Is MacBooster safe

I've had DivX on my machine since the PPC days and I would have downloaded it from the DivX vendor site.

This is similar to what happened with Mac Defender, which didn't fool me for a second, but MacDefender was different in that it used a poisoned URL which force-downloaded an installer .pkg. you then had to go through a number of authorisation levels before it would actually install, whereupon it created a "fake" full screen desktop (which would have convinced anyone who doesn't rename their hard drive something other than Macintosh HD) apparently teeming with viruses; but it was really just a browser window rendered in Java. I actually did a walkthrough somewhere which involved me installing it on a machine I use for testing in order to prove to people how many time they would have to authorise the install of the malware themselves, but this is quite a different experience.

In this case I just did what I'd done a hundred times before and authorised an update to software I knew I had installed, had my security settings at a "sensible" level, and at no point did it appear that I was doing anything other than running a DivX update. All the messages were genuine which makes me think that the installer somehow piggybacked a genuine installation.

What I found most alarming was that the .dmg file containing the payload was delivered to a folder with a root level filepath rather than the downloads folder; if I hadn't known where to look for it I would have had a hard time finding it. i got rid of Parallels because it was downloading update disk images to areas other than my downloads folder...

I also have two AV services running - ClamX AV Sentry and Sophos and neither picked up on a potential threat. A scan of the .dmg file found no threat, and neither did a scan of the installer it contained.

The update manager in DivX shows no updates available, but this may because it was actually a legit update that had been "tainted" but I don't know enough about malware propagation to know if this is possible.

Either way, there needs to be an intensive and concerted boycott of developers like IObit and Zeobit for the use of these tactics.

I just downloaded DIVX from divx.com, it contained nothing beyond the DIVX software.

So we are left with the possibility that this was a fake installer, downloaded from a redirected FTP source, and a fake software update alert?

I'm going to see if the same thing happens on my MacBook Pro which should still have the older DviX version installed.

Go to divx.com and download a copy, see what you get.

I'm more interested to see what happens if I try to replicate what happened this morning

I wouldn't anticipate that it has "done" anything to your machine. I'm still not aware of any malware that can wreak the kind of havoc on a Mac that it does on windows; this is just a form of scareware and I think their tactic is just installing it and then hoping that most people will pay them rather than cope with the problem of uninstalling it. However you can uninstall it...

After getting rid of the app in your app folder, check /private/tmp and get shot of the installer disk image and anything else in there with Mac Booster or iobit in the name.

Check /library/launchagents and /library/launchdaemons for any iobit or macbooster.plist files. I also found a folder in ~/library/ApplicationSupport called MacBooster2 so I shredded that as well.

I'm not very technical but that seems to have done the job for me but I'm sure there are power unix users on here who could tell you where to look for further hidden files.

Eltham Jones wrote:

I wouldn't anticipate that it has "done" anything to your machine. I'm still not aware of any malware that can wreak the kind of havoc on a Mac that it does on windows;

Most of the "alleged" cleaners are capable of stopping a Mac in its tracks, MacCleaner being probably the worst (but MacKeeper is right up there)

Post back and tell us what transpired

I had MacKeeper installed for a while. It didn't do any harm, just didn't do anything I couldn't do without it. When it failed to run one day (the irony of a Mac maintenance tool falling victim to this didn't escape me) I took the opportunity to delete it and learn from my mistake. Currently my iMac doesn't seem to be suffering any ill effects from it's brief dalliance with MacBooster2 but I'm keeping an eye on it. The moment I saw "Mac Booster 2 wants to make changes to this computer" I clicked deny and uninstalled it, so that's my basis for assuming that it won't have done any harm to my - or Iggy's - machine, assuming Apple's security protocols are strong enough, as long as you don't explicitly authorise a change, I don't think it will make any changes. That's my default assumption anyway, and why I use Macs.

Unfortunately I haven't been able to duplicate the experience of this morning on my Mac Book Pro. The Divx installation was too old and downloading it from the DivX website didn't result in a MacBooster2 install. I have a clone of my iMac on an external disc though and I may see if I can boot my MacMini from it and reproduce the problem but I don't know whether the Mac Mini will run Yosemite; App Store seems to think it can...

I have a comprehensive backup strategy for all my computers - which allows me to take a few risks, fortunately!

🙂

The biggest issue for me was having to force kill it after double DivX finished installing. It ran a few extra processes and it took me a while to find the parent and get rid of it with a

sudo kill -9

I just suffered from a similar install of MacBooster2 after updating DivX too, I found residual evidence in…

~/Library/Saved Application State

~/Library/Caches

~/Library/Preferences

…with a second app called MacBooster Mini.app that was inside a MacBooster folder, inside ~/Library/Application Support. Check for the associated Cache and Preference files for the Mini app too.

I think I'll also dump DivX now.

Just adding that this happened to me today also. MacBooster 2 installed (and launched). I booted into boot up from my clone to see if the same thing would happen when updating DivX, and yes, it would have, had I not slowed down and paid attention.

Here's the deal.

Under the "Optional Offer" window, there normally would have been an option to install the HVEC plug-in, which was absent this time. Now there's a third party offer, which you would have unwittingly agreed to (as I did) if you're used to just clicking the "Accept" button without reading (as I am). That will teach me to read more carefully!

From a DivX forum post: "With our most recent DivX software release we updated our installer system to now include Opencandy's advertising network which serves up a variety of third party app offers during our install process..."

They even put ads in their viewer window now!

That's very interesting; well spotted. that must have flashed up really quickly as I didn't see any of it.

In their defence, I guess their software has to be paid for somehow, but we should be able to actively opt-in, rather than be required to opt-out of a default installation. Tactics such as these are a disgrace and I wonder if a case could be made for legal action, as happened with the banks over the forced selling of PPI?

I've never been sufficiently impressed with DivX to keep it anyway and I've only done so because I can't be bothered to remove it so this is the final nail in their coffin for me.

So, all of this happened to me and I think I've successfully Hovered all the Macbooster files. Hope so. My question: DID my Divx update? MacDruid's post leads me to think it did. Or do I need to still go to the Divx site and update? I must admit, I'm reluctant to do so now. This kind of underhanded/Decepticon malware (maybe) BS really frosts me. BTW, a huge THANK YOU to all for the tips, insights and healthy debate. You rock.

i've been wondering the same thing; whether the "update" was just an excuse to slip some unwanted software onto my hard drive for which DivX would receive a healthy kickback. When I checked the "about divx" item in the menu it showed that I was running a variant of 10.4, but I'm not sure which version I had before If I'm honest. I'd have to boot from a backup to find out.

As for whether it's malware, I regard any software that uses trickery and deceit to get around the many authorisation barriers that modern operating systems put in place as malicious, regardless of how apparently benign or innocuous it is when installed.

There is already a thread on the DivX forms here https://forums.divx.com/divx/topics/macbooster

i suggest that everyone who is furious about this joins in the slagging off online and see if we can make any kind of difference. I suspect the will just shrug it off though.