OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Downlite adware blocked by Apple

Published November 21st, 2014 at 7:24 AM EST , modified November 21st, 2014 at 7:25 AM EST

Happy Mac

Macs infected with the Downlite adware have been prevented from accessing my AdwareMedic site and portions of The Safe Mac for several weeks now. (See Adware blocking AdwareMedic downloads!.) This appears to have been done in an attempt to prevent people from removing this adware from their Macs. Fortunately, this also may have led to Downlite’s demise: it is now identified as malware by Apple!

Yesterday, an update to Apple’s XProtect definitions appeared on Apple’s servers. (XProtect is the anti-malware protection built into Mac OS X.) This update adds a definition for “OSX.Downlite.A” that matches the Downlite installer that I submitted to Apple three weeks ago, along with a description of the behavior that this particular variant was exhibiting with regard to my site. I have reason to believe this behavior was what led Apple to classify Downlite as worthy of including in XProtect.

Downlite cert revokedIn addition to adding this to XProtect, it would appear that Apple has revoked the certificate used to sign this Downlite installer (disguised as an MPlayerX installer). Attempting to open the installer at this point results in an error message saying that it can’t be opened.

Apple has yet to take action on most adware out there. Some of the worst offenders, such as Genieo or Conduit, remain active and unblocked. These are just as prevalent as Downlite. They also install themselves far more deeply in the system, and are harder to remove, than Downlite, which has always been fairly simple to remove. The only major difference between this other adware and Downlite has been Downlite’s active interference with the user’s ability to load pages from my websites.

It is my belief that this was the last nail in Downlite’s coffin; not specifically because my sites were the ones affected, but because of the general behavior of preventing the user from visiting certain sites. This is malicious behavior, and is likely to be why Apple finally acted in this case.

Hopefully, this will serve as an example to the adware community. A message, so to speak, that they are being watched by a giant who can squash them in an instant if it chooses. As much as I would like to see Apple squash every single piece of adware out there, I don’t think that’s ever likely to happen. Adware is too much of a gray area, and some can argue that it allows for software to be distributed for free by being ad-supported. However, I am encouraged by this recent development, and I now believe that Apple is likely to take action against any adware that crosses the line as Downlite did.

Tags: , , ,

50 Comments

  • Fox says:

    You’re Awesome, Thomas!! Yay!

  • MacMark says:

    You can inspect the XProtect list easily with https://itunes.apple.com/app/wallsoftroy/id443987849

  • fetch says:

    Really? Why would you pay for app if you can simply use any text editor?

    • MacMark says:

      It is better to read than XML. Promo codes:
      [removed – I don’t want to get into promoting third-party apps, as that could cause questions as to my objectivity]

  • Grant says:

    Knowing that Apple is prepared to block adware that exhibits obviously malicious behaviour, do you believe there may now be a rationale for including Genieo in X-Protect’s definitions? The fact that it is adware may not be sufficient, but what about the fact that its uninstaller leaves a hidden process behind, or the fact that it blocks you from changing your search provider while it’s installed, or the fact that it uses unsafe methods for hooking into the system such that the computer will brick if they are not removed correctly? I’m sure you’ve already submitted such a rationale to Apple but just thought I’d throw that out there.

  • Ofelia says:

    Well done Thomas!!!!!!! 🙂

  • Paul says:

    @MacMark, Thanks for the info on WallsOfTroy. I have downloaded it, its a great little App.

  • Rattlehed says:

    I can’t get rid of this. Can you help? I’ve tried with your guide to no avail!

  • Roberto says:

    I’ve obviously been infected as I cannot access those pages. It also seems like my time machine has been disabled, but I’m not sure as I had only tried to use it once before, and it seemed to work. Now it will not allow me to turn it on. If I install OS x yosemite (just the regular installation) will this solve the problem? I’m currently using mavericks.

    • Thomas says:

      No, installing Yosemite will not solve your adware problem. See my response to Rattlehed.

