Wednesday, June 2, 2010

OSX/OpinionSpy:
Mac's First Illegal Spyware
Part I

--
RISK: HIGH
--


Introduction:

Up to this point in time, Mac OS X has only had 'legal', publicly available 'spyware'. The most common kind has been keyloggers installed by Mac network administrators into client accounts to keep track of what the client user is doing on the computer and on the Internet. You can grab a list of known 'legal' spyware over at the MacScan website. You can also search for them (using the terms 'spyware' and 'keylogger') at any of the shareware sites, such as VersionTracker.com and MacUpdate.com.

Ten years into the life of Mac OS X we now have our very first actual malware version of spyware. And it's a nasty one.

OSX/OpinionSpy:

I seriously doubt OSX/OpinionSpy is going to be the official name of this spyware. Using the current malware naming standard, my best guess is that it will end up being called Trojan.OSX.OpinionSpy.A. But don't quote me. I am calling it a Trojan horse form of spyware because of its method of infection. It requires you, the user, to install it by providing it with your administrator password. Once it has the admin password it can do what it likes, as is typical with the current crop of Mac Trojans. For now, I will stick with the name Intego have given it.

Thanks to Intego's vigilance in detecting and studying malware for the Mac, we now have some reasonable details about this spyware. We know what it does and we know a lot about where it comes from. At the time of this posting, Intego have two articles in their series on OSX/OpinionSpy:

Intego Security Alert: OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications

Further Information about the OSX/OpinionSpy Spyware

NetworkWorld has joined in the research efforts and has come up with a preliminary list of applications that include OSX/OpinionSpy with their installation:

Intego updates Mac users on OSX/OpinionSpy Spyware threat

It might be useful to repeatedly check the article above for further additions to the list. I will also be publishing a continually updating list here in Part II of my own blog series on this malware.


What OSX/OpinionSpy Does:

Read the Intego articles for full details. Below is a very brief summary of what they have discovered:

1) At this time, the infected installers are downloadable from any of the shareware sites as well as from the source developer sites.

2) The download website or the installer may or may not tell you know that the spyware, calling itself a 'market research' program, is included in the installer. If you are warned, obviously don't install the software. I personally cannot abide any form or marketing research data collection on my computers. Sadly, the field of marketing is too full of parasites, aka what I call Marketing Morons (versus beneficial Marketing Mavens) to ever trust your data with anyone.

3) Once the Trojan horse is installed, it takes over your computer with full Root access. At that point it can do anything-at-all to your computer.

4) The basic behavior of OSX/OpinionSpy is that of most spyware applications. It collects masses of data about your computer and sends it off to a collection hub for evaluation and potential distribution to others. This can include all your account IDs and passwords, all your web surfing history, bookmarks, address book data, email addresses, literally everything about you that exists on your computer and on your local network. This is a very thorough method of Phishing you, aka stealing your identity. Plenty of criminals would gladly put your identity to work for nefarious purposes.

HOWEVER, that is not where this spyware stops.

5) It is capable of restarting itself if its process is stopped on your Mac. It is also capable of reinfecting your Mac despite you having deleted any one of the applications it has infected.

6) It opens an HTTP backdoor into your Mac using port 8254.

7) It upgrades itself with new variants of itself, or any other malware it chooses to install. So far one new variant called 'PremierOpinion' has already been discovered.

8) It eats your CPU cycles while it scans your computer files and sends out files and data to the 'bot wrangler' hub. (Typically these hubs are anonymous IRC rooms setup by the bot wrangler).

9) It intercepts and analyzes all data packets coming into and going out of your Mac.

10) It injects code, aka infects itself into the RAM space used by running applications. It also gathers data from application memory space, such as IDs, passwords, credit card numbers, PINs, etc.

11) It occasionally provides an interface for asking users for information it would like to learn, essentially Phishing for your identity via bogus surveys.

12) It is capable of crashing or stopping Macs it has infected, requiring the user to Force-Reboot their computer. Potentially it has corrupted your boot drive.

No doubt, further details about its behavior will be discovered. Considering that this spyware runs with Root authority, you might as well describe it has having botted, zombied or pwned your Mac. This is the worst possible infection situation.


Detection And Prevention:

Intego today provided a 'threat filter' (aka malware signature) update for active versions of VirusBarrier versions 10.5 and 10.6.

As with any Trojan horse, only install software on your Mac that you have verified to be legitimate and malware free. Intego recommend having 'real time scanning' running in their anti-malware application. Another option is to individually scan all application installers you download before you install them. If you fail to use either of these precautions, you should perform a full scan of your Mac.

Using a reverse firewall is also extremely helpful. I use Little Snitch. Intego also include a reverse firewall in VirusBarrier v10.6. In particular, keep an eye out for any application accessing ports 80, 443 and 8254. Personally, I set up a denial rule for 'All Applications' attempting to send data out of port 8254. This is unlikely to entirely block the actions of the spyware, but it can't hurt. This port is very rarely used.

Reverse firewalls also make it easy to scan down a list of applications with rules you have set for accessing your network or the Internet. This can help you identify whether you have some odd or foreign application making connections. If you find one, it is likely useful for you to scan your Mac for all instances of the spyware.

It is also useful to delete mysterious applications from your reverse firewall rules list in order to keep an eye on their further requests for network and Internet access.


Other Anti-Malware applications:

At the moment, only Intego VirusBarrier is able to detect and fully remove this malware. As usual, VirusBarrier is the only commercial anti-malware application I can recommend.

I'm going to keep an eye out for detection and removal by other anti-malware apps. Of the free options it is doubtful that ClamAV (via ClamXav) will detect this malware in the near future. iAntiVirus so far not does detect OSX/OpinionSpy, but I expect they shortly will.

A blog at Sophos describes the experience of running one of the screensaver spyware installers from 7art:

Mac OS X OpinionSpy – same old, same old

In keeping with the chaotic nature of the anti-malware community, Sophos are ignoring the published malware naming standard, calling this malware simply "OpinionSpy". They are also describing it as "monitorware" as opposed to spyware. Yeah, whatever guys.
(o_0)
[Patience requires that I start counting to 10, again...]


Infected Installers:

With time I will be posting a periodically updating list of dangerous installers that will infect your Mac. This will constitute Part II of my blog series on OSX/OpinionSpy. For the moment, the general shortlist is:

A) ANY screensaver installer from 7art-screensavers.com, version 2.6 or above. So far, 29 of their screensavers have been found to be vectors for installing this spyware.

B) The installer for 'MishInc FLV to MP3' available from the MishInc.info website.

I don't know if Intego have contacted VersionTracker or MacUpdate about these dangerous application installers. I will be writing to both of them tomorrow to make certain they know what is going on. If you are a fan of other shareware download sites, please contact them as well.

Stay safe. Stay secure.

:-Derek

1 comment:

  1. thanks for the post. and i use Protemac NetMine for protection my Mac. (protemac.com)

    ReplyDelete