
Why block MacUpdate.com?


emendelson


Can someone explain why Malwarebytes keeps blocking Macupdate.com? It seems to be a completely innocent site, widely known, widely used, not blocked by anything else. It's very annoying to have all its pages blocked - and so thoroughly blocked that even a web-address exception doesn't seem to allow it.

This seems to be a mistake. Is there any reason to believe it isn't? Exactly what is Macupdate.com supposed to be doing that makes Malwarebytes block it?

Edward Mendelson
Contributing Editor
PC Magazine/PCMag.com


Hi Edward :)

According to hpHosts and VirusTotal, MacUpdate.com isn't blocked by Malwarebytes Anti-Malware. Are you able to take a screenshot of the warning you get when visiting the website and post it here? Or copy/paste the line from the Protection log where the protection kicks in against it? It'll help the Staff see what's wrong with it. The block could come from somewhere else on the website.


2 minutes ago, Aura said:

Hi Edward :)

According to hpHosts and VirusTotal, MacUpdate.com isn't blocked by Malwarebytes Anti-Malware. Are you able to take a screenshot of the warning you get when visiting the website and post it here? Or copy/paste the line from the Protection log where the protection kicks in against it? It'll help the Staff see what's wrong with it. The block could come from somewhere else on the website.

Hi Aura,

Here's a typical popup that I get when I visit the site, or even when I view an e-mail notification that I get from Macupdate.com. It's a major annoyance, as Macupdate.com is the only site that you ever block on my system - and you always block it!

Malware.png


Actually, that guess is absolutely not correct at all. I know all about those shady sites that use bundled installers that drop malware. MacUpdate.com isn't one of them. It's a central location for finding commercial and other free software. I use it to distribute some open-source Mac applications that I've written myself, so I know exactly how it works and have been relying on it for years.

Edward Mendelson
Contributing Editor
PCMag.com/PC Magazine

Edited by emendelson

There are still malicious files on that site (e.g. hxxps://www.macupdate.com/app/mac/20526/7zx)

/edit

I've added the missing entry to hpHosts (not sure why it wasn't in there)

/edit 2

Related:

https://blog.malwarebytes.com/cybercrime/2015/11/has-macupdate-fallen-to-the-adware-plague/

Edited by MysteryFCM

7 minutes ago, MysteryFCM said:

There are still malicious files on that site (e.g. hxxps://www.macupdate.com/app/mac/20526/7zx)

/edit

I've added the missing entry to hpHosts (not sure why it wasn't in there)

/edit 2

Related:

https://blog.malwarebytes.com/cybercrime/2015/11/has-macupdate-fallen-to-the-adware-plague/

Why not block specific pages rather than the entire site? I can't speak to current accuracy of your November 2015 blog post except to say that I've never experienced that behavior, and I sometimes download software from the site without bothering to sign in.

For those of us who distribute software there, a whole-site block is basically telling the world that we're complicit in malware distribution. But we aren't. Our downloads are exactly the open-source downloads that we created.

Edward Mendelson
Contributing Editor
PCMag.com/PC Magazine


  • Staff
28 minutes ago, emendelson said:

Actually, that guess is absolutely not correct at all. I know all about those shady sites that use bundled installers that drop malware. MacUpdate.com isn't one of them.

Actually, it is. They are known to have installers that drop the IronCore adware on the user's system. Not all of them do, and if you have a paid membership you don't see any of that because they exempt you. This has all been documented since late last year.

I'm the person who wrote the article referred to by MysteryFCM above. If you have any specific questions about this, please feel free to ask.


Edward - in the last 10 years there have been 2 or 3 cases where we have posted downloads that contain malicious code, because the virus scanners had not been updated at the time we checked the download and posted the link. In all such cases, we removed the link or page from the site as soon as the malicious code was reported to us. The site does use an installer for some downloads which we use to a) make it easier for novice Mac users to install apps and b) generate additional offers that users can opt in to install. We do not allow for installers that install adware or malware. We have discussed this issue with Thomas here at Malwarebytes, and it is a shame that they continue to treat MacUpdate.com with continued skepticism and dissension. We urge anyone that discovers suspicious looking downloads to report them to our support staff so that we can investigate and remedy any issues.


