2) b.scorecardresearch.com (??why ?malware)
3) ds.serving-sys.com (??why ?malware)
Other web sites indicate it's an ad-serving site.
Not malicious but clearly not critical for a download.
Thanks for that. I had come across some of that information in my google-ing.
This would all be fine if the connection to these sites were coming from Safari, Firefox, (or some other ad-enabled program such as Evernote). But really, these connections should not be coming from Software Update.app, surely?
these connections should not be coming from Software Update.app, surely?
That's what I would have thought. I have Little Snitch set up to only allow swscan.apple.com. I have never seen it contact those sites. I would be suspicious too. It sounds like Little Snitch is doing its job. I don't want applications like Software Update, running as root, to go to random sites on the web. No good can come from that.
Yeah, don't know what's up. Ditto what etresoft said. Wonder if it's a DNS changer Trojan. Could scan for it.
Don't know if this one is relevant, but takes a few seconds to scan.
There are no viruses for Macs, but ClamXav looks for some of the OSX Trojans.
Also, put these numbers for DNS in Sys Prefs>Network for the Interface you're using and apply. They are from OpenDNS and patched against DNS poisoning.
Hmm. Thanks for the links.
Tried all the virus scanners (including the full version of MacScan and ClamXav) - nothing found.
It's all being blocked by Little Snitch - but I don't like the feeling of having something lurking on my computer.
Thinking on it further, it seems to have only happened since I upgraded to 10.6.6. Do you guys think it could be related to the new App Store?? (Maybe running scripts from these sites?) Does anyone else running 10.6.6 try to connect to these domains?
I can't answer this definitively since I haven't updated to 10.6.6 yet, but I don't see ds.serving-sys.com, a site which is especially noted for malware, being integrated into Software Update. In fact, I rather doubt SU should be going anywhere besides swscan.apple.com, not even scorecardresearch.com, even on 10.6.6. Did you try putting in those numbers for OpenDNS? (You should be getting this message if it's working. http://www.opendns.com/welcome/ )
- yes, I have been using OpenDNS at the router level for over 12 months now
- yes, it still confirms that I'm using OpenDNS when I go to http://www.opendns.com/welcome/
I temporarily removed all rules for Software Update from Little Snitch and ran again to follow what was happening. Little Snitch requested permission in the following order:
swcdn.apple.com port 80 (accepted once)
which interestingly on Little Snitch appears as a connection to 'ds.serving-sys.com'
(didn't ask to specifically connect to 'ds.serving-sys.com')
(didn't ask for b.scorecardresearch this time)
Doing a traceroute on swcdn.apple.com ends up after 16 hops at akamaitechnologies.com:
16 a204-2-160-16.deploy.akamaitechnologies.com (126.96.36.199) 307.173 ms 298.943 ms 306.822 ms
Doing a traceroute on ds.serving-sys.com ALSO ends up after 16 hops at akamaitechnologies.com:
16 a204-2-160-16.deploy.akamaitechnologies.com (188.8.131.52) 261.007 ms 352.034 ms 307.811 ms
After some googling, it appears akamaitechnologies.com is a CDN which Apple may use (http://forums.whirlpool.net.au/archive/350920).
Running Software Update while only allowing connections to swscan.apple.com, completes the check but shows 'All Software Is Up To Date'.
Running Software Update while allowing connections to swscan.apple.com + swcdn.apple.com (appearing as ds.serving-sys.com in Little Snitch connection history) shows that there are Garage Band Instrument updates (which would be expected as I told Garage Band to download the other available instruments).
Perhaps it is just a CDN used by Apple for users (after all, I am in Australia). It still bothers me that it shows up as ds.serving-sys.com - especially given the nature of that company.
Any other Australian Apple users seeing the same appear in their Little Snitch??
Any other ideas? Am I just being paranoid?
Thanks again for input guys.
I see akamai quite often. I think it's quite normal. I have no explanation for ds.serving-sys.com ending up at akamai or why it should appear at all. I don't know how SU is distributed so don't know why it's only checking thoroughly when you allow everything. Here, I'm only allowing swscan.apple.com and I get a full report. I'd be a bit paranoid too until I have a decent explanation for this.
Broadly, I think swscan gives a catalog of available updates - like http://swscan.apple.com/content/catalogs/index-1.sucatalog
while swcdn has the actual items, to judge from the list above...
I'd suppose that the DNS LS is using returns ds.serving... for that IP address.
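To illustrate the reverse-DNS point made above (this is an added example, not code from anyone in the thread or from Little Snitch): a firewall that labels connections by the PTR record of the destination address will show whatever name the CDN operator published for that address, which on a shared edge can be another customer's hostname. The zone data below is constructed for the illustration: the addresses come from the 192.0.2.0/24 documentation range, the CDN node name a192-0-2-16.edge.example.net is invented, and the PTR for the shared address is deliberately set to ds.serving-sys.com to model what the poster saw. The `live_forward`/`live_reverse` resolvers can be passed in to run the same check against real DNS.

```python
"""Why a CDN edge address can show up under another customer's name.

Constructed zone data (documentation-range IPs, invented CDN node name):
two unrelated customer hostnames share one CDN edge address, and the PTR
for that address names one of them. A monitor that labels connections by
PTR alone will display that name even when the app asked for the other.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

Forward = Callable[[str], List[str]]      # hostname -> IPv4 addresses
Reverse = Callable[[str], Optional[str]]  # IPv4 address -> PTR name or None

# Constructed A records (192.0.2.0/24 is reserved for documentation).
A_RECORDS: Dict[str, List[str]] = {
    "swscan.apple.com": ["192.0.2.10"],
    "swcdn.apple.com": ["192.0.2.16"],             # shared CDN edge address
    "ds.serving-sys.com": ["192.0.2.16"],          # same edge address
    "a192-0-2-16.edge.example.net": ["192.0.2.16"],  # invented CDN node name
    "b.scorecardresearch.com": ["192.0.2.20"],
}

# Constructed PTR records: the shared address reverse-resolves to the *other*
# customer, and one address carries a PTR that no longer resolves forward.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "swscan.apple.com",
    "192.0.2.16": "ds.serving-sys.com",
    "192.0.2.20": "stale.example.org",
}


def table_forward(name: str) -> List[str]:
    return list(A_RECORDS.get(name, []))


def table_reverse(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def live_forward(name: str) -> List[str]:
    """Real forward lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def names_sharing(ip: str, forward: Forward, candidates: Iterable[str]) -> List[str]:
    """Which of the candidate hostnames currently resolve to this address."""
    return sorted(n for n in candidates if ip in forward(n))


def label_connection(requested: str,
                     forward: Forward = table_forward,
                     reverse: Reverse = table_reverse,
                     known_names: Optional[Iterable[str]] = None) -> dict:
    """Resolve the hostname the app asked for, then check what a monitor that
    labels by reverse DNS would display for the resulting address and whether
    that label can be trusted to identify the site."""
    ips = forward(requested)
    if not ips:
        return {"requested": requested, "ip": None, "reverse_name": None,
                "forward_confirmed": False, "shared_with": [],
                "verdict": "does not resolve"}
    ip = ips[0]
    ptr = reverse(ip)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    confirmed = ptr is not None and ip in forward(ptr)
    candidates = known_names if known_names is not None else A_RECORDS
    shared = names_sharing(ip, forward, candidates)
    if ptr is None:
        verdict = "no reverse name; attribute by requested hostname only"
    elif not confirmed:
        verdict = "reverse name does not resolve back to the address; do not trust it"
    elif len(shared) > 1:
        verdict = "shared address; reverse name cannot say which site the connection was for"
    else:
        verdict = "reverse name forward-confirmed and unique to this hostname"
    return {"requested": requested, "ip": ip, "reverse_name": ptr,
            "forward_confirmed": confirmed, "shared_with": shared,
            "verdict": verdict}


if __name__ == "__main__":
    for host in ("swscan.apple.com", "swcdn.apple.com", "b.scorecardresearch.com"):
        r = label_connection(host)
        print(f"{r['requested']:26} -> {r['ip']}  PTR={r['reverse_name']}  "
              f"fcrdns={r['forward_confirmed']}  shared={r['shared_with']}")
        print(f"  {r['verdict']}")
```

The takeaway for reading a Little Snitch history: the name shown for an address is only as meaningful as the PTR the CDN published, so the hostname the application actually requested (here swcdn.apple.com) is the thing to allow or deny, not the reverse-lookup label.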
scorecardresearch.com is a domain related to the comScore company.
They were involved in that Mac threat last year:
Where do you find either scorecardresearch.com or comScore (the owner of scorecardresearch.com) related to Opinion Spy? I don't see anything in that Intego article about either and extensive searching doesn't turn up any hits.
They forgot to remove one comScore word in that EULA: http://www.premieropinion.com/privacy.aspx
The comScore network is huge.
"... Which is owned by VoiceFive Networks. Which is owned by comScore"