#36934 - 11/02/15 05:46 PM Possible Malware: Core Insight Express AI
deniro Offline


Registered: 09/09/09
core.insightexpressai.com

While I was working on the web site Lyric Wikia, I hit an edit button, a normal oft-used procedure for this site on which you add information about singers, albums, and so on. As I hit the edit button, I think a new window popped up. I must have closed it quickly, I don't know. It all happened so fast, like my browser got redirected. I was able to cut and paste the URL in Google, which led me to information about malware associated with insightexpressai.

I don't know what this means. I'm going to dig around my computer to see if anything looks odd. If anyone has any suggestions I'd appreciate it. I haven't seen anything like this before.

I have more info, but I would like to talk to an experienced person privately. Thanks.

Firefox 39.0.3

Edited to add:
lyrics.wikia.com

Firefox addons:
Ad Block Plus
HTTPS Everywhere
1 Password
Amazon add-on button
YouTube High Definition


Edited by deniro (11/02/15 05:52 PM)
_________________________
OS X 10.11.6
iMac 21.5", Mid 2011
2.8 GHz Intel Core i7, 24 GB
AMD Radeon HD 6770M
Using Apple computers since 1980

#36941 - 11/03/15 03:03 AM Re: Possible Malware: Core Insight Express AI [Re: deniro]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
The Web site at core.insightexpressai.com has been used in the past by advertising malware aimed at Windows computers. It has never, to my knowledge, had a Mac version. It attempts a drive-by download of advertising malware if you're browsing from Windows, but as you're on a Mac, you should be okay.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#36958 - 11/03/15 09:54 AM Re: Possible Malware: Core Insight Express AI [Re: tacit]
deniro Offline


Registered: 09/09/09


Edited by deniro (11/03/15 09:58 AM)
#36960 - 11/03/15 01:01 PM Re: Possible Malware: Core Insight Express AI [Re: deniro]
artie505 Online


Registered: 08/04/09
PMing is turned off at FTM...has been since day one.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#36963 - 11/03/15 02:08 PM Re: Possible Malware: Core Insight Express AI [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
PMing is turned off at FTM...has been since day one.

That includes the moderators
_________________________
joemikeb • moderator

#36975 - 11/04/15 07:42 AM Re: Possible Malware: Core Insight Express AI [Re: deniro]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
The last link contains these instructions for removing the malware from OS X:

Quote:
Then press return button to hold ‘alt’ on the keyboard and right click on the Finder icon to select Relaunch button. Close the window to browse to C: Windows, delete all executable files identical to systematic ones, such as svchost.exe and winlogon.exe in the sub-directories and remove temp folders under System32.


There seems to be some confusion here, as Mac OS X doesn't have a C:\Windows directory or a System32 directory.

Generally, it seems like this site does two things:

1. On Windows, attempts to download software that causes its ads to pop up.

2. On Macs, attempts to pop up windows that are hard to remove--force quitting and then restarting the browser seems to resolve the issue.

I haven't seen any evidence that it actually downloads malware to Macs, though.
#36981 - 11/04/15 09:41 AM Re: Possible Malware: Core Insight Express AI [Re: joemikeb]
deniro Offline


Registered: 09/09/09
If PM is turned off, then someone should delete that choice from the preferences under My Stuff.
#37091 - 11/09/15 04:36 AM Re: Possible Malware: Core Insight Express AI [Re: deniro]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Indeed. Unfortunately, the software doesn't offer a graceful way to do this; it can only be done by hand-editing the PHP code. And those changes disappear every time a new update is installed. :(
#37132 - 11/12/15 07:12 AM Re: Possible Malware: Core Insight Express AI [Re: tacit]
deniro Offline


Registered: 09/09/09
Today I was at YouTube when I was given a pop-up message that my version of Flash was outdated and that I should download the latest version.

Problem is, I didn't have Flash installed. I uninstalled it a long time ago. I still have the uninstaller. After this recent coreinsight hijack, I did a lot of housecleaning, including installing a new version of Firefox, deleting cookies and caches and so on, running Onyx.

Moreover, the Flash update started downloading on its own, and the file name didn't look like the usual Flash update filenames. I've downloaded many of them over the years, as you might expect. For one thing, the file name didn't include a version number and the file itself was downloading quickly, suggesting a smaller file than usual.

I'd also like to say that, despite using AdBlock Plus and having pop-ups blocked in Firefox, I still encounter a lot of pop-ups. I'm on Firefox 39.0.3 because the new versions conflict with my version of 1Password.

I don't know if any of this means anything.
#37134 - 11/12/15 12:38 PM Re: Possible Malware: Core Insight Express AI [Re: deniro]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
The latest version of Flash Player is 19.0.0.245, which was released a couple days ago. Go directly to adobe.com to acquire same.

When you install it, just before finishing it asks how you would like to access updates. I always check the box which states never to update automatically. I always go to Adobe independently.

I'm running Adblock Plus (2.6.11) on Firefox 41.0.2 with popups blocked as well and don't encounter popups at all.

#37145 - 11/13/15 05:45 AM Re: Possible Malware: Core Insight Express AI [Re: deniro]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: deniro
For one thing, the file name didn't include a version number and the file itself was downloading quickly, suggesting a smaller file than usual.

That particular part is actually normal. Adobe's been pushing a downloader for quite a while now. You download this little thing, and it checks your computer to figure out what version you have and what updater works best for you, and then it downloads that instead, and runs it. It doesn't even have the common courtesy to download a normal installer, or even to somewhere you can SEE. It downloads to a hidden folder and launches the actual installer automatically.

Makes it a pain to deploy to many computers.
_________________________
I work for the Department of Redundancy Department

#37152 - 11/13/15 08:51 AM Re: Possible Malware: Core Insight Express AI [Re: grelber]
Ira L Offline


Registered: 08/13/09
Loc: California
You can also check for updates and initiate the download process through the Flash Preference in System Preferences.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x; iPhones, iPods and iPads galore!

#37165 - 11/13/15 12:10 PM Re: Possible Malware: Core Insight Express AI [Re: Ira L]
deniro Offline


Registered: 09/09/09
Seems to be some confusion here.

I didn't have Flash installed because I don't use it anymore. I deleted it a long time ago along with any traces of it, e.g. prefs. I don't want Flash Player and I don't want to download it. I see no point in that.

Nothing should be downloading itself to my computer without my permission or any action from me. I've never been an "automatic update" guy.

One other dubious add-on, which I had enabled, is Clip Converter. Google revealed some people complaining that it downloaded malware.

Edit: Correction. I never deleted every trace of Flash. EasyFind tells me there are all kinds of Flash and Adobe files on my computer, most of which I know nothing about and therefore leave alone.

Maybe I will download a version of Flash and then uninstall it.


Edited by deniro (11/13/15 12:16 PM)
#37167 - 11/13/15 01:34 PM Re: Possible Malware: Core Insight Express AI [Re: deniro]
artie505 Online


Registered: 08/04/09
Originally Posted By: deniro
Moreover, the Flash update started downloading on its own....

I dunno if there's such a thing as a maliciously crafted video, but that quoted segment stinks on ice.