suspicious metadata suggests possible malware...
I have this
really weird problem that just came up, and I don't know what to think except "malware?".
I run an old program called Business Sense using Classic. I have several copies of the application on my machine, and I recently noticed some strange behavior: if I open a Business Sense file (not the application directly), it opens the program (no problems). But if I try to open the application itself, the computer instead tries to open it as a file in Script Editor. Get Info reveals that the kind is listed as "application" instead of "Application (Classic)". The "Open With" panel shows up, and the Memory panel does not. Two copies of the program have this problem, and the other 5 or so do not. Other Classic apps do not have this problem as far as I can see. Sometimes the Business Sense icon changes to a weird "color glitch" square (sort of like TV noise but with color). If I use SetFileInfo (from the developer tools) to turn off the custom icon flag, the weird icon goes away.
Here's the really weird part. I used an Automator workflow that I cobbled together from macosxhints.com to view all of the metadata for the file (it uses the mdls command in the command line). The funky copies of Business Sense show this metadata:
*/Documents/BS Data/B $‚Ñ¢ 2.3 -------------*
*kMDItemAttributeChangeDate = 2007-11-25 19:33:02 -0800*
*kMDItemContentCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemContentModificationDate = 2007-11-25 19:33:01 -0800*
*kMDItemContentType = "com.prospa.manpage"*
*kMDItemContentTypeTree = ("com.prospa.manpage", "public.data", "public.item")*
*kMDItemDisplayName = "B $‚Ñ¢ 2.3"*
*kMDItemFSContentChangeDate = 2007-11-25 19:33:01 -0800*
*kMDItemFSCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemFSCreatorCode = 1112755795*
*kMDItemFSFinderFlags = 9472*
*kMDItemFSInvisible = 0*
*kMDItemFSIsExtensionHidden = 0*
*kMDItemFSLabel = 0*
*kMDItemFSName = "B $‚Ñ¢ 2.3"*
*kMDItemFSNodeCount = 0*
*kMDItemFSOwnerGroupID = 80*
*kMDItemFSOwnerUserID = 501*
*kMDItemFSSize = 411634*
*kMDItemFSTypeCode = 1095782476*
*kMDItemID = 208135*
*kMDItemKind = "application"*
*kMDItemLastUsedDate = 2004-12-11 16:34:45 -0800*
*kMDItemUsedDates = (2004-12-11 16:34:45 -0800)*
Don't mind the funky file name (it's named "B $™ 2.3" in the Finder). The weird part is what are in the ContentType and ContentTypeTree fields. For comparison, here's the metadata from one of the normal Business Sense applications:
*/Documents/BS Data/Empty DDS/B $‚Ñ¢ 2.3 -------------*
*kMDItemAttributeChangeDate = 2007-06-25 20:10:46 -0700*
*kMDItemContentCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemContentModificationDate = 2002-07-13 16:52:09 -0700*
*kMDItemContentType = "com.apple.application-file"*
*kMDItemContentTypeTree = (*
"com.apple.application-file",
"com.apple.application",
"public.executable",
"public.data",
"public.item"
)
*kMDItemDisplayName = "B $‚Ñ¢ 2.3"*
*kMDItemFSContentChangeDate = 2002-07-13 16:52:09 -0700*
*kMDItemFSCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemFSCreatorCode = 1112755795*
*kMDItemFSFinderFlags = 8448*
*kMDItemFSInvisible = 0*
*kMDItemFSIsExtensionHidden = 0*
*kMDItemFSLabel = 0*
*kMDItemFSName = "B $‚Ñ¢ 2.3"*
*kMDItemFSNodeCount = 0*
*kMDItemFSOwnerGroupID = 80*
*kMDItemFSOwnerUserID = 501*
*kMDItemFSSize = 408262*
*kMDItemFSTypeCode = 1095782476*
*kMDItemID = 208691*
*kMDItemKind = "Classic Application"*
*kMDItemLastUsedDate = 2002-07-13 16:52:09 -0700*
*kMDItemUsedDates = (2002-07-13 16:52:09 -0700)*
Whereas the normal one has metadata values one would expect ("com.apple.application-file", "com.apple.application", "public.executable", etc.), the funky one has a value that doesn't make any sense: "com.prospa.manpage"
Where the heck did that come from? I tried going to that website (prospa.com) and it's just a placeholder for a domain squatter. Interestingly, manpage.prospa.com does exist, and redirects to prospa.com. On that website, a contact address is listed: DomainNamesOwner@gmail.com, but the words "contact us" to the right of that send the user to http://paty-poker.net/ which looks almost exactly the same as the first site.
