drwxr-xr-x 7 test staff 306 23 Dec 03:50 .
drwxrwxrwt@ 6 root admin 204 12 Jan 23:42 ..
lrwxr-xr-x 1 test staff 20 23 Dec 03:49 Double-click to Install -> StarfieldInstall.app
Apart from the 'Double-click to Install' symlink, which points at StarfieldInstall.app, the contents of the package are hidden from Finder. This discourages the user from inspecting what is actually being run. Back in the terminal, run these two commands to make Finder show hidden files:
$ defaults write com.apple.finder AppleShowAllFiles TRUE
$ killall Finder
Installation: What happens when you double-click it? It prompts for an administrator password, i.e. it wants root privileges.
By this stage it is already too late: even if you discard or cancel the authorization dialog, the tricky 'StarfieldInstall.app' has already installed itself as follows:
1) It creates a 'Starfield' folder in /Applications. This folder holds a copy of the installer and an update component:
/Applications/Starfield/StarfieldInstall.app
/Applications/Starfield/starfieldupdate.app
2) It registers 'starfieldupdate' in the user's Login Items, so it runs at every login.
3) The update component is always running in the background, as lsof shows:
$ lsof -c Starfield
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Starfield 221 test cwd DIR 14,2 1394 2 /
Starfield 221 test txt REG 14,2 93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test txt REG 14,2 1064960 2655251 /private/var/folders/ur/urE9xwfCE+a922ltbYjezk+++TU/-Caches-/com.apple.LaunchServices-025504.csstore
Starfield 221 test txt REG 14,2 1054960 25052 /usr/lib/dyld
Starfield 221 test txt REG 14,2 206983168 2609511 /private/var/db/dyld/dyld_shared_cache_i386
Starfield 221 test 0r CHR 3,2 0t0 297 /dev/null
Starfield 221 test 1 PIPE 0x079a7640 16384 ->0x079a76a4
Starfield 221 test 2 PIPE 0x079a7640 16384 ->0x079a76a4
Starfield 221 test 3r REG 14,2 163 42178 /private/etc/security/audit_control
Starfield 221 test 4u KQUEUE count=1, state=0x2
Starfield 221 test 5r REG 14,2 93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test 66r REG 14,2 611 42177 /private/etc/security/audit_class
So when you think it is gone, it is not: 'StarfieldInstall' sleeps and later activates again to request your password. It keeps repeating the request until it gets authorized.
On a side note, 'StarfieldUpdate.app' collects the following information:
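The persistence described above (the /Applications/Starfield folder, the 'starfieldupdate' login item and the resident process) can be checked for with a short script. This is an added example and not code from the original post; the paths, login-item name and process names are the ones the post names, and the decision logic is kept separate from the live collection so it can be exercised on any OS.

```python
# Added example (not from the original post): a host check for the Starfield
# persistence described above. The paths, login-item name and process names are
# the ones named in the post; the decision logic is mine and deliberately kept
# separate from the live collection so it can be exercised on any OS.
import os
import platform
import subprocess

# Install locations named in the post. Any one of them on disk is a finding.
STARFIELD_PATHS = (
    "/Applications/Starfield",
    "/Applications/Starfield/StarfieldInstall.app",
    "/Applications/Starfield/starfieldupdate.app",
    "/Library/Application Support/Starfield",
)
# Login item the installer registers, and the resident processes named in the post.
LOGIN_ITEM_NAMES = ("starfieldupdate",)
PROCESS_NAMES = ("StarfieldUpdate", "StarfieldInstall", "OffSyncService")


def classify(paths_present, login_items, processes):
    """Map raw observations to findings.

    paths_present: paths that exist on disk
    login_items:   login-item names as System Events reports them
    processes:     process names or full paths (the 'comm' column of ps)
    """
    present = set(paths_present)
    wanted_items = {n.lower() for n in LOGIN_ITEM_NAMES}
    findings = {
        "files": sorted(p for p in STARFIELD_PATHS if p in present),
        "login_items": sorted(li for li in login_items if li.lower() in wanted_items),
        "processes": sorted(p for p in processes if os.path.basename(p) in PROCESS_NAMES),
    }
    findings["infected"] = any(findings[k] for k in ("files", "login_items", "processes"))
    return findings


def _lines(cmd):
    """Run a command and return its non-empty stdout lines ([] if it is missing)."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return []
    return [line.strip() for line in out.splitlines() if line.strip()]


def collect_live():
    """Gather the three observation types from the running Mac."""
    paths = [p for p in STARFIELD_PATHS if os.path.exists(p)]
    # System Events returns the login items as one comma-separated line.
    raw = _lines(["osascript", "-e",
                  'tell application "System Events" to get the name of every login item'])
    login_items = [name.strip() for line in raw for name in line.split(",") if name.strip()]
    # On macOS the comm column carries the full executable path for app bundles.
    processes = _lines(["ps", "-axo", "comm="])
    return paths, login_items, processes


if __name__ == "__main__":
    if platform.system() != "Darwin":
        raise SystemExit("live collection needs macOS; classify() runs anywhere")
    result = classify(*collect_live())
    for key in ("files", "login_items", "processes"):
        for hit in result[key]:
            print(f"{key}: {hit}")
    print("Starfield present" if result["infected"] else "no Starfield artifacts found")
```

Run it as the logged-in user, since the login item lives in that user's Login Items; a clean result from `classify()` only means none of the artifacts the post names were seen, not that the updater could not have been renamed.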
- OS version and CPU Type
- Local user
- Previous installation
- Starfield installation component versions
And performs the following:
- Checks the user's privilege on the system: whether the user is an admin, or can be elevated to admin.
- 'StarfieldInstall' launches 'starfieldupdate.app', which stays resident in the background.
- 'starfieldupdate.app' is responsible for the initial installation (first run) and for updates.
- The initial installation paths of Starfield are:
/Applications/Starfield
/Library/Application Support/Starfield
/Library/Internet Plug-ins/
/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
- Dumps a log of its activity, especially the installation, to ~/Library/Logs/. Look for a file name containing 'starfield' in that folder; an excerpt:
Launch.cpp(18): Launching /Applications/Starfield/StarfieldUpdate.app runme
StarfieldInstall.cpp(862): Starting v1.0.4.9 with command: -psn_0_1011959
StarfieldInstall.cpp(879): OS Version 10.6 x86
StarfieldInstall.cpp(880): Local user test (test)
StarfieldInstall.cpp(881): User can become administrator.
StarfieldUpdate.cpp(90): Starting v1.0.3.3 with command: -psn_0_1007862
StarfieldUpdate.cpp(119): launchargs runme
StarfieldUpdate.cpp(144): Local user test
StarfieldUpdate.cpp(145): User can become administrator.
StarfieldUpdate.cpp(162): Launching /Applications/Starfield/StarfieldInstall.app
Launch.cpp(18): Launching /Applications/Starfield/StarfieldInstall.app
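The log above is useful evidence: it records which component launched which, the version of each, the OS it profiled and how often it probed the user's privileges. The following is an added example, not the post's or Starfield's own code, that turns such a log into a timeline; the sample is a copy of the excerpt above, and the line format `File.cpp(line): message` and the message patterns are assumed from that excerpt alone.

```python
# Added example (not from the original post): turn the installer's log into a
# launch/version timeline. SAMPLE_LOG is copied from the excerpt above; the
# line format "File.cpp(line): message" and the message patterns are assumed
# from that excerpt alone.
import re

SAMPLE_LOG = """\
Launch.cpp(18): Launching /Applications/Starfield/StarfieldUpdate.app runme
StarfieldInstall.cpp(862): Starting v1.0.4.9 with command: -psn_0_1011959
StarfieldInstall.cpp(879): OS Version 10.6 x86
StarfieldInstall.cpp(880): Local user test (test)
StarfieldInstall.cpp(881): User can become administrator.
StarfieldUpdate.cpp(90): Starting v1.0.3.3 with command: -psn_0_1007862
StarfieldUpdate.cpp(119): launchargs runme
StarfieldUpdate.cpp(144): Local user test
StarfieldUpdate.cpp(145): User can become administrator.
StarfieldUpdate.cpp(162): Launching /Applications/Starfield/StarfieldInstall.app
Launch.cpp(18): Launching /Applications/Starfield/StarfieldInstall.app
"""

LINE_RE = re.compile(r"^(?P<src>[\w.]+)\((?P<line>\d+)\):\s*(?P<msg>.*)$")
LAUNCH_RE = re.compile(r"^Launching\s+(?P<target>\S+)(?:\s+(?P<args>.+))?$")
START_RE = re.compile(r"^Starting v(?P<version>[\d.]+) with command:\s*(?P<cmd>.*)$")
OS_RE = re.compile(r"^OS Version (?P<os>[\d.]+)\s+(?P<arch>\S+)$")
ADMIN_RE = re.compile(r"^User can become administrator\.$")


def parse_log(text):
    """Return one dict per parsable line, tagged with a 'kind'."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines whose format the excerpt did not show
        src, msg = m.group("src"), m.group("msg")
        ev = {"src": src, "line": int(m.group("line")), "msg": msg, "kind": "other"}
        lm, sm, om = LAUNCH_RE.match(msg), START_RE.match(msg), OS_RE.match(msg)
        if lm:
            ev.update(kind="launch", target=lm.group("target"), args=lm.group("args") or "")
        elif sm:
            # The component name is the source file minus its .cpp suffix.
            comp = src[:-4] if src.endswith(".cpp") else src
            ev.update(kind="start", component=comp, version=sm.group("version"), cmd=sm.group("cmd"))
        elif om:
            ev.update(kind="host", os=om.group("os"), arch=om.group("arch"))
        elif ADMIN_RE.match(msg):
            ev.update(kind="priv", can_become_admin=True)
        events.append(ev)
    return events


def launch_chain(events):
    """Executables launched, in order: shows the installer/updater ping-pong."""
    return [e["target"] for e in events if e["kind"] == "launch"]


def component_versions(events):
    """Component -> version string, from the 'Starting vX' lines."""
    return {e["component"]: e["version"] for e in events if e["kind"] == "start"}


def privilege_probes(events):
    """How many times a component checked whether the user can become admin."""
    return sum(1 for e in events if e["kind"] == "priv")


def host_info(events):
    """(os, arch) from the first 'OS Version' line, or None."""
    for e in events:
        if e["kind"] == "host":
            return e["os"], e["arch"]
    return None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("host:", host_info(evs))
    print("versions:", component_versions(evs))
    print("privilege probes:", privilege_probes(evs))
    for target in launch_chain(evs):
        print("launched:", target)
```

On the sample, the launch chain shows the updater being started with `runme`, probing the user's privileges, and then starting the installer again, which is exactly the loop behind the repeated password prompts.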
Payload:
The payload is mainly handled by 'StarfieldInstall.app'. When the user enters the password, the installation continues by sending an HTTP request to the server:
GET /moduleinfo HTTP/1.1
User-Agent: StarfieldInstall/1.0
Host: na.secureserver.net
Accept: *.*
'moduleinfo' is a JSON document that 'StarfieldInstall.app' parses and evaluates. For example, it selects the package list appropriate to the platform, Windows or Mac:
{ "win" :
…
, "mac" :
It also evaluates the installation requirements of each module, for example:
, "mac" :
[ { "file" : "StarfieldInstall.App"
, "version" : 4
, "source" : "starfieldinstall.zip"
, "app" : "*"
, "type" : "util"
, "adminRequired" : false
, "osMin" : [10,4]
}
'StarfieldInstall' checks these requirements from 'moduleinfo' before it downloads, extracts and runs the latest package of each module, which results in the installation of the following:
starfieldinstall.zip
starfieldupdate.zip
fileedittool64.plugin.zip
fileedittool.zip
WBETools14.plugin
wbetools64.zip
copypaste.xpi
zoomext.xpi
offdavhelper_mac4.zip
offdavhelper_mac.zip
offsettings.bundle.zip
wbesettings.bundle.zip
drivemapreconnect.zip
backupstatus.zip
offsync_mac.zip
desktoptools.zip
wbedesktopnotifier.zip
That is 17 files, 4 of which do not require the root password. Note that 'StarfieldUpdate.app' is always running in the background and launches 'StarfieldInstall.app' to perform the following:
- Evaluating the JSON 'moduleinfo' for updates
- Downloading and installing the latest versions
- Discovering which products are installed
- Running privileged shell commands
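To make the manifest logic concrete, here is an added example (not Starfield's own code) that evaluates a 'moduleinfo'-style document the way the text describes: pick the platform's list, honour `osMin`, compare `version` against what is installed, and separate modules that need the admin password from those that do not. The first 'mac' entry mirrors the excerpt above; the other entries reuse file names from the download list but their `version`, `adminRequired` and `osMin` values, and the empty 'win' list, are constructed for illustration. The `safe_source` check is a defensive addition of mine, not a behaviour the post attributes to the installer.

```python
# Added example, not Starfield's own code: evaluate a 'moduleinfo'-style manifest
# the way the post describes it, by platform key, osMin, version and adminRequired.
# The first 'mac' entry mirrors the excerpt in the post. The remaining entries use
# file names from the post's download list, but their version, adminRequired and
# osMin values are constructed for illustration, as is the empty 'win' list.
import json

SAMPLE_MODULEINFO = """
{ "win" : [ ]
, "mac" :
  [ { "file" : "StarfieldInstall.App"
    , "version" : 4
    , "source" : "starfieldinstall.zip"
    , "app" : "*"
    , "type" : "util"
    , "adminRequired" : false
    , "osMin" : [10,4]
    }
  , { "file" : "starfieldupdate.app", "version" : 3, "source" : "starfieldupdate.zip"
    , "app" : "*", "type" : "util", "adminRequired" : false, "osMin" : [10,4] }
  , { "file" : "fileedittool64.plugin", "version" : 2, "source" : "fileedittool64.plugin.zip"
    , "app" : "*", "type" : "plugin", "adminRequired" : true, "osMin" : [10,6] }
  , { "file" : "offsync_mac", "version" : 1, "source" : "offsync_mac.zip"
    , "app" : "*", "type" : "service", "adminRequired" : true, "osMin" : [10,7] }
  ]
}
"""


def parse_os_version(text):
    """'10.6' -> (10, 6), matching the 'OS Version 10.6 x86' log line."""
    return tuple(int(part) for part in text.split("."))


def os_satisfies(os_version, os_min):
    """True when the running OS is at least osMin; compare only the parts osMin lists."""
    os_min = tuple(os_min)
    head = tuple(os_version[:len(os_min)])
    # Pad a short OS version with zeros so (10,) vs (10,4) compares sanely.
    head = head + (0,) * (len(os_min) - len(head))
    return head >= os_min


def safe_source(name):
    """Defensive check (mine): a server-controlled file name must not steer the download path."""
    return bool(name) and "/" not in name and "\\" not in name and ".." not in name


def evaluate_module(mod, os_version, installed, user_is_admin):
    """Decide one module: 'reject', 'skip-os', 'up-to-date', 'needs-admin' or 'install'."""
    if not safe_source(mod.get("source", "")):
        return "reject"
    if not os_satisfies(os_version, mod.get("osMin", [])):
        return "skip-os"
    if installed.get(mod["file"], -1) >= mod["version"]:
        return "up-to-date"
    # adminRequired modules are what the repeated password prompt is for:
    # without the password they stay queued rather than installed.
    if mod.get("adminRequired", False) and not user_is_admin:
        return "needs-admin"
    return "install"


def plan(manifest_text, platform, os_version, installed, user_is_admin):
    """Group every module of the platform's list by the decision taken for it."""
    data = json.loads(manifest_text)
    buckets = {"install": [], "needs-admin": [], "skip-os": [], "up-to-date": [], "reject": []}
    for mod in data.get(platform, []):
        buckets[evaluate_module(mod, os_version, installed, user_is_admin)].append(mod["source"])
    return buckets


if __name__ == "__main__":
    # First run on the machine from the log: OS 10.6, nothing installed, no password yet.
    first = plan(SAMPLE_MODULEINFO, "mac", parse_os_version("10.6"), {}, user_is_admin=False)
    for bucket, sources in first.items():
        print(f"{bucket:11s} {', '.join(sources) or '-'}")
```

The 'needs-admin' bucket is the part that cannot proceed until the user types the password, which is why the updater keeps re-launching the installer: every run re-evaluates the manifest and finds the same queued modules. The `installed` mapping is what the "discovery of products installed" step has to produce for the version comparison to work.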
It installs two Firefox extensions and plugins, which are persistent: you cannot simply click 'Uninstall' to remove them. In Firefox, open Tools > Add-ons to view the installed Extensions and Plugins, as shown below:

Another notable process it creates is 'OffSyncService', which is also always running in the background.
In conclusion, this is a nasty and abusive application: it performs remotely directed activity and installs unwanted plugins and applications without user consent. It is bloatware and a backdoor.