16 Replies. Latest reply: Feb 1, 2013 8:48 PM by nomulous
MarkeMark Level 1 (0 points)
Hi Guys,

Being a little cautious - I like to run Little Snitch on my MacBook to see the network connections each program makes.

I've just noticed Software Update trying to connect to:

1) (to be expected)
2) (??why ?malware)
3) (??why ?malware)

If I block access to these domains (2 & 3) using Little Snitch - the software update still appears to work normally - so they are obviously not 'required'.

Does anyone else's Software Update on 10.6.6 try and connect to these sites? Any further info anyone?

MacBook, Mac OS X (10.6.6)
  • Limnos Level 8 (47,215 points)
    2) (??why ?malware)

    3) (??why ?malware)
    Other web sites indicate it's an ad-serving site.

    Not malicious but clearly not critical for a download.
  • MarkeMark Level 1 (0 points)
    Thanks for that. I had come across some of that information in my google-ing.

    This would all be fine if the connection to these sites were coming from Safari, Firefox, (or some other ad-enabled program such as Evernote). But really, these connections should not be coming from Software, surely?
  • Limnos Level 8 (47,215 points)
    I don't know, but, for example, the Ghostery plugin tells me Omniture is being used to analyze the Discussions so perhaps others are being used to see how many people use Software Update, etc.
  • etresoft Level 7 (27,801 points)
    MarkeMark wrote:
    these connections should not be coming from Software, surely?

    That's what I would have thought. I have Little Snitch set up to only allow I have never seen it contact those sites. I would be suspicious too. It sounds like Little Snitch is doing its job. I don't want applications like Software Update, running as root, to go to random sites on the web. No good can come from that.
  • WZZZ Level 6 (12,855 points)
    Yeah, don't know what's up. Ditto what etresoft said. Wonder if it's a DNS changer Trojan. Could scan for it.

    Don't know if this one is relevant, but takes a few seconds to scan.

    There are no viruses for Macs, but ClamXav looks for some of the OSX Trojans.

    Also, put these numbers for DNS in Sys Prefs>Network for the Interface you're using and apply. They are from OpenDNS and patched against DNS poisoning.
  • MarkeMark Level 1 (0 points)
    Hmm. Thanks for the links.

    Tried all the virus scanners (including full version of MacScan and ClamXav) - nothing found.

    It's all being blocked by Little Snitch - but I don't like the feeling of having something lurking on my computer.

    Thinking on it further, it seems to have only happened since I upgraded to 10.6.6. Do you guys think it could be related to the new App Store?? (maybe running scripts from these sites?). Does anyone else running 10.6.6 try to connect to these domains?
  • WZZZ Level 6 (12,855 points)
    I can't answer this definitively since I haven't updated to 10.6.6 yet, but I don't see, a site which is especially noted for malware, being integrated into Software Update. In fact, I rather doubt SU should be going anywhere besides, not even, even on 10.6.6. Did you try putting in those numbers for OpenDNS? (You should be getting this message if it's working. )
  • MarkeMark Level 1 (0 points)
    Hi WZZZ

    - yes, I have been using OpenDNS at the router level for over 12 months now
    - yes, it still confirms that I'm using OpenDNS when I go to

    I temporarily removed all rules for Software Update from Little Snitch and ran again to follow what was happening. Little Snitch requested permission in the following order: (accepted) port 80 (accepted once)
    which interestingly on Little Snitch appears as a connection to ''
    (didn't ask to specifically connect to '')
    (didn't ask for b.scorecardresearch this time)

    doing a TraceRoute on ends up after 16 hops as
    16 ( 307.173 ms 298.943 ms 306.822 ms

    doing a TraceRoute on ALSO ends up after 16 hops as
    16 ( 261.007 ms 352.034 ms 307.811 ms

    After some googling, it appears is a CDN which Apple may use (

    Running Software Update while only allowing connections to, completes the check but shows 'All Software Is Up To Date'.

    Running Software Update while allowing connections to + (appearing as in Little Snitch connection history) shows that there are Garage Band Instrument updates (which would be expected as I told Garage Band to download the other available instruments).

    Perhaps it is just a CDN used by Apple for users (after all, I am in Australia). It still bothers me that it shows up as - especially given the nature of that company.

    Any other Australian Apple users seeing the same appear on their Little Snitch??
    Any other ideas? Am I just being paranoid?

    Thanks again for input guys.
  • WZZZ Level 6 (12,855 points)
    I see akamai quite often. I think it's quite normal. I have no explanation for ending up at akamai or why it should appear at all. I don't know how SU is distributed so don't know why it's only checking thoroughly when you allow everything. Here, I'm only allowing and I get a full report. I'd be a bit paranoid too until I have a decent explanation for this.
  • andyBall_uk Level 7 (20,490 points)

    broadly, I think swscan gives a catalog of available updates - like

    while swcdn has the actual items, to judge from the list above...

    I'd suppose that the dns LS is using returns ds.serving... for that ip address.
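The effect suggested in the reply above (a firewall labelling a connection with the reverse-DNS name of a shared CDN address rather than the name the program looked up) can be checked as follows. This is an added example, not part of the thread; the hostnames, addresses and the `fake_*` resolvers are constructed placeholders, and the default resolvers are Python's standard `socket` calls.

```python
import socket

def explain_label(requested, dest_ip,
                  forward=socket.gethostbyname_ex,
                  reverse=socket.gethostbyaddr):
    """Compare the name a process looked up with the PTR name of the IP it reached."""
    try:
        canonical, aliases, addrs = forward(requested)
    except OSError:                      # gaierror/herror are OSError subclasses
        return {"verdict": "unresolvable", "canonical": None, "ptr": None}
    try:
        ptr = reverse(dest_ip)[0]
    except OSError:
        ptr = None                       # many addresses have no PTR record
    norm = lambda n: n.lower().rstrip(".")
    forward_names = {norm(n) for n in (requested, canonical, *aliases)}
    if dest_ip not in addrs:
        verdict = "ip-not-in-answer"     # DNS never returned this address for the name
    elif ptr is None or norm(ptr) in forward_names:
        verdict = "consistent"
    else:
        verdict = "shared-ip-ptr-mismatch"  # forward answer matches; PTR names another tenant
    return {"verdict": verdict, "canonical": canonical, "ptr": ptr}

# Constructed records: name -> (canonical name, aliases, addresses), and IP -> PTR name.
_FWD = {
    "catalog.vendor.example": ("catalog.vendor.example", [], ["192.0.2.10"]),
    "downloads.vendor.example": ("e1.edge.cdn.example",
                                 ["downloads.vendor.example"], ["198.51.100.7"]),
}
_PTR = {"192.0.2.10": "catalog.vendor.example",
        "198.51.100.7": "ads.tracker.example"}   # one PTR for an IP shared by many sites

def fake_forward(name):
    if name not in _FWD:
        raise socket.gaierror("constructed: no such name")
    return _FWD[name]

def fake_reverse(ip):
    if ip not in _PTR:
        raise socket.herror("constructed: no PTR record")
    return (_PTR[ip], [], [ip])

def demo():
    cases = [("catalog.vendor.example", "192.0.2.10"),
             ("downloads.vendor.example", "198.51.100.7"),
             ("downloads.vendor.example", "203.0.113.5")]
    return [explain_label(n, ip, fake_forward, fake_reverse) for n, ip in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A `shared-ip-ptr-mismatch` result means the displayed name alone says nothing about which site was contacted; `ip-not-in-answer` is the case that warrants a closer look.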
  • WZZZ Level 6 (12,855 points)
    Hi, I've asked your question over on another board. You're welcome to join the discussion there.
  • joblard Level 1 (0 points)
    is a domain related to the comScore company.

    They were involved in that Mac threat last year: stalled-by-freely-distributed-mac-applications/
  • WZZZ Level 6 (12,855 points)
    Where do you find either or comScore (the owner of related to Opinion Spy? I don't see anything in that Intego article about either and extensive searching doesn't turn up any hits.
  • joblard Level 1 (0 points)
    WZZZ wrote:
    Where do you find either or comScore (the owner of related to Opinion Spy? I don't see anything in that Intego article about either and extensive searching doesn't turn up any hits.

    They forgot to remove one comScore word in that EULA:

    The comScore network is huge. on

    "... Which is owned by VoiceFive Networks. Which is owned by comScore"