Accused of sending user data to servers in China, the number-one paid security app is pulled from the Mac App Store

Source: compiled by this site   Author: anonymous   Date: 2018-09-11
  "~/Library/WebTools",
  "/Applications/WebTools",
  "/Applications/WebTools.app",
  "/Applications/SmartShoppy",
  "/Applications/ShopTool",
  "/Applications/ShoppyTool",
  "/Applications/EasyShopper",
  ...
launchPathMatchPatten = (
  "com.WebShoppers.agent.plist",
  "com.WebShoppy.agent.plist",
  "com.webshoppers.agent.plist",
  "com.SoftwareUpdater.agent.plist",
  ...
whitelist = (
  "~/Library/LaunchAgents/com.spotify.webhelper.plist",
  "/Library/LaunchDaemons/com.intel.haxm.plist",
  "/Library/LaunchDaemons/net.privatetunnel.ovpnagent.plist",
  "/Library/LaunchDaemons/com.mixlr.MixlrAudioLink.plist",
  "/Library/LaunchDaemons/com.mcafee.ssm.Eupdate.plist",
  "/Library/LaunchDaemons/com.mcafee.ssm.ScanFactory.plist",
  "/Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist",
  "/Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist",
  "/Library/LaunchDaemons/com.microsoft.autoupdate.helper.plist",
  "/Library/LaunchAgents/com.microsoft.update.agent.plist",
  "/Library/LaunchDaemons/com.crashplan.engine.plist"
  ...
These signatures look like those of a genuine anti-adware tool, and the hash values do match known adware samples:

For example, Adware.MAC.Pirrit:

Back in the Adware Doctor interface, the app reports that it is ready to clean the user's system:

Up to this point nothing is out of the ordinary, but what happens next is.

First, running a file monitor (for example the fs_usage utility built into macOS) and filtering, case-insensitively, for accesses to files whose path contains "history" reveals some file activity that a system cleaner has no business performing:
# fs_usage -w -f filesystem | grep "Adware Doctor" | grep -i history
Adware Doctor.44148  open       ~/Library/Application Support/CallHistoryTransactions
Adware Doctor.44148  open       ~/Library/Application Support/CallHistoryDB
Adware Doctor.44148  RdData[A]  /dev/disk1s1/Users/user/Library/Safari/History.db
Adware Doctor.44148  lstat64    /Users/user/Library/Application Support/Google/Chrome/Default/History
Adware Doctor.44148  open       ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history.zip
Adware Doctor.44148  lstat64    ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/psCommonInfo
Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/appstoreHistory
Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/safariHistory
Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/chromeHistory
Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/firefoxHistory
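The access pattern above (read the browser and call history databases, then write per-browser copies into the app's own sandbox container) is exactly what a file-monitor rule should catch. The following is an added example, not code from the original article or from Adware Doctor: a small detector that parses fs_usage-style lines and flags any process that reads browser history while also writing "history" files elsewhere. It assumes the trimmed "<process>.<pid>  <op>  <path>" layout shown in the listing (raw fs_usage output carries a leading timestamp and trailing timing columns that the listing stripped), and the ALLOWED_READERS set and the sample log are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict

# Assumption: lines use the trimmed "<process>.<pid>  <op>  <path>" layout shown
# in the article, not the raw fs_usage columns.
LINE_RE = re.compile(r"^(?P<proc>.+?)\.(?P<pid>\d+)\s+(?P<op>\S+)\s+(?P<path>.+?)\s*$")

# Browser / call history artefacts that a "system cleaner" has no reason to touch.
HISTORY_DBS = [
    ("Safari",  re.compile(r"/Library/Safari/History\.db$", re.I)),
    ("Chrome",  re.compile(r"/Google/Chrome/[^/]+/History$", re.I)),
    ("Firefox", re.compile(r"/Firefox/Profiles/[^/]+/places\.sqlite$", re.I)),
    ("Call",    re.compile(r"/Application Support/CallHistory(DB|Transactions)$", re.I)),
]

# Assumption: the legitimate owners of those files; any other process is suspect.
ALLOWED_READERS = {"Safari", "Google Chrome", "firefox", "CallHistoryPluginHelper"}

# fs_usage write operations (the [A] suffix marks asynchronous I/O).
WRITE_OPS = {"WrData", "WrData[A]", "WrMeta", "WrMeta[A]"}


def parse_line(line):
    """Split one log line into (process, pid, op, path); None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc"), int(m.group("pid")), m.group("op"), m.group("path")


def analyze(lines):
    """Return {(process, pid): finding} for every non-allowed process that touched a
    history database.  'history_staged' lists writes to other paths containing
    'history', i.e. copies being prepared for archiving; 'exfil_ready' is True when
    both behaviours are seen from the same process."""
    accessed = defaultdict(set)
    staged = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, pid, op, path = parsed
        key = (proc, pid)
        db_hit = next((name for name, pat in HISTORY_DBS if pat.search(path)), None)
        if db_hit is not None:
            if proc not in ALLOWED_READERS:
                accessed[key].add(db_hit)
        elif op in WRITE_OPS and re.search(r"history", path, re.I):
            staged[key].add(path)
    return {
        key: {
            "history_accessed": sorted(dbs),
            "history_staged": sorted(staged.get(key, ())),
            "exfil_ready": bool(staged.get(key)),
        }
        for key, dbs in accessed.items()
    }


# Constructed sample: the article's lines plus two benign entries for contrast.
SAMPLE_LOG = [
    "Adware Doctor.44148  open       ~/Library/Application Support/CallHistoryTransactions",
    "Adware Doctor.44148  open       ~/Library/Application Support/CallHistoryDB",
    "Adware Doctor.44148  RdData[A]  /dev/disk1s1/Users/user/Library/Safari/History.db",
    "Adware Doctor.44148  lstat64    /Users/user/Library/Application Support/Google/Chrome/Default/History",
    "Adware Doctor.44148  open       ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history.zip",
    "Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/appstoreHistory",
    "Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/safariHistory",
    "Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/chromeHistory",
    "Adware Doctor.44148  WrData[A]  ~/Library/Containers/com.yelab.Browser-Sweeper/Data/Library/Application Support/com.yelab.Browser-Sweeper/history/firefoxHistory",
    "Safari.501  RdData[A]  /Users/user/Library/Safari/History.db",   # browser reading its own DB
    "mds.88  open  /Users/user/Documents/notes.txt",                   # unrelated file access
]


if __name__ == "__main__":
    for (proc, pid), finding in analyze(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}): {finding}")
```

Running the script on the sample flags only Adware Doctor: it accessed the Call, Chrome and Safari databases and wrote four staged copies, so the finding is marked exfil_ready, while Safari reading its own History.db is ignored. In practice you would feed it `fs_usage -w -f filesystem` output after trimming the timestamp and timing columns, and keep ALLOWED_READERS short, since a long allow-list is exactly what an app like this counts on.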
Running a process monitor (for example the open-source ProcInfo utility) then shows Adware Doctor invoking the system's built-in zip utility to pack those files into a password-protected history.zip archive:
# ./procInfo
process start:
pid: 2634
path: /bin/bash
args: (