Malware Found on MacBook

I am writing this post to gain further insight on some malware found on my MacBook. Recently, while running a scan using Bitdefender, it turned up a Trojan called Trojan.JS.Agent.JMG. Around the same time, I found the following items while running a scan using Malwarebytes:

• 2017-04-11 19:43:01 : Adware.IronCore : /Users/AE/Library/Application Support/Firefox/Profiles/2zv1b5be.default/extensions/{1e75ea56-e618-41ff-86a2-cc6be7bddce3}

• 2017-04-11 19:43:23 : Adware.IronCore : /Users/AE/Library/Safari/Extensions/SearchInstaller.safariextz

• 2017-04-11 19:46:38 : PUP.JDIBackup : /Applications/ZipCloud.app

• 2017-04-11 19:46:38 : PUP.JDIBackup : /Users/AE/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

• 2017-04-11 19:46:38 : PUP.JDIBackup : /Users/AE/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : Login item named: Advanced Mac Cleaner for user: AE

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/Advanced Mac Cleaner

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/hlpramc

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/Application Support/Advanced Mac Cleaner

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/Application Support/amc

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/LaunchAgents/com.pcv.hlpramc.plist

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/Preferences/com.PCvark.Advanced-Mac-Cleaner.plist

• 2017-04-11 19:46:38 : PUP.Advanced Mac Cleaner : /Users/AE/Library/Preferences/com.pcv.hlpramc.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/Application Support/MacBooster 3

• 2017-04-11 19:46:39 : PUP.MacBooster : /Library/Application Support/MacBooster

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/Shared/MacBooster

• 2017-04-11 19:46:39 : PUP.MacBooster : /Library/LaunchDaemons/com.iobit.AMCDaemon.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/LaunchAgents/com.iobit.MacBoosterMini.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/LaunchAgents/com.iobit.AMCUpdate.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/Preferences/com.iobit.Boost3.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/Preferences/com.iobit.MacBooster-3.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Library/Application Support/MacBooster 4

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/Application Support/MacBooster4

• 2017-04-11 19:46:39 : PUP.MacBooster : /Library/LaunchDaemons/com.iobit.MBHelpToolerDaemon.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/LaunchAgents/com.iobit.MacBoosterMini4.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/Preferences/com.iobit.MacBooster-4.plist

• 2017-04-11 19:46:39 : PUP.MacBooster : /Users/AE/Library/Preferences/com.iobit.MacBoosterMini4.plist

Do any of the listed programs picked up by Bitdefender and Malwarebytes possess the capability to mine encrypted/non-encrypted data on my MacBook? If not, what other kind of harm are such programs capable of causing my laptop?

MacBook

Posted on Dec 3, 2017 12:28 PM

41 replies

Dec 3, 2017 1:04 PM in response to Barkley1220

Barkley1220 wrote:

Do any of the listed programs picked up by Bitdefender and Malwarebytes possess the capability to mine encrypted/non-encrypted data on my MacBook? If not, what other kind of harm are such programs capable of causing my laptop?

Encryption is irrelevant to these apps. If you decrypt any encrypted data then any app can read, edit or otherwise alter that data in its decrypted form. macOS's FileVault decrypts everything when you log in; the encryption is effectively useless at that point with regards to a user who installs malware. The OS has to be able to read & write files to run after a user logs in, which means they are in a decrypted state.


These apps appear to have jobs that run under your user account 'AE' - that means anything AE can do so can these processes.


The only thing these apps cannot change are files that were never decrypted - such as files inside a disk image with a password - it seems unlikely that you NEVER decrypt those, so there is the potential for them to also read/write and edit those too.


The solution to good security is to avoid installing junk software.


I don't know how good Bitdefender is so I cannot speak to whether I would trust its output. I do trust Malwarebytes so I would review its output first.


FYI, I don't think Macbooster or other 'Mac cleaning' apps are a good idea…

IOBit scam - YouTube -> Thomas Reed works for MalwareBytes

Dec 18, 2017 4:08 AM in response to Barkley1220

Barkley1220 wrote:


To others viewing this thread, does anyone else have more information about what the Trojan.JS.Agent.JMG and the listed malware does?


I didn't see this before today, and I haven't read every message in this thread, so forgive me if what I'm saying has already been said.


First, with regard to the things that Malwarebytes found, those are adware and PUPs (potentially unwanted programs). Those things do not steal your data or do other malicious things, or they would be categorized as malware.


Adware is software designed to inject advertisements in your web browser, in an attempt to defraud the advertising systems. PUPs are junk software that attempt to defraud you by tricking you into paying for them. Any time these kinds of programs display actual malicious behavior, they are escalated to malware. (In Malwarebytes, that means that the name of the threat is prefixed by "Trojan" or "OSX" instead of "Adware" or "PUP".)


Regarding Trojan.JS.Agent.JMG, that is a generic detection of a JavaScript. This is not part of any Mac malware. It's most likely a malicious JavaScript found on a website, designed to detect vulnerabilities on Windows machines and install malware automatically on those machines. It will not affect your Mac, and was most likely found in your browser's cache, where it is not any danger. That's assuming, of course, that it's not a false positive (i.e., a legitimate, harmless JavaScript being detected as malicious by mistake by Bitdefender).

Dec 3, 2017 2:14 PM in response to Barkley1220

I don't know what those apps do - some look like 'cleaner utilities' that claim to do many things that are basically pointless as far as I can tell; at best they appear to be useless, at worst they could be malicious.

If you do not know what they do then remove them & recheck that they are no longer installed via MalwareBytes. The app should have instructions to remove or look for help from Malwarebytes.


Ironcore appears to be adware - scammy software designed to make money by sending adverts & selling your details. It is part of a Firefox extension, so perhaps it only harvests data in Firefox.



Sorry, I tried to explain in plain terms, if it is not clear you can ask questions about specific parts but I can't really help when you dismiss all of the post as not understandable.


In summary ANY app you install has the ability to do everything YOU can do on your Mac - that means read & write any data you can see & send it anywhere.


My personal preference in these situations is to backup to an external disk & then erase the Mac and reinstall the OS. Some care can be taken to reinstate the users data files but that is beyond what I can describe here.


Hopefully others will comment here & clarify your questions.

Dec 13, 2017 6:04 PM in response to Barkley1220

Barkley1220 wrote:


Even assuming there are no suspicious charges listed on my bank account, is it reasonable to conclude that ZipCloud already backed up data off my computer before I got to it?

I don't know how ZipCloud was configured and I also don't know what data you store on your Mac. The point I was making is that when you run something in your user account it can read & write to the data your account 'owns'.


If you store something obvious like a text file with a list of bank account details, social security numbers, mother's maiden name, security reset answers… I'd be a little concerned if that was uploaded elsewhere - that is easy to read if someone takes a copy of it. Even if Zipcloud are not a malicious service you have to consider that they can be a victim of attacks too that could expose data; they don't seem to store the data encrypted as far as I can tell.


If you use online banking or shopping sites your details should be OK. Most reputable websites will protect credit card & bank details in transit. That info supplied to the browser is generally not saved on your Mac in plain text formats (openly readable data).

Passwords are generally saved by Keychain on macOS so they should be encrypted with your user login password.


Zipcloud has a reputation because it seems to have been bundled with other search hijacking junk software. It is not clear to me the level that this product goes to harvest data or exploit users; it may not. The reputation may simply be complaints from angry customers that do not like this product - they seem to like upselling extra features.


If you are concerned you should keep an eye on your statements or consider requesting a new bank/ debit/ credit card. It becomes more difficult if you need to change bank account numbers etc. There may be no point to any of that, I really can't say from here.


My personal preference is to use a backup system that encrypts data before it leaves my machine so the servers cannot decrypt it at rest (because only I have the keys). That does put the responsibility on me not to lose the keys etc.

Dec 4, 2017 11:23 AM in response to Barkley1220

Barkley1220 wrote:


I was under the impression that the functions malware performed on a given computer varied depending on their individual design.

Obviously malware only does what it is designed to do. Unfortunately it takes a degree in computer science to be able to work out what complicated malware does, and some malware sits dormant until it has a job to do (like launch an attack on a specific company alongside thousands of other bots). You can search & read what researchers say these items do, but some software is designed to allow remote access & can be manipulated into doing more things in the future. A lot of it is simply to make other people money (click fraud, advertising revenue etc).


Barkley1220 wrote:

Just to clarify, I should assume that the privacy of emails and documents on my MacBook is compromised if I find ANY kind of malware installed on my computer?

That is a cautious assumption. If you are planning on erasing & reinstalling the computer it would be a good idea to reset any passwords for accounts that are on the machine.


I still think you need to look into these apps to see if they appear malicious. Also have you had any signs of an attack such as compromised credit or bank accounts etc?


Maybe ask for assistance on the malwarebytes forum, they may be able to say how capable these items are. Sometimes they flag software simply because it is not well written & causes users to spend money on worthless apps, I really don't know if that is the case with the Macbooster & Mac cleaner apps you have - I just don't trust them.


The trojan and the adware are my main concerns.

Dec 17, 2017 1:42 PM in response to Barkley1220

Barkley1220 wrote:


Does that mean the Trojan picked up by Bitdefender is not one of the variants of family that harvest data or download other malware onto my computer?

No. It means that it is part of one of the most common strains of Mac adware. You can read more about it here: https://blog.malwarebytes.com/101/2017/03/mac-security-facts-and-fallacies/ - search for "ironcore".


Anytime security is concerned, companies like to use loaded words like "trojan", "malware", or "virus". From a certain point of view, those terms are technically correct. But they really aren't what you are thinking of. It is not something to be worried about. Just delete it and move on.

Dec 21, 2017 4:01 AM in response to Barkley1220

Hello Barkley1220,

I sincerely doubt you are ever going to get a response from that question. There are a handful of people who investigate malware and try to reverse-engineer it to find out what it does. The behaviour of popular, legitimate software is usually pretty straightforward. But even then, there are usually enough users to notice if it starts doing something fishy.


But you are asking about grey market software. It isn't malware per se, so security researchers aren't interested in it. It also doesn't have any legitimate users. It is all a scheme involving affiliates and advertising networks. They are essentially leveraging people's Macs to generate revenue for themselves. No one really knows what the software does. It may just drive ads or user clicks, or notify some corporate customer of another software install, or it may just be a benign cover (i.e. bait) for the installation of other malware.


I am certainly not saying it is safe. I think the number of legitimate software products is dropping like a rock. Even on Apple's App Stores, Apple is gingerly starting to enforce some of its decade-old guidelines and targeting only the worst examples. But the problem went far beyond Apple's control years ago.


I strongly suggest that no one install software they haven't personally researched. It is like giving your house or car keys to strangers on the street and then asking on the internet if anybody knows what those people are going to do with your house or car. The answer is pretty much whatever they want. Most of the honest people are busy enough with their own houses and cars and probably don't want to be bothered by yours. Who does that leave you with?


In this day and age, scams and identity theft are common. They are common even among people who haven't given grey market strangers access to all of their data. I don't know what you want anyone to tell you. Don't install this stuff. If you do anyway, see what kinds of identity theft and scam protection you can get.

Dec 14, 2017 6:41 AM in response to Barkley1220

I'm not sure if that's their gig - they're into more fine-print contract wiggling and up-sell/trick-sell and outright gray-area fraud. They remind me of the IRS, say one thing and do another... but from my understanding - they don't hijack, they are the guy who stops you on the street and says, I bet you 5 dollars I can tell you where you got your shoes!


What I would do is open Terminal and run locate ZipCloud (or whatever other terms you have seen in their files), then remove them from all those locations.

It's your call if you want to change any passwords, but if you do, be judicial and do everything from your laptop, email, cc's, et al.
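The Dec 14 post's "open Terminal and locate the names you saw in the scan" step, and the Dec 18 post's explanation of how Malwarebytes prefixes detection names (Adware/PUP versus Trojan/OSX), as an added triage script that is not part of this thread or of Malwarebytes: it classifies scan lines by prefix, pulls out the launchd persistence entries (the LaunchAgents/LaunchDaemons plists, which are what re-launch this software at login or boot), and searches a directory of plists for a flagged vendor string. The "<timestamp> : <Category.Name> : <path>" line shape, the prefix rule, the two sample plists and the fourth sample scan line (OSX.Constructed.Sample) are assumptions constructed for the example; the script only reports and never deletes anything.

```shell
#!/bin/sh
# Triage helpers for Malwarebytes-style scan output and launchd persistence entries.
# Assumptions (not from the thread): the "<timestamp> : <Category.Name> : <path>" line
# shape, the Adware/PUP/Trojan/OSX prefix convention the thread describes, and the
# constructed sample data below. Nothing here deletes anything; it only reports.

# Constructed sample scan lines: the first three reuse paths from the thread's listing,
# the fourth is made up to exercise the "escalated to malware" branch.
SAMPLE_SCAN='2017-04-11 19:43:01 : Adware.IronCore : /Users/AE/Library/Safari/Extensions/SearchInstaller.safariextz
2017-04-11 19:46:38 : PUP.JDIBackup : /Users/AE/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist
2017-04-11 19:46:39 : PUP.MacBooster : /Library/LaunchDaemons/com.iobit.AMCDaemon.plist
2017-04-11 19:46:39 : OSX.Constructed.Sample : /Users/AE/Library/Caches/constructed-sample.bin'

# Classify one detection name by its prefix: per the thread, a name is prefixed
# "Trojan"/"OSX" once real malicious behaviour is seen; Adware/PUP are junkware.
triage_class() {
    case "$1" in
        Trojan.*|OSX.*) echo malware ;;
        Adware.*)       echo adware ;;
        PUP.*)          echo pup ;;
        *)              echo unknown ;;
    esac
}

# Count detections per class from scan lines on stdin; prints "class count" pairs, sorted.
scan_summary() {
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | awk -F' : ' '{print $2}')
        [ -n "$name" ] && triage_class "$name"
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Print the paths from stdin that are launchd persistence points (LaunchAgents/LaunchDaemons
# plists): these re-run the software at login/boot, so they are the entries to check first.
persistence_paths() {
    awk -F' : ' '$3 ~ /\/Launch(Agents|Daemons)\/.*\.plist$/ {print $3}'
}

# List plist files under DIR whose contents match the regex PATTERN (e.g. a vendor id),
# a checkable form of the thread's "locate ZipCloud" advice. Reports only.
find_launch_items() {
    scan_dir=$1; pattern=$2
    [ -d "$scan_dir" ] || return 0
    grep -l -i -E "$pattern" "$scan_dir"/*.plist 2>/dev/null | sort
}

# Build a throwaway LaunchAgents-style directory with two constructed plists so the
# search can be exercised offline; prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/com.jdibackup.ZipCloud.autostart.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.jdibackup.ZipCloud.autostart</string>
  <key>ProgramArguments</key><array><string>/Applications/ZipCloud.app/Contents/MacOS/ZipCloud</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$d/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
    echo "$d"
}

# Stand-alone demonstration over the constructed data.
demo() {
    echo "== detections by class =="
    printf '%s\n' "$SAMPLE_SCAN" | scan_summary
    echo "== launchd persistence entries in the scan =="
    printf '%s\n' "$SAMPLE_SCAN" | persistence_paths
    demo_dir=$(make_demo_dir)
    echo "== plists in $demo_dir mentioning a flagged vendor =="
    find_launch_items "$demo_dir" 'zipcloud|iobit|pcv'
    rm -rf "$demo_dir"
}
demo
```

On a real Mac the same find_launch_items function can be pointed at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons with the vendor strings from the scan (jdibackup, iobit, pcv); review each hit by hand before removing anything, since a legitimate tool can share a directory with the junkware.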

Dec 17, 2017 2:12 PM in response to Barkley1220

Barkley1220 wrote:


So, just for the sake of confirmation, the fact that Trojan.JS.Agent.JMG is adware means there is no possibility of it searching documents and emails for private information like bank account PINs, social security numbers, etc?

MalwareBytes reported that it is a Firefox extension and search installer. If you use Firefox, then, in theory, it may have been able to access any web page that you accessed using Firefox, including the data you entered on those pages. But in most cases, these things just insert ads into your web pages.

Dec 15, 2017 6:00 PM in response to Barkley1220

Barkley1220 wrote:


Thank you for your response, Etresoft. I found your answer to be very informative.

However, when you say none of the items mentioned are malware, did you mean to include the Trojan.JS.Agent.JMG or are you just referring to the list of programs picked up by Malwarebytes?

I was only referring to the information reported by MalwareBytes. Most Mac security products (with the exception of MalwareBytes) are notorious for identifying harmless cache files, e-mails, or Apple system files as malware infections. They like to refer to them with their own code names such as "Trojan.JS.Agent.JMG" which sound scary, but have no meaning whatsoever. If it also identified a specific file, including the full path, that would be much more useful. I could then tell you exactly which category of harmless files this one belongs to.

Dec 17, 2017 6:50 PM in response to Barkley1220

Hello again Barkley1220,

As far as Mac security software goes, MalwareBytes is the most effective and one of the least problematic. I don't have any problem recommending it if people insist on having some kind of 3rd party software. Apple includes several layers of malware protection built into the operating system. But some people insist on more, so MalwareBytes will meet their requirement, will do a good job, and probably won't cause problems.


All that being said, MalwareBytes is still a part of the same security industry. They don't sell software, they sell fear. To their credit, MalwareBytes also sells good software, but they are just as happy to sell fear as any other company. Is any of that possible? Of course. Anything is possible. There are millions of Macs in service today. Maybe some of them have real-life trojans that were installed via adware. I can't prove that such a thing doesn't exist. But it hasn't happened yet. Could it happen? Sure! Could fish fall from the sky? Well, they do, on a regular basis. Fish falls are more common than Mac malware. But how many of us buy umbrellas that will withstand a good-sized bass or sturgeon?


If you absolutely must have some 3rd party security software, fine. Buy MalwareBytes. It will work. It will protect you from the annoying adware threats that you are at risk for. It will be redundant for the bona fide malware that Apple also protects you from, but it probably won't do any harm. If you absolutely must have a product with a higher market name recognition, fine. Buy BitDefender or maybe Norton Security. Even better - buy both! Just don't bother asking people here on Apple Support Communities for help with your Mac that is running slow and crashing. Because that is just going to put you back to square one.
