
A Deeper Look On MacSweeper

Do you think MacSweeper is not a rogue application? OK, let’s take a deeper look and see what it actually does.

::::::::::::
File Size
::::::::::::

MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes)
MacSweeper.app 2.6 MB (2,563,303 bytes)

:::::::::::::::::
Installation
:::::::::::::::::

Like other rogue applications, MacSweeper relies on deceptive sales and marketing techniques to get onto users’ systems. It has no capability to propagate or spread by itself; instead it arrives through an ad that redirects users to a bogus webpage.


Behind this page is a SWF Flash file and JavaScript that records the traffic and clicks.

After a fake scanning animation, the bogus website displays an alert box.

The “Ignore” and “Remove” buttons are useless: the page simply displays another message box, and this time the user has no option but to click “OK”. Check the screenshot here.

Clicking “OK” triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application, MacSweeper.app.

MacSweeper does not require the root or admin password to execute, and it stays in the Downloads folder unless the user manually drags it to another location.

::::::::::::::
Network
::::::::::::::

Lookup information for http://www.macsweeper.com:

http://www.macsweeper.com.    A    217.20.175.39
ns1.vici.au                   NS   217.20.175.157
ns2.vici.au                   NS   217.20.182.29
alt1.aspmx.l.google.com       MX   209.85.147.27
alt2.aspmx.l.google.com       MX   64.233.185.27
aspmx.l.google.com            MX   66.249.93.27


The screenshot shows that MacSweeper.com, Cleanator.com, Clenator.com and Kivvisoftware.com share the same name server IP address.

Cleanator is a rogue application that runs on the Windows platform.

:::::::::::::::::::::::::::::::
Behaviour & Analysis
:::::::::::::::::::::::::::::::

Most of the files inside MacSweeper.app are image files (in PNG format). Let’s check the other files …

PkgInfo contains the string “APPL????”

Database.plist contains 6390 cookie entries that look like this:

Cookie
YMR6LmFmdGVyZGF3bi5uZXQ

TODO.txt contains the developers’ to-do list, including the application’s current limitations, bugs and planned features. An interesting item from this text file is:

“18. When update in process arert of new version can come, and fuck everithing”

You may check the complete list here.

Info.plist contains the following strings:

Identifier: com.KIVViSoftware.MacSweeper
Package Type: APPL
Executable: MacSweeper

The file MacSweeper inside the MacOS folder is a binary in universal binary format, which means it can run on both PPC and x86.

From the screenshot above, you would think that this application has scanned your system for unwanted files. However, in the background MacSweeper executes the following shell commands (“%@” is an Objective-C format placeholder that the application fills in with the path to scan):

find "%@" ! -empty -and -type f > /private/tmp/com.MacSweeper.found.tmp;
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;
exit;

A second command string thins a universal binary down to a single architecture with lipo and overwrites the original in place:

lipo "%@" -thin %@ -output "%@.lipo" && mv -f "%@.lipo" "%@";

During the scanning process, it drops the following temporary files:

/private/tmp/com.MacSweeper.found.tmp
/private/tmp/com.MacSweeper.found2.tmp

It then uses these files to display the scan result. This application does not scan for unwanted files at all; the first command lists every non-empty regular file under the chosen path, and the second keeps only those that `file` identifies as universal binaries. What you are shown is simply a list of legitimate software installed on your system.
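As an added example (not code from the post or from MacSweeper itself), the following Python parses the Mach-O fat header that `file` reports as a “universal binary” and reproduces the selection step of the pipeline above over constructed in-memory files, so you can see that the “scan result” is nothing more than the list of fat binaries and the architectures they carry. The file paths and contents are constructed samples.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # big-endian magic of a Mach-O universal (fat) binary
# cputype values from <mach/machine.h>; 0x01000000 is the 64-bit ABI flag
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64"}

def fat_architectures(data: bytes):
    """Architecture names in a fat header, or [] if this is not a fat binary."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    # Java .class files share the CAFEBABE magic but store the class-file
    # version (>= 45) where nfat_arch sits; a real fat header has few slices.
    if magic != FAT_MAGIC or not 0 < nfat < 20:
        return []
    archs = []
    for i in range(nfat):
        off = 8 + i * 20  # sizeof(struct fat_arch) == 20
        if off + 20 > len(data):
            return []  # truncated header: not a well-formed fat binary
        cputype = struct.unpack(">IIIII", data[off:off + 20])[0]
        archs.append(CPU_NAMES.get(cputype, "cputype_%d" % cputype))
    return archs

def scan_files(files):
    """Same selection as MacSweeper's pipeline: non-empty files that are
    universal binaries, mapped to the slices they contain."""
    found = {}
    for path, content in files.items():
        archs = fat_architectures(content) if content else []
        if archs:
            found[path] = archs
    return found

def make_fat(cputypes):
    """Build a minimal fat header (constructed sample, no real code slices)."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for n, ct in enumerate(cputypes):
        header += struct.pack(">IIIII", ct, 0, 4096 * (n + 1), 1000, 12)
    return header + b"\0" * 64

# Constructed sample files; the paths are hypothetical
SAMPLE_FILES = {
    "/Applications/Foo.app/Contents/MacOS/Foo": make_fat([18, 7]),  # ppc + i386
    "/Applications/Bar.app/Contents/MacOS/Bar": b"\xce\xfa\xed\xfe" + b"\0" * 64,  # thin i386 Mach-O
    "/Applications/Baz.app/Contents/Resources/empty": b"",
    "/tmp/Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",  # Java class file, major 52
}
```

Calling `scan_files(SAMPLE_FILES)` returns only the Foo binary with its `ppc` and `i386` slices; the thin binary, the empty file and the Java class are left out, exactly as the `grep 'universal binary'` filter would leave them out.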

And it does not end here: a few minutes after displaying the scan result, it shows a nagging screen as shown below:

What! A privacy violation with your own legitimate files? Absolutely not right.

From the code, this application unlocks more features and displays the message below once the user enters a valid serial code:

Thank You! You made me a bit hapier 🙂

Definitely, this application is not just a rogue but also junkware.

  1. AngelO.
    January 18, 2008 at 4:24 pm

    This comment has been removed because it linked to malicious content.

  2. smoothy
    January 18, 2008 at 5:27 pm

    @angelo:

    You guys are complete failures. You can’t write decent software, and you obviously don’t have a clue about marketing because nobody believes your bullshit excuses.

    Let’s face it — software development just isn’t your thing. I suggest you consider a change of career.

  3. AngelO.
    January 18, 2008 at 6:15 pm

    // nobody believes your bullshit excuses
    All that news was before our “excuses”

    //Let’s face it — software development just isn’t your thing. I suggest you considered a change of career.

    Google: 109,000 results for macsweeper. Not bad for two people, in only one month! ? I would love to see only good news, but unfortunately life is difficult. Give us some time and we will correct most of the terrible mistakes we have made!

    We adore the Mac platform, and we are creative enough to write glorious software for it!

  4. smoothy
    January 18, 2008 at 6:43 pm

    > We adore the Mac platform, and we are creative
    > enough to write glorious software for it!

    Yeah, right.

    In your dreams.

  5. Methusela Cebrian Ferrer
    January 18, 2008 at 11:55 pm

    A rogue is not malware (it is not a trojan, backdoor, adware, spyware or a virus); it is simply unreliable, cannot be trusted and is dubious in nature. Its misleading words and information exploit vulnerable or confused users into taking damaging actions on their own systems.

    You don’t actually scan for unwanted files; instead you scan legitimate applications and tag them as a “Privacy Violation”. If you understand, this is a 100% false positive, and a serious security company should know this.

    These types of applications are also called junkware or crapware: something that looks useful but isn’t.

    In this industry, trust is not given; it is something you really need to work hard for.

  6. AngelO.
    January 19, 2008 at 8:45 am

    //You don’t actually scan for unwanted files, instead you are scanning a legitimate applications and tagged them as “Privacy Violation”.

    “Privacy Violations” – yes, that was too much. But we really are scanning for files that can be harmlessly removed, for example dozens of languages in different applications, or fat binaries with Intel and PPC architectures.
    Do you really need them?

    //This types of application/software are also called Junkware or crapware. It is something that looks useful but it’s not.

    Unfortunately we are not the last ones who will use these tactics. But others won’t ask for public excuses!
    And even most “Security” (junkware antivirus) software is made to make money by “protecting” people from nonexistent problems! Just look at these:

    Affected operating systems: Windows,
    http://www.sophos.com/security/analyses/macsweeper.html

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-011613-5206-99&tabid=3

    http://vil.nai.com/vil/content/v_143952.htm

    :)))

    These companies are cheating users no better than we did! Do you really think that they found some virus or spyware there? 🙂

    If you really want to remove MacSweeper, you just need to move these files to the Trash:
    1) MacSweeper.app (check if MacSweeperDaemon is running)
    2) ~/Library/Contextual\ Menu\ Items/MacSweeperCMI.plugin

    3) ~/Library/Preferences/com.KIVViSoftware.MacSweeper.plist

    That’s it!

    //In this industry, Trust is not given but it is something that you really need to work hard.
    Good words! Thanks!

  7. AngelO.
    January 20, 2008 at 3:59 pm

    The Mac community has taught us a lesson that we will never forget.
    We worked hard to correct our mistakes, and we promise you will never see “junk” software from our company anymore!
    Meet the new MacSweeper at http://macsweeper.com

    As we promised, we are giving away 1000 licenses of MacSweeper for free, and even more!

    Our activation algorithm is based on the short user name. So the easiest method to get it and to generate a serial number for it is to press purchase from within the program.

    We also considered our pricing policy. You will be able to purchase MacSweeper for as low as $15.

    Thank you all for this lesson! I hope it will reflect the same way on other junkware that tries to harm our lovely Mac platform and its users!

    You can post your thoughts on our support forum
    http://forum.macsweeper.com

  8. SMK
    January 24, 2008 at 4:32 pm

    About trimming binaries: some apps don’t care and some do. Size matters in schools when you are trying to save disk images that need to be copied to thousands of computers, so believe me, we trim where we can. I had thought that universal binaries were separable, but that turns out not to be the case. I believe some apps are built with hooks to info in the other binary. For example, split the Airport Admin app and try to manage all the Airport flavors – it just stops working.

    Trimming languages, on the other hand, has been around for a long time. See http://www.bombich.com/software/local.html

  9. Webmaster
    April 19, 2008 at 8:14 pm

    So, how to get rid of it?

  10. AngelO.
    April 19, 2008 at 10:59 pm

    You just need to exit MacSweeperDaemon (the small trash icon in your tray bar). Then you will be able to move MacSweeper to the Trash.

  11. April 15, 2009 at 4:25 pm

    The topic is quite trendy on the Internet at the moment. What do you pay attention to while choosing what to write about?
