Robsav

My iTunes 11.03 generates Adware Installer warning, during Backup of iPad


Hi, I'm on Windows 8 pro with the MCE add-on.

This is the first time installing the latest iTunes, downloaded from Apple, directly onto my new installation of this OS on my PC.

 

Could Apple be adding a hidden ADWARE INSTALLER within the backup file being created?

 

Ad-Aware thinks it is.

 

I have the latest FREE version, 10.5.2.4379 with the latest definitions file.

Could this be a false positive?

 

I can't create a backup of my iPad because Ad-Aware stops the file from being written to the hard drive.

 



Hi Robsav,

 

Thanks for your report.

 

Can I ask you to read the guide for posting false positives then upload the log files that will help me understand what is being detected? The screenshot shows the info about the iPad backup file that contains the Rocketfuel installer, but the log file will contain additional details.

 

You can read the guide here: http://www.lavasoftsupport.com/index.php?/topic/18033-guide-for-posting-false-positives/

 

Thanks!

 

Regards,

 

Andy

Lavasoft Malware Lab


Hi Robsav,

 

Thanks for the uploads - very helpful.

 

Not sure where the detected file came from, but you can read more info about RocketFuel installers here: http://www.vertitechnologygroup.com/rocketfuel-installer

 

For reference, the detected file's SHA256 value is 32e0a07cd835063b4cd63b0c7178e9f779c27394b5e0fa1bdcd3fdea388e4432, if you want to check what data virustotal.com has about the file.

 

You could run a scan with AdAware and allow it to remove the file, add it to the ignore list or uninstall the RocketFuel app from the control panel before running your next backup.

 

Hope this helps.

 

Andy

Lavasoft Malware Lab


Hi Andy, thanks for taking the time to look this over.

 

This never showed up until my installation of iTunes, on my new Win 8 installation.

Ad-Aware was the first anti-Malware program to detect it.

I've had iTunes installed on WinXP OS and no detection of "RocketFuel" ever showed. (was using MS 'Security Essentials', then)

I really like Ad-Aware now, even more than before.

 

I'll try your suggested "fix" of ...

"... or uninstall the RocketFuel app from the control panel before running your next backup. ..."

 

I hope I'll see the entry of it there, to uninstall it. :)

I'll let you know how it all goes, later.

 

Thanks again,

... bye for now.


Hi Andy,

The RocketFuel App isn't showing in my control panel, where it uninstalls programs (Win8).

 

Am I looking in the wrong place on that OS? (I'm new to the Win 8 platform)

 

I feel like a newbie to PC's with this OS. :)

Everything is placed differently from how WinXP had it, but it IS a much better OS than XP was.


Hi Robsav,

 

I guess that Ad-Aware blocked the installer, and then Rocketfuel wasn't installed. Can that be correct?


Hi Robsav, I guess that Ad-Aware blocked the installer, and then Rocketfuel wasn't installed. Can that be correct?

It's possible. ;)

I'm sure Ad-Aware did its job, but I'm curious how, and from where, RocketFuel got mixed in to the backup in the iTunes file.

I still can't back up my iPad because this warning comes up, and I don't want to make Ad-Aware 'ignore' it.

 

Does this new iTunes have it hidden, or was it on my iPad already?

--How do I detect where it is, and get rid of it?

 

Can you ask Andy, or tell me if you can, what the quarantined and log files show, or whether I can get a 'reader' that shows me what's in there?


I'm not a specialist but I think the information in the log file means:

The "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileBackup.exe" program has tried to use the "C:\Users\Thi64\AppData\Roaming\Apple Computer\MobileSync\Backup\66c7223e594755a6fa95de7e96b69709113623c1\Snapshot\d354a33face8f3abaa5ee217b0d91885c2f39060.upload" file.

 

Please, make a full scan of the computer with Ad-Aware. Maybe the installation file is located somewhere else and then the Mobile Sync program wanted to sync it.


Hi :) Yes, I gathered that much, but I meant: did it look like the Apple program put the malware in, or did another source show in the quarantined file?

Is there a program that reads that file, other than a standard HEX reader, giving more detailed info on the meaning of each line, or whatever?

 

I'm running the full scan, as you suggested, and the 'FOUND THREATS' notice came up as soon as Ad-Aware started.

Within minutes it shows 93 found, and it's still running on the C drive.

 

The computer has had some other programs installed, but Ad-Aware never gave a threat notice using those.

This installation of iTunes was the first time seeing it, and ONLY when I tried to create a FIRST backup using the first-time installation of iTunes 11 on the new OS of Win 8.

 

I'm hoping I can find out where it came from, because if it's from Apple iTunes 11, I'm goin' to complain, loudly, to Apple.

But if it came from another installation, could it 'sleep' until some other program uses a function on another device? That doesn't sound likely. Yes? No? :) I'm still waiting for the scan to finish; here's the screen so far, hope that's all there is.

 

 


Hi Robsav,

 

I extracted the detected RocketFuel file from the quarantined file that was uploaded and did some static analysis on it. You can get the analysis output here. Password is infected. The actual detected file is included in the download (extension .VIR) so you can inspect it with a hex editor.

 

Please let me know when you've downloaded so I can delete it.

 

You asked about reading the log file. The log file is an XML file - you can read it by opening it in a browser.

 

You also asked how the file might have arrived on your machine - sorry, I have no idea. Nothing in the log or static analysis output reveals that information.

 

Andy

Lavasoft Malware Lab

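Andy's two posts above give a practitioner two concrete handles on the sample: the SHA-256 he quotes for the detected installer, and the suggestion to pull the quarantined .VIR file apart with a hex editor. The script below is an added example, not Lavasoft or Apple code, showing how one would do that triage offline: hash a file and compare it with the quoted value, identify what kind of file it is from its leading bytes (a Windows PE header, a ZIP/.ipa bundle, a Mach-O binary, an Apple binary plist), and walk a MobileSync-style backup tree to find every file with a given hash. The only value taken from the thread is the SHA-256 constant; the backup directory layout, the file names and the file contents in `demo()` are constructed for the demonstration, and the magic-byte table is the published format signatures, not anything from the page.

```python
"""Triage of a quarantined sample: hash, known-bad comparison, file-type
identification by magic bytes, and locating copies in a backup tree.
Added example; not Lavasoft or Apple code."""
import hashlib
import os
import tempfile

# SHA-256 quoted in the thread for the detected RocketFuel installer.
KNOWN_BAD_SHA256 = "32e0a07cd835063b4cd63b0c7178e9f779c27394b5e0fa1bdcd3fdea388e4432"

# Leading-byte signatures of file types one is likely to meet here. These are
# the documented format magic values, not taken from the forum page.
_MAGIC = [
    (b"MZ", "Windows PE executable (DOS/MZ header)"),
    (b"PK\x03\x04", "ZIP container (e.g. an .ipa app bundle)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (iOS/macOS native binary)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (iOS/macOS native binary)"),
    (b"bplist00", "Apple binary property list"),
    (b"<?xml", "XML text"),
]


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def identify(path):
    """Classify a file by its first bytes; the extension (.VIR, .upload) is
    irrelevant, which is the whole point of looking at the bytes."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, label in _MAGIC:
        if head.startswith(magic):
            return label
    return "unknown (first bytes: %s)" % head[:8].hex()


def find_by_hash(root, wanted_hex):
    """Return every file under root whose SHA-256 equals wanted_hex."""
    wanted = wanted_hex.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if sha256_file(p) == wanted:
                    hits.append(p)
            except OSError:
                continue  # unreadable or vanished file; keep walking
    return sorted(hits)


def demo():
    """Constructed MobileSync-like tree with a planted fake sample.
    Nothing here is real iTunes data; the bytes are made up for the demo."""
    root = tempfile.mkdtemp(prefix="mobilesync_demo_")
    snap = os.path.join(root, "Backup", "0" * 40, "Snapshot")
    os.makedirs(snap)
    # Fake installer: MZ stub followed by a PE marker, padded with zeros.
    fake_installer = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    planted = os.path.join(snap, "a" * 40 + ".upload")
    with open(planted, "wb") as f:
        f.write(fake_installer)
    plist = os.path.join(snap, "b" * 40)
    with open(plist, "wb") as f:
        f.write(b"bplist00" + b"\x00" * 32)
    wanted = hashlib.sha256(fake_installer).hexdigest()
    return {
        "planted": planted,
        "hits": find_by_hash(root, wanted),
        "kind": identify(planted),
        "plist_kind": identify(plist),
        # The constructed bytes are not the real sample, so this is False.
        "matches_thread_hash": sha256_file(planted) == KNOWN_BAD_SHA256,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

To use it against a real machine, call `find_by_hash(r"C:\Users\<you>\AppData\Roaming\Apple Computer\MobileSync\Backup", KNOWN_BAD_SHA256)` and `identify()` on the extracted .VIR file; the hash result is what to paste into virustotal.com, and the magic-byte label tells you immediately whether the object is a Windows executable or an iOS artifact without opening it in a hex editor.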

 

I'm running the full scan, as you suggested, and the 'FOUND THREATS' notice came up as soon as Ad-Aware started.

 

Within minutes it shows 93 found,

Hi Robsav,

 

Since it's so many and so fast, it might be tracking cookies from different web sites. They aren't dangerous for the computer but are removed to protect privacy. But it's impossible to tell before the log file is created at the end of the scan.

 

ONLY when I tried to create a FIRST backup using the first-time installation of iTunes 11 on the new OS of Win 8

That indicates that it wasn't something Apple is responsible for, but a file already on the computer. Can you find out which folders iTunes backed up?


Hi Robsav,

 

Since it's so many and so fast, it might be tracking cookies from different web sites. They aren't dangerous for the computer but are removed to protect privacy. But it's impossible to tell before the log file is created at the end of the scan.

 

 

That indicates that it wasn't something Apple is responsible for, but a file already on the computer. Can you find out which folders iTunes backed up?

 

Hey, C, yes it was tracking cookies. 93 of them, but that still doesn't explain why I still can't do a backup of the iPad with iTunes without the warning coming up and the backup shutting down. I'll try again now with the tracking cookies gone, but I don't think that would make a difference.

 

I'm confused how this happening only now, after a brand new iTunes installation, shows it can't be Apple's program, if the only infected file was the iPad backup. Could it be the iPad may have this RocketFuel Trojan on it?

 

 

Hi Robsav,

 

I extracted the detected RocketFuel file from the quarantined file that was uploaded and did some static analysis on it. You can get the analysis output here. Password is infected. The actual detected file is included in the download (extension .VIR) so you can inspect it with a hex editor.

 

Please let me know when you've downloaded so I can delete it.

 

You asked about reading the log file. The log file is an XML file - you can read it by opening it in a browser.

 

You also asked how the file might have arrived on your machine - sorry, I have no idea. Nothing in the log or static analysis output reveals that information.

 

Andy

Lavasoft Malware Lab

Hi Andy, thanks, I have downloaded the file. Is it safe to open on the PC, or should I use the iPad HEX editor App I have?

I very much appreciate you viewing it so closely. I thought these files reveal their source, but I guess the hackers are better at hiding that now.

 

Should I tell Apple about this? CeciliaB believes it's not their program doing it, but I'm confused by that logic. :)

Is there a program (App) to scan the iPad?

 

It would be VERY nice to have Ad-Aware on the iPad. ;)


Hi H,

 

Nice that the computer wasn't infected. I'm not familiar with iPad and iTunes, but if iTunes only copies information that is on the iPad to the computer, then it should be something on the iPad. Please check your apps on the iPad; maybe there is one that displays ads.

 

You can turn off the real-time protection in Ad-Aware while you backup the iPad.


Hi, yes I have many 'FREE-by-Ads' Apps.

 

I've had them since I've purchased my iPad, and have made backups with iTunes, while Ad-Aware was active, (under WinXP) and the AdWare notification never showed then. That's why this is so strange.

 

I never had to turn off real-time protection to back up the iPad or any other storage-type device, and I'm not sure I want to now, ... until I find where this RocketFuel add-on to the backup file is coming from.

 

If it IS on the iPad, it should be an Apple issue, since THEY control all that can be put on the iPad; someone may have breached that.

 

Is it possible it's still on the Win 8 PC?

I had some Demo program installations, on my Win 8 PC, with Ads displaying too.

I removed those before this event, but could Ad-Aware only see it when an iPad backup is being made, and not see it any other time?

 

This is why I'm still confused. :)


Hi,

 

the AdWare notification never showed then.

Maybe this Rocketfuel installer is a recent addition to the definitions in Ad-Aware.

 

When you have 'FREE-by-Ads' Apps, there's a high probability that one of them contains the Rocketfuel Installer. Note that Ad-Aware doesn't say it's dangerous for the PC/iPad, only that it can install adware (displays ads).

 

 

Is it possible it's still on the Win 8 PC?
I had some Demo program installations, on my Win 8 PC, with Ads displaying too.
I removed those before this event, but could Ad-Aware only see it when an iPad backup is being made, and not see it any other time?

No and no.

I asked you to do a full scan to be sure that it wasn't something dangerous lurking around in the PC.


Hi again, CeciliaB

What I'd really need, is to be able to have Ad-Aware scan the iPad. ;)

Any chance the wizards of LavaSoft can create that link, or iPad App?
(I know... it's not that easy) :) Too bad it's not as easy as having the PC scan it through USB.

Ahh, you're saying Ad-Aware may not have seen it before, when iTunes was used, and it may have been there before the definitions file had that definition.
So it's definitely NOT possible Ad-Aware still isn't fully aware of it when not using iTunes?

Could it be hiding as different-looking code until iTunes uses it? --sorry, I'm just throwing ideas out into the air-- :)


I guess I should tell Apple about this RocketFuel Malware, and have them see if the App developers who used it will remove it.
All you've said, regarding possible sources, points to the iPad as IT.
Do you think Apple would be interested, and should I bother telling them?

I tried again, and sure enough, the file gets quarantined... but I'm leery of ignoring it, or shutting off real-time scanning, because I've had several attempted 'attacks' on my Internet service through the iPad, so I'm worried it may be a second hidden Trojan that may try to get into the computer after I shut off real-time scanning.

 


Hi Robsav,

 

 

Ahh, you're saying Ad-Aware may not have seen it before, when iTunes was used, and it may have been there before the definitions file had that definition.
So it's definitely NOT possible Ad-Aware still isn't fully aware of it when not using iTunes?

Could it be hiding as different-looking code until iTunes uses it?

No and no.

It's an installation file. Since it wants you to use it to install something, it has to be visible. If it were hidden, you would never start it. It's not a rootkit, which is very clever at hiding itself.

 

A program developed for an iPad, with that specific operating system, can't run on a PC with Windows.

 

The discovered file isn't dangerous until you run it. It doesn't harm the computer or the iPad to have the file just being there.

 

I think Apple is fully aware that there are plenty of ad-supported free apps in their store. This isn't more dangerous than the other such apps.


Hi CeciliaB :)

Hi Robsav,

 

No and no.

It's an installation file. Since it wants you to use it to install something, it has to be visible. If it were hidden, you would never start it. It's not a rootkit, which is very clever at hiding itself.

 

I didn't mean hidden from view, rather hidden from looking like a Trojan. I'm glad it's not like a Root-Kit. That's what I may have been thinking of.

A program developed for an iPad, with that specific operating system, can't run in a PC with Windows.

 

The Apps have links through WiFi or USB, but I know what you mean; there are also the developer restrictions not allowing access to another App's 'sandbox', but even that's allowed with some Apps, to view a file or print or move to another App, for example.

 

I'm not a developer, so I can't say how easy or complex it is to write for the Apple devices, but I've seen other Windows-based programs showing up as App 'extensions' of that program on the iPad.

The discovered file isn't dangerous until you run it. It doesn't harm the computer or the iPad to have the file just being there.

 

I think Apple is fully aware that there are plenty of ad-supported free apps in their store. This isn't more dangerous than the other such apps.

I'm happy it's not some nasty virus. That's what I've got Ad-Aware to stop :) Thanks for that.

I did notice when I tried to view the .VIR file on the PC, Ad-Aware kicked in and quarantined the file, so I'll leave that alone for now and let Ad-Aware do its job.

 

Yes, Apple knows some Apps support FREE use thru Ads, but at first, I thought this one was dangerous.

Thanks for letting me know. I thought ones classified as Moderate Threats were concerning, more than Low-Level Threats are.


 

I'm not a developer, so I can't say how easy or complex it is to write for the Apple devices, but I've seen other Windows-based programs showing up as App 'extensions' of that program on the iPad.

The programs have to be adapted for different operating systems, even if they look the same. For example, see http://www.adobe.com/products/catalog/software._sl_id-contentfilter_sl_catalog_sl_software_sl_mostpopular.html and when you click on "Buy" you have to select whether you want to buy the product for Windows or for Mac.

 

I thought ones classified as Moderate Threats were concerning, more than Low-Level Threats are.

Low-Level Threats are cookies, which don't influence the computer at all. The RocketFuel installer might change settings in the browser and display ads; that certainly changes the behaviour of the computer/iPad and is considered more serious than cookies.


Hi, C,

I think you misunderstand me. I meant, an App on the iPad, to read the iPad files and pass the read data to the Windows Ad-Aware via WiFi, or USB, to analyze. This way, the entire program need not be re-coded for each device, and just a simple 'bridging' App is needed.

 

Even if it may not be allowed to delete / quarantine the iPad file, it could be useful to make note of the possibly infected file's existence.

 

But, I'm sure either I'm over simplifying it :) or may still not be understood.

Either way, it's just a thought. I really don't expect any actual App made just because I ask for one. ;)

 

Anyway, I'm going to try the 'ignore' option with backing up my iPad.

If it's not that big a deal, threat-wise.

 

Thanks again for your help. I've taken up too much of your volunteers' valuable time with this.

Bye again, for now.


Hi H,

 

That's an interesting solution :) but I don't know if it can work.

 

It's been a pleasure to try to answer your questions, instead of the usual Ad-Aware questions as "why doesn't my Ad-Aware update" ;)


Hi H,

 

That's an interesting solution :) but I don't know if it can work.

 

It's such a simple method, it may work. :) But I don't know the limits Apple puts on App Development.

It may be something to ask your team about. It would be wild to have something like this for the iPad.

 

It's been a pleasure to try to answer your questions, instead of the usual Ad-Aware questions as "why doesn't my Ad-Aware update" ;)

[In Swedish:] Thank you for all your help every time I ask a question on this website.

 

You are always so professional and sweet to chat with; I'm sorry I can't get you another pizza. ;)

 

I hope my translation is correct :) good night.


Good morning!

 

Thank you for your kind words :blush:

It's not perfect Swedish but good and understandable.

 

Well, Andy is the one that has to check with the development team, since I'm not employed by Lavasoft.


I meant, an App on the iPad, to read the iPad files and pass the read data to the Windows Ad-Aware via WiFi, or USB, to analyze. This way, the entire program need not be re-coded for each device, and just a simple 'bridging' App is needed.

 

Even if it may not be allowed to delete / quarantine the iPad file, it could be useful to make note of the possibly infected file's existence.

 

But, I'm sure either I'm over simplifying it :) or may still not be understood.

Either way, it's just a thought. I really don't expect any actual App made just because I ask for one. ;)

 

Hi Robsav,

 

We have no plans to build anything like this, but I can add it to the ideas list anyway. It may be that enough people would find it useful to make it worthwhile building. Thanks for your suggestion!

 

Regards,

 

Andy

Lavasoft Malware Lab
