Removing Elf Toolbar/Conduit for Mac from Safari

Well…it looks like the Mac is finally getting hit with malware!  I’ve had to remove the “Elf Toolbar” or “Translation Toolbar” aka “Conduit” from a number of Macs in the past few weeks.  Judging by the increasing number of recent forum posts on Apple’s Discussion Boards, it’s spreading fast.  Here’s what it is and more importantly how to remove it.

Background

I was able to track down some of the actual package installer files for Elf and installed it on a machine with a fresh install of Mac OS X 10.6.6.  My testing was performed on that machine.  If you’d like a copy for your own more thorough evaluation, please get in touch with me.  For obvious reasons, I will not be posting it here.

What is Elf?

Elf appears to be plain adware made up of several software components.  Upon running the installer, I was immediately bombarded with the following.

Initial Screen After Installing Elf

Users of the machines that I removed Elf from reported more frequent pop-up advertisements, or even not being able to use the web browser at all.  I didn’t experience this, but I only used my infected test machine for a few hours.  Notice the toolbar right below the address bar.  It is installed with Elf and somewhat “hacked” into the Safari window.  In fact, if Safari was open before you installed Elf, you’d now see two copies of Safari in your Dock.

Another lovely thing that comes with Elf is an “alert” menu bar icon.  This icon only seemed to be present when Safari was open.

Alert Menubar Icon from Elf (Far Right)

To go along with these alerts is an awful (oh, I mean “handy“) alert dialog, complete with a close button on the wrong side of the window.

Elf Alert Dialog

Clicking the icon dropped down a list of choices which displayed websites like the following “Privacy Policy” (not sure I believe it):

Elf Privacy Policy

I also suspected that Elf was messing around with iCal, since the iCal icon looked very strange after installation and the Elf toolbar includes a calendar component.  I couldn’t find any evidence to back that up, but I’m not sure what else would cause what’s pictured below: the iCal icon’s font is different.  After launching iCal, the font was fixed, but the strange font came back on reboot.

Strange iCal Icon Font

How did I get it?

No one I’ve talked to seems to know how it got installed on their system.  Judging from the .pkg files, it looks like they were delivered by a drive-by download, but that alone can’t explain the infection: Elf installs files into areas of your Mac that require administrative access.  This means that at some point you authorized the installation with an administrator username and password!

Update: A commenter suggested people have downloaded this by clicking a fake download link while trying to download Mac software.  This might be a picture of such a fake download link.

Possible Fake Download Link

What does it do?

I used the utility fseventer from fernLightning, together with the contents of the .pkg files I acquired, to track what the installer wrote to the file system.  The files I saw Elf touch are listed in the “uninstall instructions” section below.  The toolbar portion is actually a Conduit product (a “Community Toolbar (ct)”).  I’d imagine the different toolbars could carry different pieces of malcode, but the uninstall steps should be the same since they’re all built on the same product.

Besides the pieces you’ve seen above, the installer adds a scripting addition and a LaunchAgent in /Library/LaunchAgents, which launchd loads into every user’s login session (it is installed system-wide, but it runs as the logged-in user, not as root).  The toolbar itself is actually an InputManager (“one of the simplest and most popular ways to load arbitrary external code into other applications” — cocoadev.com): a bundle the system loads into applications as they launch, which is how the toolbar ends up inside Safari’s own window.  There are good InputManagers (most notably those from Unsanity), but in my experience they routinely cause instability with the OS.

Other than installing a bunch of garbage and occasionally popping up ads, Elf didn’t really seem to do much in my tests.  The Conduit LaunchAgent sat in the background, and if you killed its process, launchd started it right back up (by design; launchd jobs can be flagged to be kept alive).  I did notice outbound connections to various flash game, online radio, and ad websites every time a new Safari window was opened, at least one connection per window.  Using Wireshark, I also saw Google Analytics code being downloaded every so often.  I did not notice any personal information being sent out, though that’s not to say there wasn’t any (again, if you’d like a copy for your own evaluation, let’s get in touch).

How do I get rid of it?  (Uninstall Instructions)

Oddly enough, the program does come with a utility called “uninstall.”  I didn’t try it out until I had manually uninstalled it, though, so I’m not sure what it does.  I didn’t feel like doing another fresh install of OS X to find out.

Here’s what I did to uninstall it.  Run these commands in the Terminal (Applications > Utilities > Terminal), in this order.  As always, be careful with sudo commands.  If you don’t know what you’re doing, ask someone who does.  Quit all programs first to be on the safe side, Safari especially: an InputManager stays loaded inside any application that was running when it was installed until that application is relaunched.

# Per-user files first (no sudo needed). The path contains a space, so it must be quoted.
rm -rf "$HOME/Library/Application Support/Conduit"
# Stop the loader agent before deleting its plist, otherwise launchd keeps it running.
launchctl unload -w -S Aqua /Library/LaunchAgents/com.conduit.loader.agent.plist
# System-wide pieces; these live in directories only administrators can write to.
sudo rm -rf "/Library/Application Support/Conduit"
sudo rm -rf /Library/LaunchAgents/com.conduit.loader.agent.plist
sudo rm -rf /Library/InputManagers/CTLoader
sudo rm -rf /Library/ScriptingAdditions/ct_scripting.osax
sudo rm -rf /Applications/Toolbars

That should do it.  You might want to reboot for good measure afterwards, but you shouldn’t have to.  Remember to always think before authorizing a program with an administrator username and password.  Ask yourself why that particular program needs your password, and don’t provide it if you can’t figure it out.  Never run a program when you don’t know where it came from.  You might also want to turn off Safari’s preference to open “safe” files after downloading.  Remember, no operating system is invulnerable to attack, and you are your own best defense.
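The same removal as a script, added here as an example rather than taken from the original post or from Conduit’s own “uninstall” utility.  It quotes the paths that contain spaces, unloads the agent before deleting its plist, reports what is present before and after, and also lists everything sitting in the load points Elf uses (InputManagers, ScriptingAdditions and LaunchAgents) so that a toolbar shipped under another name still stands out.  The prefix and home arguments, the function names and the --run / --report flags are assumptions of this example so the steps can be rehearsed against a scratch directory; on a real Mac the prefix is empty and home is $HOME.

```shell
#!/bin/sh
# Added example (not from the original post): the post's removal steps as a
# script. The prefix/home arguments are an assumption of this example so it
# can be rehearsed against a scratch directory; use "" and "$HOME" for real.
set -u

# Paths the post identifies as installed by Elf/Conduit, one per line.
conduit_paths() {
    prefix="$1"; home="$2"
    printf '%s\n' \
        "$home/Library/Application Support/Conduit" \
        "$prefix/Library/Application Support/Conduit" \
        "$prefix/Library/LaunchAgents/com.conduit.loader.agent.plist" \
        "$prefix/Library/InputManagers/CTLoader" \
        "$prefix/Library/ScriptingAdditions/ct_scripting.osax" \
        "$prefix/Applications/Toolbars"
}

# Print the Conduit paths that currently exist (no output means clean).
conduit_find() {
    conduit_paths "$1" "$2" | while IFS= read -r p; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Remove every Conduit path that exists. The agent is unloaded first, because
# launchd would otherwise restart its process. sudo is used only where the
# current user cannot delete the item, matching the post's commands.
conduit_cleanup() {
    prefix="$1"; home="$2"
    plist="$prefix/Library/LaunchAgents/com.conduit.loader.agent.plist"
    if [ -z "$prefix" ] && [ -f "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload -w -S Aqua "$plist" || echo "warning: could not unload $plist" >&2
    fi
    conduit_paths "$prefix" "$home" | while IFS= read -r p; do
        [ -e "$p" ] || continue
        if [ -w "$(dirname "$p")" ]; then
            rm -rf "$p"
        else
            sudo rm -rf "$p"
        fi
        echo "removed: $p"
    done
    return 0
}

# List everything installed in the load points Elf uses, so other unwanted
# entries stand out whatever name a toolbar ships under.
load_point_audit() {
    prefix="$1"; home="$2"
    for d in "$prefix/Library/InputManagers" \
             "$prefix/Library/ScriptingAdditions" \
             "$prefix/Library/LaunchAgents" \
             "$home/Library/LaunchAgents"; do
        [ -d "$d" ] || continue
        for entry in "$d"/*; do
            if [ -e "$entry" ]; then printf '%s\n' "$entry"; fi
        done
    done
    return 0
}

# Stand-alone use: "sh remove_conduit.sh --report" only reports,
# "sh remove_conduit.sh --run" removes the files on this Mac.
if [ "${1:-}" = "--run" ]; then
    conduit_cleanup "" "${HOME:-}"
elif [ "${1:-}" = "--report" ]; then
    echo "Conduit files present:";  conduit_find "" "${HOME:-}"
    echo "Load point contents:";    load_point_audit "" "${HOME:-}"
fi
```

Run the --report mode first and read the load point listing: anything there that you did not knowingly install deserves the same scrutiny as the Conduit entries, and the audit is the part of the script that stays useful after this particular toolbar is gone.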

14 thoughts on “Removing Elf Toolbar/Conduit for Mac from Safari”

  1. Hi Greg,
    In trying to download a printer manual, this malware was ‘fronting’ as the manual download. That was the hook. In going through your instructions ran into a couple of problems.
    1. the launchct1 command was not recognized
    2. sudo command would not advance without a password.

    How does that work?

  2. @Sir Duke:
    * Can you provide the brand/model of printer? I’d be interested to know.
    * The command is `launchctl` (lowercase L, not the number one).
    * `sudo` commands require an administrator password, meaning the account on which you run that command must be an administrator account. The password you need to provide is the password for your account. The sudo commands above are removing files from an area of the OS that only administrators may access. You can also navigate to those locations in the Finder and drag the files to the trash (this will cause the Finder to prompt you for an administrator password).

  3. Thanks much for your guidance. This popped up on my wife’s PowerBook, and it’s the first time I’ve ever encountered anything like this on our Macs. You pointed me in the right direction and helped me clean this crap up.

  4. Hey Greg, I’m glad you put this info on this website. I just bought my first Mac yesterday, and I was searching for a program that I could use MSN Messenger on the Mac with. I was searching around the web and I saw some eBuddy program that was supposed to run MSN Messenger on a Mac. I downloaded it and read a little bit into it and it looked original (I always do that because I don’t like downloading stuff to my computer if I don’t know what it is), but because I got a Mac and it is not supposed to get viruses and stuff like that, I was a little confident and I downloaded it, and everything you said in your post happened exactly how you said it. I also didn’t get eBuddy on the Mac, so that was really weird for me. So I started searching to see how I could remove it until I found this post. Honestly I’m glad that the commands you gave worked. I finally gave up searching for the program and erased that Elf thing from my system.

  5. Thanks for sharing your results. I have seen the “Elf toolbar” in action. Following your instructions appears to remove it.

    As far as I can tell from asking the owner of the MacBook, the malware was installed “by mistake” while the user attempted to install the open source SFTP client Cyberduck. She says: “I clicked the large download symbol (bouncing arrow), but the program never installed as expected. However, after a couple of unsuccessful attempts, suddenly a toolbar appeared in Safari. The download symbol I clicked is gone from cyberduck.ch today.”

    I noticed that there is a large box with a Google Adwords Ad on cyberduck.ch just below the valid download links. I suspect that this ad space was used to display a specially crafted advertisement tricking the user into thinking that clicking the ad would install the Cyberduck program. This might explain how the trojan is being distributed.

  6. Thank you, Greg, for your excellent instructions. While Macs are certainly not invincible, I’m grateful for the underlying Unix and the ability to zap this crap using the Terminal. Thanks again! Not only is that crappy bell icon gone from the toolbar, but my 2006 MacBook feels zippy once again.

  7. Thanks so much. Elf was causing one of our Macs here to not finish loading web pages, like it was waiting to download pics or something, so I knew something was causing it. Saw a weird-looking toolbar in Safari, figured out it was Elf and found your post. Script ran perfectly and Elf is no more. Thanks again!

  8. Greg – thanks for your post! I didn’t feel comfortable running the script myself, but your post helped me to explain the issue when I called Apple Support. The support rep was very helpful and removed the toolbar. Here are the instructions he gave me; hopefully this can help people that aren’t comfortable running the script you provided above.

    1) Click on Finder –> Hard Drive (usually “Macintosh HD”) –> Applications Folder –> delete the “Toolbars” folder
    2) Go back in Finder –> click on Library –> Application Support –> delete the “Conduit” folder. (You may be prompted to enter a password to delete – it’s safe to enter a password)
    3) Go back 2 clicks to Library –> InputManagers –> find and delete the folder called “CTLoader” (You may be prompted to enter a password to delete – it’s safe to enter a password)
    4) The Alerts toolbar will still be visible. Restart your computer. Toolbar should be gone after restarting computer.

  9. Hello Greg,
    I’ve just found your site while trying to find out how to rid my Mac of conduit. I don’t really know what I’m doing and I tried to use the terminal application by copying the code you wrote at the bottom of your explanation. I got scared off and then it asked something about a password and something else about using sudo commands causing damage or something.

    Would you be able to advise me how I can get rid of this virus or do I need to take my mac somewhere?

    Thank you.

  10. Hi,
    I am a teacher.
    I was downloading resources from instantdisplay.co.uk.
    I have downloaded many times from here in the past.
    I do remember putting in my password,
    and now have the Conduit and Elf thing, and a bell up on the top bar.
    I am a novice user,
    so am using your instructions to uninstall all this.
    Thank you.
