We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Malicious Genieo installers persist

Posted on June 21st, 2013 at 4:06 PM EDT

I wrote about the problems with Genieo a couple times last month, when it was discovered that Genieo was being downloaded through fake Flash Player update pop-ups on some sites. Further research showed suspicious code inside the Genieo installer. Following those developments, Dr. Web and Intego both decided to add detection of Genieo as malware to their anti-virus products. Folks from Genieo’s support informed me that these problems would be taken care of. Unfortunately, one month later, it looks like problems with Genieo persist.
Read the rest of this entry »


More details on Genieo adware

Posted on May 23rd, 2013 at 4:16 PM EDT

On Tuesday, I posted an article about a potentially malicious Genieo installer. This has resulted in a couple anti-virus companies labeling the Genieo software as a trojan. Intego revealed an interesting discovery, and I’ve also been pursuing some interesting points myself. There are some interesting developments that call into question whether this is just an isolated incident involving one of Genieo’s partners, or a problem with Genieo itself.
Read the rest of this entry »


Genieo adware downloaded through fake Flash updates

Posted on May 21st, 2013 at 9:41 PM EDT

For at least a couple months now, I have been hearing a lot of reports of fake Flash update notices appearing on a variety of different web sites, and resulting in the download of a Genieo installer. It has been difficult to track down a source, so that I could see this in action, but I finally found one. Although I still don’t believe that Genieo is actually malware, there is definitely some monkey business going on.
Read the rest of this entry »


New Mac spyware found at freedom conference

Posted on May 17th, 2013 at 6:42 AM EDT

F-Secure announced yesterday the discovery of a new piece of Mac malware, which was discovered at the annual Oslo Freedom Forum on a freedom of speech activist’s computer. This malware, which they are calling OSX/KitM.A, appears to take screenshots about every 20 seconds, and presumably (though they did not say this outright) uploads them to a remote server. Most interestingly, this malware is signed with an Apple Developer ID!
Read the rest of this entry »


CallMe malware persists

Posted on April 25th, 2013 at 1:59 PM EDT

F-Secure has blogged today about a slightly new variant of CallMe that has been seen in the wild. Everything about the malware seems to be the same, except for file names and the command server that the malware “calls home” to. This is certainly small news, but it does show that this malware is still in active distribution, at least.
Read the rest of this entry »

This post is more than 30 days old and has been locked. No further comments are allowed.

Yontoo: adware or malware?

Posted on March 22nd, 2013 at 12:18 PM EDT

There has been a lot of talk in the last week about a new bit of adware for the Mac, called Yontoo. Adware is never popular, whether it is legit or not, and is a frequent source of disagreement in the security community. It is very rare that anti-virus companies manage to come to agreement on this topic. Even a program like FkCodec (aka Codec-M), which is without a doubt designed to trick users into installing it to earn ad revenue, is not detected by many anti-virus programs. (One of my FkCodec samples earned the lowest detection rate in my recent testing, being identified by only 7 of 20 anti-virus engines.) So why has Yontoo gotten so much attention?
Read the rest of this entry »


Has GetShell been trojanized?

Posted on March 11th, 2013 at 7:44 PM EDT

An interesting file was posted to VirusTotal today: a Mac disk image file containing what appeared to be a copy of Adium. This file was recognized by a small handful of anti-virus engines as the GetShell malware, however. This surprised me a bit, as GetShell had previously (as far as I know) only been installed as a drive-by download through Java vulnerabilities. So I decided to do a little investigation.
Read the rest of this entry »


New Minecraft password-stealing trojan

Posted on March 1st, 2013 at 4:46 PM EST

Minecraft has been targeted by malware before (see Cross-platform malware Jacksbot found in the wild), and with Minecraft and Minecraft modifications continuing to be popular, it’s no surprise that it has happened again. Intego announced today the discovery of a new trojan that it has named Minesteal.
Read the rest of this entry »


New CallMe malware discovered

Posted on February 13th, 2013 at 2:11 PM EST

Intego announced today the discovery of a new Mac trojan, which they are calling OSX/CallMe.A. This malware is spread through maliciously-crafted Microsoft Word documents that, when opened, result in a backdoor being installed. The backdoor in question sounds very simple, giving the hackers the ability to run commands (through a bash shell) and steal the user’s Address Book data.

Read the rest of this entry »


Fake installer trojan targets Mac users

Posted on December 13th, 2012 at 12:38 PM EST

Dr. Web announced the discovery of a new Mac trojan, which they call SMSSend, on Tuesday. This latest trojan masquerades as an installer for the legitimate VKMusic application. Rather than install malicious software on your computer, however, the malicious installer requests a cell phone number in order to complete the install process. Users who provide a cell phone number, and then enter the activation code that is texted to that phone, will be subscribed to a “service” that applies charges their cell phone account.
Read the rest of this entry »