Intego warns of new spyware: OSX/OpinionSpy


Intego (http://www.intego.com), a Mac security specialist, has issued a security memo saying it has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.

Here's what Intego has to say about the spyware: OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.

The information provided with some of these applications contains misleading text that users must accept, explaining that a “market research” program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.

The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports. However, this program goes much further, performing a number of insidious actions, which have led Intego to classify it as spyware.

OSX/OpinionSpy performs the following actions:

° This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.

° If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.

° It opens an HTTP backdoor using port 8254.

° It scans all accessible volumes, analyzing files, and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.

° It analyzes packets entering and leaving the infected Mac over a local network, analyzing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.

° It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)

° It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much

° Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location and much more.

° The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.

° In some cases, computers with this spyware installed no longer work correctly after a certain period of time; it is necessary to force-reboot such Macs.

° If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.

As can be seen above, this application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac. Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users’ permission makes this spyware particularly dangerous to users’ privacy.

The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat. In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers, makes this a very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install.

Intego VirusBarrier X5 and X6 detect and eradicate this malware, which they identify as OSX/OpinionSpy, with their threat filters dated May 31, 2010 or later, according to Intego.
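
A triage sketch for two of the behaviours listed above (relaunch via launchd while running as root, and the HTTP listener on port 8254), added here as an example and not taken from Intego's memo or any Intego tool. It assumes the job is a system daemon under /Library/LaunchDaemons, which the memo does not state; every label, path and lsof line in the sample is constructed, and a hit is a candidate for manual review, not a detection.

```python
import plistlib

BACKDOOR_PORT = 8254  # HTTP backdoor port named in the memo

def restartable_root_jobs(plists):
    """plists maps a LaunchDaemons path to raw plist bytes.
    Returns (path, label, program) for jobs launchd restarts and runs as root."""
    hits = []
    for path, raw in sorted(plists.items()):
        try:
            job = plistlib.loads(raw)
            if not isinstance(job, dict):
                raise ValueError("top-level object is not a dictionary")
        except Exception:  # damaged or non-plist file: surface it for review
            hits.append((path, "<unparseable>", None))
            continue
        keep_alive = job.get("KeepAlive", False)  # bool, or a dict of conditions
        runs_as_root = job.get("UserName", "root") == "root"  # daemons default to root
        if keep_alive and runs_as_root:
            args = job.get("ProgramArguments") or [job.get("Program")]
            hits.append((path, job.get("Label"), args[0]))
    return hits

def listeners_on_port(lsof_text, port=BACKDOOR_PORT):
    """Parse `lsof -nP -iTCP -sTCP:LISTEN` text; return (command, pid, user)."""
    found = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[-1] != "(LISTEN)":
            continue
        if f[-2].rsplit(":", 1)[-1] == str(port):  # handles *:8254 and [::1]:8254
            found.append((f[0], int(f[1]), f[2]))
    return found

# Constructed sample input (hypothetical names, not from the memo).
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.agent.plist": plistlib.dumps(
        {"Label": "com.example.agent", "KeepAlive": True,
         "ProgramArguments": ["/Library/Example/agentd", "--quiet"]}),
    "/Library/LaunchDaemons/com.example.web.plist": plistlib.dumps(
        {"Label": "com.example.web", "KeepAlive": True, "UserName": "_www",
         "Program": "/usr/local/bin/webd"}),
    "/Library/LaunchDaemons/com.example.once.plist": plistlib.dumps(
        {"Label": "com.example.once", "RunAtLoad": True,
         "Program": "/usr/local/bin/once"}),
}
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
agentd   412 root   5u   IPv4 0xabc1      0t0  TCP *:8254 (LISTEN)
cupsd    120 root   6u   IPv6 0xabc2      0t0  TCP [::1]:631 (LISTEN)
"""

if __name__ == "__main__":
    print(restartable_root_jobs(SAMPLE_PLISTS), listeners_on_port(SAMPLE_LSOF))
```

On a real Mac, feed the first function the bytes of each file in /Library/LaunchDaemons and the second the output of `lsof -nP -iTCP -sTCP:LISTEN`; many legitimate daemons also use KeepAlive, so check each program path against software you knowingly installed.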

 
All contents are Copyright 1984-2010 by Xplain Corporation. All rights reserved.