OSX_GEONEI.LP

 Analysis by: Rhena Inocencio

 ALIASES:

AdWare.OSX.Geonei.b (Kaspersky), OSX/Adware.Genieo.A (ESET)

 PLATFORM:

Mac OS X

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Manually installed by the user

This adware may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

495,439 bytes

File Type:

Other

Memory Resident:

Yes

Initial Samples Received Date:

10 Sep 2014

Payload:

Displays message/message boxes, Connects to URLs/IPs, Steals information

Arrival Details

This adware may be manually installed by a user.

Installation

This adware drops the following file(s)/component(s):

  • /private/etc/launchd.conf - detected as OSX_GEONCONF.SM or OSX_GEONCONF.SMA
  • /users/{user}/Library/Application Support/com.genieoinnovation.Installer/Completer.app
  • /users/{user}/Library/Caches/com.genieoinnovation.Installer/Cache.db
  • /Library/LaunchAgents/com.genieo.competer.update.plist
  • /Library/LaunchAgents/com.genieo.competer.download.plist
  • /Applications/InstallMac/Reset Search.app
  • /users/{user}/Library/Saved Application State/info.leifertin.Ez7z.savedState/windows.plist
  • /users/{user}/Library/Saved Application State/info.leifertin.Ez7z.savedState/data.data
  • /users/{user}/Library/Saved Application State/info.leifertin.Ez7z.savedState/window_{number}.data
  • /users/{user}/Library/Preferences/info.leifertin.Ez7z.plist
  • /users/{user}/Library/Application Support/Ez7z-QuickLook
  • /users/{user}/Library/Application Support/Ez7z.prefs
  • /Applications/Ez7z.app

Other Details

This adware does the following:

  • It loads installation components from the following URLs:
    • {BLOCKED}nstaller.appspot.com/appScreen/css/installmac_default.css
    • {BLOCKED}nstaller.appspot.com /appScreen/js/utilities.js
    • {BLOCKED}nstaller.appspot.com /appScreen/dialog.png
    • {BLOCKED}nstaller.appspot.com /appScreen/recomended.png
    • {BLOCKED}nstaller.appspot.com /appScreen/installer_logo.png
    • {BLOCKED}nstaller.appspot.com /appScreen/progress_bg.png
    • {BLOCKED}nstaller.appspot.com /install/first_time?session_id={session ID}&app_id={id}&offer_id={value}&os_version={Mac OS X Version} &install_version={value}&r={value}&disable_dynamic_update={value}&keyboard_lang={available keyboard language}&chosen_lang={default language}
    • {BLOCKED}nstaller.appspot.com/monetize?session_id={session id}&emid={value}&os_version={Mac OS X Version} &predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true| false}&is_set_sp_approved=false&is_install_accepted=true&install_id={value}&event_show_offer1={value}&is_offer1_accepted={true|false}&offer1_id={value}&install_download_start={true|false}&install_download_success={true|false}&install_exe_start={true|false}&install_exe_done_status={value}&download_url={value}&download_browser={value}&active_browser={active browser} &default_browser={default browser}& keyboard_lang={available keyboard language}&chosen_lang={default language}&language={language}
  • It reports the following information:
    • default browser
    • active browser
    • keyboard language
    • default language
    • MAC OS X version
  • It connects to the following URLs to report its installation status:
    • {BLOCKED}installer.appspot.com /report?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true | false}&is_set_sp_approved={true|false}&is_install_accepted={true|false}&install_id={value}&event_show_offer1={value}&install_download_start={true | false}

NOTES:

This malware displays the following interface upon installation:

It accesses the following webpage:

It monitors websites visited by users and posts live updates of ongoing events that the users follow.

  SOLUTION

Minimum Scan Engine:

9.700

FIRST VSAPI PATTERN FILE:

11.142.04

FIRST VSAPI PATTERN DATE:

11 Sep 2014

VSAPI OPR PATTERN File:

11.143.00

VSAPI OPR PATTERN Date:

12 Sep 2014

NOTES:

  1. Scan using Trend Micro product and take note of the detected path.
  2. If the detected file is mounted, EJECT the corresponding volume:
    • In the Finder’s menu bar, click Go > Computer.
    • In the opened window, right click on the volume where detection was seen.
    • Select Eject

  3. Identify and terminate the grayware process using the noted path in the previous step.
    • Open the Terminal:

      Applications>Utilities>Terminal or type ‘Terminal’ in Spotlight.

    • Type the following in the terminal:

      ps –A

    • Look for the detected files and take note of their PIDs. If the detected files are not found to be running, please proceed to the next step.
    • In the same terminal, enter the following commands for each grayware PIDs:

      kill {PID}

  4. Delete the grayware directories and files. In the same Terminal, type the following commands:

    sudo rm –R "{grayware path and filename}.dmg"
    sudo rm –R "/users/{user}/Library/Application Support/com.genieoinnovation.Installer"
    sudo rm –R "/users/{user}/Library/Caches/com.genieoinnovation.Installer"
    sudo rm –R "/Library/LaunchAgents/com.genieo.competer.update.plist"
    sudo rm –R "/Library/LaunchAgents/com.genieo.competer.download.plist"
    sudo rm –R "/Applications/InstallMac/Reset Search.app"

  5. Scan your computer with your Trend Micro product to delete files detected as OSX_GEONEI.LP. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.


Did this description help? Tell us how we did.