
InstallMac trojan (also called ZipDevil) - incomplete removals by MWB for Mac


Recommended Posts

Hi,

 

I work as IT helpdesk at a medium sized nonprofit that has a lot of Macs deployed. Recently we have been seeing a rash of people whose computers have the InstallMac trojan running on them. This trojan waits 30-45 minutes after the computer starts up and then launches a process that appears as AppSO in the Activity Monitor process list. It proceeds to eat all the processing power on a single CPU, and does nothing but fill up the computer's RAM, eventually turning the entire hard drive into swap space... which then causes everything to lock up until you hard-reboot the computer.

 

MalwareBytes Anti-Malware for Mac seems to identify ONE of the source files for this trojan, but ignores the rest of them and the application it is usually bundled with (ZipDevil.app).

 

There is a good post on the Apple forums that describes where the other files hide and how they are named. It would be nice if MWB could have its detection system updated so that it checks for the other known files, since I currently have to root everything out by hand.

 

https://discussions.apple.com/thread/7230519?start=0&tstart=0


  • Staff

Malwarebytes Anti-Malware for Mac actually should already detect everything mentioned in that post on Apple's forums, as well as many other Genieo (aka InstallMac) variants not mentioned there.

 

Can you provide more information on what specific things are being missed? If we're missing something that we should be catching, I definitely want to know about it.


Malwarebytes Anti-Malware for Mac actually should already detect everything mentioned in that post on Apple's forums, as well as many other Genieo (aka InstallMac) variants not mentioned there.

 

Can you provide more information on what specific things are being missed? If we're missing something that we should be catching, I definitely want to know about it.

 

Zip Devil.app was ignored (seems to be the primary installation source, an advertisement hijacks the person's browser bringing them to zipdevil.com and gets them to download it, which results in the Genieo infection), and MWB missed a bunch of files in the LaunchAgents folder (they were all something.something.plist, the middle part started with tiv or til, but I didn't think to write it down before I cleaned everything up). If I get another one of these in after the holidays, I'll make sure to grab a complete file list and upload the files.

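Both the request above for "a complete file list" and the staff's earlier ask for specifics on what was missed come down to the same chore: taking an inventory of the launchd job files before anything is deleted. The script below is an added example written for this thread; it is not Malwarebytes code and not the cleanup the poster performed. It reads every .plist in the LaunchAgents/LaunchDaemons folders with the standard plistlib module, records the label and the program each job launches, and marks entries for review using the only clues the thread gives (a label whose middle part starts with "tiv" or "til", a target binary that is missing or lives in a user-writable place, a job that both runs at load and keeps itself alive). The folder list, the user-writable prefixes and the review heuristics are assumptions for illustration; the sample job files written by demo() are constructed. Nothing is removed, which is exactly the "report it first" workflow the staff reply recommends.

```python
"""Inventory launchd job files and flag candidates for review (report, never delete)."""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Assumed scan locations: per-user agents plus system-wide agents and daemons.
LAUNCH_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Heuristic taken from the thread: a label of the form a.b.c whose middle part
# begins with "tiv" or "til". A weak signal; it only selects entries for review.
SUSPECT_MIDDLE = re.compile(r"^(tiv|til)", re.IGNORECASE)

# Assumed list of locations a vendor job rarely runs from (all user-writable).
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")


def label_looks_suspect(label: str) -> bool:
    """True for labels like com.tilxxxx.agent; needs at least three dotted parts."""
    parts = label.split(".")
    return len(parts) >= 3 and any(SUSPECT_MIDDLE.match(p) for p in parts[1:-1])


def program_path(job: Dict) -> Optional[str]:
    """The executable a job launches: Program wins, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else None


def assess(plist_path: Path) -> Dict:
    """Parse one job file and collect review reasons. Read-only."""
    row = {"plist": str(plist_path), "label": plist_path.stem, "program": None, "reasons": []}
    try:
        with plist_path.open("rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # an unparsable job file is itself worth reporting
        row["reasons"].append(f"unparsable: {exc}")
        return row
    row["label"] = str(job.get("Label", plist_path.stem))
    prog = program_path(job)
    row["program"] = prog
    if label_looks_suspect(row["label"]):
        row["reasons"].append("label middle part starts with tiv/til")
    if prog is None:
        row["reasons"].append("no Program or ProgramArguments")
    else:
        if not Path(prog).exists():
            row["reasons"].append("target binary missing")
        if prog.startswith(USER_WRITABLE_PREFIXES) or prog.startswith(str(Path.home())):
            row["reasons"].append("runs from a user-writable location")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        row["reasons"].append("RunAtLoad + KeepAlive (restarts itself if killed)")
    return row


def inventory(dirs: Iterable[Path]) -> List[Dict]:
    """Assess every .plist in the given folders; folders that do not exist are skipped."""
    rows = []
    for d in dirs:
        if d.is_dir():
            for p in sorted(d.glob("*.plist")):
                rows.append(assess(p))
    return rows


def flagged(rows: List[Dict]) -> List[Dict]:
    return [r for r in rows if r["reasons"]]


def demo() -> List[Dict]:
    """Constructed sample: one benign job and one that trips the heuristics, in a temp folder."""
    tmp = Path(tempfile.mkdtemp())
    benign = {"Label": "org.example.updater", "ProgramArguments": ["/bin/sh", "-c", "true"]}
    suspect = {
        "Label": "com.tilsample.agent",               # constructed label matching the tiv/til clue
        "ProgramArguments": ["/Users/Shared/sample/AppSO"],  # constructed path, does not exist
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for job in (benign, suspect):
        with (tmp / f"{job['Label']}.plist").open("wb") as fh:
            plistlib.dump(job, fh)
    return inventory([tmp])


if __name__ == "__main__":
    # On a real Mac: scan the assumed folders and print what a support tech would want to see.
    for r in flagged(inventory(LAUNCH_DIRS)) or flagged(demo()):
        print(f"{r['label']}\n  file:    {r['plist']}\n  program: {r['program']}")
        for reason in r["reasons"]:
            print(f"  review:  {reason}")
```

Run it on the affected machine and attach the output (plus copies of the flagged files) to the support request; whether a flagged job is adware or a legitimate app's helper is then a judgement the vendor can make with the file in hand, rather than after it has been deleted.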

  • Staff

ZipDevil is software whose developers have made the poor choice of bundling adware. It in itself is not harmful, although there could be some argument for detecting it as a PUP (potentially unwanted program). If we did that, though, it would be unfair not to detect things like FileZilla and Java, both of which have also been bundled with adware by their owners. It's a bit of a slippery slope.

 

As for the files that were missed in the LaunchAgents folder, I can't say why they were missed without more information. One possibility is that they were not actually malware or adware at all, but belonged to some other app. Another is that they are something new that we have not seen yet. I'd invite anyone to report things like this to us before deleting them, so that we can either tell you whether they are legit - and shouldn't be deleted - or add detection of them to our signatures.

 

In the future, if you choose Contact Support from the Help menu in Malwarebytes Anti-Malware for Mac, that will allow you to submit a snapshot of your system and enter a message for our support techs, and we will work with you to identify any possible threats on your machine.

