Warning: Windows ‘OpinionSpy’ spyware mutates; Mac version now found in free apps, screen savers

Intego today announced they have discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites. This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.

Intego classifies the risk associated with OSX/OpinionSpy spyware as “high.”

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process.

The information provided with some of these applications contains misleading text, which users must accept, explaining that a “market research” program is installed with them, but not all of these applications specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning. The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports. However, this program goes much further, performing a number of insidious actions, which have led Intego to classify it as spyware.

OSX/OpinionSpy performs the following actions:
• This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
• If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
• It opens an HTTP backdoor using port 8254.
• It scans all accessible volumes, analyzing files and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
• It analyzes packets entering and leaving the infected Mac over a local network, analyzing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.
• It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)
• It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
• Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location and much more.
• The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
• In some cases, computers with this spyware installed no longer work correctly after a certain period of time; it is necessary to force-reboot such Macs.
• If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.
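Two of the traits listed above are checkable from the defender’s side without any vendor tool: a launchd job that is kept alive (so the process comes back whenever it is killed) and a process listening on the backdoor port 8254. The Python script below is an added example written for this article; it is not Intego’s code and not part of the spyware. It parses launchd plists from the standard daemon/agent directories, flags jobs whose name contains the installed application name reported by Intego (PremierOpinion) or that are kept alive from outside Apple’s own paths, and parses the text output of `lsof -i -P -n` for listeners on port 8254. The sample plist, its file path and the sample lsof listing are constructed for illustration, not taken from a real infection.

```python
"""Triage checks for the persistence and backdoor traits described above.

Added example, not Intego's code. Assumptions: launchd jobs are plists in the
standard LaunchDaemons/LaunchAgents directories, and the listener check is fed
the text output of `lsof -i -P -n` (run separately, with sudo if needed).
"""
import plistlib
import re
from pathlib import Path

# Indicators from the article and Intego's list: the installed app name and the
# backdoor port. Name matching is case-insensitive substring matching.
KNOWN_NAME_FRAGMENTS = ("premieropinion", "opinionspy")
BACKDOOR_PORT = 8254

# Jobs in /Library/LaunchDaemons run as root unless the plist sets UserName.
LAUNCHD_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    str(Path.home() / "Library" / "LaunchAgents"),
)

# Where Apple's own launchd jobs live. A kept-alive job from anywhere else is a
# lead, not proof: legitimate third-party software uses KeepAlive as well.
APPLE_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")


def job_command(plist: dict) -> str:
    """Return the command line a launchd job runs, from Program/ProgramArguments."""
    program = plist.get("Program") or ""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    return " ".join(([program] if program else []) + args)


def triage_plist(plist: dict) -> list[str]:
    """Return human-readable findings for one launchd job dict (empty if clean)."""
    findings = []
    label = str(plist.get("Label", ""))
    cmd = job_command(plist)
    haystack = f"{label} {cmd}".lower()
    if any(frag in haystack for frag in KNOWN_NAME_FRAGMENTS):
        findings.append(f"known spyware name in job: {label or cmd}")
    # KeepAlive may be a bool or a dict of conditions; either way launchd
    # relaunches the process when it exits, the behaviour the article describes.
    if plist.get("KeepAlive") and not cmd.startswith(APPLE_PREFIXES):
        findings.append(f"KeepAlive job outside Apple paths: {cmd or '<no command>'}")
    return findings


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Parse every plist in the given directories and collect findings per file."""
    report = {}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for path in sorted(d.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # an unparsable plist here is itself worth a look
                report[str(path)] = [f"could not parse: {exc}"]
                continue
            findings = triage_plist(plist)
            if findings:
                report[str(path)] = findings
    return report


# A listening socket line from `lsof -i -P -n` ends in "<addr>:<port> (LISTEN)".
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*:(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def listeners_on_port(lsof_text: str, port: int = BACKDOOR_PORT) -> list[dict]:
    """Return the processes listening on `port` according to lsof output."""
    hits = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            hits.append({"command": m.group("cmd"), "pid": int(m.group("pid")),
                         "user": m.group("user")})
    return hits


# Constructed sample input (not a real capture): a kept-alive daemon plist and an
# lsof listing as they might look on an infected Mac. The program path is hypothetical.
SAMPLE_PLIST = {
    "Label": "com.example.premieropinion",
    "ProgramArguments": ["/Library/Application Support/PremierOpinion/PremierOpinion"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   22u  IPv6 0xaaa      0t0  TCP *:22 (LISTEN)
PremierOp   412 root    7u  IPv4 0xbbb      0t0  TCP *:8254 (LISTEN)
PremierOp   412 root    9u  IPv4 0xccc      0t0  TCP 10.0.0.5:49152->203.0.113.9:443 (ESTABLISHED)
"""

if __name__ == "__main__":
    print("sample plist:", triage_plist(SAMPLE_PLIST))
    print("sample lsof :", listeners_on_port(SAMPLE_LSOF))
    for path, findings in scan_launchd_dirs().items():  # live scan of this machine
        print(path, findings)
```

Run it as-is to see the constructed sample flagged, then feed `listeners_on_port` the real `lsof -i -P -n` output from a suspect machine; a root-owned process listening on 8254 that is not an Apple binary, combined with a KeepAlive job from the scan, is the pattern the article describes. Because the plist scan reads files rather than querying launchd, it also catches jobs that the spyware’s own uninstaller left behind, which the reader comment about the 7art uninstaller below points to.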

As can be seen above, this application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac. Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users’ permission makes this spyware particularly dangerous to users’ privacy.

The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat. In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers makes this very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install.

Means of protection: Intego VirusBarrier X5 and X6 detect and eradicate this malware, which they identify as OSX/OpinionSpy, with their threat filters dated May 31, 2010 or later.

More info, including a “Preliminary List of Applications that Install OSX/OpinionSpy Spyware,” is available from Intego.

Source: Intego

MacDailyNews Note: Here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs should not be surprised to find their Macs are compromised.

52 Comments

  1. All I read is a SCARE.
    They don’t even mention which software package the spyware is coming with. So they tell you you have a problem & you can BUY their fix.
    Besides that, I’ve had those scanners running when I tried to order a mac online. VirusBarrier f*cked up my browser session & I ended up ordering three macs. Luckily my credit card company blocked this suspicious usage.

  2. More info:

    Intego announced earlier today that the OSX/OpinionSpy spyware has been found in a number of applications and screen savers that are distributed on several web sites. This spyware performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.

    As we said in our initial security alert, the spyware itself is not contained in these applications, but is downloaded during the installation process. The information provided with some of these applications contains a misleading text that users must accept explaining that a “market research” program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.

    The spyware is installed as an application named PremierOpinion.

    Below is a list of the screensavers and applications that we have found so far which install this spyware.

    Screensavers: all these screensavers are made by the same company, 7art-screensavers, and are available from their web site, http://7art-screensavers.com.

    Secret Land ScreenSaver v.2.8
    Color Therapy Clock ScreenSaver v.2.8
    7art Foliage Clock ScreenSaver v.2.8
    Nature Harmony Clock ScreenSaver v.2.8
    Fiesta Clock ScreenSaver v.2.8
    Fractal Sun Clock ScreenSaver v.2.8
    Full Moon Clock ScreenSaver v.2.8
    Sky Flight Clock ScreenSaver v.2.8
    Sunny Bubbles Clock ScreenSaver v.2.9
    Everlasting Flowering Clock ScreenSaver v.2.8
    Magic Forest Clock ScreenSaver v.2.8
    Freezelight Clock ScreenSaver v.2.9
    Precious Stone Clock ScreenSaver v.2.8
    Silver Snow Clock ScreenSaver v.2.8
    Water Color Clock ScreenSaver v.2.8
    Love Dance Clock ScreenSaver v.2.8
    Galaxy Rhythm Clock ScreenSaver v.2.8
    7art Eternal Love Clock ScreenSaver v.2.8
    Fire Element Clock ScreenSaver v.2.8
    Water Element Clock ScreenSaver v.2.8
    Emerald Clock ScreenSaver v.2.8
    Radiating Clock ScreenSaver v.2.8
    Rocket Clock ScreenSaver v.2.8
    Serenity Clock ScreenSaver v.2.8
    Gravity Free Clock ScreenSaver v.2.8
    Crystal Clock ScreenSaver v.2.6
    One World Clock ScreenSaver v.2.8
    Sky Watch ScreenSaver v.2.8
    Lighthouse Clock ScreenSaver v.2.8

    Applications: so far, Intego has only found this spyware in one application:

    MishInc FLV To Mp3, http://www.mishinc.info/mac_flv_to_mp3.php

    Intego is continuing its search for other applications that install this spyware. We will post more information regarding this spyware here as it is uncovered.

  3. I want to know what software this was included with… They make it sound prevalent, but I call BS.

    This is more a trojan, isn’t it? You still have to enter your password to install it. It may spy on you after you install it, but this isn’t going to be spread around like a real virus.

  4. While I don’t doubt the existence of this sort of risk on the Mac, you would think as a valuable public service someone (whether Intego, or some independent party) would at least mention some of the specific software downloads as examples known to contain this malware?

  5. Well, I found the list, but I think it’s still pretty fishy…

    Anyway, I never go to those sites to get my software.
    I buy everything since I got my first mac years ago.
    The only thing I did not pay for was photoshop. I d/l’ed it directly from adobe and modified it to not expire. Luckily, there are much cheaper alternatives around nowadays.

    In the end, there is no patch for human stupidity. Too bad that stupidity now includes installing free screensavers…

  6. And a simple ‘whois 7art-screensavers.com’ shows:

    domain: 7art-screensavers.com
    reg_created: 2002-06-04 09:30:59
    expires: 2012-06-04 13:30:59
    created: 2002-06-04 15:31:00
    changed: 2010-05-18 09:02:00
    ns0: ns1.ev1servers.net
    ns1: ns2.ev1servers.net
    owner-c:
    nic-hdl: AK1130-GANDI
    owner-name: Alex Korsakoff
    organisation: Alex Korsakoff
    person: Alex Korsakoff
    address: P.O.Box 464
    zipcode: 111555
    city: Moscow
    country: Russia
    phone: ~
    fax: ~
    email: 065791b0bb17c205a6097de5d07d81ff-ak1130@contact.gandi.net
    lastupdated: 2007-10-05 10:29:16

  7. Still no one has found a way to produce a self-replicating computer virus for Mac OS X. This malware MUST BE INSTALLED BY THE USER to work. No OS out there prevents user stupidity.

    Know what you are buying/downloading/authenticating.

  8. Gregg said: “Because this may not require user intervention to get onboard it appears to me to be a legitimate MacOSX virus, a first.”

    Oh, but it DOES require user intervention. You must enter an administrator’s name and password to install it. It’s a Trojan.

  9. Wow, this is not news. The reviews on MacUpdate say this:
    Dated 3/12/2010

    WCITYMIKE DO NOT INSTALL OR USE THIS SCREEN SAVER. Upon installation, this screensaver installs a menu extra which phones home with marketing information about your system. If you try to quit this menu extra using tools such as Activity Monitor, the application will restart, because, on installation, this screen saver’s installer also installs a LaunchDaemon whose job it is to make sure that their spyware can’t be quit. While their uninstaller does work (if you take them at their word), it is also deceptively phrased, as (if my memory serves me correctly) the screensaver’s uninstaller uninstalled *merely* the screensaver, leaving the spyware in place; you have to run the SPYWARE’s uninstaller to properly remove yourself of the thing, or take it all out manually.

    In short, there are plenty of other legitimate, non-spyware screen savers you can install should you so desire them. This company’s practices are, in my own opinion, so deceptive as to make sure they never have a place on my computer; I suggest you make the same decision.

  10. More… Just because the installed app loads the malware from a server during the install process doesn’t mean it’s classified as a virus. The bad stuff that got into your computer in the first place is the software that loads the software. THAT is the Trojan, and you installed it into your system when you installed the screensaver, requiring an admin name & pw.

  11. When turning on a new Mac for the first time (or, in some cases, wiping & installing some version of Mac OS X), the Mac OS configuration software will have you enter some personal data (at least your name, or something approaching it), and use that info to create the first user account. As it is the only user account at that point, it has Administrative privileges (not quite root, but close enough).

    The problem is, that is as far as many people take it, and they run their day-to-day operations in an Admin account. As such, without further protections, it is *possible* to have software downloaded and executed without user intervention (although it appears in Leopard & Snow Leopard that Safari will at least ask you if you *really* want to run that program just downloaded from the Internet). This does allow a mechanism for infection with malware. As has been suggested many times in the past, one should create at least one other account whose sole purpose is to do software installs & updates, and make it an Admin account. Only then do you go back and change your original account to a standard user. This goes a long way towards filtering out stuff you shouldn’t install. If you’re doing something in this standard account, and a dialogue box unexpectedly opens asking for an admin username & password, you can bet you should CANCEL the request and not install whatever wants to install. I also set preferences in Safari to not automatically open downloaded files, just for this same reason.

    I’ve been running without malware protection since moving from Mac OS 9 to Mac OS X a long time ago, and never had a problem with any of this.

  12. @Gregg Thurman
    It does require user intervention. You have to install the thing. This is nothing more than a Trojan. Please stop attempting to sensationalize this. It is a key logger trojan disguised within a screen saver.

  13. I must take issue with the MDN “take” on this one. I would consider MacUpdate, VersionTracker and Softpedia reasonably trustworthy websites. Does MDN believe they are not trustworthy?
