adware goes old school with cron job
I’ve been wondering for a while now why we see so much adware persisting with nothing much other than easily detected Launch Agents when there’s a variety of other methods available on macOS. Some of those require privileges, like this little known one, but others do not.
Thanks to a DetectX user’s quick reporting, I was able to spot a known offender making good use of the venerable old crontab routine. Set to run on the 4th minute, every second hour, the job fires an executable lurking in the user’s Application Support folder.
A quick look on Google’s VirusTotal confirms what we expected:
Although cron jobs are easy to spot if you go looking for them, this one would probably have stayed hidden away for a while longer if it hadn’t been for the speedy reporting of the user.
DetectX will now find this particular miscreant in its normal search routine, but if you want to check for others, run the
Report a Problem to Sqwarq Support function in the Help menu. We’re happy to look through the logs that creates on your Desktop for you, or if you like delving into this kind of thing, check out the
DetectX_Swift.Processes.txt file in the logs and search down for where it says ‘User Crontab’ as indicated in the screenshot at the top of this post. If you find anything there that you didn’t put in yourself, it warrants further investigation. Feel free to contact us at Sqwarq support if you need help with that.
Stay safe, folks! 🙂
Posted on March 8, 2018, in Security, Sqwarq and tagged adware, booking, cron, mughthesec, sorimbrsec. Bookmark the permalink. Comments Off on adware goes old school with cron job.