support.softonic.com/index.php?/english/Knowledgebase/Article/View/425/35/how-to-uninstall-zako-and-monotizer

It’s important to note, though, that these instructions do not work completely. Since they rely on the ChatZumUninstaller.pkg file, following these instructions will leave behind the uid.plist and zako.plugin files, as mentioned above.

Intego has also posted its own comments on the matter today, and has classified these ChatZum installers as an adware trojan, naming it OSX/Okaz.A.



44 Comments

  • CARLY says:

    THANKYOU!!

  • akshar says:

    Thank youuuuuu!!!

  • Sinisa says:

    Great post, thanks…

  • Karthik says:

    Thanks a lot!

  • Per says:

    Thanks! It was also added to UnRarX on Softonic

  • lucy says:

    sorry, but how do you delete those ‘library/…’ files?

    • Thomas says:

      There seems to have been some confusion as to how to find the proper Library folder, so I made some changes that will hopefully make it clearer.

  • Farah says:

    I followed your steps, does this mean it’s completely gone? Although I’m not sure how I got it. I have VLC installed a very long time ago. This just suddenly popped up. I did download a BitTorrent installer a few days ago… how can I double check to make sure it’s completely off my Mac?

  • zak says:

    Hi, I got this **** **** ChatZum when I downloaded UnRarX. Wish I could punch the **** who make it. I’ve tried the above but nothing has come up in extensions, it’s empty, and I can’t find Library. Please help me get rid of the ****

  • D. M.Sumpter says:

    Thank you very much for this post – I’ve been pulling my hair out over this. Neither ClamXav nor Nortons picked this up, is this correct?

  • Brendan says:

    Thank you so much for this.

  • Gavin says:

    Excellent post. Genuine thanks for this.

  • eric says:

    I am trying to uninstall this program after installing the bloated VLC player. When I go to the extensions tab in the Safari preferences, nothing shows up. We know the program is on the computer as chatzum shows up when we search. I want to make sure to completely get rid of these files. What should I do if the extension does not show up?

    • Thomas says:

      Yup, as the article mentions, the extension does not get installed if you choose to “opt out” of installing ChatZum. Continue with the directions and remove all of the rest of the files.

  • eric says:

    Thank you very much! Everything seems back to normal. I must have missed the part about the extension in the article when I was in panic mode.

  • UBERKA says:

    Mr. Thomas,
    I’m writing to you from Spain and I want to THANK YOU A LOT, A LOT, A LOT for your post. Finally I could get rid of CHATZUM…
    I was working on it, trying to find information to uninstall this ChatZum, but for Mac users there wasn’t anything that could really help with it, until I found your article.
    It was very helpful!!!!!! instead, I didn’t know what to do

    THANKS AGAIN AND AGAIN

    Please keep helping with your articles!

  • Linuxser says:

    Hello Thomas,

    Softonic always does this. It is part of the marketing strategy. This time was the time of Mac users but happens all the time with every file or installer or whatever coming form and then. Once he done the move, they carefully monitor the Internet looking for deactivate complaints. Comes to apologize.

    Several friends who wrote on blogs about Babylon were contacted by Softonic in order to “help and to explain it’s not malware” and to apologize.

    The only purpose of this company is to install its own hidden software and make money with that

  • vinnie says:

    thx heaps!!! it worked

  • Volvuspå says:

    Browser hijacking is a serious problem on Windows computers, and they are impossible to get rid of. That’s one of the reasons that I switched to Mac, only to find out that ChatZum hijacked my Safari. However, your explanation of how to get rid of it is clear and concise, and it worked! Thank you very much!

  • Someone says:

    So, by “cruft,” I assume you mean something along the lines of “junk?”

  • Alex says:

    Softonic needs to be sued out of existence. You do NOT do this to Mac users.

  • Gabby says:

    Can you help me please, when I went to the extension folder there was nothing in there. I’m pretty new to using Mac so I have no idea how to remove chatzum on my own!

    • Thomas says:

      As mentioned in the article, the extension is not always installed. If you don’t find the extension, continue with the rest of the instructions.

  • trackmeifyoucan says:

    thanks for providing this helpful guide

  • Mish says:

    Thank you so much, this was a huge help. I’d been going nuts trying to get rid of ChatZum. I have no idea how it ended up on my system (I don’t have VLC currently) but I’m glad to see it go.

  • StevenMcB says:

    Thank you!!!!!!!

  • LexiD says:

    Thank you SO much! You are an absolute life saver! I’ve been freaking out about it and now it’s gone. THANK YOU THANK YOU THANK YOU! Oh, and thanks for the link to the real VLC :)

  • Tobi Damaris says:

    how about Cnet.com? are they safe?

  • Stuart Rappaport says:

    Here I am sitting at my computer in appreciation and gratitude to your help and expertise. After following your sound advice, the chatzum annoyance is NO LONGER!! Hooray!!!

    I am all for being educated and now have learned the lesson in scrutinizing any downloads before initiating.

    Needless to say, I am very grateful for your advice and taking the time to give it including the expeditious response.

    Regards

    Stuart

  • Someone says:

    Thomas, do you know whether the apps Softonic is ChatZumifying are the legit apps or not?

    • Thomas says:

      They appeared to be, they just carried extra baggage along with them. Note, though, that as far as I know, Softonic isn’t doing this anymore. However, I still wouldn’t trust them as far as I could throw their server farms! :) My contact with a Softonic rep indicates that they don’t see anything wrong with what they did. I strongly advise avoiding Softonic altogether.

      • Someone says:

        Oh, for sure. I do not, have not, and will not ever have any intention of downloading from anywhere other than the App Store and the official website.

        And what’s a server farm, and approximately how much does it weigh? :)

  • FRIEND says:

    VLC IS JUST ONE OF MANY ADWARE INFECTED APPS HOSTED ON SOFTONIC………
    E.G. CHECK THE RAR.DMG WINRAR FOR MAC ON SOFTONIC….
    ;)


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.