
Luckily, it’s not often that we have to make announcements regarding dangerous malicious software for the Mac. But not often isn’t never, and right now there’s a very nasty piece of spyware attacking Apple’s computer platform. It’s called OSX/OpinionSpy, and it piggybacks in on free screensaver and media conversion software.

Specifically, around 30 screensavers developed by a company called 7art and one app called Mishinc FLV to MP3 carry the spyware, according to security firm Intego. The programs were available on popular sites, like Softpedia, MacUpdate and VersionTracker, though they’ve since been pulled from those locations. MacUpdate told CNET that it had been aware of the problem as far back as March and had acted accordingly.

The spyware app isn’t part of the software itself; instead it is downloaded during the installation of the program the user originally chose. It often masquerades as a market research program called PremierOpinion that tracks browsing and purchasing information, but it can also arrive completely unannounced. The aim of OSX/OpinionSpy is to collect data from files and programs. Here’s a breakdown of a few ways it does its dirty work:

  • Runs as root, allowing complete access, including modification, to all files
  • Scans all accessible files on local and network drives
  • Opens a back door using port 8254
  • Analyzes data transmitted via a LAN connection, allowing a single Mac to collect data from an entire network
  • If the application is killed, it automatically relaunches via launchd, the system-wide OS X service launcher
  • Injects code into Safari, Firefox and iChat without any user authorization or action required, and then copies personal data from these applications. Code is injected into Mac memory, not the actual application’s files, allowing it to go undetected

It can be upgraded via the backdoor access without the user’s knowledge, and just deleting the original program it came in on won’t eliminate the spyware itself. To rid yourself of the infection, if you think you might have it, you should grab ClamXav or iAntiVirus or another trusted Mac malware scanner. Signs that you may be infected include your computer sometimes asking for your name or prompting you to fill out forms and surveys. Also, your computer may stop working correctly and require a reboot.
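A triage check for two of the indicators listed above, added here as an example that is not code from the article, Intego or the spyware: a process listening on TCP 8254, and a launchd job whose label mentions PremierOpinion or OpinionSpy. The lsof and launchctl output embedded in the script is constructed for illustration; the live mode assumes OS X’s `lsof` and `launchctl` commands are on the PATH.

```shell
#!/bin/sh
# Added triage helper, not code from the article, Intego or the spyware.
# It checks two of the indicators listed above: a process listening on
# TCP 8254, and a launchd job whose label mentions PremierOpinion/OpinionSpy.
# Both sample outputs below are constructed for illustration.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE NODE NAME
launchd       1 root   10u  IPv4  TCP *:22 (LISTEN)
PremierOp   512 root    7u  IPv4  TCP *:8254 (LISTEN)'

# Constructed sample of `launchctl list` output (PID, Status, Label).
SAMPLE_LAUNCHCTL='PID Status Label
512 0 com.premieropinion.agent
- 0 com.apple.mdworker'

# Print lsof-style lines with a TCP listener on port 8254.
# Exit status is grep's: 0 if at least one line matched, 1 otherwise.
listeners_on_8254() {
    printf '%s\n' "$1" | grep -E 'TCP [^ ]*:8254 \(LISTEN\)'
}

# Print launchd labels (last column) containing "opinion", case-insensitive.
# Exit status 0 only if something was printed. A legitimate label containing
# that word would also match, so treat a hit as a lead to inspect, not proof.
suspicious_launchd_labels() {
    printf '%s\n' "$1" | awk 'NR > 1 && tolower($NF) ~ /opinion/ { print $NF }' | grep .
}

# Verdict for a pair of outputs: SUSPECT if either indicator is present.
verdict() {
    if listeners_on_8254 "$1" >/dev/null || suspicious_launchd_labels "$2" >/dev/null; then
        echo SUSPECT
    else
        echo CLEAN
    fi
}

# With --live, inspect this Mac (assumes OS X's lsof and launchctl are on PATH);
# otherwise run against the constructed samples.
if [ "${1:-}" = "--live" ]; then
    verdict "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)" "$(launchctl list 2>/dev/null)"
else
    verdict "$SAMPLE_LSOF" "$SAMPLE_LAUNCHCTL"
fi
```

A SUSPECT verdict is a reason to run a trusted scanner such as the ones named above, since the listener and the launchd job are only two of the behaviours Intego describes.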

Intego is using the opportunity to push its anti-virus products, which is only fair given that it’s at least warning people about it, but as always, I recommend sensible downloading and browsing practices before any other means of virus or malware protection. If something seems suspicious, it probably is, and if you find you have no internal means of analyzing what constitutes danger and what doesn’t in terms of online activity, consult with someone who you know definitely does. Finally, if something is free, always exercise extra caution.

  1. CERT Advisory or it didn’t happen.

  2. Strange – checked on the net and NOT ONE site has this so-called Spyware? I would like to download and test it on my system. Why is MacUpdate or Intego acting like a dictator? If I want to test a virus, I should be able to. Viruses are used by over 60% of PC users and it’s unfair that I as a Mac user am denied that same privilege. Why MacUpdate and Intego should deny me free choice is beyond me. Hackers can develop all sorts of things using the Open Source Virus Development tools available and then Intego can make a boat load of money selling crap but they should be able to.

    This is about Free Speech. I want my Mac Virus – where is it?

    Wait a minute – I thought this article was about Flash – I got carried away a bit there!

    1. I dare you to try one of these: http://7art-screensavers.com .

  3. Just curious: How does it gain root access? AFAIK it’s not exactly easy.

    1. From CNET’s coverage, I think it was, it pops up the Mac OS X security framework’s standard password entry dialog. In other words, no privilege escalation; it requires the user’s full knowledge to run as root.

  4. pk de cville Thursday, June 3, 2010

    Who the hell are you talking to?

    “but as always, I recommend sensible downloading and browsing practice before any other means of virus or malware protection.”

    This does not help the 75% of Mac users who have no idea what ‘sensible’ means. See people over 50, under 12, and the computerphobes.

    Surely, you know a few.

  5. Didn’t Steve Jobs mention that Apple got malware from Flurry on their iPhone, iPad, Macs and whatever prototypes…at D8! See how simply Flurry can infiltrate Apple with malware that collects data from users without them knowing…

    So Apple has malware under Steve’s nose…and boy was he furious!

  6. Thanks for the post. And I use Protemac NetMine to protect my Mac.

  7. It would be no surprise if the anti-virus software company mentioned had actually created the nasty little virus to drum-up business for themselves. It’s a dirty tactic which is sometimes used by shameless software authors out there to part fools from their cash.

  8. I use ProteMac NetMine (firewall). It monitors and controls all the Internet and network activity of your computer.
    http://www.protemac.com/netmine/

  9. More and more news regarding Mac security appears these days. It seems no company is safe from viruses and spyware.

  10. Great article. Mac user since 1982. I believe there is a new virus on the scene as of the last two days. Two perfectly good MacBook Pros in my office crashed at the same time and I got the question mark on restart. Inserting the system disk as boot disk and then running the disk utility showed that both Macs had a new startup disk called HD5s1s. The HD5s1s was showing as an MS_DOS disk and was not visible on my desktop. I erased this disk and all seems fine; however, I have noticed that my key strokes are not always accurate, Mail and Safari have crashed often and I am expecting another visit. Still tracking it down as of this writing, I have some leads as both computers had just exchanged about ten files, AND both computers had visited a government law enforcement website. I will post when I find the file.
