OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

InstallCore adware proliferates

Published April 8th, 2015 at 11:42 AM EST , modified May 23rd, 2015 at 9:58 AM EST

InstallCore is adware that began with a couple simple browser extensions. (One of these took the same name as a Spigot extension, “Searchme”, leaving questions about whether InstallCore might be related to Spigot in some way or whether this is purely coincidence.) Recently, however, new variants of InstallCore have been appearing like poop on a lawn full of geese. And some of the strategies it’s using stink just as badly!

Back in February, a colleague from a security company brought my attention to a fake Adobe Flash Player installer that was installing adware. The adware it installed for me looked like the familiar Searchme component of Spigot, albeit with very different code internally than the older Spigot extension. However, this resulted in some confusion and miscommunication between us, and it finally turned out that he was getting an extension called “searchtab,” with the same code as my “Searchme” extension.

It turns out that this installer behaved differently based on location. In the US, it installed Searchme. For my friend in France, it installed searchtab. Otherwise, the behavior was the same.

Then, last weekend, when checking the latest adware-riddled Softonic installer (see Continue to boycott Softonic), I found that it currently installs a Safari extension named jbsearch. Examining the code for this extension, it turns out to be the same as the latest Searchme and searchtab extensions.

In addition, earlier variants of this adware in its Searchme/searchtab form tended to be accompanied by a Firefox extension called Set Search Settings. This extension, however, was a major fail, as it was installed into a “staged” folder in Firefox’s extensions folder, which meant it never became active and was deleted by Firefox next time it opened. This latest Softonic installer, dropping the jbsearch Safari extension, also improperly installed this Set Search Settings extension in Firefox in exactly the same way.

Then, yesterday, someone tipped me off to being redirected to a web page that was reporting that Safari was out-of-date on his computer. The page itself was down before I could see it, but he had the presence of mind to send me the installer that was downloaded from this site. fake Safari installerThe resulting installer tries to look like a Safari installer, but not too hard… it’s a pretty poor imitation, as the installer icon doesn’t look anything like any installer Apple has ever used.

On running the installer, which is actually an application rather than a file made to be opened with Apple’s own Installer app, a window will appear imitating the Apple installer. This window strongly suggests that it will be installing Safari, which it absolutely does not do.

fake Safari installer 2If you click the Continue button, the second step of the process requires you to accept changing your homepage to Yahoo and the installation of a “Search-Assist extension.” Of course, the actual extension is called nothing of the sort. In addition, although the agreement claims in one spot to install the extension in Safari, Chrome and Firefox, only Safari is actually affected. There’s no sign of any Chrome extension, and as with previous versions of this adware, the Firefox extension is a flop.

It’s also worth noting that this makes it look an awful lot like Yahoo is responsible for this adware. In reality, though, there’s no evidence that Yahoo is involved, and I strongly doubt that they would be. This is undoubtedly an abuse of their “Search BOSS” program which allows people to create their own custom search page and get a portion of the ad revenue generated through that page.

The “installer” then proceeds to ask you if you want to install the junkware apps MacKeeper and ZipCloud – neither of which should be used, of course. Accepting these offers allows the installer to proceed to completion.

The end result was the installation of yet another new variant of InstallCore, called “mtsearch.” Based on the recent pattern (jbsearch and mtsearch), I’d guess that there may be many other “XXsearch” variants of InstallCore out there.

Examining the code for all of these recent InstallCore extensions shows that they change the search URL to a Yahoo URL ending in:

?hspart=iry&hsimp=yhs-fullyhosted_011&type=safExt&stype=4

The “hspart” and “hsimp” parts appear to be used for identification of the scammers behind the adware, so that Yahoo knows who to pay a share of the ad revenue, which is the end goal of these kinds of scams.

fake Safari installer 3Interestingly, upon completion, the installer had one last trick up its sleeve. It opened Safari to a page claiming that both Java and Flash were required. Clicking either install button redirected to another page saying that something called “Media Player HD” was required to continue. Clicking the Install button there resulted in the download of an adware-infected MPlayerX installer, which installed a fairly typical variant of the Downlite (aka VSearch) adware.

All this is interesting to techies, but how does it help normal Mac users? Because this is an excellent illustration of the kinds of scams that exist these days. The scams used in this case all involved telling the user that something was outdated and needed updating in order to see whatever it was that the user was looking for. Other scams may tell you that you have a virus, or “junk files,” in order to try to scare you into installing whatever they’re pushing.

In any case, if some web page appears with promises or scary threats to entice you into installing something, close it immediately. If anything is downloaded automatically, don’t install it; throw it in the trash instead.

This has been reported to Apple, along with samples of the installer and adware, and I plan to try to report the offending URL to Yahoo as well.

