Facebook download contains Trojan

I have just requested a download of all my Facebook information from Facebook. The download contains a Trojan OSX/FkCodec-A which was detected by my Sophos AV as a threat. Has anybody else encountered this? The trojan was not on my Mac before as the AV only detected it when I downloaded the file from Facebook. Is it a real threat?

iMac, Mac OS X (10.7.2)

Posted on Apr 24, 2012 2:10 AM

37 replies

Apr 26, 2012 6:26 AM in response to thomas_r.

Ahh, I also just noticed that it installs a Safari extension - but, apparently, only if you leave the checkboxes in the installer checked:


[Image: User uploaded file]

If you uncheck those boxes, the extension does not get installed. And the extension gets deleted when you run the uninstaller. No idea what the extension does, though Sophos's page is now reporting that the extension serves ads... No idea how or where, as all the sites I visited with that extension installed and active looked just like I would have expected them to.

Apr 26, 2012 9:01 AM in response to thomas_r.

@thomas A Reed

Interesting read and this has been quite an interesting experience generally. In the end it does appear not particularly malicious.

I am sure that I never actually selected a link to download the codec. If you google whitesmoke.com you will find references to something very similar on Windows going back some time. It also appears that the download.dmg file may be downloaded when downloading from a site such as Frostwire or Pirate Bay. Whereas it used to be possible to inspect, and select from, the contents of a torrent, Pirate Bay now uses 'Magnet links', which do not enable this. Therefore it is not possible to see what will be downloaded before starting the download. It is therefore quite possible that malware such as this could be included in the download. Checking in detail the contents of the download folder could minimise this risk. NOTE THAT I AM IN NO WAY ENDORSING THE USE OF SUCH SITES!


Whitesmoke.com sell an application for "World-Leading English Writing Software" available for Mac, Windows and iPhone. It includes translation and the website looks very similar to the translation screen shot in your write-up. The opinions expressed on this software are either 'It's wonderful' or 'it's a rip-off POS'. So I am wondering if this whole thing is some ruse to get people to the Whitesmoke website to buy the software???

Apr 26, 2012 9:10 AM in response to mvaug10087

Yes, there can be a number of ways this could get on your hard drive. I can only document one that I know of, but the ones you mention are also quite plausible. That's one reason I like to recommend keeping your Downloads folder empty... then, if something you don't recognize pops in there, you'll notice it right away and be appropriately suspicious.


As to the purpose being to get people directed to whitesmoke.com, I'm not so sure. I only knew it was connecting to that site because I had Little Snitch running. Nothing else seemed to direct users to that site. I'm not sure what whitesmoke's role is in all this... they could be behind the whole thing, or they could simply have something on their site that the malware is loading without their direct involvement.

Apr 30, 2012 4:03 AM in response to mvaug10087

mvaug10087 wrote:


It also appears that the download.dmg file may be downloaded when downloading from a site such as Frostwire or Pirate Bay. Whereas it used to be possible to inspect, and select from, the contents of a torrent, Pirate Bay now uses 'Magnet links', which do not enable this. Therefore it is not possible to see what will be downloaded before starting the download.


I can't say for other Torrent clients (but I'd be surprised if it wasn't the same), but if you use Transmission you can inspect and deselect the files being downloaded in the Inspector panel. This works on magnet links as on all others.




mvaug10087 wrote:


NOTE THAT I AM IN NO WAY ENDORSING THE USE OF SUCH SITES!


There's also nothing inherently illegal or unethical about using torrents, torrent sites and torrent clients. It depends on what you do with them (i.e., whether what you're downloading is copyright protected or not). 🙂
