Possible Malware: Core Insight Express AI
#36934 11/03/15 01:46 AM
Joined: Sep 2009
deniro Offline OP
core.insightexpressai.com

While I was working on the web site Lyric Wikia, I hit an edit button, a normal oft-used procedure for this site on which you add information about singers, albums, and so on. As I hit the edit button, I think a new window popped up. I must have closed it quickly, I don't know. It all happened so fast, like my browser got redirected. I was able to cut and paste the URL in Google, which led me to information about malware associated with insightexpressai.

I don't know what this means. I'm going to dig around my computer to see if anything looks odd. If anyone has any suggestions I'd appreciate it. I haven't seen anything like this before.

I have more info, but I would like to talk to an experienced person privately. Thanks.

Firefox 39.0.3

Edited to add:
lyrics.wikia.com

Firefox addons:
Adblock Plus
HTTPS Everywhere
1Password
Amazon add-on button
YouTube High Definition

Last edited by deniro; 11/03/15 01:52 AM.
Re: Possible Malware: Core Insight Express AI
deniro #36941 11/03/15 11:03 AM
Joined: Aug 2009
Likes: 1
The Web site at core.insightexpressai.com has been used in the past by advertising malware aimed at Windows computers. It has never, to my knowledge, had a Mac version. It attempts a drive-by download of advertising malware if you're browsing from Windows, but as you're on a Mac, you should be okay.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Possible Malware: Core Insight Express AI
tacit #36958 11/03/15 05:54 PM
Joined: Sep 2009
deniro Offline OP

Last edited by deniro; 11/03/15 05:58 PM.
Re: Possible Malware: Core Insight Express AI
deniro #36960 11/03/15 09:01 PM
Joined: Aug 2009
Likes: 15
PMing is turned off at FTM...has been since day one.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Possible Malware: Core Insight Express AI
artie505 #36963 11/03/15 10:08 PM
Joined: Aug 2009
Likes: 16
Moderator
Originally Posted By: artie505
PMing is turned off at FTM...has been since day one.

That includes the moderators


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Possible Malware: Core Insight Express AI
deniro #36975 11/04/15 03:42 PM
Joined: Aug 2009
Likes: 1
The last link contains these instructions for removing the malware from OS X:

Quote:
Then press return button to hold ‘alt’ on the keyboard and right click on the Finder icon to select Relaunch button. Close the window to browse to C: Windows, delete all executable files identical to systematic ones, such as svchost.exe and winlogon.exe in the sub-directories and remove temp folders under System32.


There seems to be some confusion here, as Mac OS X doesn't have a C:\Windows directory or a System32 directory.

Generally, it seems like this site does two things:

1. On Windows, attempts to download software that causes its ads to pop up.

2. On Macs, attempts to pop up windows that are hard to remove--force quitting and then restarting the browser seems to resolve the issue.

I haven't seen any evidence that it actually downloads malware to Macs, though.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Possible Malware: Core Insight Express AI
joemikeb #36981 11/04/15 05:41 PM
Joined: Sep 2009
deniro Offline OP
If PM is turned off, then someone should delete that choice from the preferences under My Stuff.

Re: Possible Malware: Core Insight Express AI
deniro #37091 11/09/15 12:36 PM
Joined: Aug 2009
Likes: 1
Indeed. Unfortunately, the software doesn't offer a graceful way to do this; it can only be done by hand-editing the PHP code. And those changes disappear every time a new update is installed. :(


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Possible Malware: Core Insight Express AI
tacit #37132 11/12/15 03:12 PM
Joined: Sep 2009
deniro Offline OP
Today I was at YouTube when I was given a pop-up message that my version of Flash was outdated and that I should download the latest version.

Problem is, I didn't have Flash installed. I uninstalled it a long time ago. I still have the uninstaller. After this recent coreinsight hijack, I did a lot of housecleaning, including installing a new version of Firefox, deleting cookies and caches and so on, running Onyx.

Moreover, the Flash update started downloading on its own, and the file name didn't look like the usual Flash update filenames. I've downloaded many of them over the years, as you might expect. For one thing, the file name didn't include a version number and the file itself was downloading quickly, suggesting a smaller file than usual.

I'd also like to say that, despite using AdBlock Plus and having pop-ups blocked in Firefox, I still encounter a lot of pop-ups. I'm on Firefox 39.0.3 because the new versions conflict with my version of 1Password.

I don't know if any of this means anything.

Re: Possible Malware: Core Insight Express AI
deniro #37134 11/12/15 08:38 PM
Joined: Aug 2009
Likes: 4
The latest version of Flash Player is 19.0.0.245, which was released a couple days ago. Go directly to adobe.com to acquire same.

When you install it, just before finishing it asks how you would like to access updates. I always check the box which states never to update automatically. I always go to Adobe independently.

I'm running Adblock Plus (2.6.11) on Firefox 41.0.2 with popups blocked as well and don't encounter popups at all.

Re: Possible Malware: Core Insight Express AI
deniro #37145 11/13/15 01:45 PM
Joined: Aug 2009
Originally Posted By: deniro
For one thing, the file name didn't include a version number and the file itself was downloading quickly, suggesting a smaller file than usual.

That particular part is actually normal. Adobe's been pushing a downloader for quite a while now. You download this little thing, and it checks your computer to figure out what version you have and what updater works best for you, and then it downloads that instead, and runs it. It doesn't even have the common courtesy to download a normal installer, or even to somewhere you can SEE. It downloads to a hidden folder and launches the actual installer automatically.

Makes it a pain to deploy to many computers.


I work for the Department of Redundancy Department
Re: Possible Malware: Core Insight Express AI
grelber #37152 11/13/15 04:51 PM
Joined: Aug 2009
Likes: 8
You can also check for updates and initiate the download process through the Flash Preference in System Preferences.


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: Possible Malware: Core Insight Express AI
Ira L #37165 11/13/15 08:10 PM
Joined: Sep 2009
deniro Offline OP
Seems to be some confusion here.

I didn't have Flash installed because I don't use it anymore. I deleted it a long time ago along with any traces of it, e.g. prefs. I don't want Flash Player and I don't want to download it. I see no point in that.

Nothing should be downloading itself to my computer without my permission or any action from me. I've never been an "automatic update" guy.

One other dubious add-on, which I had enabled, is Clip Converter. Google revealed some people complaining that it downloaded malware.

Edit: Correction. I never deleted every trace of Flash. EasyFind tells me there are all kinds of Flash and Adobe files on my computer, most of which I know nothing about and therefore leave alone.

Maybe I will download a version of Flash and then uninstall it.

Last edited by deniro; 11/13/15 08:16 PM.
Re: Possible Malware: Core Insight Express AI
deniro #37167 11/13/15 09:34 PM
Joined: Aug 2009
Likes: 15
Originally Posted By: deniro
Moreover, the Flash update started downloading on its own....

I dunno if there's such a thing as a maliciously crafted video, but that quoted segment stinks on ice.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Moderated by  alternaut, dianne, MacManiac 