If you have been affected by something like this, see my Adware Removal Guide for help getting rid of it.

Updates

Saturday, May 23, 2015 @ 10:00 am EST: As I’ve been continuing to analyze recent samples of this adware, I’m less convinced that this is a variant of the older Spigot adware. I’m not ruling out some kind of unknown connection between Spigot and InstallCore, but to avoid confusion, I’m now referring to these extensions by the InstallCore name being used by the rest of the security industry.

Tags: , ,

34 Comments

  • iDrBacon says:

    Interesting. While its not surprising some of these adwares are attempting a comeback, they’ll most likely end up how they ended last time. That’s just my opinion, though.

  • Ofelia says:

    Loving those goose poop metaphors 😀 So, I assume that if you ignore pop-ups and keep “Open safe files” turned off, you should be good to go?

    • Thomas says:

      As long as you aren’t tricked into opening something yourself, yes. There’s currently no known method for “drive-by downloads” (ie, installing something from a website without user assistance) on the Mac.

      (I wasn’t sure whether many folks would get the goose metaphor… I’m sure anyone who has ever had Canada geese in their yard will know what I’m talking about, though!)

  • Barbara Grace says:

    haha! I was rolling on the goose poo… I’m in California, so they only pass by twice a year for a month, but seem to congregate at Commnity Centers where water and grass are present, those little gypsies! My dog had a penchant for diving into that goose litter like it was a pool of perfume. Ugg… A little walk that turns into having to bathe my dog…double ugg.. If before I could she shares it with the sofa!

    I just found your site in hopes I can figure out what’s being done to my almost brand new Mac. (Rec’d it 12/14). The program didn’t pull any adware, but I will try again. I am rolling through some other thoughts on your page such as the router issues. I see action such as redirecting my IP address to ones that aren’t mine. I have a 5th gen AirPort Extreme. I’ve tried resetting it to factory, and hadn’t set it back up, but the next day the computer would be connected via wifi…to the old address. I am not techy to the degree of knowing Who, What, When, Where, or Why, but we did have a roommate who is odd and did have people over. With no lock on my door, and my computer always on, I now realize that could have been a big mistake. Every action I have tried seems to work for only one day. My console is tired of relentlessly posting pages at a time for a 30 second span. The only thing that seems to give the console a break is to not only turn off the computer (no internet and in off mode it continues), but to UNPLUG the computer. Maybe someone who reads this might have a finger to point me in the direction of Mac Happiness again…I love my new Mac, and my old one is a dinausaur, but served me so well since I got it in ’06.

    • Thomas says:

      Be wary of trying to interpret Console messages. Those are not written for the average person to read, and the presence of messages in the Console does not necessarily indicate that there is a problem. I’m unclear on what the problem is beyond that, but I can tell you that I’ve never heard of an Apple AirPort router being hacked. If you’re not having any problems beyond repeating Console messages, I’d say you probably don’t have a problem. If you are having a problem, a better place to seek help would be here:

      https://discussions.apple.com

  • I guess it's the Wine says:

    Hi Thomas

    Are you referring to what SentinelOne reversed as OSX.IronCore, later renamed by Apple as OSX.InstallImitator?

    Here you have a full threat analysis:
    http://www.sentinelone.com/osx-ironcore-a-or-what-we-know-about-osx-flashimitator-a/

    Too bad this didn’t reach you interest sooner. Targeting a $1.5B is probably out of this blog scope.

    • Thomas says:

      That is indeed the February variant I was referring to. At the time, we had all seen fake Flash Player installers numerous times, and the payload was things that I was already familiar with, so I didn’t give it much thought. A fake Safari installer hits a bit closer to home, though, and the payload is changing in a way that seems to be aimed at avoiding detection.

  • Richard Johnson says:

    Does any current Malware-discovering software like VirusBarrier or AdwareMedic detect Spigot versions, or is there a list of items we could search for on a home computer to be sure we have nothing from Spigot present? Thanks.

    • Thomas says:

      AdwareMedic will remove all variants of Spigot to my knowledge. Most anti-virus software doesn’t do so well with adware. Some may detect it, some may not, and those that do may not detect all components.

  • Chris says:

    Somehow I had a bogus Firefox, and kept getting a spinning wheel whenever I tried to log on to gmail, and fake security-credential warnings when I tried to navigate to some other sites. I only realized it was bogus when it prompted me to update, and that window looked different. Firefox’s support suggests this may be a variant of the vundo trojan, which can slip under virus programs. I bought Intego’s after reading your comparison report from last year – and after installing, it did identify one malware on my computer and backup disk – before this new problem surfaced. I’m ready to update (finally) to Yosemite, but am not wanting to do a clean install, if my Time Machine – or Carbon Copy Cloner backup will still have the trojan in it. Do you recommend another anti-malware program? Also, it seems 10-15% of my outgoing gmails are disappearing, so I am leaving that company behind.

