A recently discovered Mac spyware application targeting Apple Mac OS X users is being distributed inside free Mac applications found on a variety of shareware websites. Researchers from Intego, developers of Internet security and privacy software for Macs, announced their findings in a security alert on June 1, 2010 entitled, “OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications.”
According to the Intego alert the company discovered “a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites. This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.”
Intego provided additional details of the behavior of the spyware application as, “OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.”
OSX/OpinionSpy – Mac OS X Spyware Details
Several aspects of this spyware program are cause for concern for Apple OS X users, starting with the fact that the malware is particularly stealthy: it has no visible interface and is fetched by a legitimate-looking installer rather than shipped inside the downloaded application. Other facets of the OSX/OpinionSpy Mac spyware described by the Intego alert include:
- The malware application has no interface and runs with full rights to access and change any file on the infected user’s computer.
- OSX/OpinionSpy opens an HTTP backdoor which potentially enables the undetected downloading of additional malicious applications.
- The malware scans accessible volumes, analyzing files and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
- It analyzes packets entering and leaving the infected Mac over a local network, analyzing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.
- It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations.
- The OSX/OpinionSpy malware sends data, in encrypted form, to a number of servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
- The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this.
Deleting the original application or screen saver that was used to install the spyware does not remove it: the spyware remains installed and continues to operate, because it is installed separately from the lure application rather than as part of it.
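Because the spyware survives removal of the application that dropped it, the practical check on a Mac is to look for whatever was registered to start on its own, independent of any application bundle. The following is an added example written for this article, not code from Intego or from the page above; the page does not list OpinionSpy's actual file paths or job labels, so the audit below is a generic launchd persistence review and the two plists it builds are constructed sample input with made-up names. It parses each `.plist` in a launchd job directory, pulls the executable from `Program` or `ProgramArguments`, and flags jobs whose binary lives outside a set of trusted prefixes (an assumption to tune per environment), no longer exists on disk, or is set to start automatically.

```python
import os
import plistlib
import tempfile

# Standard launchd job directories on Mac OS X. A job registered here starts
# at boot or login on its own, which is why removing the original installer
# or screen saver leaves the persistence in place.
LAUNCHD_DIRS = (
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Prefixes under which a launchd job's executable is treated as expected.
# This is an assumption for the example; adjust for the environment audited.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def job_executable(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def audit_plist(path, trusted_prefixes=TRUSTED_PREFIXES):
    """Return the reasons one launchd plist looks suspicious (empty = clean)."""
    try:
        with open(path, "rb") as fp:
            job = plistlib.load(fp)
    except Exception as exc:  # malformed or non-plist file is itself notable
        return ["unparseable plist: %s" % exc]
    exe = job_executable(job)
    if exe is None:
        return ["no Program or ProgramArguments"]
    reasons = []
    if not exe.startswith(tuple(trusted_prefixes)):
        reasons.append("executable outside trusted prefixes: %s" % exe)
    if not os.path.exists(exe):
        reasons.append("executable not on disk (dangling job): %s" % exe)
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons


def audit_launchd_dir(directory, trusted_prefixes=TRUSTED_PREFIXES):
    """Audit every .plist in a launchd directory; returns {path: reasons}
    for the flagged jobs only."""
    flagged = {}
    if not os.path.isdir(directory):
        return flagged
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        reasons = audit_plist(path, trusted_prefixes)
        if reasons:
            flagged[path] = reasons
    return flagged


def demo():
    """Write two constructed launchd jobs to a temp dir and audit them.
    Labels and paths are invented for the example, not real OpinionSpy
    artifacts. The benign job's binary is created inside a temp 'trusted'
    directory so the run is deterministic on any OS."""
    tmp = tempfile.mkdtemp()
    bindir = os.path.join(tmp, "trusted_bin")
    os.mkdir(bindir)
    good_exe = os.path.join(bindir, "updater")
    open(good_exe, "w").close()
    jobs = {
        "com.example.benign.plist": {
            "Label": "com.example.benign",
            "ProgramArguments": [good_exe, "--check"],
            "RunAtLoad": True,
        },
        "com.example.dropped.plist": {
            "Label": "com.example.dropped",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/agent"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, job in jobs.items():
        with open(os.path.join(tmp, name), "wb") as fp:
            plistlib.dump(job, fp)
    return audit_launchd_dir(tmp, trusted_prefixes=(bindir + os.sep,))


if __name__ == "__main__":
    for plist, reasons in demo().items():
        print(plist)
        for reason in reasons:
            print("  -", reason)
    # On a real Mac, run audit_launchd_dir(d) for each d in LAUNCHD_DIRS.
```

Run as-is, the demo flags only the constructed `com.example.dropped` job, for all three reasons. On a live Mac OS X system the same functions are pointed at `LAUNCHD_DIRS`; a job that survives in that listing after the lure application has been deleted is exactly the persistence the alert describes, and its `ProgramArguments` path is where to look next.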
ZDNet in its article “Malware Watch: Free Mac OS X screensavers bundled with spyware” noted that:
A Windows variation of this spyware application “is a well known Windows based pest, with a surprisingly high number of people still willing to install it, in order to access the freeware application used as the lure. The risks involved? Excluding the intrusive, spyware-like practices of the application, in 2006, several researchers discovered a remotely exploitable flaw within the application, allowing anyone to perform keylogging and monitoring of active windows content on every host running it.”
“Mac OS X malware is no longer an urban legend, and neither are the remotely exploitable flaws targeting Apple’s OS, or the third party apps/plugins running on it.”
According to the Ars Technica blog in their article “Spyware trojan hitching ride on third-party Mac screensavers”: “The spyware is downloaded and installed by the installers for MishInc FLV To Mp3, as well as a few dozen screensaver modules made by 7art-screensavers. All of these also appear on common Mac OS X shareware sites like MacUpdate and Softpedia.”
Ars Technica goes on to state, “Removing the original application won’t remove the spyware; Intego’s VirusBarrier has been updated to identify and remove it, however. Your safest course of action is to be cautious when installing software from unknown sources. Aside from healthy skepticism, though, an up-to-date malware scanner may be the only tool that can protect you from such spyware that masquerades as legitimate software. As the Mac platform increases in popularity, such malware has the potential to become more widespread.”
Further information is available at the Intego blog, and from a number of other resources including:
The AppleBlog – “Dangerous New Mac Spyware Making the Rounds”
MacWorld Magazine — “Security firm discovers spyware in Mac software”
PC World – “Security Firm Discovers Spyware in Mac Software”
CRN.com “Malicious Spyware Spreads On Mac OS X”