The Safe Mac



MacDeals adware found on file sharing site

Posted on July 6th, 2014 at 8:45 AM EST


A reader brought a new piece of adware to my attention last week, called MacDeals. This adware appears to be fairly simple, consisting of nothing more than Chrome and Firefox extensions. More interesting than the adware (which I have added to my Adware Removal Tool) is the distribution method.

This adware is distributed through the datafilehost file sharing site. This site appears to allow you to upload files, then give people links to this file so they can download it. (I see no capacity for searching the site… downloads appear to be by referral with a hard link only.)

I uploaded a small test file, called “untitled text.txt”, and then tried to use the link to download the file. Note, as shown at right, the checkbox offering a download manager.

Clicking the Download button resulted in a file named “untitled text.dmg” being downloaded. This disk image file contained an application named “Downloader” with a datafilehost logo. Opening that application revealed something looking like an installer, offering first to download the file, then offering to install MacDeals (with no opt-out options).

MacDeals ends up being installed in Firefox and/or Chrome (depending on which you have installed). There appears to be no corresponding Safari extension that gets installed, and no files appear to be installed elsewhere on the computer. Interestingly, these extensions already appear to be identified as a variety of different malware/adware programs on VirusTotal. (See the results for the MacDeals Chrome extension and the MacDeals Firefox extension.)
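One way to check a Chrome profile for an extension by display name, as an added example that is not part of the original post or of the Adware Removal Tool. It assumes Chrome's standard macOS profile location and matches on the name "MacDeals" because the post gives no extension ID; the sample tree and its IDs are constructed, and Firefox is not covered.

```python
import json
import tempfile
from pathlib import Path

CHROME_ROOT = Path.home() / "Library/Application Support/Google/Chrome"

def resolve_name(ext_dir, manifest):
    """Resolve Chrome's __MSG_key__ placeholder to the localized display name."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    loc_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        messages = json.loads(loc_file.read_text("utf-8"))
        lowered = {k.lower(): v for k, v in messages.items()}  # keys are case-insensitive
        return str(lowered[name[6:-2].lower()]["message"])
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return name  # keep the placeholder visible rather than guess

def find_extensions(chrome_root=CHROME_ROOT, needle="macdeals"):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return (profile, id, name)."""
    hits = []
    for path in sorted(Path(chrome_root).glob("*/Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text("utf-8"))
            name = resolve_name(path.parent, manifest)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest
        if needle in name.lower():
            hits.append((path.parents[3].name, path.parents[1].name, name))
    return hits

def build_sample(root):
    """Constructed sample profile (made-up IDs): one benign, one localized hit."""
    ext_a, ext_b = "a" * 32 + "/1.0_0/", "b" * 32 + "/2.1_0/"
    files = {
        ext_a + "manifest.json": {"name": "Notes", "version": "1.0"},
        ext_b + "manifest.json": {"name": "__MSG_appName__", "default_locale": "en"},
        ext_b + "_locales/en/messages.json": {"appName": {"message": "MacDeals"}},
    }
    for rel, data in files.items():
        target = Path(root) / "Default" / "Extensions" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(data))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_extensions(build_sample(Path(tmp))))
```

Calling `find_extensions()` with no arguments scans the real Chrome profiles of the current user and returns an empty list if nothing matches or Chrome is not installed.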

In addition to installing MacDeals, the downloader also created a file named “untitled test.txt” on my desktop. One would imagine that this file would be the original file that I uploaded. One would be wrong. The file ended up being an HTML file, not containing anything from the single short line of text that the uploaded file had originally contained. A .zip file downloaded in the same manner suffered the same unpleasant fate. None of the downloads from this scam site appear to be functional.

It would appear that the entire purpose of this site is to distribute adware. Unfortunately, this isn’t particularly unusual these days. Most file sharing sites – which are mostly used for illegal purposes, such as software piracy – are actively involved in the distribution of adware, or even malware. As such, stealing software or other media (music, movies, etc.) has become an extremely hazardous pastime. I strongly advise avoiding such activities entirely – if not for reasons involving ethics, for your own safety!



26 Comments

  • Ian MacGregor says:

    Another informative post, thank you! Shared to my blog, Facebook, and Twitter :)

  • BomC says:

    Today I found out there is a Safari extension, as well. Looks like I inadvertently downloaded it through a file exchange service, too.

    • Patrick says:

      That makes 2 of us and I am thinking of trashing Safari!

      • Thomas says:

        Trashing Safari would not be advisable. That would be like sawing your foot off to treat a hangnail! Plus, Safari’s a part of the system, and as such, shouldn’t be deleted.

        • Patrick says:

          I followed your advice Thomas and used the TSM Adware removal tool app, and it worked like a charm cleaning both Safari and Chrome from annoying pop-ups and intrusive additions to my system. I am relieved and no longer afraid of my browsers anymore. Again, thank you Thomas…..

  • RJ Cruz says:

    Hello, I do not know if this is related

    but just during the last week, in both Safari and Chrome, if my connection is even a little slow, I have had a major problem with a redirect to badpage.org. If I refresh the good link 2-15 times, eventually I get the page I was looking for, so it was NOT a Bad page

    the badpage(dot)org site says (including the misspelling of “applictaion”):

    Oooops
    this is a bad page and does not exist !
    * one of the softwares you installed has our bundle applictaion and once you visit a badpage we show a custom bad page
    * one of our affiliates is redirecting your bad pages to our badpage.org custom bad page .

    Running Mavericks on a 2011 Macbook Pro

    [Ed: Link modified to prevent indexing by search engines]

    • Quin says:

      I have the same problem with my computer for about 2 weeks now. And when I share my internet with other computers they display the same problem. It slowed down browsers on all my computers and it is very annoying. I tried a couple of anti-malware and anti-virus softwares, but no result.

      The security suite companies gotta do something about it.

  • brf says:

    Use “TSM Adware Removal Tool” to get rid of this. It’s available in the usual places.

  • Reem says:

    Thank you for the Adware Removal tool, it worked and removed the offending red dot. Much appreciated

  • Steve says:

    The file sharing site works properly if you uncheck that little box before you click the download button.

    • Thomas says:

      Even if that’s the case, do you really feel that it’s wise to trust a site that exhibits this kind of behavior?

  • annie says:

    THANK YOU!!!! your adware removal tool worked perfect. we had conduit and something d—lite, can’t quite remember. husband defied me and downloaded a movie viewer from racer.com. that’s what he gets for looking at nascar. lol
    i tried to donate, because…well, we need more people like you, but your link required me to set up a paypal account, and i prefer not to. sorry. if you change that preference to opt out of paypal sign-up i will donate.
    Thanks again. kisses and such

  • Heather says:

    Just wanted to say thank you for your simple and quick adware removal tool. I took my macbook to an apple “specialist” that told me I just had pop-ups and it was normal even though I never had them before and my browser was redirecting me to other pages…..2 minutes with your tool and I’m back to new!!! Thanks so much.

  • tatiana says:

    I just wanted to thaaaaank you !! i downloaded a file and shortly after my homepage on safari had changed to bing and mac keeper pages popped up whenever i opened a new page or tab. I don’t know how I found your website but i’m glad I did. Because I had downloaded a bad file I was a little apprehensive about downloading safe mac but I thought what’s the worst that could happen. I’m glad I did. It fixed the problem in literally 2 seconds. You’re the **** and you saved my mac from ad hell ! Thanks so much again !!!!

  • Rena says:

    I just want to thank you so much! Unfortunately, I thought I would try watching free movies, but shortly after watching, I started getting pop-up ads that I didn’t have before. My computer redirected my search engine to bing & mac keeper kept popping up. I went to the apple store and they told me that I would need to back up all my files & that for $70 they would wipe my OS clean. Instead, I did some research and found your information. I’m glad I did because it cleaned everything up!
    So, thanks a million!
    I have 1 question, how do I download the updated version? It seems to download the old one.

  • Iris says:

    Hi, I can’t open the link http://www.thesafemac.com/downloads/TSMART.zip. It is just a black page. Am I not doing something right? Please help as I have been getting interrupting tlbsearch.com links and macKeeper pop-ups.

    • Thomas says:

      Check your Downloads folder (or whatever folder you have your web browser set to download to) for a TSMART.zip file. If it isn’t there, something is blocking you from connecting. Try restarting in safe mode and downloading it while in that mode.

  • Sammy says:

    Thank you!!!!! It works!

    Sammy.

  • Pablo says:

    I do not know if this is related or not, but I downloaded the untitled text file in July and eventually all what has been said in this post happened to me, particularly macdeals behaving as addon for chrome, firefox and safari and filling my pages with google-like ads. I used avast! to remove this, apparently it did, not sure. Now the other thing that just happened to me is that the details of my credit card have been used and I have been the object of a fraud of about 2000 Euros. Not sure this is related but I have a gut feeling that it is. Would this be a possibility? In other words could it be that after I installed this trojan/virus/whatever someone could get access to my bank details in any way? Thanks.

    • Thomas says:

      No Mac adware has ever been documented to have any keylogging capabilities or to do anything more malicious than push ads in your face and track your browsing behavior. However, anything is possible. I would consider it very unlikely that the credit card fraud would have been caused by MacDeals, but I cannot completely rule it out.

  • Pablo says:

    Thanks for your quick response Thomas! And also thanks for keeping this site updated, so useful.
    Could you perhaps explain what other online ways exist for credit card fraud? I am just wondering where/how/when I f* up?!
    Thanks

  • Ada says:

    Thomas, thanks so much for providing such a valuable resource.

    My Macbook seems haunted. Every so often, I hear sounds but when I’d go to it, there would be nothing… just my screensaver. A few nights ago, I happened to be sitting in front of my MAC and it happened again so I was able to experience what I had been hearing.

    It was a very quick ad (video) that popped up but immediately closed. I went into Chrome history and was able to find that it was advertising from outclick.com and it’s been happening for quite some time.

    I followed your advice, I ran the TSM tool and Sophos. The TSM tool found Spigot which I then removed.
    I thought I was in the clear.

    But it’s happened again. I’m unsure of what to do next. Any advice?

    many thanks!!

  • Tyler says:

    Thanks a ton! Great article and great removal tool.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.