brian163 Posted November 29, 2016

LittleSnitch (3rd party firewall) prompted me on an outbound connection from an application I didn't recognize in ~/Library/Application Support/AppPolicy/AppBox. It was attempting to connect to www. unionsoftwareonline. com. Doing some digging this site appeared to be associated with the PUP/Adware "AppMonitor".

I ran a Malwarebytes scan and it detected three components related to Adware.Spigot:

2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/Firefox/Profiles/6kxmn62h.default/searchplugins/YahooEngine.xml
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/AppCommon
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/LaunchAgents/com.unionsoftwareonline.AppMonitor.plist

However, it did not identify or offer to remove the directory or binary I noted above.

Using LaunchControl (a GUI for examining your launchd configuration), I identified a User Agent was installed (/Users/xxx/Library/LaunchAgents/com.appbox.AppBox.plist) with the following parameters:

"/Users/xxx/Library/Application Support/AppPolicy/AppBox" -i -c <6 digit number> -isn <string of digits and letters separated by dashes>

I know malware can download and install other components. But I believe Malwarebytes should try to clean them up as well... Is this a known or possibly new variant/component of Adware.Spigot?

I tried searching the Malwarebytes Labs Threat Center. But I couldn't even get a hit on "Adware.Spigot" or "Spigot" and that is clearly something it identifies. (Is there a searchable compendium of all threats that Malwarebytes identifies? Sorry, new around here...)

I unloaded the launchd agent and disabled it but held onto the binary for the moment in case it is of use for further analysis.
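The triage described above (open the LaunchAgent plist, read out the program it launches and its arguments, and decide whether it belongs) can be scripted. The example below is added here and is not part of the original post, of LaunchControl or of any Malwarebytes tool. It uses Python's standard plistlib, so it runs on any platform; the two plists embedded in it are constructed for the example, with a placeholder label, an illustrative argument value and a benign counterpart, not copies of the files from the thread. The heuristics (a "trusted prefix" list and a check for binaries living under Library/Application Support) are this example's assumptions, not a published detection rule.

```python
"""Triage macOS user LaunchAgents: report what each one runs and flag the
ones that execute a binary from an unusual location.

Added example for this thread, not code from the post or any vendor tool.
The sample plists below are constructed; paths and values are illustrative.
"""
import plistlib
from pathlib import Path
from typing import Any, Dict, List

# Assumption: a user LaunchAgent normally runs a binary from one of these roots.
# Anything else (home-directory drops, /tmp, Application Support) gets flagged.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/",
                    "/Library/Apple/")


def analyze_agent(plist_bytes: bytes, name: str = "<inline>") -> Dict[str, Any]:
    """Parse one LaunchAgent plist and return a triage record."""
    data = plistlib.loads(plist_bytes)
    # launchd accepts either Program or ProgramArguments; argv[0] is the binary.
    program_args: List[str] = list(data.get("ProgramArguments") or [])
    program = program_args[0] if program_args else data.get("Program", "")
    args = program_args[1:]
    reasons: List[str] = []
    if not program:
        reasons.append("no Program or ProgramArguments key")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"binary outside trusted locations: {program}")
    if "/Library/Application Support/" in program:
        # A bare executable dropped into Application Support is a common adware
        # pattern; real apps run from an .app bundle under /Applications.
        reasons.append("executable lives under Library/Application Support")
    persistent = bool(data.get("RunAtLoad")) or bool(data.get("KeepAlive"))
    if reasons and persistent:
        reasons.append("relaunches automatically (RunAtLoad/KeepAlive set)")
    return {
        "file": name,
        "label": data.get("Label", ""),
        "program": program,
        "args": args,
        "persistent": persistent,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_launch_agents(directory: Path) -> List[Dict[str, Any]]:
    """Triage every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            results.append(analyze_agent(path.read_bytes(), str(path)))
        except Exception as exc:  # malformed or binary plist we cannot read
            results.append({"file": str(path), "suspicious": True,
                            "reasons": [f"unparseable plist: {exc}"]})
    return results


# Constructed sample mirroring the shape of the agent in the post (placeholder
# label and argument values, not the real file).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.AppBox</string>
  <key>ProgramArguments</key><array>
    <string>/Users/xxx/Library/Application Support/AppPolicy/AppBox</string>
    <string>-i</string><string>-c</string><string>123456</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign sample: a helper run from an app bundle under /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""


if __name__ == "__main__":
    for sample in (SUSPECT_PLIST, BENIGN_PLIST):
        rec = analyze_agent(sample)
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['label']}: {rec['program']} {' '.join(rec['args'])}")
        for reason in rec["reasons"]:
            print(f"           - {reason}")
```

Run against a live machine with `scan_launch_agents(Path.home() / "Library/LaunchAgents")`; an agent it flags can be stopped the way the poster did, with `launchctl unload` on the plist, keeping the plist and binary aside for analysis rather than deleting them immediately. The prefix list is deliberately strict: a legitimate agent from a home-directory tool will also be flagged, so treat the output as a worklist, not a verdict.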
treed (Staff) Posted November 30, 2016

Those AppBox bits definitely are not components of Spigot that we've seen before, but they do look like they're probably parts of Spigot. Do you still have copies of the com.appbox.AppBox.plist file and the AppPolicy folder? If so, would you be willing to share them with us?

Probably the best way to share them would be to go to VirusTotal: https://virustotal.com

Upload the .plist file first, and when the analysis is done, make a note of the URL of the analysis page. Then compress the AppPolicy folder (control-click that folder and choose Compress "AppPolicy" from the menu that appears) and upload the resulting AppPolicy.zip file the same way.

Once you've done that, reply to this post and paste in the URLs of the analysis page on VirusTotal for both of those uploads. I'll be able to download them from there.
treed (Staff) Posted November 30, 2016

Also, do you have any idea what might have been installed on that machine that would have included that? Spigot is known to be included in a number of different popular app installers, such as the FileZilla and uTorrent installers. However, I've looked at those installers recently and didn't see anything new being dropped at that time. I'd love to find out what dropped this new variant.
brian163 (Author) Posted December 1, 2016

Thomas, thanks for the response. I did keep the files and am willing to share. As someone with Info Sec experience, my goal is to help improve any product that can help others. I'm just having a particularly hectic week and will do so as soon as possible.

I too would love to know. I put a lot of effort into keeping my computer applications (as well as my OS) up to date. But that of course doesn't mean that everything I've installed over the years is as reputable (or has remained reputable) as I once thought it was. I took the clearly optimistic approach of examining the time stamps of the related files/directories and compared them to the OS software installation log (under System Report) in an attempt to identify a particular install. Unfortunately, it was not going to be that easy. However, the fact that the outbound connection was something new leads me to believe it was a fairly recent install or update. So the log does provide some context and I now have a particular suspect. I just want to run a few tests before I point fingers publicly at a potential culprit. For now I'll just say it's a branch of a "free and open" media player that Malwarebytes has blogged about in the past. ;-)

I'll follow up as soon as I can.
treed (Staff) Posted December 1, 2016

Unfortunately, a lot of these adware installers are actually apps that mimic the Apple installer - sometimes even down to the icon. Because they're not actually installers, they don't show up in the installation log.

If you need any assistance analyzing some installers, let me know... I can run them in a safe environment and see what files they drop.
brian163 (Author) Posted December 9, 2016

Apologies for the delay.

.plist file: https://virustotal.com/en/file/a370c47da00b57d60cdc0b9c8e57bc9cda8c76aca9273a08a23c3f57d0eda635/analysis/1481295580/

AppPolicy folder: https://virustotal.com/en/file/e535bb183066c7da0013ef0ccc9cd0796410c2f319644aa815d71669d16b8545/analysis/1481295802/

I also ran an analysis of the package installer that I thought could have been involved and it came up clean. Also looked through the installer package files myself. So that lead is dead. I have a repository of over 500 installers and as I said I update frequently. So unfortunately I see no way of identifying the source. But at least this new code could be identified and included in your removal processes once validated.

Brian
treed (Staff) Posted December 9, 2016

Thanks for the help!
ajoslin103 Posted March 9, 2017

I just found those using Lingon - do we know if we should disable them?
ajoslin103 Posted March 9, 2017

I've run the MWB on my machine and removed them as directed.

You know, I think this came from one of two places: Vuze upgrade w/o declining extras, or Java upgrade w/same.