      I have no idea whether it will solve your Time Machine problem. Probably not, and it would be a very bad idea to install a major system upgrade without up-to-date backups. Solve the Time Machine issue first, by seeking help from Apple or on Apple’s forums:

      http://discussions.apple.com

  • shahida says:

    Thomas just followed your instructions although Downlight tried to block my access to adwaremedic, disabled java and it worked like a dream. i was shocked at how may files came up. i just wanted to say a huge thank you and as soon as i have my confidence back in terms of inputting personal information i will be donating to your site.

    thank you for being one the good guys Thomas.

    best wishes Shahida and family

  • Manfred says:

    Hi Thomas,
    and once again, many thanks for contributing to keep my Mac safe! I don’t now if you are aware of this, but the makers of Bitdefender have comme up with an adware removal tool of their own:

    I’d be very much interested in your opinion on this tool, and on how it compares to AdwareMedic.
    Cheers

  • Tony says:

    The [bleep] MacKeeper is to be killed took

  • Schalk says:

    I downloaded MxplayerX and it stuffed up my browsers completely. Could not even access your adware page properly but it showed for 1 sec before diverting and I manage to click on your download icon.

    Your adware removeal program worked 100% THANKS A MILLION!!

    NS! A program for “complete” removal of apps would be nice 🙂

    • Thomas says:

      There are programs already that claim to do “complete” removal of apps, but those don’t really work. They can’t really know what an app installs where, beyond simple things like preference files or LaunchAgents that use the app’s bundle ID. I generally don’t recommend them… if an app needs an uninstaller, use the one provided by the company. (Of course, the difficulty comes in when that app isn’t ethical, and has no uninstaller, or has one that doesn’t actually do the job properly.)

    • Tommy says:

      To make a app for “complete” removal of apps would be kinda difficult, I do believe, due to the fact like Thomas said, apps install stuff all over the place. A app removal app would have to maintain a list of popular apps, and where all the files are located from said apps, to do a complete removal. Not a impossible task, just very time consuming to keep track of everything. 🙂

  • Fox says:

    Just got Adware Medic 2.1 nice new auto update install thing. Fantastic!!!!!

  • Mr. Forgues says:

    Another one bites the dust! Congratulations you did good. Is there a (simple) way to add adware removal code to Xprotect?

    • Grant says:

      This is great! Is this a brand new article? I don’t recall seeing this before. Thomas, what do you think?

      • Thomas says:

        This is new, and it’s a pretty good reference, although not perfect. It’s missing one item in the list of files to remove for Genieo, and it doesn’t include many of the adware that can be found in my own guide, but it’s still quite good.

  • Ellie Taesali says:

    Thank you Thomas! You are a lifesaver!

  • Aono says:

    Is there a way to invoke adwaremedic from the terminal, say via osascript? I’m thinking of the possibility of regular silent scans this way with a LaunchAgent.

    • Thomas says:

      There is not at this time. However, note that if you need to regularly scan with AdwareMedic, you’re doing something wrong. AdwareMedic is only useful when you are infected with adware, in which case you should be seeing symptoms of adware (ie, ad injections in your web browser). It is not anti-virus software.

      Further, you need to exercise more caution online and not download and run suspicious installers or apps in the first place, rather than relying on AdwareMedic to protect you. There will always be adware that I haven’t seen before, and AdwareMedic won’t do anything for you if you get infected with actual malware.

      • Aono says:

        Well, it’s not “me” we’re talking about. 🙂 If caution were the silver bullet for everyone this excellent tool wouldn’t exist, right? Your tool eliminates shady stuff that gatekeeper and commercial AV inexplicably ignores.

        I’m thinking along the lines of being able to deploy this to a lot of people, and have it run an automatic silent scan/nuke on initial deployment. I’d probably re-run that silent scan on a monthly basis as well, since it is so quick, and crapware is proliferating so much these days. Executing from terminal is a capability that would be valuable in any academic/enterprise deployment.