A whois inquiry of prospa.com is shown below. It reveals that the owner is in South Korea, and lists a different contact email address (kerryweb@gmail.com)
*Tue Dec 04 08:00 PM*
*cybertoothdog $ whois prospa.com*
*Whois Server Version 2.0*
*Domain names in the .com and .net domains can now be registered*
*with many different competing registrars. Go to http://www.internic.net*
*for detailed information.*
*Domain Name: PROSPA.COM*
*Registrar: CYDENTITY, INC. D/B/A CYPACK.COM*
*Whois Server: whois.cypack.com*
*Referral URL: http://www.cypack.com*
*Name Server: NS1.HOSTNAME.NET*
*Name Server: NS2.HOSTNAME.NET*
*Status: clientDeleteProhibited*
*Status: clientTransferProhibited*
*Status: clientUpdateProhibited*
*Updated Date: 12-jul-2007*
*Creation Date: 14-jun-2001*
*Expiration Date: 14-jun-2008*
*>>> Last update of whois database: Wed, 05 Dec 2007 04:00:42 UTC <<<*
*The Registry database contains ONLY .COM, .NET, .EDU domains and*
Registrars.
*Welcome to CyDentity, Inc. dba CyPack.com's WHOIS Service*
*Domain Name: PROSPA.COM*
*Domain Status: LOCK*
*Registrar: CyDentity, Inc. dba CyPack.com*
*Referral URL: <a class="jive-link-external-small" href="http://">http://www.CyPack.com*
*Domain Registration Date....: 2001-06-14 GMT.*
*Domain Expiration Date......: 2008-06-14 GMT.*
Registrant:
kimtaeho
*17-211, Maewol-dong, Seo-gu*
*Gwangju, Gwangju 502153*
KR
*Administrative, Technical, Billing Contact:*
*kimtaeho kerryweb@gmail.com*
*17-211, Maewol-dong, Seo-gu*
*Gwangju, Gwangju 502153*
KR
*(PHONE) +82-11-226-2899 (FAX) +82-62-603-0969*
*Domain Name Servers in listed order:*
NS1.HOSTNAME.NET
NS2.HOSTNAME.NET
I don't know Korean. I don't go to Korean websites. Where in the heck did my computer get the information to put "com.prospa.manpage" into the metadata of a random Classic application on my computer? I can't think of any reason that makes any sense other than malware. I looked up "com.prospa.manpage" and "prospa.com" on Google, Yahoo, and Altavista; nothing comes up for the first one, and nothing that seems relevant comes up for the second one. I also tried searching for "prospa.com", "com.prospa" and "prospa" in Spotlight - not a single result listed. Not even the funky Business Sense application.
Does anyone have any idea what this could be? I hate bringing up the idea of "malware", but that's the only thing that makes any sense to me. What else would it be?
So far, the only thing I could think of to do was to email the DomainNamesOwner@gmail.com address using a junk email account saying that I was "interested" in the prospa.com website. I just did that this evening, so I don't expect to hear anything back for a while - although I don't know what good it's going to do. Does anyone know how to report this to Apple directly?
Any help or suggestions greatly appreciated!
