The company “Doctor Web” reported the spread of malware for the Mac operating system. Virus analysts note the growing number of various advertising installers for OS X — not least this is due to the emergence of new partner programs, including those focused on Mac users. The new program was seen over the spread of the Trojan.Crossrider.
Installer Adware Adware applications.Mac.MacInst.1 was created using the resources of an affiliate program to monetize apps macdownloadpro.com. Sites numerous “partners” of the system, usually teeming with various ads that automatically open additional tabs, and the installer offers to download under the guise of some “useful” apps or even music MP3 file. In some cases, the download of the installer is using automatically redirect the user to the appropriate web page.
The image installer Adware.Mac.MacInst.1 has a very remarkable structure: it contains two hidden folders will not be shown on the computer with a standard operating system settings, if the user chooses to view the contents of a DMG file in the Finder.
The directory location of the application contains the binary file that starts the installation program, and the folder in which you placed an image with the logo of this application and the encrypted configuration file. The installer itself shows on the computer screen corresponding to the window, where the first displays information about the user requested the file that it originally was going to download.
By clicking the button “Next” the installer demonstrates a partnership proposal, implying that in addition to the desired file, the program will install and some additional components. If the user clicks on a barely noticeable link “Decline” at the bottom of the window on his computer will be loaded initially only the selected file, but clicking on the “Next” button with it, the program will download from the Internet and run another program Trojan.VIndinstaller.3.
This application, in turn, installs a malicious add-ons for browsers Safari, Firefox and Chrome, detected as a Trojan.Crossrider. All downloaded from the Internet Adware components.Mac.MacInst.1 copy in folder “~/Library/Application Support/osxDownloader”.
To date, there are over 900 sites involved in the distribution of this installer for Windows, Mac, Linux and Android.