Thursday, June 03, 2010

More Mac Malware Found In The Wild

Mac antivirus vendor Intego has issued a warning about a new piece of malware being distributed primarily in freely available screen saver programs. This new spyware application, dubbed OSX/OpinionSpy, can scan files, record user activity and send stolen data to remote servers.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not bundled inside these applications; their installers download it during the installation process, so a scan of the downloaded package alone will not find it. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect the spyware at the moment the original application's installer fetches it.

OSX/OpinionSpy performs the following actions:
  • This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
  • If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
  • It opens an HTTP backdoor using port 8254.
  • It scans all accessible volumes, analyzing files, and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
  • It analyzes packets entering and leaving the infected Mac over a local network, analyzing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.
  • It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. This code injection resembles virus behavior: the malware "infects" applications while they are running in order to carry out its operations. (It modifies the applications' code in the Mac's memory only, and does not alter the applications' files on the hard disk, so an on-disk integrity check of those applications will not reveal it.)
  • It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
  • Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location and much more.
  • The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
  • In some cases, computers with this spyware installed no longer work correctly after a certain period of time; it is necessary to force-reboot such Macs.
  • If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.
The amount and type of data the malware collects makes it a very high-risk piece of spyware. Not only does it collect sensitive data such as user names, passwords and credit card numbers, but it also opens a backdoor that could lead to further attacks and/or more malicious code being injected. While Intego suggests the distribution is limited, the company warns Mac users to pay careful attention to which software they download and install.
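Two of the behaviors above give an administrator something concrete to check for without any vendor signature: a root launchd job that keeps itself alive, and a TCP listener on port 8254. The script below is an added example written for this post, not code from Intego or from the malware; it parses launchd property lists with the standard library's plistlib and parses the output of `lsof -nP -iTCP -sTCP:LISTEN`. The sample plist contents, the job label `com.example.surveyd`, the binary path under /Library/Application Support, the process name `unknownd` and the lsof lines are all constructed for the example; the advisory does not name the malware's files or process.

```python
import plistlib
import re
import subprocess
from pathlib import Path

# Port named in the Intego advisory for the HTTP backdoor.
BACKDOOR_PORT = 8254

# Apple-owned locations. A persistent root job running from anywhere else is
# worth a look; it is not automatically malicious (see the note below).
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")

# Constructed sample plists (hypothetical label and path, not from the advisory).
SAMPLE_PLISTS = {
    "com.example.surveyd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.surveyd</string>
<key>ProgramArguments</key>
<array><string>/Library/Application Support/Example/surveyd</string></array>
<key>KeepAlive</key><true/>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.example</string>
<key>Program</key><string>/usr/libexec/exampled</string>
<key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (process name is hypothetical).
SAMPLE_LSOF = """COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
unknownd  312 root    5u  IPv4 0x3c4d      0t0  TCP *:8254 (LISTEN)
"""


def suspicious_launchd_jobs(plist_blobs):
    """plist_blobs maps file name -> raw plist bytes.

    Returns (label, program) for jobs that launchd would keep running
    (KeepAlive or RunAtLoad) and whose binary lives outside Apple paths.
    """
    findings = []
    for fname, blob in plist_blobs.items():
        job = plistlib.loads(blob)
        program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
        if not program:
            continue
        # KeepAlive may be a bool or a dict of conditions; either keeps the job up.
        persistent = bool(job.get("KeepAlive")) or bool(job.get("RunAtLoad"))
        if persistent and not program.startswith(TRUSTED_PREFIXES):
            findings.append((job.get("Label", fname), program))
    return findings


def listeners_on_port(lsof_output, port=BACKDOOR_PORT):
    """Parse lsof -nP listening sockets; return (command, pid) bound to `port`."""
    hits = []
    for line in lsof_output.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 9:
            continue
        match = re.search(r":(\d+)$", fields[8])  # NAME column, e.g. *:8254
        if match and int(match.group(1)) == port:
            hits.append((fields[0], int(fields[1])))
    return hits


def scan_launch_daemons(directory="/Library/LaunchDaemons"):
    """Read every plist in the system-wide daemon directory (root jobs)."""
    blobs = {p.name: p.read_bytes() for p in Path(directory).glob("*.plist")}
    return suspicious_launchd_jobs(blobs)


if __name__ == "__main__":
    for label, program in scan_launch_daemons():
        print(f"review persistent root job {label}: {program}")
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True, check=False).stdout
    for command, pid in listeners_on_port(out):
        print(f"listener on {BACKDOOR_PORT}: {command} (pid {pid})")
```

Run on the machine as an administrator (lsof needs privileges to see other users' sockets). Many legitimate third-party daemons also install into /Library/LaunchDaemons with KeepAlive set, so the plist check is a triage list to review by hand, not a verdict; the port check is the sharper signal, but only while the backdoor is actually listening.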

Geek-News.Net