(Or, more accurately, installs an MPlayerX installer that you still have to run to install MPlayerX.) The first time, it is installed in a Parallels Virtual Machine running Mac OS X 10.11 (El Capitan), and it installs nothing but MPlayerX. The following video shows the MPlayerX installer being downloaded from the official MPlayerX site and being installed twice. Sure enough, although the installer had been updated, it still exhibited the same analysis avoidance behavior, this time installing IronCore, MacKeeper, and MegaBackup. Recently, we decided to re-evaluate MPlayerX for possible detection as a PUP (potentially unwanted program). When opened on a "real" system, however, it would install the IronCore adware, as well as (at that time) the junk apps MacKeeper and ZipCloud. When run in a virtual machine, it installed nothing but MPlayerX. The MPlayerX installer, it turned out, was doing exactly that. Using a virtual machine is a good way to keep the malware isolated from a real system, so that the infection is easier to contain. For example, a researcher may install Mac OS X within a virtual machine run by a program like Parallels, VMWare, or VirtualBox. The most common method of analysis avoidance that malware uses is to detect whether it is running within a virtual machine - in other words, a full system running entirely within a piece of software. Thus, if a researcher or tool is not aware that the program is malicious, it avoids sending up any red flags that would trigger a more thorough analysis. This means that if it feels that it is being analyzed by a security researcher or automated security software, it will act innocent, showing none of its malicious behaviors. Malware will frequently exhibit analysis avoidance behavior. The official MPlayerX installer began to attempt to defy analysis! The bad behavior didn't stop there, however. Unfortunately, this didn't turn out to be good news, as it was soon discovered that the official MPlayerX installer, downloaded directly from the MPlayerX website, had started to include the IronCore adware. In early 2015, MPlayerX wasn't being distributed with VSearch anymore. MPlayerX began to be so synonymous with the VSearch adware that Google searches for "MPlayerX" began to show prominently-featured hits for "MPlayerX removal." Worse, it eventually became apparent that MPlayerX was not simply an innocent victim. At the time, many people assumed that MPlayerX was being used in the same manner that Adobe Flash Player often is - innocent software used to trick people into running a shady installer. Back in 2014, an emerging piece of adware that soon crossed the line to malicious behavior, called VSearch, was frequently associated with MPlayerX installers. MPlayerX began to be associated with malware about two years ago, or possibly even longer.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2023
Categories |