OSX_VSEARCH

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

If running in OS X Yosemite (version 10.10), it drops a shell script /var/tmp/se10395.sh. The said shell script exploits the DYLD_PRINT_TO_FILE vulnerability by writing the following string to the file /etc/sudoers:

• echo "$(whoami) ALL=(ALL) NOPASSWD:ALL"

where $(whoami) is replaced by the shell with the user name of the currently logged in user. This enables the user to run any command with elevated privileges without being required to enter a password.

The shell script then executes the following command-line with elevated privileges to install the VSearch adware:

• sudo -s /Volumes/SmartInstaller/.resources/VSInstaller.app/Contents/MacOS/VSInstaller --agreetolicense

The shell script then deletes itself.

If this adware is running in other versions of Mac OS X, it executes the following command-line with elevated privileges using Authorization Services API to unstall the VSearch adware:

• {bundle's parent directory}/.resources/{VSearch application bundle name}/Contents/MacOS/VSInstaller --agreetolicense