    • Thomas says:

      As far as I’m aware, Vundo is Windows-only and cannot affect a Mac. I’m not sure what you mean by “a bogus Firefox,” either.

      As for the trojan that Intego found, what was it called? Be aware that you should NEVER allow your anti-virus software to remove e-mail messages, as that can corrupt your mailboxes! For more information on proper malware removal, see How to remove infected files.

      I don’t generally recommend use of anti-virus software. See my Mac Malware Guide for details.

  • researcher says:

    Hi,
    Do you have the download link for that installer?

  • Chris says:

    On Firefox, I kept getting a spinning wheel whenever I tried to log on to gmail and similar sites, with repeated promptings to put in my passwords, and unexpected security-credential warnings when I tried to navigate to other sites. When this Firefox program prompted me to update, that window looked different than the update window I am used to seeing, so as I suspected it was a bogus program, I went back to the Firefox website to get a secure update.

    Firefox’s support suggests this spinning wheel problem may indicate a variant of the vundo trojan, which can slip under virus programs, see below.

    https://support.mozilla.org/en-US/kb/websites-show-spinning-wheel-never-finish-load?redirectlocale=en-US&redirectslug=Firefox+never+finishes+loading+certain+websites

    “Search for malware
    A variant of the Vundo trojan is known to cause Firefox to have problems loading certain high-traffic sites, including Google, Yahoo, MySpace, Facebook, and more. Not all variants of the Vundo trojan can be detected or removed by malware scanners.
    However, you should scan your computer for infections first. For detailed instructions, see Troubleshoot Firefox issues caused by malware.”

    The infection found on my Mac in early January by Intego was on a program called MPlayerX in my downloads folder (which I never consciously downloaded). Intego’s scanning log does not tell me what kind of malware it was.

    • Thomas says:

      It’s very unlikely that you had a fake Firefox app installed. It’s far more likely that you had some kind of adware installed that was affecting Firefox, or perhaps something like a network compromise that would have affected any browser. This is especially likely given the presence of an MPlayerX installer in your downloads folder, which is a common adware installer these days. (Most of the time, it installs Downlite, aka VSearch, but not always.)

      See my Adware Removal Guide for help finding and removing any adware that might be installed.

      • Pat Knight says:

        I found a fake Firefox (much smaller than the real one) when I fixed someone else’s computer. He had done a Google search for Firefox and got tricked into downloading and installing it. I should have saved more info to share with you.

  • Derek Currie says:

    A friend and I were conversing about Torrent clients and he recommended uTorrent. I pointed out that uTorrent has a bad reputation for foisting adware. I decided to do my own testing and found that the ‘installer’ (or should I say ‘infector’) for uTorrent demands to download an installer for Spigot adware before it even begins to allow your to actually download and install uTorrent. If you block the phone-home to the Spigot installer, the uTorrent installer shuts down. Incredible.

    Fortunately, after the ‘installer’ for uTorrent has downloaded the Spigot installer, you have to opt-in to install the Spigot adware. Let’s hope it stays that way. Opting out of the Spigot adware then allows you to actually download and install uTorrent, which is a mere application you could have simply dropped into your Applications folder all on your own without all this rubbish.

    Needless to say, I trashed uTorrent after installing it.

    • XTC says:

      Out of curiosity, I thought I’d have a look at this uTorrent installer to see how they were accomplishing this. Surprisingly, I couldn’t find uTorrent when I downloaded it. Apparently Microsoft Endpoint Protection for Mac (a rebranded ESET) deleted it instantly as known to be infested with OSX/Adware.Spigot.A. Impressed. One less thing to worry about with my users.

      • Thomas says:

        Don’t rely on that, though. Adware isn’t well detected by anti-virus software.

      • Derek Currie says:

        The uTorrent ‘installer’ is essentially a script that triggers two steps:
        1) It downloads the Spigot adware installer. This is downloaded separately from the uTorrent installer. As I pointed out, if you block this download via Little Snitch etc., the uTorrent ‘installer’ shuts down, the end.
        2) After the uTorrent ‘installer’ has separately downloaded the Spigot adware installer and offered to infest your Mac with the garbage, THEN the actual, real uTorrent installer is downloaded and you are allowed at that point to actually install uTorrent.

        The result is three downloads, the third of which is the actual uTorrent installer. Therefore, you won’t find any sign of uTorrent inside the first of three installers. It’s not going to be there. It’s just a script for the further two downloads. This sort of trickery is very common among the adware installers. Downloads.com uses a very similar fake ‘installer’ scheme whereby the first download does NOT include the actual software you’re attempting to install. It’s more like a generic adware installer that gets around to offering you want you really want as an afterthought. The primary purpose of the initial ‘installer’ is to shove the adware at you.

