Okay, here's what I've figured out so far. The download.dmg file contains an installer and an uninstaller for something called Codec-M. The installer seems to install a file "codecm_uploader" (which will be visible in Activity Monitor) and a LaunchAgent to keep it running "com.codecm.uploader.plist". The only connection I ever logged codecm_uploader making was immediately after installation, wanting to connect to update.codecm.com on port 80. I don't yet know what data was sent/received, though. It never tried to connect again in my testing.
Also installed is an app called Codec-M. Despite this supposedly being a video codec, opening Codec-M reveals a very basic translation function:
The only suspicious thing it does, beyond not being what it advertises itself to be, is connecting to www.whitesmoke.com on port 80 at launch. Which could be no more than its way of loading an HTML-based interface.
It also changes your Safari home page to a rather dodgy-looking search page that serves up a lot of ads related to searches, also on dodgy-looking sites. Interestingly, it doesn't do this if you simply uncheck a couple boxes in the installer!
And, most interestingly of all, the uninstaller actually seems to function! It removes codecm_uploader, the LaunchAgent .plist and Codec-M.app. Which I find to be quite strange. I'm not sure yet whether all this is just a smokescreen to cover some other activity, but I doubt that's going to be the case.
Ahh, I also just noticed that it installs a Safari extension - but, apparently, only if you leave the checkboxes in the installer checked:
If you uncheck those boxes, the extension does not get installed. And the extension gets deleted when you run the uninstaller. No idea what the extension does, though Sophos's page is now reporting that the extension serves ads... No idea how or where, as all the sites I visited with that extension installed and active looked just like I would have expected them to.
Here's a full write-up of my findings: OSX/FkCodec-A in action.
(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)
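Added example, not code from the thread or from any of the posters: a small Python triage helper that reads LaunchAgent plists the way a defender would when checking for the com.codecm.uploader.plist / codecm_uploader persistence described above. The plist contents are constructed, since the real file's keys are not shown in the thread; RunAtLoad and KeepAlive are the standard launchd keys that make an agent start at login and relaunch if it exits.

```python
import os
import plistlib
import tempfile

# Names from the thread: the process and its LaunchAgent label.
SUSPECT_NAMES = ("codecm_uploader", "com.codecm.uploader")

# Constructed stand-in for com.codecm.uploader.plist (real contents not on the page).
SAMPLE_PLIST = {
    "Label": "com.codecm.uploader",
    "ProgramArguments": ["/Library/Application Support/Codec-M/codecm_uploader"],
    "RunAtLoad": True,
    "KeepAlive": True,
}

def agent_summary(path):
    """Read one LaunchAgent plist and return the fields worth reading during triage."""
    with open(path, "rb") as f:
        p = plistlib.load(f)
    program = p.get("Program") or (p.get("ProgramArguments") or [""])[0]
    return {
        "label": p.get("Label", ""),
        "program": program,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        # KeepAlive may be True or a dict of conditions; either relaunches the process.
        "keep_alive": bool(p.get("KeepAlive", False)),
    }

def find_suspect_agents(agents_dir, names=SUSPECT_NAMES):
    """Summaries of agents whose label or program path mentions a suspect name."""
    hits = []
    for fn in sorted(os.listdir(agents_dir)):
        if not fn.endswith(".plist"):
            continue
        s = agent_summary(os.path.join(agents_dir, fn))
        if any(n in (s["label"] + " " + s["program"]) for n in names):
            hits.append(dict(s, file=fn))
    return hits

def demo_dir():
    # Temp LaunchAgents dir holding the constructed sample plus one benign agent.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "com.codecm.uploader.plist"), "wb") as f:
        plistlib.dump(SAMPLE_PLIST, f)
    with open(os.path.join(d, "com.example.benign.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, f)
    return d

if __name__ == "__main__":
    for hit in find_suspect_agents(demo_dir()):  # on a Mac: ~/Library/LaunchAgents
        print(hit)
```

On a real machine, point find_suspect_agents at ~/Library/LaunchAgents and /Library/LaunchAgents instead of the demo directory; an agent with both RunAtLoad and KeepAlive set is exactly what makes a background uploader reappear in Activity Monitor after being killed.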
@thomas A Reed
Interesting read and this has been quite an interesting experience generally. In the end it does appear not particularly malicious.
I am sure that I never actually selected a link to download the codec. If you google whitesmoke.com you will find references to something very similar on Windows going back some time. It also appears that the download.dmg file may be downloaded when downloading from a site such as Frostwire or Pirate bay. Whereas it used to be possible to inspect, and select from, the contents of a torrent, Pirate Bay now uses 'Magnet links', which do not enable this. Therefore it is not possible to see what will be downloaded before starting the download. It is therefore quite possible that malware such as this could be included in the download. Checking in detail the contents of the download folder could minimise this risk. NOTE THAT I AM IN NO WAY ENDORSING THE USE OF SUCH SITES!
Whitesmoke.com sell an application for "World-Leading English Writing Software" available for Mac, Windows and iPhone. It includes translation and the website looks very similar to the translation screenshot in your write-up. The opinions expressed on this software are either 'It's wonderful' or 'it's a rip-off POS'. So I am wondering if this whole thing is some ruse to get people to the Whitesmoke website to buy the software???
Yes, there can be a number of ways this could get on your hard drive. I can only document one that I know of, but the ones you mention are also quite plausible. That's one reason I like to recommend keeping your Downloads folder empty... then, if something you don't recognize pops in there, you'll notice it right away and be appropriately suspicious.
As to the purpose being to get people directed to whitesmoke.com, I'm not so sure. I only knew it was connecting to that site because I had Little Snitch running. Nothing else seemed to direct users to that site. I'm not sure what whitesmoke's role is in all this... they could be behind the whole thing, or they could simply have something on their site that the malware is loading without their direct involvement.
It also appears that the download.dmg file may be downloaded when downloading from a site such as Frostwire or Pirate bay. Whereas it used to be possible to inspect, and select from, the contents of a torrent, Pirate Bay now uses 'Magnet links', which do not enable this. Therefore it is not possible to see what will be downloaded before starting the download.
I can't say for other Torrent clients (but I'd be surprised if it wasn't the same), but if you use Transmission you can inspect and deselect the files being downloaded in the Inspector panel. This works on magnet links as on all others.
NOTE THAT I AM IN NO WAY ENDORSING THE USE OF SUCH SITES!
There's also nothing inherently illegal or unethical about using torrents, torrent sites and torrent clients. It depends on what you do with them (i.e., whether what you're downloading is copyright protected or not).