  • Mousse says:

    Just installed, it cleaned a lot. Went almost mad, this MacKeeper made me furious. He is gone, with lots of other strange adverts. Have been looking for a week. Found a lot myself, but not everything as proved by the scan. Close to Christmas, you are my Father Christmas. Thank you very much from a dutch girl living in France.

  • Bob Minard says:

    Thomas: Just ran AdWareMedic. It not only got rid of pop up ads, it also allowed Google+ photo slide show to work properly. Before the slide show had no arrows to move through a photo album. I also did as you suggested and loaded a fresh copy of Firefox.
    I’m still having trouble with Google Docs. It can’t find a Google Docs folder on my Mac (OS 10.9.5) to sync to. Any ideas?

    Thanks so much. I was going crazy!

  • christoph says:

    Hi Thomas!
    I just want to thank you for your tremendous work you do to help us all to get rid of that annoying adware!
    i had genieo and downlite and was successful in removing them from my system manually using your instructions!
    thanks a lot!
    christoph

  • C says:

    Finally. I got downlite once and it was BAD.

  • Maurizio says:

    Hi Thomas,
    thanks a lot: dowloaded AdwareMedic and problems solved.
    Happy New Year

  • Ramki says:

    Thank you very much, Thomas!
    AdwareMedic resolved my Mackeeper problem which was so annoying.

  • macnewbie1 says:

    thank you so much! i am very new to mac and was concerned when my homepage changed and all these popup appeared! now my mac is running the way it was when i first brought her home! thank you so much!

  • davesgirl says:

    thanks so much for all this, my mother in law ended up at a website that prompted her to download the mplayerx file or she couldn’t proceed with watching some video. This thing was bad. It reset her settings to be able to download any apps from anywhere, to accept cookies from everyone and all kinds of other security sensitive things. Everytime I tried to change them, it would not save the changes and revert back to the least secure settings.

    she has been dealing with tech support from best buy who has now tried twice to get rid of it. there was no evidence of any unusual applications or folders in the library that I could see, but if she calls me again, I’ll try downloading your adaware program or go the manual route if necessary. I’m not even close to familiar with mac, as I just got my first one last year, after always having windows computers, but I think I can follow your well-written instructions! I will also donate!

  • davesgirl says:

    they once again didn’t fix it so I am going to try your instructions now!

  • AlisonR says:

    I have followed your instructions and have downloaded adware. I am trying to remove the MacKeeper and Mxplayer apps but I keep getting a message that I can’t do this because the app is open. How do I get rid of this on my Mac?

    • Thomas says:

      First, note that I have no instructions that would tell you to download “adware.” I’m guessing that you’re referring to AdwareMedic, but “adware” and “AdwareMedic” are two very different things! Adware is the bad software that AdwareMedic is meant to get rid of.

      As for whatever it is that you’re trying to remove, if something is still open and you can’t empty the trash, restart the computer. You should be able to empty the trash after that.

  • SavvyArtist says:

    Thomas,

    I recently crossed over to MAC from PC and have been wondering why it took me so long! I love it, however I am not as versed in the safe keeping of my mac as I was with my pc’s. Like many I was under the impression mac’s did not get virus’s or adware. Today after a safari crash and strange message asking for my password I discovered your site and downloaded your AdwareMedic. Thank you for your dedication to helping and educating the MAC user. I was able to remove the Genieo adware and discover I was wrong thinking mac’s immune. Keep up the great work.

  • Charlie says:

    easy to install and very effective! Thank you!

  • Kathy says:

    Thomas, I need help, at some point today on every article I look up certain words are bold and in blue and a line says “ad by unknown” I tried going to their site to uninstall but went in circles. Help. what do I have, and how do I get it out of my computer???

  • Angel Kona says:

    Hopefully, this will serve as an example to the adware community. A message, so to speak, that they are being watched by a giant who can squash them in an instant if it chooses. As much as I would like to see Apple squash every single piece of adware out there, I don’t think that’s ever likely to happen.

This post is more than 90 days old and has been locked. No further comments are allowed.