Analysis by: Christopher Daniel So

ALIASES:

OSX/SearchProtect.a. (McAfee), OSX.SearchProtect (Symantec), AdWare.OSX.Vsrch.a (Kaspersky), PUA.OSX.Adware (Ikarus), OSX/VSearch-A (Sophos)

 PLATFORM:

Mac OS X

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: Varies
File Type: Mach-O
Memory Resident: Yes
Initial Samples Received Date: 05 Aug 2015

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

If running in OS X Yosemite (version 10.10), it drops a shell script /var/tmp/se10395.sh. The said shell script exploits the DYLD_PRINT_TO_FILE vulnerability by writing the following string to the file /etc/sudoers:

  • echo "$(whoami) ALL=(ALL) NOPASSWD:ALL"

where $(whoami) is replaced by the shell with the user name of the currently logged in user. This enables the user to run any command with elevated privileges without being required to enter a password.

The shell script then executes the following command-line with elevated privileges to install the VSearch adware:

  • sudo -s /Volumes/SmartInstaller/.resources/VSInstaller.app/Contents/MacOS/VSInstaller --agreetolicense

The shell script then deletes itself.

If this adware is running in other versions of Mac OS X, it executes the following command-line with elevated privileges using Authorization Services API to unstall the VSearch adware:

  • {bundle's parent directory}/.resources/{VSearch application bundle name}/Contents/MacOS/VSInstaller --agreetolicense

  SOLUTION

Minimum Scan Engine: 9.750
FIRST VSAPI PATTERN FILE: 11.832.04
FIRST VSAPI PATTERN DATE: 05 Aug 2015
VSAPI OPR PATTERN File: 11.833.00
VSAPI OPR PATTERN Date: 05 Aug 2015

Scan your computer with your Trend Micro product to delete files detected as OSX_VSEARCH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.