
Where is the list of known adware/malware that affects Macs?

There used to be a KB or HT article that had known malware/adware for Macs and their directories so that you could navigate to them and delete. I know AdwareMedic aka Malwarebytes exists. Since Malwarebytes took over I don't want to use that software anymore. I used it when Thomas Reed was still writing the scripts. Anyway, is there such a listing either by Apple or some third party? Many thanks!

MacBook Pro (Retina, 15-inch, Mid 2015), macOS Sierra (10.12.2)

Posted on Jan 16, 2017 7:36 PM


Jan 17, 2017 3:44 AM in response to mike11218

mike11218 wrote:


Since Malwarebytes took over I don't want to use that software anymore. I used it when Thomas Reed was still writing the scripts.


I'm still directing the development at Malwarebytes, and am still the one primarily responsible for writing all the detection rules in our signatures file.


To answer the original question, Apple no longer tries to maintain those manual removal instructions. They've replaced the page with this:


Stop pop-up ads in Safari - Apple Support


To be honest, manual removal instructions simply don't work anymore. Many adware variants these days are pretty much impossible to detect by name only. I saw people trashing their systems while trying to follow manual removal instructions, back when those instructions were fairly straightforward. These days, the names used by some adware are so widely varied that there's no way to give average folks a reliable way to identify those files manually.

Jun 9, 2017 5:35 PM in response to mike11218

Identifying adware by name is destined to fail, since the names are always changing in an effort to circumvent automatic detection and elimination. The only way to avoid adware is through recognition of its characteristics.


All adware variants have the same overall appearance, but if a user isn't experienced enough to know what that looks like, then all he or she needs to do is to read the "terms and conditions" that accompany it. I have yet to encounter a single example of adware that doesn't do exactly what those terms and conditions say it's going to do... which, when translated from their generally tortured attempts at legalese, essentially say it's going to hijack your Mac so as to inundate it with a flood of advertisements for junk, incessantly open countless new windows or tabs, redirect your search preferences to whatever makes money for the advertiser, and basically make your Mac difficult or impossible to use.


Why do they do this? Follow the money. Merely clicking an advertisement earns the advertiser clickthrough revenue. Actually purchasing the advertised product earns a lot of revenue. It doesn't take much of an investment to distribute adware, and the returns are practically guaranteed.


Briefly stated, the above can be summarized as "think before you click". If some message or unsolicited popup window spontaneously appears alleging your Mac is infected with some ick, or if your video player is out of date, or generally seems too insistent that you do something right now this instant, it should be summarily ignored and dismissed. Apple does not provide those kinds of warnings. No legitimate company does, so your immediate response should be not only no, but h*ll no, and if you remain concerned then solicit answers from legitimate sources.


Education regarding such junk will hasten its inevitable demise. Read How to install adware for my perspective. The reason I chose that title is that I could not comprehend how anyone would be so gullible as to fall for such obvious scams, and literally had to work at learning how to become a victim. In retrospect I realized that not everyone has that ability, so a "how to" guide followed naturally.

Jun 10, 2017 10:13 AM in response to thomas_r.

My interpretation, which includes the reading of the whole sentence and the sentence's paragraph plus the entirety of the post, is that the post advises on how to avoid installing adware. Thus John Galt's:

Briefly stated, the above can be summarized as "think before you click".


I don't want to interrupt the tangential discussion. I'm just trying to clarify and eliminate any possible confusion.

Jan 16, 2017 7:58 PM in response to mike11218

Hello Mike,

There is no such listing anymore. It was never correct to begin with, so it is no great loss. Thomas Reed is still in charge of Malwarebytes' Mac software and Malwarebytes is a highly-regarded company. There is no reason to avoid it.


I can tell you that it is futile to go looking for such a list. A similar question came up today in another forum and I checked the EtreCheck deletion logs. Since the last time I checked 12 days ago, EtreCheck users have deleted over 2500 pieces of adware. The vast majority of that adware is automatically generated. Unless you really know what to look for, you won't be able to tell it apart from legitimate software.

Jun 9, 2017 12:44 AM in response to mike11218

Names of malware are frequently changing. A user who cannot manually find the location of malware in the system library and user library can use Malwarebytes Anti-Malware for Mac or EtreCheck.

But if one is eager to delete malware manually, Apple Support is the best option; they are experts in removing malware manually and hardly take 4-5 min to remove it.

Jun 9, 2017 4:07 AM in response to jnoronha91

jnoronha91 wrote:


etresoft and thomas_r. it would be a real great help if you could at least list out a few adware-inducing software.


I'm not sure I know what you're looking for, but some names of common adware on the Mac are Genieo, VSearch (aka Pirrit), Crossrider and IronCore. Those are kind of the "big four"... been around forever, still around today and going strong.


If you're looking for filenames... well, let me give you an illustration of why that's pointless. Some variants of VSearch take a word at random from the file here:


/usr/share/dict/words


They use this random word in their file names. This words file contains more than 235,000 different words, and although some are a bit weird and obviously fishy, others are not easy to identify as unusual for the average user.


Genieo is known to use nearly 100 different names that I know of. Crossrider and IronCore also come in a wide variety of different names. Filenames simply don't work for such threats anymore. The threat landscape has changed completely since I wrote my first manual removal instructions.

Jun 9, 2017 7:30 PM in response to John Galt

All adware variants have the same overall appearance


That is actually not at all true. Many will use launch agents or daemons, if one is inclined to call that having the same appearance, but many also do not. Many use browser extensions, but many do not.


Yes, there are certain patterns that are fairly common, but they are not universal. I've seen adware that works by directly modifying the Chrome or Firefox apps, for example. I've seen adware that doesn't actually install any files, it just changes browser settings and then tries to make it difficult to change those settings back. I've seen adware that creates hidden users and adds custom firewall rules to redirect web traffic through a malicious app.


We're rapidly leaving behind the days of simple, easy-to-remove Mac malware and adware.
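An added example, not part of the thread and not code from Malwarebytes or EtreCheck: it contrasts a fixed list of names with a name-independent inventory of launchd job files, for the random-word naming and the launch agent/daemon pattern described in the posts above. The labels, paths, blocklist and "trusted" path prefixes are constructed assumptions, and the check covers only the launch agent/daemon case, which the post above notes is common but not universal.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

KNOWN_BAD_LABELS = {"com.example.oldadware"}  # constructed "known names" list
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/")  # assumption: OS-owned paths

def launch_items(directory):
    """Parse each launchd plist in `directory`; unreadable files stay listed."""
    items = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())  # XML or binary plist
        except (ValueError, ExpatError, OSError):
            job = None
        if not isinstance(job, dict):
            items.append({"file": path.name, "label": None,
                          "program": "", "persistent": True})
            continue
        args = job.get("ProgramArguments") or []
        items.append({
            "file": path.name, "label": job.get("Label"),
            # launchd runs Program if present, otherwise ProgramArguments[0]
            "program": str(job.get("Program") or (args[0] if args else "")),
            "persistent": bool(job.get("RunAtLoad") or job.get("KeepAlive"))})
    return items

def name_match(items):
    """Old approach: flag only labels found on a fixed list of names."""
    return [i["file"] for i in items if i["label"] in KNOWN_BAD_LABELS]

def needs_review(items):
    """Name-independent triage: persistent jobs run from non-OS paths."""
    return [i["file"] for i in items if i["persistent"]
            and not i["program"].startswith(TRUSTED_PREFIXES)]

def demo():
    """Run both checks over constructed plists written to a temp directory."""
    jobs = {  # 'quixotry' stands in for a randomly chosen dictionary word
        "com.example.oldadware": {"Program": "/Library/oldadware/agent", "RunAtLoad": True},
        "com.quixotry": {"ProgramArguments": ["/Users/Shared/quixotry/quixotry"], "KeepAlive": True},
        "com.example.osjob": {"Program": "/System/Library/example", "RunAtLoad": True},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for label, body in jobs.items():
            Path(tmp, label + ".plist").write_bytes(plistlib.dumps({"Label": label, **body}))
        Path(tmp, "broken.plist").write_bytes(b"not a plist")
        items = launch_items(tmp)
    return name_match(items), needs_review(items)
```

The name list catches only the job it already knows, while the inventory surfaces the random-word job and the unparseable file for a human to inspect; it makes no verdict about whether an item is adware.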

Jun 9, 2017 7:46 PM in response to thomas_r.

thomas_r. wrote:


All adware variants have the same overall appearance


That is actually not at all true. Many will use launch agents or daemons, if one is inclined to call that having the same appearance, but many also do not. Many use browser extensions, but many do not.

I took that statement to mean, given one piece of Adware, all of its variants are similar, not that all Adware is similar.

I suppose John Galt can defend his statement himself, but I didn't interpret it the way I think you did.

Jun 10, 2017 4:39 AM in response to Barney-15E

Barney-15E wrote:


I took that statement to mean, given one piece of Adware, all of its variants are similar, not that all Adware is similar.


Well, that wouldn't really be true either. A lot of the long-standing adware families, like Genieo, VSearch and Crossrider, have undergone many changes over the years. They typically will be the same for a while, then will undergo a metamorphosis and change again, sometimes dramatically.

Jun 10, 2017 5:01 AM in response to thomas_r.

They typically will be the same for a while, then will undergo a metamorphosis and change again, sometimes dramatically.

Given one type in a current state, do all of the variants in that current state appear the same, short of the components might have different names?

Even knowing that, I agree there is no simple way to manually hunt down the parts.
