[LINK] Spyware trojan hitching ride on third-party Mac screensavers

Kim Holburn kim at holburn.net
Wed Jun 2 14:50:47 AEST 2010


This is only interesting because there are still so few pieces of
malware for the Mac.

http://arstechnica.com/apple/news/2010/06/spyware-trojan-hitching-ride-on-third-party-mac-screensavers.ars
> Spyware trojan hitching ride on third-party Mac screensavers
> By Chris Foresman | Last updated about 5 hours ago
> Mac security firm Intego has issued a warning about a Mac twist on a  
> two-year-old Windows spyware app that sends a variety of potentially  
> sensitive information to external servers. Dubbed "OSX/OpinionSpy,"  
> the spyware is installed along with a number of widely available  
> third-party Mac OS X screensaver modules, as well as with at least  
> one shareware tool to strip audio tracks from Flash videos.
>
> OSXOpinionSpy, aka PremierOpinion, claims in some cases to be a tool  
> to help collect browsing habits for "market research," while in  
> other cases it installs without any notification. The application  
> runs in the background with root permissions, opening an HTTP  
> backdoor. It scans any attached volumes, sending encrypted  
> information to a number of servers, and can also examine packets  
> coming and going from an infected Mac, potentially grabbing  
> information from other computers on a local network. Finally, it  
> injects code into running versions of Safari, Firefox and iChat,  
> sending a variety of information—e-mail addresses, iChat message  
> headers and URLs, as well as other data—back to command servers.
>
> Intego warns that, given the scope of data that the application  
> collects, it could include a variety of sensitive information. "This  
> data may include personal data, such as user names, passwords,  
> credit card numbers, web browser bookmarks, history and much more,"  
> according to a statement released by Intego.
>
> The spyware is downloaded and installed by the installers for  
> MishInc FLV To Mp3, as well as a few dozen screensaver modules made  
> by 7art-screensavers. All of these also appear on common Mac OS X  
> shareware sites like MacUpdate and Softpedia.
>
> Removing the original application won't remove the spyware; Intego's  
> VirusBarrier has been updated to identify and remove it, however.  
> Your safest course of action is to be cautious when installing  
> software from unknown sources. Aside from healthy skepticism,  
> though, an up-to-date malware scanner may be the only tool that can  
> protect you from such spyware that masquerades as legitimate  
> software. As the Mac platform increases in popularity, such malware  
> has the potential to become more widespread.
>

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request












