A Deeper Look On MacSweeper
Do you think MacSweeper is not a rogue application? OK, let’s take a deeper look and see what it does.
::::::::::::
File Size
::::::::::::
MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes)
MacSweeper.app 2.6 MB (2,563,303 bytes)
:::::::::::::::::
Installation
:::::::::::::::::

Behind this page are an SWF Flash file and JavaScript that record traffic and clicks.
After the fake scanning display finishes, this bogus website shows an alert box.

Clicking “Ok” triggers the downloading of MacSweeperSetup.dmg. Inside this DMG file is the rogue application – MacSweeper.app.
MacSweeper does not require the root/admin password to execute, and it remains in the Downloads folder unless the user manually drags it to another location.
::::::::::::::
Network
::::::::::::::
Lookup information of www.macsweeper.com:
www.macsweeper.com. A 217.20.175.39
ns1.vici.au NS 217.20.175.157
ns2.vici.au NS 217.20.182.29
alt1.aspmx.l.google.com MX 209.85.147.27
alt2.aspmx.l.google.com MX 64.233.185.27
aspmx.l.google.com MX 66.249.93.27
Cleanator is a rogue application that works on the Windows platform.
:::::::::::::::::::::::::::::::
Behaviour & Analysis
:::::::::::::::::::::::::::::::
Most of the files inside MacSweeper.app are image files (in PNG format). Let’s check the other files …
PkgInfo contains strings “APPL????”
Database.plist contains 6390 cookie data that looks like this:
Cookie
YMR6LmFmdGVyZGF3bi5uZXQ
TODO.txt contains a list of things to do, including current limitations, bugs and features. One interesting entry from this text file is:
“18. When update in process arert of new version can come, and fuck everithing”
You may check the complete list here.
Info.plist contains the following strings:
Package Type: APPL
Executable: MacSweeper
The file MacSweeper inside the MacOS folder is a binary in universal binary format, which means it can run on both PPC and x86.
From the screenshot above, you would think that this application has scanned your system for unwanted files. However, in the background, MacSweeper executes the following shell commands:
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;
exit;
lipo "%@" -thin %@ -output "%@.lipo" && mv -f "%@.lipo" "%@";
During the scanning process, it drops the following temporary files:
/private/tmp/com.MacSweeper.found.tmp
/private/tmp/com.MacSweeper.found2.tmp
It then uses these files to display the scan result. This application does not scan for unwanted files; instead, it gives you a list of legitimate items installed on your system.
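What the `file ... | grep 'universal binary'` step above actually matches, as an added example (not code from MacSweeper or from the original post): a parser for the fat Mach-O header that lists the architecture slices and estimates how many bytes a `lipo -thin` would drop. The function names, the constructed sample bytes and the Java cutoff value are assumptions made for this illustration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian magic of a 32-bit fat header
CPU_NAMES = {7: "i386", 18: "ppc", 0x01000007: "x86_64", 0x01000012: "ppc64"}
JAVA_CUTOFF = 45                # assumption: real fat files have far fewer slices


def fat_slices(data):
    """Return [(arch, offset, size)] for a fat Mach-O, or [] if it is not one."""
    if len(data) < 8:
        return []
    magic, count = struct.unpack(">II", data[:8])
    # Java .class files share this magic; their next field is the class version
    # (>= 45 when read as one 32-bit integer), so a large count means "not Mach-O".
    if magic != FAT_MAGIC or count == 0 or count >= JAVA_CUTOFF:
        return []
    slices = []
    for i in range(count):
        entry = data[8 + 20 * i: 28 + 20 * i]
        if len(entry) < 20:            # truncated header: refuse to guess
            return []
        cputype, _sub, offset, size, _align = struct.unpack(">5I", entry)
        if offset + size > len(data):  # slice points past the end of the file
            return []
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return slices


def thin_savings(data, keep):
    """Approximate bytes dropped by keeping only `keep`; None if it is absent."""
    kept = [size for arch, _off, size in fat_slices(data) if arch == keep]
    return len(data) - kept[0] if kept else None


def build_sample():
    """Constructed fat file: header padded to 4096, then ppc and i386 slices."""
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">5I", 18, 0, 4096, 100, 12)
    header += struct.pack(">5I", 7, 3, 8192, 200, 12)
    body = header.ljust(4096, b"\0") + b"P" * 100
    return body.ljust(8192, b"\0") + b"I" * 200


if __name__ == "__main__":
    sample = build_sample()
    print(fat_slices(sample))
    print(thin_savings(sample, "i386"))
    print(fat_slices(struct.pack(">IHH", FAT_MAGIC, 0, 52)))  # Java 8 class header
```

Every file this flags is an ordinary multi-architecture executable, which is why the resulting list says nothing about privacy or unwanted content.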
And it does not end here: a few minutes after displaying the scan result, it displays a nag screen as shown below:
What! A privacy violation from your own legitimate files? Absolutely not right.
From the code, this application unlocks more features and displays the message below once the user enters a valid serial code.
Thank You! You made me a bit hapier
Definitely, this application is not just a rogue application but also junkware.





@angelo:
You guys are complete failures. You can’t write decent software, and you obviously don’t have a clue about marketing because nobody believes your bullshit excuses.
Let’s face it — software development just isn’t your thing. I suggest you consider a change of career.
// nobody believes your bullshit excuses
All that news was before our “excuses”
//Let’s face it — software development just isn’t your thing. I suggest you consider a change of career.
Google: 109,000 results for macsweeper. Not bad for two people, in only one month! I would love to see only good news, but unfortunately life is difficult. Give us some time and we will correct most of the terrible mistakes we have made!
We adore Mac platform, and we are creative enough to write glorious software for it!
> We adore Mac platform, and we are creative
> enough to write glorious software for it!
Yeah, right.
In your dreams.
A rogue is not malware (it is not a trojan, backdoor, adware, spyware or a virus); it is simply unreliable, can’t be trusted and is dubious in nature. The misleading words and information exploit vulnerable or confused users into taking damaging action on their own system.
You don’t actually scan for unwanted files; instead you are scanning legitimate applications and tagging them as “Privacy Violation”. If you understand, this is a 100% false positive and a serious security company should know about this.
These types of application/software are also called junkware or crapware. It is something that looks useful but it’s not.
In this industry, trust is not given; it is something that you really need to work hard for.
//You don’t actually scan for unwanted files; instead you are scanning legitimate applications and tagging them as “Privacy Violation”.
“Privacy Violations” – yes, that was too much. But we are really scanning for files that can be harmlessly removed. Like, for example, dozens of languages in different applications. Or fat binaries with Intel and PPC architectures.
Do you really need them?
//These types of application/software are also called junkware or crapware. It is something that looks useful but it’s not.
Unfortunately we are not the last ones who will use these tactics. But others won’t ask for public excuses!
And even most “Security” (Junkware Antiviruses) software is made to make money on “Protecting” people from nonexistent problems! You just look at these:
Affected operating systems: Windows,
http://www.sophos.com/security/analyses/macsweeper.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-011613-5206-99&tabid=3
http://vil.nai.com/vil/content/v_143952.htm
These companies are cheating users no better than we did! Do you really think that they found some virus or spyware there?
If you really want to remove MacSweeper, you just need to move these files to Trash:
1) MacSweeper.app (Check if MacSweeperDaemon is running)
2) ~/Library/Contextual\ Menu\ Items/MacSweeperCMI.plugin
3) ~/Library/Preferences/com.KIVViSoftware.MacSweeper.plist
That’s it!
//In this industry, trust is not given; it is something that you really need to work hard for.
Good words! Thanks!
The Mac community has taught us a lesson that we will never forget.
We worked hard to correct our mistakes, and we promise you will never see “junk” software from our company anymore!
Meet new MacSweeper at http://macsweeper.com
As we promised, we are giving away 1000 licenses of MacSweeper for free, even more!
Our activation algorithm is based on the short user name. So the easiest method to get it and to generate a serial number for it is when you press purchase from the program.
We also considered our pricing policy. You will be able to purchase MacSweeper for as low as 15$.
Thank You All for this lesson! I hope it will reflect the same way on other junk-ware that will try to harm our lovely mac platform and its users!
You can post your thoughts on our support forum
http://forum.macsweeper.com
about trimming binaries. Some apps don’t care and some do. Size matters in schools when you are trying to save disk images that need to be copied to thousands of computers so believe me we trim where we can. I had thought that universal binaries are separable but that turns out not to be the case. I believe some apps are built with hooks to info in the other binary. For example split the Airport Admin app and try to manage all the airport flavors – it just stops working.
Trimming languages, on the other hand, has been around for a long time. See http://www.bombich.com/software/local.html
So how to get rid of it?
You just need to exit MacSweeperDaemon (small trash icon in your tray bar). Then you will be able to move MacSweeper to trash.
The topic is quite trendy on the Internet at the moment. What do you pay attention to while choosing what to write about?