I run an old program called Business Sense using Classic. I have several copies of the application on my machine, and I recently noticed some strange behavior: if I open a Business Sense file (not the application directly), it opens the program (no problems). But if I try to open the application itself, the computer instead tries to open it as a file in Script Editor. Get Info reveals that the kind is listed as "application" instead of "Application (Classic)". The "Open With" panel shows up, and the Memory panel does not. Two copies of the program have this problem, and the other 5 or so do not. Other Classic apps do not have this problem as far as I can see. Sometimes the Business Sense icon changes to a weird "color glitch" square (sort of like TV noise but with color). If I use SetFileInfo (from the developer tools) to turn off the custom icon flag, the weird icon goes away.
Here's the really weird part. I used an Automator workflow that I cobbled together from macosxhints.com to view all of the metadata for the file (it uses the mdls command in the command line). The funky copies of Business Sense show this metadata:
*/Documents/BS Data/B $‚Ñ¢ 2.3 -------------*
*kMDItemAttributeChangeDate = 2007-11-25 19:33:02 -0800*
*kMDItemContentCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemContentModificationDate = 2007-11-25 19:33:01 -0800*
*kMDItemContentType = "com.prospa.manpage"*
*kMDItemContentTypeTree = ("com.prospa.manpage", "public.data", "public.item")*
*kMDItemDisplayName = "B $‚Ñ¢ 2.3"*
*kMDItemFSContentChangeDate = 2007-11-25 19:33:01 -0800*
*kMDItemFSCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemFSCreatorCode = 1112755795*
*kMDItemFSFinderFlags = 9472*
*kMDItemFSInvisible = 0*
*kMDItemFSIsExtensionHidden = 0*
*kMDItemFSLabel = 0*
*kMDItemFSName = "B $‚Ñ¢ 2.3"*
*kMDItemFSNodeCount = 0*
*kMDItemFSOwnerGroupID = 80*
*kMDItemFSOwnerUserID = 501*
*kMDItemFSSize = 411634*
*kMDItemFSTypeCode = 1095782476*
*kMDItemID = 208135*
*kMDItemKind = "application"*
*kMDItemLastUsedDate = 2004-12-11 16:34:45 -0800*
*kMDItemUsedDates = (2004-12-11 16:34:45 -0800)*
Don't mind the funky file name (it's named "B $™ 2.3" in the Finder). The weird part is what are in the ContentType and ContentTypeTree fields. For comparison, here's the metadata from one of the normal Business Sense applications:
*/Documents/BS Data/Empty DDS/B $‚Ñ¢ 2.3 -------------*
*kMDItemAttributeChangeDate = 2007-06-25 20:10:46 -0700*
*kMDItemContentCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemContentModificationDate = 2002-07-13 16:52:09 -0700*
*kMDItemContentType = "com.apple.application-file"*
*kMDItemContentTypeTree = (*
"com.apple.application-file",
"com.apple.application",
"public.executable",
"public.data",
"public.item"
)
*kMDItemDisplayName = "B $‚Ñ¢ 2.3"*
*kMDItemFSContentChangeDate = 2002-07-13 16:52:09 -0700*
*kMDItemFSCreationDate = 1993-12-22 09:00:00 -0800*
*kMDItemFSCreatorCode = 1112755795*
*kMDItemFSFinderFlags = 8448*
*kMDItemFSInvisible = 0*
*kMDItemFSIsExtensionHidden = 0*
*kMDItemFSLabel = 0*
*kMDItemFSName = "B $‚Ñ¢ 2.3"*
*kMDItemFSNodeCount = 0*
*kMDItemFSOwnerGroupID = 80*
*kMDItemFSOwnerUserID = 501*
*kMDItemFSSize = 408262*
*kMDItemFSTypeCode = 1095782476*
*kMDItemID = 208691*
*kMDItemKind = "Classic Application"*
*kMDItemLastUsedDate = 2002-07-13 16:52:09 -0700*
*kMDItemUsedDates = (2002-07-13 16:52:09 -0700)*
Whereas the normal one has metadata values one would expect ("com.apple.application-file", "com.apple.application", "public.executable", etc.), the funky one has a value that doesn't make any sense: "com.prospa.manpage"
Where the heck did that come from? I tried going to that website (prospa.com) and it's just a placeholder for a domain squatter. Interestingly, manpage.prospa.com does exist, and redirects to prospa.com. On that website, a contact address is listed: DomainNamesOwner@gmail.com, but the words "contact us" to the right of that send the user to http://paty-poker.net/ which looks almost exactly the same as the first site.
