Adware blocking AdwareMedic downloads!

Last week, I began to receive a series of reports from people that the Download button on the AdwareMedic site wasn’t working. First it was just a trickle, then a flood. For some people, the button was redirecting to the MacKeeper website. For others, it was going to a “not found” error page. I knew that the site itself wasn’t doing that, since I wrote every single piece of code on the AdwareMedic site… so what was going on?

It didn’t take long to figure out that this was the work of adware working on the affected machines. The only real question in my mind was: which one? Before I began investigating, though, I fought back. I added information to the AdwareMedic home page about how to handle these redirects, in the form of an alert:

That didn’t work for long, though. I began getting reports that the “What to do if the Download button redirects” link was also redirecting to the MacKeeper site. It seemed like the makers of this adware were responding to every step I took to try to counter my efforts. So I added the direct download link as plain text as well, just to keep them hopping. I also changed my site’s “not found” page to include information on what to do if clicking the Download button ended up on that page.

Soon, the reports from affected users began to point the finger at one particular piece of adware: Downlite (aka VSearch). I eventually found a copy of the Downlite adware that exhibits this behavior, thanks to someone who had been affected by the issue, and installed it in a virtual machine. I found that the behavior had changed yet again, now simply removing my alert entirely:

This was done through JavaScript injected into the browser by the adware, and wasn’t done very smoothly… on loading the page, the alert was visible for a second, then disappeared. I also found that the Download link had been changed yet again, this time to simply point back to the main page, so clicking it would seem to do nothing (and wouldn’t go to the explanatory “not found” page).
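As an added example (not code from the AdwareMedic site or from the original post), here is one way a page could notice the tampering described above: a removed alert, a link sent to another site, or a link pointed back at the main page. The element ids `download-button` and `redirect-alert` are hypothetical; the expected download URL is the direct link given in the post.

```javascript
// Added example, not the AdwareMedic site's code. Element ids are hypothetical.
const EXPECTED = {
  "download-button": "http://www.adwaremedic.com/AdwareMedic.dmg", // link from the post
  "redirect-alert": null, // the alert only has to stay in the page
};

// Compare a rendered-page snapshot ({id: href-or-null}) with what the site served.
function auditLinks(snapshot, base, expected = EXPECTED) {
  const findings = [];
  for (const [id, wantHref] of Object.entries(expected)) {
    if (!(id in snapshot)) {
      findings.push({ id, issue: "removed" }); // element deleted after load
      continue;
    }
    if (wantHref === null) continue; // presence check only
    let got;
    try {
      got = new URL(snapshot[id], base); // resolves relative hrefs, lowercases host
    } catch {
      findings.push({ id, issue: "unparseable" });
      continue;
    }
    const want = new URL(wantHref);
    if (got.origin !== want.origin) {
      findings.push({ id, issue: "offsite", target: got.origin });
    } else if (got.pathname !== want.pathname) {
      findings.push({ id, issue: "retargeted", target: got.pathname });
    }
  }
  return findings;
}

// Browser wiring: re-audit on every DOM change, because the rewrite described
// above landed about a second after the page loaded.
if (typeof document !== "undefined") {
  const audit = () => {
    const snap = {};
    for (const id of Object.keys(EXPECTED)) {
      const el = document.getElementById(id);
      if (el) snap[id] = el.getAttribute("href");
    }
    const findings = auditLinks(snap, document.baseURI);
    if (findings.length) console.warn("page modified after load", findings);
  };
  new MutationObserver(audit).observe(document.documentElement, {
    subtree: true, childList: true, attributes: true, attributeFilter: ["href"],
  });
  audit();
}
```

Script injected into the same page can also remove a check like this, so a finding is a cue to surface the plain-text link, not a guarantee of detection.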

Although this is extremely annoying, and is making some people using Downlite-infected Macs question the legitimacy of my site, I’m taking this as an indication of the success of AdwareMedic. If it weren’t having some impact on Downlite, I doubt they would bother. I’ll continue fighting back with further changes to the site, in order to keep them on their toes.

I’ve also reported this to Apple’s product security team, in hopes that this behavior will be the thing that finally gets Apple to block Downlite via the anti-malware XProtect system in all recent versions of Mac OS X.

In the meantime, for anyone affected by this problem, you can download AdwareMedic directly from here:

http://www.adwaremedic.com/AdwareMedic.dmg

If some future change to Downlite causes even that to stop working on infected Macs, you could download AdwareMedic on a different computer and transfer it via flash drive, or you could restart the infected Mac in safe mode (which will temporarily disable Downlite) and download it then.

Updates

Tuesday, October 28, 2014 @ 3:55 pm EST: Downlite is now blocking the AdwareMedic site entirely:

However, the direct download link still works, as would downloading on another machine or restarting in safe mode.