19 minutes ago, chadatmacupdate said:

The site does use an installer for some downloads which we use to a) make it easier for novice Mac users to install apps and b) generate additional offers that users can opt in to install. We do not allow for installers that install adware or malware.

Hi @chadatmacupdate :welcome:

I am not a Mac user but the above is just as wrong in the Mac world as it is in the Windows world. Many Mac users believe their Mac is "bullet proof" and of course don't read fine print just like Windows users.

There are other ways to monetize your business without foisting bundled installers upon your visitors. It makes NO difference if it's opt in or opt out.

Might want to take a look at Majorgeeks and see how they do it. They inform you in each description if the installer is bundled or not. They test each one.

The above is my opinion and I do NOT work for Malwarebytes but I am a strong believer in what Malwarebytes does for the computing community.

Edited by Porthos

Well, this is a serious disappointment. I think bundled installers are bad things. I don't like it when the Java updater keeps urging me to install this or that on Windows, and I don't like it anywhere else. I'm a reasonably alert user, but I support many users who aren't and am constantly clearing up things that they never intended to install.

I've relied on Macupdate.com for years and years, and wasn't aware (though I should have been) that I was uploading items to a site that distributes bundled installers. I very much hope you'll reconsider the policy of using such things, and instead, only use the installers or downloads provided by the original authors.


27 minutes ago, emendelson said:

I've relied on Macupdate.com for years and years, and wasn't aware (though I should have been) that I was uploading items to a site that distributes bundled installers. I very much hope you'll reconsider the policy of using such things, and instead, only use the installers or downloads provided by the original authors.

@emendelson Why don't you put your hard work up on http://mac.majorgeeks.com/

Edited by Porthos

  • Staff
36 minutes ago, chadatmacupdate said:

The site does use an installer for some downloads which we use to [...] generate additional offers that users can opt in to install. We do not allow for installers that install adware or malware.

Those "special offers" are, in fact, adware. This has been documented by myself and others. As I previously found, some MacUpdate installers will offer to install the "Search-Assist" browser extension, supposedly from Yahoo!.

Screen Shot 2015-11-01 at 8.59.38 AM.png

However, this "Search-Assist" extension is actually the IronCore adware, and is not actually affiliated with Yahoo!. It is made by a third party who abuses Yahoo!'s affiliate program to get paid.

On the MacUpdate site, there are actually instructions for removing this "Search Assist" adware:

http://support.macupdate.com/support/solutions/articles/5000703727-remove-yahoo-search-assist

It's important to note that this is not just Malwarebytes' opinion. Consider the example of one such MacUpdate installer, which is detected as malicious by 6 other anti-virus companies:

https://www.virustotal.com/en/file/aa6dbcf6252c7fd42f59c2835e25df19e4dec068915c8961abcb595402ee6022/analysis/


  • Staff
1 hour ago, emendelson said:

Why not block specific pages rather than the entire site?

I can't speak for the Windows product, so I can't say whether that's possible or not. However, it's important to note that this behavior changes over time. (Meaning, they change which installers are bad.) Further, if the owners of the site are involved in distributing adware, it's hard to call any page on the site safe.

Quote

For those of us who distribute software there, a whole-site block is basically telling the world that we're complicit in malware distribution. But we aren't. Our downloads are exactly the open-source downloads that we created.

They may not be. There were a number of developers whose legit apps were found last year to be bundled in an adware-laden installer on MacUpdate. They had not consented to this, nor had they been informed. The same thing could happen to your software, if you're not careful.

Our own software was packaged in a MacUpdate installer at one point. It took a couple strongly-worded e-mails to Joel Mueller to correct that situation.

Edited by treed