Warning to Mac Users -Ruby security risk

[Raima]

I just thought I'd share something I discovered.

Last week my 2012 iMac i7 was running slow. I originally thought it was the new VLC update as the mac was running slow when it was running.

I turned off VLC and noticed the text I was typing in web browsers was still lagging. It was almost like it was using ruby to key log and send off the details.

I decided to install little snitch onto the iMac to investigate further and discovered it was using ruby to connect to a malware site I had identified earlier. The site was blocked at my router.

Since blocking ruby in little snitch my mac has returned back to normal.

I'm not sure exactly what it was doing, but if any who has more expertise that could investigate and report back, it could help the community.

 

[Intell]

What site was it trying to connect to?

 

[Raima]

What site was it trying to connect to?

WARNING: I do not advise on clicking on the link below

One of them is - http://72.52.9.108

My router displays the following page

FRITZ!Box
The Internet page is blocked.
The Internet filter is enabled in the FRITZ!Box.
The requested page may not be displayed due to the filter settings.
URL: http://72.52.9.108/
Reason: Access to IP addresses is not permitted

 

[Intell]

There's nothing bad about that site. It's privateinternetaccess.com. A legitmate VPN service that has been reviewed by reputable organizations. It would appear that your router's settings are blocking it because it is trying to access the page via IP address. Something that your router is not setup to allow. A rather strange and not recommend setting at that.

 

[Raima]

Why would ruby need to access that site?

 

[Intell]

Don't know. It's probably because of a third party installation. Maybe a torrent type of thing or something to do with VPNs.