Malware: OSX/OpinionSpy Risk: High Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites. This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.
OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.
The information provided with some of these applications contains a misleading text that users must accept explaining that a “market research” program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.
The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports. However, this program goes much further, performing a number of insidious actions, which have led Intego to classify it as spyware.
OSX/OpinionSpy performs the following actions:
This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
It opens an HTTP backdoor using port 8254.
It scans all accessible volumes, analyzing files, and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
It analyzes packets entering and leaving the infected Mac over a local network, analyzing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.
It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)
It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location and much more.
The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
In some cases, computers with this spyware installed no longer work correctly after a certain period of time; it is necessary to force-reboot such Macs.
If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.
As can be seen above, this application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac. Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users’ permission makes this spyware particularly dangerous to users’ privacy.
The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat. In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers, makes this a very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install.
Means of protection: Intego VirusBarrier (also available as part of Intego’s Mac Premium Bundle protection suite) detects and eradicates the OSX/OpinionSpy malware with threat filters dated May 31, 2010 or later.