OSX/FkCodec-A in action

Published April 26th, 2012 at 10:31 AM EST , modified April 26th, 2012 at 10:33 AM EST

On April 23, 2012, Sophos quietly added a definition for something they called OSX/FkCodec-A to their database.  However, details about this malware have been sparse: the description initially contained only a single sentence, and although Sophos has since expanded it, it still says little.  Fortunately, I got my hands on a copy yesterday, and here’s what I found.

This malware is downloaded from sites as a “video codec” required to view videos.  One such site was brought to my attention by a colleague:

After clicking on the ‘play’ button in the middle of the “video,” the following message is displayed:

If you click the Download Now! button, you will be sent to the following page:

Clicking the Download Now! button here downloads a file named download.dmg into your Downloads folder.  (Could I have said “download” more times in that sentence?)

Opening the download.dmg disk image shows that its contents consist of two files: Codec-M Installer and Codec-M Uninstaller.  If you run the installer, the first thing you’ll see is a request to change your web browser’s home page and search engine:

If you leave those boxes in their default checked states, then they will do just what they say.  Your home page and search engine will be set to a dodgy-looking search site.  Searching on that site results in a lot of advertising links and a bunch of results that don’t closely match what a real search engine would give you.  In addition, with those boxes checked, a Safari extension will be installed:

It’s unclear exactly what this extension does.  Sophos’ page describing this malware claims that the extension serves ads, though I did not see this behavior in my testing.  So I can’t comment on what conditions might cause those ads to be served or what form they would take.

Interestingly, if you uncheck those boxes, your preference is actually obeyed!  Your browser home page and search engine are left alone, and in addition, the Safari extension is not installed.

Once the installer completes, in addition to the changes mentioned above, an application named Codec-M.app is installed in your Applications folder.  This application, when opened, appears to provide translation service:

The interface is very basic, but it appears to work.  Though, why something that is supposed to be a video codec might offer translation is beyond me.  Clearly this is not what it is advertised to be.

The only other files of note that get installed are an executable named codecm_uploader, placed in ~/Library/Application Support/Codec-M/, and a LaunchAgent to keep this file running, installed as ~/Library/LaunchAgents/com.codecm.uploader.plist.  What this process is doing is unclear, though Sophos says that it keeps the software updated and reinstalls it if it is removed.

In my brief testing, the malware only tries to call out once, at the time of installation.  It connects to update.codecm.com on port 80, and from examining the packets transmitted, it appears that the only thing it does is download the latest version of the software.  Most of the transactions consist of binary data being downloaded…  very little data is actually sent to the server, and none of it looks particularly interesting.  In addition, the Codec-M.app application will connect to a variety of servers: www.whitesmoke.com, which appears to be a very dodgy site and is flagged red by WOT, and a variety of other servers (www.google-analytics.com, upload.wikimedia.org and bits.wikimedia.org), from which it likely downloads its content.

Perhaps the most interesting thing about this malware is the uninstaller.  Believe it or not, the uninstaller actually appears to work!  It will remove the Safari extension, Codec-M.app, codecm_uploader and the LaunchAgent keeping it running.  I have not discovered any other potentially dangerous files left behind after running the uninstaller!

For now, I am not too concerned about this malware.  It does not appear to be particularly dangerous.  The worst thing it seems to do is direct users to dodgy sites, probably in an attempt at click fraud – an attempt at increasing revenue from click-throughs on ads.  And though I am reluctant to tell people to rely on an uninstaller provided by malware, the uninstaller seems to remove all the files that I would tell you to remove anyway.  But, here’s what you need to delete in order to manually remove this malware:

~/Library/Safari/Extensions/codec-M.safariextz
~/Library/Application Support/Codec-M
~/Library/LaunchAgents/com.codecm.uploader.plist
/Applications/Codec-M.app

Note that the ‘~’ in the paths above represents your user folder.  Also note that the Library folder in your user folder is invisible by default in Mac OS X 10.7 (Lion).  To get to that folder, choose Go -> Go to Folder in the Finder and enter “~/Library” (without the quotes) in the box.  Alternatively, you can hold down the option key while the Go menu is open, which will cause a Library item to appear…  select that to open the user Library folder.  Finally, note that the codecm_uploader process is found inside the Codec-M folder that you need to remove from Application Support.  You won’t be allowed to empty the trash until you make that process quit, which you can do from Activity Monitor (select codecm_uploader and click the Quit Process button) or by logging out and then logging back in.
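As an added example (not part of the original post, and not the uninstaller’s code), here is a read-only shell check that looks for the artifacts listed above, plus the Firefox and Chrome extension paths Al Varnell reports in the comments. The home-directory and root-directory arguments are assumptions so the check can be pointed at another account or at a test directory; it reports what it finds and deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original post: report Codec-M (OSX/FkCodec-A)
# artifacts without deleting anything. HOME_DIR and ROOT_DIR are assumed
# parameters so the check can target another account or a test directory.

# Per-user paths, relative to the home folder (post + Al Varnell's comment).
codecm_user_paths() {
    cat <<'EOF'
Library/Safari/Extensions/codec-M.safariextz
Library/Application Support/Codec-M
Library/LaunchAgents/com.codecm.uploader.plist
Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{EEF73632-A085-4fd3-A778-ECD82C8CB297}.xpi
Library/Application Support/Google/Chrome/Default/Extensions/gmmhejnionfamfddcdbffhceihkmbdfc
EOF
}

# System-wide paths, relative to the volume root.
codecm_system_paths() {
    cat <<'EOF'
Applications/Codec-M.app
Applications/Google Chrome.app/Contents/Extensions/codec-M.crx
EOF
}

# Print each artifact present under HOME_DIR / ROOT_DIR, one per line.
# Prints nothing (and still returns 0) when the account looks clean.
codecm_find_artifacts() {
    home_dir="$1"
    root_dir="${2:-}"   # empty means the real volume root
    codecm_user_paths | while IFS= read -r rel; do
        if [ -e "$home_dir/$rel" ]; then printf '%s\n' "$home_dir/$rel"; fi
    done
    codecm_system_paths | while IFS= read -r rel; do
        if [ -e "$root_dir/$rel" ]; then printf '%s\n' "$root_dir/$rel"; fi
    done
}

# "running" if the uploader process the post describes is alive, else "stopped".
# The LaunchAgent respawns it, so unload the plist (launchctl unload <plist>)
# before removing the Codec-M folder, or emptying the Trash will be refused.
codecm_uploader_state() {
    if pgrep -x codecm_uploader >/dev/null 2>&1; then echo running; else echo stopped; fi
}

# Stand-alone use: sh thisscript.sh --scan  (checks the current user account)
if [ "${1:-}" = "--scan" ]; then
    codecm_find_artifacts "$HOME" ""
    echo "codecm_uploader: $(codecm_uploader_state)"
fi
```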

8 Comments

  • Al Varnell says:

    It will also install extensions for Firefox and Chrome if you have them:

    ~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/
    and the extension inside it {EEF73632-A085-4fd3-A778-ECD82C8CB297}.xpi
    /Applications/Google Chrome.app/Contents/Extensions/codec-M.crx
    ~/Library/Application Support/Google/Chrome/Default/Extensions/gmmhejnionfamfddcdbffhceihkmbdfc

    The uninstaller should take care of them, as well.

    • Thomas says:

      Thanks for the additional details, Al! I didn’t have Firefox or Chrome installed on my test system, so didn’t see that. It looks like the filenames are pretty gnarly for those browsers… is there a way to delete extensions from within Firefox or Chrome that might be easier for users to find?

  • John says:

    I take it that the video won’t play either way and by clicking it again, the download would restart? Pretty easy to be picked up as a dodgy deal.

    • Thomas says:

      Yup, that’s correct. Even with the “codec” installed, the video still just goes to the download button. There’s definitely no part of this that is legitimately a video codec.

  • Terry Reeves says:

    Their home base is here – http://codecm.com/ If you read their privacy and terms of use statements they tell you exactly what they will do, i.e. track your every move, sell your personal data, and advertise! So the name is deceptive and the claim of “best streaming experience” is laughable, but they tell you up front they are adware and spyware, counting on no one to actually read this info. The uninstaller appears genuine as noted in the article, and they respect your preferences in the install as noted. I think therefore that legally they are in the clear. Malware it is, but of the sort that does nothing secret or illegal. Technically it does not infect, you just agree to install an app that does things you don’t want. The “presumption of good faith” between users and publisher is violated, of course. Kinda like hidden terms in a credit card agreement, but banks have relied more on length and complexity to hide rather than users’ habit of not reading EULAs.

  • Al Varnell says:

    > is there a way to delete extensions from within Firefox or Chrome that might be easier for users to find?

    I can't speak to Chrome, but there is supposed to be a delete button in Firefox. At least one user mentioned that there was no delete button for that extension. If I get some time I'll see if I can confirm anything, but it may not work with my setup.

  • Philippe says:

    Hi Thomas,

    Thanks again for the info!

    Have you noticed the system requirements on your 3rd screenshot: XP, Vista, 7…

    • Thomas says:

      Yup, those system requirements seem to be unrelated to what actually gets downloaded. Typical sloppiness exhibited by malware authors. Significant spelling errors, atrocious grammar and irrelevant system requirements are just a few good tip-offs that you shouldn’t be downloading whatever you’re trying to download! 🙂
