Mac OS X “Bubble” Malware Browser Infection

I had a curious case of a MacBook Pro which had a browser hijack from what appeared to be some nasty malware.

It was overlaying a small window in the bottom left of every new browser window in both Google Chrome and Safari (both latest versions as of 11/03/2015).

The window usually suggested a Russian bride or a pyramid “investment” advert. The malware was also subverting any links clicked from legitimate pages, returning the request (mostly) but also opening an additional tab to more advertising websites (betting, brides, “investments”, etc.).


Booting the system into a live USB 10.10 environment allowed me to scan the drive with Sophos 9.2.2, which highlighted an infected “Install paint.dmg” file but nothing else.


Having removed that, I began some web searching and came across an informative HowToGeek article: http://www.howtogeek.com/210589/mac-os-x-isn%E2%80%99t-safe-anymore-the-crapware-malware-epidemic-has-begun/

Also some informative results on an Apple Discussions thread: https://discussions.apple.com/thread/6673353

This led me to:

  1. Searching /Library/LaunchAgents/, where I found a “com.bubble.plist”; looking at the file, it was indeed making references to /Library/Application Support/Launch Agents/bubble
  2. I then removed /Library/LaunchAgents/com.bubble.plist and also /Library/Application Support/Launch Agents/bubble
  3. Rebooted the MacBook Pro, and the problem seemed to be resolved! I’m never 100% confident in these areas, but Sophos is happy (it failed to install during the infection but installed happily afterwards).
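The three steps above are a manual launchd persistence triage: find the job file, read which program it launches, remove both. As an added example that is not from the original post, the Python 3 script below does the same sweep across the launchd directories (including the per-user ~/Library/LaunchAgents, which the post did not check) using only the standard-library plistlib, so it also runs from a live-booted system against a mounted volume. It flags any job whose program lives outside a set of trusted path prefixes; that prefix list is an illustrative assumption, not an Apple-published allow-list. The sample plists it writes to a temporary directory (a com.bubble.plist modelled on the one described above, and a hypothetical benign com.example.updater job) are constructed for the demonstration. Rather than deleting anything, it prints the launchctl and rm commands for a human to review.

```python
#!/usr/bin/env python3
"""Triage launchd job files for persistence entries that run programs from
unusual locations, e.g. the com.bubble.plist pointing into Application Support."""
import os
import plistlib
import sys
import tempfile

# Directories launchd reads jobs from: per-user agents, system agents, daemons.
LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Assumption for this example: programs under these prefixes are treated as
# expected. Anything else (e.g. /Library/Application Support/...) is flagged.
TRUSTED_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/bin/", "/sbin/", "/Applications/",
)


def program_path(plist):
    """Return the executable a launchd job runs (Program wins over ProgramArguments)."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(path):
    """Load one job file; 'reasons' is empty when nothing looks off."""
    finding = {"path": path, "label": None, "program": None, "reasons": []}
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)  # handles XML and binary plists
    except Exception as exc:
        finding["reasons"].append("unparseable plist: %s" % exc)
        return finding
    finding["label"] = plist.get("Label")
    prog = program_path(plist)
    finding["program"] = prog
    if prog is None:
        finding["reasons"].append("no Program or ProgramArguments")
    elif not prog.startswith(TRUSTED_PREFIXES):
        finding["reasons"].append("program outside trusted prefixes: %s" % prog)
    if finding["label"] and os.path.basename(path) != finding["label"] + ".plist":
        finding["reasons"].append("Label does not match file name")
    return finding


def triage_dir(directory):
    """Return only the findings with at least one reason, for every .plist in directory."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            finding = triage_plist(os.path.join(directory, name))
            if finding["reasons"]:
                findings.append(finding)
    return findings


def removal_plan(finding):
    """Commands to review by hand. Unloading first stops launchd respawning the job;
    the program path is listed for inspection rather than deleted blindly."""
    cmds = ["sudo launchctl unload -w '%s'" % finding["path"],
            "sudo rm '%s'" % finding["path"]]
    if finding["program"]:
        cmds.append("ls -la '%s'  # inspect, then remove the payload directory" % finding["program"])
    return cmds


def build_sample_dir():
    """Constructed sample data: one plist modelled on the post's com.bubble.plist
    and one hypothetical benign job. Not real files from any system."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    samples = {
        "com.bubble.plist": {
            "Label": "com.bubble",
            "ProgramArguments": ["/Library/Application Support/Launch Agents/bubble"],
            "RunAtLoad": True,
        },
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "StartInterval": 3600,
        },
    }
    for name, plist in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(plist, fh)
    return d


if __name__ == "__main__":
    # Optional first argument: root of a mounted volume to scan offline, e.g. /Volumes/Macintosh HD
    root = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else ""
    for directory in LAUNCHD_DIRS:
        for finding in triage_dir(root + directory):
            print(finding["path"], "->", "; ".join(finding["reasons"]))
            for cmd in removal_plan(finding):
                print("    " + cmd)
```

Run it without arguments on the affected Mac, or pass the mount point of the suspect drive when booted from a live USB. A flagged job is a lead, not a verdict: third-party software legitimately installs agents under its own Application Support folder, so read the plist and check the program's code signature before removing anything.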