A whois inquiry of prospa.com is shown below. It reveals that the owner is in South Korea, and lists a different contact email address (kerryweb@gmail.com)
*Tue Dec 04 08:00 PM*
*cybertoothdog $ whois prospa.com*
*Whois Server Version 2.0*
*Domain names in the .com and .net domains can now be registered*
*with many different competing registrars. Go to http://www.internic.net*
*for detailed information.*
*Domain Name: PROSPA.COM*
*Registrar: CYDENTITY, INC. D/B/A CYPACK.COM*
*Whois Server: whois.cypack.com*
*Referral URL: http://www.cypack.com*
*Name Server: NS1.HOSTNAME.NET*
*Name Server: NS2.HOSTNAME.NET*
*Status: clientDeleteProhibited*
*Status: clientTransferProhibited*
*Status: clientUpdateProhibited*
*Updated Date: 12-jul-2007*
*Creation Date: 14-jun-2001*
*Expiration Date: 14-jun-2008*
*>>> Last update of whois database: Wed, 05 Dec 2007 04:00:42 UTC <<<*
*The Registry database contains ONLY .COM, .NET, .EDU domains and*
Registrars.
*Welcome to CyDentity, Inc. dba CyPack.com's WHOIS Service*
*Domain Name: PROSPA.COM*
*Domain Status: LOCK*
*Registrar: CyDentity, Inc. dba CyPack.com*
*Referral URL: <a class="jive-link-external-small" href="http://">http://www.CyPack.com*
*Domain Registration Date....: 2001-06-14 GMT.*
*Domain Expiration Date......: 2008-06-14 GMT.*
Registrant:
kimtaeho
*17-211, Maewol-dong, Seo-gu*
*Gwangju, Gwangju 502153*
KR
*Administrative, Technical, Billing Contact:*
*kimtaeho kerryweb@gmail.com*
*17-211, Maewol-dong, Seo-gu*
*Gwangju, Gwangju 502153*
KR
*(PHONE) +82-11-226-2899 (FAX) +82-62-603-0969*
*Domain Name Servers in listed order:*
NS1.HOSTNAME.NET
NS2.HOSTNAME.NET
I don't know Korean. I don't go to Korean websites. Where in the heck did my computer get the information to put "com.prospa.manpage" into the metadata of a random Classic application on my computer? I can't think of any reason that makes any sense other than malware. I looked up "com.prospa.manpage" and "prospa.com" on Google, Yahoo, and Altavista; nothing comes up for the first one, and nothing that seems relevant comes up for the second one. I also tried searching for "prospa.com", "com.prospa" and "prospa" in Spotlight - not a single result listed. Not even the funky Business Sense application.
Does anyone have any idea what this could be? I hate bringing up the idea of "malware", but that's the only thing that makes any sense to me. What else would it be?
So far, the only thing I could think of to do was to email the DomainNamesOwner@gmail.com address using a junk email account saying that I was "interested" in the prospa.com website. I just did that this evening, so I don't expect to hear anything back for a while - although I don't know what good it's going to do. Does anyone know how to report this to Apple directly?
Any help or suggestions greatly appreciated!
Dual 1.25 GHz G4, Mac OS X (10.4.11), 1 GB RAM
