16 Replies Latest reply: Feb 1, 2013 8:48 PM by nomulous
MarkeMark Level 1
Hi Guys,

Being a little cautious - I like to run Little Snitch on my MacBook to see the network connections each program makes.

I've just noticed Software Update trying to connect to:

1) swscan.apple.com (to be expected)
2) b.scorecardresearch.com (??why ?malware)
3) ds.serving-sys.com (??why ?malware)

If I block access to these domains (2 & 3) using Little Snitch - the software update still appears to work normally - so they are obviously not 'required'.

Does anyone else's Software Update on 10.6.6 try and connect to these sites? Any further info anyone?

MacBook, Mac OS X (10.6.6)
  • Limnos Level 9
    2) b.scorecardresearch.com (??why ?malware)

    http://www.scorecardresearch.com/Priv.html

    3) ds.serving-sys.com (??why ?malware)

    http://discussions.apple.com/thread.jspa?threadID=2410972
    Other web sites indicate it's an ad-serving site.

    Not malicious but clearly not critical for a download.
  • MarkeMark Level 1
    Thanks for that. I had come across some of that information in my googling.

    This would all be fine if the connection to these sites were coming from Safari, Firefox, (or some other ad-enabled program such as Evernote). But really, these connections should not be coming from Software Update.app, surely?
  • Limnos Level 9
    I don't know, but, for example, the Ghostery plugin tells me Omniture is being used to analyze the Discussions, so perhaps others are being used to see how many people use Software Update, etc.
  • etresoft Level 7
    MarkeMark wrote:
    these connections should not be coming from Software Update.app, surely?


    That's what I would have thought. I have Little Snitch set up to only allow swscan.apple.com. I have never seen it contact those sites. I would be suspicious too. It sounds like Little Snitch is doing its job. I don't want applications like Software Update, running as root, to go to random sites on the web. No good can come from that.
  • WZZZ Level 6
    Yeah, don't know what's up. Ditto what etresoft said. Wonder if it's a DNS changer Trojan. Could scan for it.

    http://www.dnschanger.com/

    Don't know if this one is relevant, but takes a few seconds to scan.

    http://macscan.securemac.com/free-iservices-trojan-removal-tool-11-released/

    There are no viruses for Macs, but ClamXav looks for some of the OSX Trojans.

    http://clamxav.com/

    Also, put these numbers for DNS in Sys Prefs>Network for the Interface you're using and apply. They are from OpenDNS and patched against DNS poisoning.

    208.67.222.222
    208.67.222.220
  • MarkeMark Level 1
    Hmm. Thanks for the links.

    Tried all the virus scanners (including the full version of MacScan and ClamXav) - nothing found.

    It's all being blocked by Little Snitch - but I don't like the feeling of having something lurking on my computer.

    Thinking on it further, it seems to have only happened since I upgraded to 10.6.6. Do you guys think it could be related to the new App Store?? (maybe running scripts from these sites?). Does anyone else running 10.6.6 try to connect to these domains?
  • WZZZ Level 6
    I can't answer this definitively since I haven't updated to 10.6.6 yet, but I don't see ds.serving-sys.com, a site which is especially noted for malware, being integrated into Software Update. In fact, I rather doubt SU should be going anywhere besides swscan.apple.com, not even scorecardresearch.com, even on 10.6.6. Did you try putting in those numbers for OpenDNS? (You should be getting this message if it's working. http://www.opendns.com/welcome/ )

    http://www.mywot.com/en/scorecard/ds.serving-sys.com
  • MarkeMark Level 1
    Hi WZZZ

    - yes, I have been using OpenDNS at the router level for over 12 months now
    - yes, it still confirms that I'm using OpenDNS when I go to http://www.opendns.com/welcome/

    I temporarily removed all rules for Software Update from Little Snitch and ran again to follow what was happening. Little Snitch requested permission in the following order:

    swscan.apple.com (accepted)
    swcdn.apple.com port 80 (accepted once)
    which interestingly on Little Snitch appears as a connection to 'ds.serving-sys.com'
    (didn't ask to specifically connect to 'ds.serving-sys.com')
    (didn't ask for b.scorecardresearch this time)

    Doing a traceroute on swcdn.apple.com ends up after 16 hops at akamaitechnologies.com:
    16 a204-2-160-16.deploy.akamaitechnologies.com (204.2.160.16) 307.173 ms 298.943 ms 306.822 ms

    Doing a traceroute on ds.serving-sys.com ALSO ends up after 16 hops at akamaitechnologies.com:
    16 a204-2-160-16.deploy.akamaitechnologies.com (204.2.160.16) 261.007 ms 352.034 ms 307.811 ms

    After some googling, it appears akamaitechnologies.com is a CDN which Apple may use (http://forums.whirlpool.net.au/archive/350920).

    Running Software Update while only allowing connections to swscan.apple.com, completes the check but shows 'All Software Is Up To Date'.

    Running Software Update while allowing connections to swscan.apple.com + swcdn.apple.com (appearing as ds.serving-sys.com in Little Snitch connection history) shows that there are Garage Band Instrument updates (which would be expected as I told Garage Band to download the other available instruments).

    Perhaps it is just a CDN used by Apple for users (after all, I am in Australia). It still bothers me that it shows up as ds.serving-sys.com - especially given the nature of that company.

    Any other Australian Apple users seeing the same appear on their Little Snitch??
    Any other ideas? Am I just being paranoid?

    Thanks again for input guys.
  • WZZZ Level 6
    I see akamai quite often. I think it's quite normal. I have no explanation for ds.serving-sys.com ending up at akamai or why it should appear at all. I don't know how SU is distributed so don't know why it's only checking thoroughly when you allow everything. Here, I'm only allowing swscan.apple.com and I get a full report. I'd be a bit paranoid too until I have a decent explanation for this.
  • andyBall_uk Level 7
    Hi

    broadly, I think swscan gives a catalog of available updates - like http://swscan.apple.com/content/catalogs/index-1.sucatalog

    while swcdn has the actual items, to judge from the list above...


    I'd suppose that the DNS LS is using returns ds.serving... for that IP address.
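The point andyBall_uk makes (that a reverse lookup of a shared CDN address can return a different tenant's name) is something a cautious user can check rather than assume. What matters for a firewall rule is whether the destination address is one the expected host actually resolves to; the PTR name shown in the connection history is only a label for the address. The script below is an added example, not code from this thread or from Little Snitch, and all DNS records in it are constructed placeholders in RFC 5737 documentation ranges, not real records for these domains. The function names `classify_connection` and `shared_addresses` are my own.

```python
"""
Added example (not from the thread): decide whether an observed outbound
connection is consistent with a set of expected update hosts by comparing the
destination address against forward (A-record) lookups of those hosts, rather
than trusting the reverse (PTR) name a firewall displays for the address.

All DNS data below is constructed for illustration (RFC 5737 ranges); the
addresses and PTR names are placeholders, not real records for these domains.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed forward lookups: hostname -> addresses returned for it.
FORWARD: Dict[str, Set[str]] = {
    "swscan.apple.com": {"192.0.2.10"},
    "swcdn.apple.com": {"198.51.100.16", "198.51.100.17"},  # served from a shared CDN
    "ds.serving-sys.com": {"198.51.100.16"},               # same shared CDN address
}

# Constructed reverse lookups: address -> the single PTR name a resolver returns.
# A shared address can only carry one PTR name, so it names one tenant at most.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "swscan.apple.com",
    "198.51.100.16": "ds.serving-sys.com",
    "198.51.100.17": "a198-51-100-17.deploy.example-cdn.invalid",
}


@dataclass
class Verdict:
    ip: str
    ptr_name: Optional[str]     # what a firewall would display for the address
    matched_hosts: List[str]    # expected hosts whose forward records include ip
    status: str                 # "expected" or "unexpected"
    ptr_misleading: bool        # PTR names none of the matched expected hosts


def shared_addresses(forward: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return addresses that appear in the forward records of more than one
    hostname; these are the addresses whose PTR name cannot identify the
    service being contacted."""
    owners: Dict[str, Set[str]] = {}
    for host, ips in forward.items():
        for ip in ips:
            owners.setdefault(ip, set()).add(host)
    return {ip: hosts for ip, hosts in owners.items() if len(hosts) > 1}


def classify_connection(ip: str, expected_hosts: List[str],
                        forward: Dict[str, Set[str]] = FORWARD,
                        reverse: Dict[str, str] = REVERSE) -> Verdict:
    """Match the destination address against forward lookups of the hosts the
    application is allowed to talk to. The PTR name is reported but never used
    for the decision."""
    addr = str(ipaddress.ip_address(ip))  # validates and normalises the literal
    matched = sorted(h for h in expected_hosts if addr in forward.get(h, set()))
    ptr = reverse.get(addr)
    status = "expected" if matched else "unexpected"
    misleading = bool(matched) and ptr is not None and ptr not in matched
    return Verdict(addr, ptr, matched, status, misleading)


def explain(v: Verdict) -> str:
    """One-line, human-readable summary of a verdict."""
    shown = v.ptr_name or "(no PTR)"
    if v.status == "unexpected":
        return f"{v.ip} shown as {shown}: not an address of any expected host"
    note = " (PTR label is a shared-address artifact)" if v.ptr_misleading else ""
    return f"{v.ip} shown as {shown}: address of {', '.join(v.matched_hosts)}{note}"


if __name__ == "__main__":
    allowed = ["swscan.apple.com", "swcdn.apple.com"]
    for observed in ("192.0.2.10", "198.51.100.16", "203.0.113.5"):
        print(explain(classify_connection(observed, allowed)))
    print("shared addresses:", shared_addresses(FORWARD))
```

In the constructed data the address 198.51.100.16 belongs to both swcdn.apple.com and ds.serving-sys.com, so its PTR can only name one of them; the check still classifies a connection to it as expected because the address is in swcdn.apple.com's forward records, and it flags the displayed name as misleading. An address that no expected host resolves to is reported as unexpected regardless of how friendly its PTR name looks, which is the direction in which a reverse name would actually be dangerous to trust.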
  • WZZZ Level 6
    Hi, I've asked your question over on another board. You're welcome to join the discussion there.

    http://x704.net/bbs/viewtopic.php?f=17&t=5119
  • joblard Level 1
    scorecardresearch.com is a domain related to the comScore company.

    They were involved in that Mac threat last year:

    http://blog.intego.com/2010/06/01/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/
  • WZZZ Level 6
    Where do you find either scorecardresearch.com or comScore (the owner of scorecardresearch.com) related to Opinion Spy? I don't see anything in that Intego article about either and extensive searching doesn't turn up any hits.
  • joblard Level 1
    WZZZ wrote:
    Where do you find either scorecardresearch.com or comScore (the owner of scorecardresearch.com) related to Opinion Spy? I don't see anything in that Intego article about either and extensive searching doesn't turn up any hits.


    They forgot to remove one comScore word in that EULA: http://www.premieropinion.com/privacy.aspx

    The comScore network is huge.

    http://www.geekazine.com/news/franks-thoughts/malware-in-mac-world-premier-opinion

    "... Which is owned by VoiceFive Networks. Which is owned by comScore"

    http://www.google.fr/search?q=comScore+premieropinion