OSX/FkCodec-A in action
Published April 26th, 2012 at 10:31 AM EDT , modified April 26th, 2012 at 10:33 AM EDT
On April 23, 2012, Sophos quietly added a definition for something they called OSX/FkCodec-A to their database. However, details about this malware have been sparse. The description initially contained only a single sentence. Sophos has since expanded it, but the details are still sparse. Fortunately, I got my hands on a copy yesterday, and here’s what I found.
This malware is downloaded from sites as a “video codec” required to view videos. One such site was brought to my attention by a colleague:
After clicking on the ‘play’ button in the middle of the “video,” the following message is displayed:
If you click the Download Now! button, you will be sent to the following page:
Clicking the Download Now! button here downloads a file named download.dmg into your Downloads folder. (Could I have said “download” more times in that sentence?)
Opening the downloads.dmg disk image shows that its contents consist of two files: Codec-M Installer and Codec-M Uninstaller. If you run the installer, the first thing you’ll see is a request to change your web browser’s home page and search engine:
If you leave those boxes in their default checked states, then they will do just what they say. Your home page and search engine will be set to a dodgy-looking search site. Searching on that site results in a lot of advertising links and a bunch of results that don’t closely match what a real search engine would give you. In addition, with those boxes checked, a Safari extension will be installed:
It’s unclear exactly what this extension does. Sophos’ page describing this malware claims that the extension serves ads, though I did not see this behavior in my testing. So I can’t comment on what conditions might cause those ads might be served or what form they would take.
Interestingly, if you uncheck those boxes, your preference is actually obeyed! Your browser home page and search engine are left alone, and in addition, the Safari extension is not installed.
Once the installer completes, in addition to the changes mentioned above, an application named Codec-M.app is installed in your Applications folder. This application, when opened, appears to provide translation service:
The interface is very basic, but it appears to work. Though, why something that is supposed to be a video codec might offer translation is beyond me. Clearly this is not what it is advertised to be.
The only other files of note that get installed are an executable named codecm_uploader, placed in ~/Library/Application Support/Codec-M/, and a LaunchAgent to keep this file running, installed as ~/Library/LaunchAgents/com.codecm.uploader.plist. What this process is doing is unclear, though Sophos says that it keeps the software updated and reinstalls it if it is removed.
In my brief testing, the malware only tries to call out once, at the time of installation. It connects to update.codecm.com on port 80, and from examining the packets transmitted, it appears that all that is done is download of the latest version of the software. Most of the transactions consist of binary data being downloaded… very little data is actually sent to the server, and none of it looks particularly interesting. In addition, the Codec-M.app application will connect to a variety of servers: www.whitesmoke.com, which appears to be a very dodgy site and is flagged red by WOT, and a variety of other servers (www.google-analytics.com, upload.wikimedia.org and bits.wikimedia.org), from which it likely downloads its content.
Perhaps the most interesting thing about this malware is the uninstaller. Believe it or not, the uninstaller actually appears to work! It will remove the Safari extension, Codec-M.app, codecm_uploader and the LaunchAgent keeping it running. I have not discovered any other potentially dangerous files left behind after running the uninstaller!
For now, I am not too concerned about this malware. It does not appear to be particularly dangerous. The worst thing it seems to do is direct users to dodgy sites, probably in an attempt at click fraud – an attempt at increasing revenue from click-throughs on ads. And though I am reluctant to tell people to rely on an uninstaller provided by malware, the uninstaller seems to remove all the files that I would tell you to remove anyway. But, here’s what you need to delete in order to manually remove this malware:
~/Library/Safari/Extensions/codec-M.safariextz ~/Library/Application Support/Codec-M ~/Library/LaunchAgents/com.codecm.uploader.plist /Applications/Codec-M.app
Note that the ‘~’ in the paths above represent your user folder. Also note that the Library folder in your user folder is invisible by default in Mac OS X 10.7 (Lion). To get to that folder, choose Go -> Go to Folder in the Finder and enter “~/Library” (without the quotes) in the box. Alternately, you can hold down the option key while the Go menu is open, which will cause a Library item to appear… select that to open the user Library folder. Finally, note that the codecm_uploader process if found inside the Codec-M folder that you need to remove from Application Support. You won’t be allowed to empty the trash until you make that process quit, which you can do from Activity Monitor (select codecm_uploader and click the Quit Process button) or by logging out and then logging back in.