  • Matthew says:

    What is the URL (or are there many) that leads to the fake Safari installer?

  • U.N. Owen says:

    I’m a long-time Mac person (since System 6, and My LC), and, even though it’s been a long time, one can never – ever feel too cocky, self-confident.

    Whilst I do go to places which would seem ‘risky,’ and I have – in the early days of my 1st OS X intel machine did get caught once or twice by these … things… I try to stay on my toes.

    I only go to places I know, feel comfortable with (that DOESN’T mean, I let my guard down, just – I know them and they’ve been ok. So far.

    I have PACIFIST – a gr8 application, which is like having an ‘x-ray’ machine. It lets you see inside any package b4 you open it,and, you can open JUST what you want, or, nothing at all. Terrific.

    I also have – quite frequently – had to download something, and, even though the site I started at I’m comfortable with, one get’s ‘passed off’ to the download site (places like ObOOM, RapidGator, etc., and I have STOPPED proceeding when I feel it’s kinda ‘pinky.’

    I also have ‘COOKIE< which, whilst not exactly in this area, I have it set to delete any cookies, and FLASH cookies, any databases not in a very limited list every few minutes – this way any of these ‘download’ middlemen are G-O-N-E. (then, I also use Little Snitch, to block them).

    One important thing: I ALWAYS come here – at least once every couple of weeks – to check in – see what’s up, etc. – KEEPING INFORMED.

    For The Safe Mac, just being in existence, I am so happy.

  • Michael says:

    “MacKeeper and ZipCloud – neither of which should be used, of course.”

    I was aware that MacKeeper was nothing but trouble, but I thought that ZipCloud was a legitimate backup program. It is mentioned nowhere else on your blog. So what’s it’s status?

    • Thomas says:

      ZipCloud has been installed alongside adware by a number of different nasty little installers lately. I’ve seen this happen myself with a number of different installers I’ve tested. Any company that will pull this kind of trick is not one to be trusted, in my opinion.

  • Megan says:

    I just want to thank you so much. I clicked on an install that led me to getting crazy MacKeeper and other popups every time I tried to go to a different link or click anywhere in the window. I thought I was going to lose my computer which terrified me because I have my previous computer for 7 years and this one is not even a year old! After about two hours of trying to figure out if there was any way to salvage use of my computer, I came across your AdwareMedic. I was a little nervous, after all I had just messed up royally and already gotten something onto my computer that I didn’t understand. I installed it and sure enough, there was that spigot adware that I was now able to see and get rid of. Now, a half an hour later, my computer is running like new (as it should be, it’s a baby!) Again, thank you so much, I’m not super savvy about computers and I’m not sure what I would have done if I didn’t find your site.

  • Gabriel says:

    I am wondering if I have this – I have some form of adware that results in browser redirects in chrome, typically seems to be to a variety of search sites or sites that want me to install something and I can only force-quit chrome to exit it. adwaremedic doesn’t pick it up, neither does intego antivirus. I had DivX installed and removed everything i could find from hidden folders and trashed and deleted them. reset chrome browser, have no unknown extensions (and they are basically google extensions + adblock). Reset the DNS of router and computer to the google DNS servers….not sure what to try next!

    • U.N. Owen says:

      THAT is WAY – W-A-Y overdoing it.

      Gabriel, if I may say so, you seem to be relatively new to either computers, in general, or Macs, in particular.

      VERY rarely would one EVER have to go to such exorbitant lengths as you seem to go (as well as others).

      The problem is almost always confined, contained – in a small area.

      Resetting, Reinstalling… N-O.

      Just LEARN – from places like here (use his awesome ‘AdWareMedic tool), and – hopefully, you won’t ever run into places where you could get such garbage, but, if perchance you do, u’ll see you’ll be fine in minutes – not hours, not after having (basically) ‘lobotomising’ your computer – all to just remove a couple of bad little things.

  • Finnie says:

    Hi Thomas,
    I usually stream my favorite tv shows like “Game of Thrones” on Vodly.to or watchseries, but every time I click on the search bar, a popup comes up and says I need MplayerX or “Install Flashware.” Some times I get other random ones too like “cook book recipes” and what not. This only happens when I go on these websites that have illegal streaming. My friend’s computer works when I go on the websites but it looks like it’s just mine. I already deleted my extensions, check my pathway folders, and installed Adware. It still pops up! PLEASE HELP!

    • Al Varnell says:

      Anybody that helps you to obtain illegal media here could be arrested along with you. If you don’t want to see these popups, pay for the right to view it as any honest person would.

This post is more than 90 days old and has been locked. No further comments are allowed.