Jul 10, 2015 5:36 AM, in response to Csound1, by Eltham Jones: I realise this is an old thread, but I thought it would be worth relating my experience this morning.
I got a notification that something called MacBooster2 "wants to make changes to this computer".
I have never knowingly installed MacBooster2, and no one else has access to, let alone admin privileges on, my iMac. Naturally I denied access.
I looked for the app and found it in my apps folder, with no evidence of an installer or image file which might have contained it. However, the file creation date was "today, 12.41".
This is exactly the time at which I upgraded my DivX 10 installation. The only explanation I can see is that MacBooster either piggybacked on the DivX installer or disguised itself as a legit DivX installer.
I found the install dmg hiding in /private/tmp.
Such tactics lend the developer no credibility, but slapped wrists for me for taking my eye off the ball.
However, I wonder how this could have happened. My security settings allow installation of apps from the Mac App Store and identified developers. So is IObit (whose name sounds suspiciously similar to Zeobit, frankly) considered a legitimate developer? If so, why do they need to sneak their software onto users' machines in this manner?
-
Jul 10, 2015 7:28 AM, in response to Eltham Jones, by IggyMcMuffin: I also never installed MacBooster, but found MacBooster 2 installed and running right after I updated to DivX 10.
Being highly suspicious, I removed it immediately, but now I wonder what other changes it made to my work machine.
-
Jul 10, 2015 9:03 AM, in response to Eltham Jones, by Csound1: Where did you download DivX from, a 3rd party (like cnet or similar) or from the vendor?
-
Jul 10, 2015 10:42 AM, in response to Csound1, by IggyMcMuffin: Vendor, which is why it was so surprising.
-
Jul 10, 2015 11:55 AM, in response to Csound1, by Eltham Jones: I've had DivX on my machine since the PPC days and I would have downloaded it from the DivX vendor site.
This is similar to what happened with Mac Defender, which didn't fool me for a second, but Mac Defender was different in that it used a poisoned URL which force-downloaded an installer .pkg. You then had to go through a number of authorisation levels before it would actually install, whereupon it created a "fake" full-screen desktop (which would have convinced anyone who doesn't rename their hard drive something other than Macintosh HD) apparently teeming with viruses; but it was really just a browser window rendered in Java. I actually did a walkthrough somewhere which involved me installing it on a machine I use for testing in order to prove to people how many times they would have to authorise the install of the malware themselves, but this is quite a different experience.
In this case I just did what I'd done a hundred times before and authorised an update to software I knew I had installed, had my security settings at a "sensible" level, and at no point did it appear that I was doing anything other than running a DivX update. All the messages were genuine, which makes me think that the installer somehow piggybacked on a genuine installation.
What I found most alarming was that the .dmg file containing the payload was delivered to a folder with a root-level file path rather than the Downloads folder; if I hadn't known where to look for it I would have had a hard time finding it. I got rid of Parallels because it was downloading update disk images to areas other than my Downloads folder...
I also have two AV services running, ClamXav Sentry and Sophos, and neither picked up on a potential threat. A scan of the .dmg file found no threat, and neither did a scan of the installer it contained.
The update manager in DivX shows no updates available, but this may be because it was actually a legit update that had been "tainted". I don't know enough about malware propagation to know if this is possible.
Either way, there needs to be an intensive and concerted boycott of developers like IObit and Zeobit for the use of these tactics.
-
Jul 10, 2015 12:00 PM, in response to Eltham Jones, by Csound1: I just downloaded DivX from divx.com; it contained nothing beyond the DivX software.
-
Jul 10, 2015 12:08 PM, in response to Csound1, by Eltham Jones: So we are left with the possibility that this was a fake installer, downloaded from a redirected FTP source, and a fake software update alert?
I'm going to see if the same thing happens on my MacBook Pro, which should still have the older DivX version installed.
-
Jul 10, 2015 12:12 PM, in response to Eltham Jones, by Csound1: Go to divx.com and download a copy, and see what you get.
-
Jul 10, 2015 12:16 PM, in response to Csound1, by Eltham Jones: I'm more interested to see what happens if I try to replicate what happened this morning.
-
Jul 10, 2015 1:07 PM, in response to IggyMcMuffin, by Eltham Jones: I wouldn't anticipate that it has "done" anything to your machine. I'm still not aware of any malware that can wreak the kind of havoc on a Mac that it does on Windows; this is just a form of scareware, and I think their tactic is just installing it and then hoping that most people will pay them rather than cope with the problem of uninstalling it. However, you can uninstall it...
After getting rid of the app in your app folder, check /private/tmp and get shot of the installer disk image and anything else in there with Mac Booster or IObit in the name.
Check /Library/LaunchAgents and /Library/LaunchDaemons for any iobit or macbooster .plist files. I also found a folder in ~/Library/Application Support called MacBooster2, so I shredded that as well.
I'm not very technical, but that seems to have done the job for me. I'm sure there are power Unix users on here who could tell you where to look for further hidden files.
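A read-only audit of the locations this post names, added here as an example and not the poster's own procedure: it reports matching paths and processes so they can be reviewed before anything is removed. It assumes a POSIX sh with a `find` that supports -maxdepth (macOS and GNU both do); the plist file name used in the rehearsal fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit for MacBooster/IObit
# leftovers in the locations the post lists. Nothing is deleted or killed.

PATTERN='macbooster|iobit'   # case-insensitive, matched against full paths

# Print every matching path under the given system root and home directory.
# Returns 0 if anything matched, 1 if nothing did (grep's exit status).
# Pass "/" and "$HOME" for a real audit, or a fixture root for a rehearsal.
scan_leftovers() {
    root="${1%/}"          # strip a trailing slash so "/" becomes ""
    home="${2%/}"
    for dir in \
        "$root/private/tmp" \
        "$root/Applications" \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons" \
        "$home/Library/LaunchAgents" \
        "$home/Library/Application Support"
    do
        # -maxdepth 2 also lists the contents of e.g. Application Support/MacBooster2
        if [ -d "$dir" ]; then find "$dir" -maxdepth 2 2>/dev/null; fi
    done | grep -Ei "$PATTERN"
}

# List running processes whose command name matches, with parent PIDs, so the
# parent process the thread mentions can be identified before acting on it.
list_processes() {
    ps -eo pid,ppid,comm | grep -Ei "$PATTERN" || echo "no matching processes"
}

# Constructed fixture: a throwaway tree shaped like the real paths, holding two
# leftovers plus one unrelated plist. The IObit plist name is made up.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/private/tmp" "$fx/Library/LaunchAgents" \
             "$fx/Library/LaunchDaemons" "$fx/home/Library/Application Support/MacBooster2"
    : > "$fx/private/tmp/MacBooster2.dmg"
    : > "$fx/Library/LaunchDaemons/com.iobit.macbooster.plist"   # constructed name
    : > "$fx/Library/LaunchAgents/com.example.unrelated.plist"
    echo "$fx"
}

# Rehearsal against the fixture; for a real audit call: scan_leftovers / "$HOME"
demo=$(make_fixture)
scan_leftovers "$demo" "$demo/home" || echo "nothing found"
rm -rf "$demo"
```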
-
Jul 10, 2015 1:09 PM, in response to Eltham Jones, by Csound1: Eltham Jones wrote:
I wouldn't anticipate that it has "done" anything to your machine. I'm still not aware of any malware that can wreak the kind of havoc on a Mac that it does on Windows;
Most of the "alleged" cleaners are capable of stopping a Mac in its tracks, MacCleaner being probably the worst (but MacKeeper is right up there).
-
Jul 10, 2015 1:24 PM, in response to Csound1, by Eltham Jones: I had MacKeeper installed for a while. It didn't do any harm, it just didn't do anything I couldn't do without it. When it failed to run one day (the irony of a Mac maintenance tool falling victim to this didn't escape me) I took the opportunity to delete it and learn from my mistake. Currently my iMac doesn't seem to be suffering any ill effects from its brief dalliance with MacBooster2, but I'm keeping an eye on it. The moment I saw "Mac Booster 2 wants to make changes to this computer" I clicked deny and uninstalled it, so that's my basis for assuming that it won't have done any harm to my, or Iggy's, machine. Assuming Apple's security protocols are strong enough, as long as you don't explicitly authorise a change, I don't think it will make any changes. That's my default assumption anyway, and why I use Macs.
Unfortunately I haven't been able to duplicate the experience of this morning on my MacBook Pro. The DivX installation was too old, and downloading it from the DivX website didn't result in a MacBooster2 install. I have a clone of my iMac on an external disc though, and I may see if I can boot my Mac Mini from it and reproduce the problem, but I don't know whether the Mac Mini will run Yosemite; the App Store seems to think it can...
I have a comprehensive backup strategy for all my computers, which allows me to take a few risks, fortunately!
-
Jul 10, 2015 1:52 PM, in response to Eltham Jones, by IggyMcMuffin: The biggest issue for me was having to force kill it after double DivX finished installing. It ran a few extra processes and it took me a while to find the parent and get rid of it with a sudo kill -9.