2016-11-08, Tuesday: MPlayerX malware, posted by compn. MPlayerX (a fork of MPlayer for OS X) was found to have malware bundled with its installer. More information can be found on the Malwarebytes blog. MPlayerX is armed by FFmpeg and MPlayer, which means it could handle any media format in the world without extra plug-ins or codec packages. MPlayerX has been around for over 2 years. With its adware installer, adware, analysis avoidance behavior, and other PUPs, calling it a PUP is a no-brainer.
The multimedia player with the new eye-candy fashion.
• Play almost any format of file or stream.
• Multi-touch. Control the player with your fingers.
• Intelligently detecting the encoding of the subtitles. No need for encoding conversion.
• Direct pass through. Connect, play, enjoy your home theater.
• Multi-monitor support. Wanna work while watching your collection? Just drag and F.
• Apple Remote support. Watch your favorites in sofa, more comfortable.
• Automatically find the next episode. Enjoy the whole afternoon, with just one click.
• Forget where you stopped playing last time? MPlayerX won't.
MPlayerX began to be associated with malware about two years ago, or possibly even longer. Back in 2014, an emerging piece of adware that soon crossed the line to malicious behavior, called VSearch, was frequently associated with MPlayerX installers. At the time, many people assumed that MPlayerX was being used in the same manner that Adobe Flash Player often is – innocent software used to trick people into running a shady installer. MPlayerX began to be so synonymous with the VSearch adware that Google searches for “MPlayerX” began to show prominently-featured hits for “MPlayerX removal.” Worse, it eventually became apparent that MPlayerX was not simply an innocent victim. In early 2015, MPlayerX wasn’t being distributed with VSearch anymore. Unfortunately, this didn’t turn out to be good news, as it was soon discovered that the official MPlayerX installer, downloaded directly from the MPlayerX website, had started to include the IronCore adware. The bad behavior didn’t stop there, however.
The official MPlayerX installer! Malware will frequently exhibit analysis avoidance behavior. This means that if it feels that it is being analyzed by a security researcher or automated security software, it will act innocent, showing none of its malicious behaviors.
Thus, if a researcher or tool is not aware that the program is malicious, it avoids sending up any red flags that would trigger a more thorough analysis. The most common method of analysis avoidance that malware uses is to detect whether it is running within a virtual machine – in other words, a full system running entirely within a piece of software.
For example, a researcher may install Mac OS X within a virtual machine run by a program like Parallels, VMware, or VirtualBox. Using a virtual machine is a good way to keep the malware isolated from a real system, so that the infection is easier to contain. The MPlayerX installer, it turned out, was doing exactly that. When run in a virtual machine, it installed nothing but MPlayerX.
When opened on a “real” system, however, it would install the IronCore adware, as well as (at that time) the junk apps MacKeeper and ZipCloud. Recently, we decided to re-evaluate MPlayerX for possible detection as a PUP (potentially unwanted program). Sure enough, although the installer had been updated, it still exhibited the same analysis avoidance behavior, this time installing IronCore, MacKeeper, and MegaBackup. The following video shows the MPlayerX installer being downloaded from the official MPlayerX site and being installed twice. The first time, it is installed in a Parallels virtual machine running Mac OS X 10.11 (El Capitan), and it installs nothing but MPlayerX (or, more accurately, installs an MPlayerX installer that you still have to run to install MPlayerX). The second time shows the same process, in the same virtual machine – with some modifications to the virtual machine to defeat the technique MPlayerX uses to detect it.
Thus, MPlayerX can’t detect that it’s running in a virtual machine, and thinks it’s on a real system, in the second case, at which time it dumps its nasty payload of crap. The bundling of MPlayerX into an adware installer, alongside adware and other PUPs, is reason enough to consider it to be a PUP according to our. The addition of malware-like analysis avoidance behavior makes the decision to call MPlayerX a PUP a no-brainer. Further, because we feel that this malware-like behavior shows that the developer of MPlayerX is not trustworthy, we detect the Mac App Store version of MPlayerX to be a PUP as well.
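The two-run comparison described above (stock VM versus a VM hardened to defeat the installer's VM check) can be automated as a differential analysis of what each run drops on disk. The example below is added here and is not code from the post or from Malwarebytes; its log lines are constructed in a simple 'time op path' format, the IronCore path is a labelled placeholder, and the PUP names come only from the text above.

```python
"""Differential install analysis for an installer suspected of analysis
avoidance: run it once in a stock VM and once in a VM hardened to defeat VM
detection, record file-system writes, and report what is dropped only when
the VM check fails. Log lines are constructed ('time op path'), not captured
output from the real installer."""
import re

# Constructed traces (not real captures). The hardened run mirrors what the
# post describes: MPlayerX plus IronCore, MacKeeper and MegaBackup.
STOCK_VM_LOG = """\
10:01:02 mkdir /Applications/MPlayerX.app
10:01:03 write /Applications/MPlayerX.app/Contents/Info.plist
10:01:04 read  /Applications/MPlayerX.app/Contents/Info.plist
"""
HARDENED_VM_LOG = """\
10:05:02 mkdir /Applications/MPlayerX.app
10:05:03 write /Applications/MPlayerX.app/Contents/Info.plist
10:05:07 mkdir /Applications/MacKeeper.app
10:05:08 mkdir /Applications/MegaBackup.app
10:05:09 write /Library/Application Support/IronCore-placeholder/agent.plist
"""
WRITE_OPS = {"mkdir", "write"}
LINE = re.compile(r"^(\S+)\s+(\w+)\s+(.+)$")
KNOWN_PUPS = ("ironcore", "mackeeper", "megabackup")  # names from the post


def dropped_artifacts(log: str) -> set:
    """Top-level artifacts created or written during one run."""
    found = set()
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) not in WRITE_OPS:
            continue
        path = m.group(3).strip()
        # Collapse anything inside an .app bundle to the bundle itself.
        bundle = re.match(r"^(.*?\.app)(/|$)", path)
        found.add(bundle.group(1) if bundle else path)
    return found


def analyze(stock_log: str = STOCK_VM_LOG, hardened_log: str = HARDENED_VM_LOG) -> dict:
    stock, hardened = dropped_artifacts(stock_log), dropped_artifacts(hardened_log)
    conditional = hardened - stock  # dropped only when the VM check fails
    findings = {}
    for path in sorted(conditional):
        tag = next((n for n in KNOWN_PUPS if n in path.lower()), None)
        findings[path] = f"known PUP: {tag}" if tag else "unknown conditional drop"
    return {"analysis_avoidance": bool(conditional), "conditional": findings}
```

An empty `conditional` set means both runs dropped the same artifacts, which is the behaviour an installer without VM-based evasion should show.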
Malwarebytes detects any version of MPlayerX as PUP.MPlayerX.