Privacy guaranteed - Your email is not shared with anyone.

Welcome to Glock Forum at

Why should YOU join our forums?

  • Reason #1
  • Reason #2
  • Reason #3

Site Description

Free apps install spyware on Macs

Discussion in 'Tech Talk' started by TBO, Jun 1, 2010.

  1. TBO

    TBO Why so serious? CLM

    Free apps install spyware on Macs

    Mac users downloading free screensavers and a video converter app from several popular download sites also got spyware that installs a back door, collects data, and sends encrypted information to remote servers, security company Intego said on Tuesday.

    The high-risk spyware, dubbed OSX/OpinionSpy, was being installed along with nearly 30 screensavers developed by a company called 7art and an app called MishInc FLV to MP3, according to a list compiled by Intego.

    They were found on Softpedia, MacUpdate, and CNET-owned VersionTracker, according to a post on Intego's Mac Security Blog.

    VersionTracker had removed all of the items on the Intego list by late afternoon. A MacUpdate representative said the company disabled the screensavers earlier on Tuesday and had never offered the MishInc converter. "Our users were discussing the software installed alongside the 7art screensavers as far back as March," the company said in an e-mail. Softpedia, 7art, and MishInc publisher Brothersoft did not immediately respond to e-mails seeking comment late on Tuesday.

    The spyware, a Windows version of which has existed since 2008, is not contained in the apps but is downloaded during the installation process. It is often marked as a "market research" program called PremierOpinion that claims to collect browsing and purchasing information for use in market reports, but it can also come with no warning or message, Intego said.

    It's unclear exactly what data is collected and sent to the remote server, but it could include personal information like usernames, passwords, and credit card numbers, the post said.
    Here is what the spyware does:

    -runs as root with full rights to access and change any file on the computer,

    -opens a back door using port 8254,

    -scans all accessible files on local and network drives,

    -analyzes packets entering and leaving the computer over a local area network, enabling one infected Mac to collect data from different computers on a school or business local network,

    -injects code with no user action required into Firefox, Safari, and iChat and copies personal data from those applications, infecting the code of the applications in the Mac's memory but not the actual application files,

    -regularly sends encrypted data to a number of servers using ports 80 and 442 about files scanned, as well as other information including e-mail addresses, iChat message headers, and URLs.

    The spyware can be automatically upgraded to add new features without the knowledge of the computer user. It occasionally asks for the user's name or prompts the user to fill out surveys via a dialog box.

    In some cases the infected computer will not work correctly and the user will need to force a reboot. In addition, deleting the original app or screensaver will not delete or interfere with the spyware, Intego said.

    "While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install," the company said. "Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location, and much more."
    To see if your system is infected, there are several free Mac malware scanners including ClamXav and iAntiVirus.

    Updated at 5:08 p.m. PDT with MacUpdate comment and malware scanners.
  2. GenX


    Aug 8, 2009
    That can't be good.

  3. TBO

    TBO Why so serious? CLM

    Interesting article to follow (courtesy of GNG):

    Hacker: Windows More Secure Than Mac OS X
    8:21 PM - September 21, 2009 by Marcus Yam - source: Tom's Hardware US

    Hackers just like the PC more.

    Regardless of which side you're on (though as a true computing enthusiast, you shouldn't be taking sides), you've heard the arguments back and forth on the which operating system is truly safer – Mac OS X or Windows.

    It is of the opinion of Charlie Miller, a well known Mac security guru, that even Snow Leopard, the latest version of Mac OS X, isn't as safe as Windows.

    One key point is that Snow Leopard still doesn't have ASLR, or address space layout randomization, which randomly arranges the position of key data making it harder for hackers to target for exploits.

    Miller said to TechWorld that Apple didn't change the ASLR from 10.5 to 10.6: "Apple didn't change anything. It's the exact same ASLR as in Leopard, which means it's not very good."

    Apple didn’t completely missed the chance to tighten up security in Snow Leopard though, as the new QuickTime solves a lot of the issues that Mac OS X had before.

    "Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past."

    One thing that Snow Leopard did adapt, which Windows has had since XP SP2, is DEP (data execution prevention). With DEP, buffer overflow attacks are much harder to execute.

    Despite Miller's opinion that Windows is the more secure OS, the large install based of Microsoft-based systems make them a much more attractive target for hackers. Still, Miller would like to see security on all platforms.

    "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."

  4. IndyGunFreak


    Jan 26, 2001

    First, I'd be curious to see how the malware is gaining root access to the system. I'd be willing to bet this is gonna come back to the bozo pounding on the keyboard. Linux, Mac, Windows, etc.. are all fairly "unsafe" if you're not going to take general precautions and set rules for users. All users essentially having "admin" access is a major issue w/ Windows( as of XP anyways, I don't have much experience w/ vista or 7)

    Again, my Mac experience is very limited, but if you don't allow the file to have root access in the first place, the rest of the stuff on that list isn't going to happen. To me, it would seem most of these are probably being installed by "social engineering"

  5. It's important to remember that the first root-kit viruses were built to attack SCO and UNIX systems and elevate their own privs.

    Now they do both, they wait for the user to grant them access and they self elevate.
  6. crimsonaudio

    crimsonaudio 15 or 30?

    Apr 11, 2008
    Ahh, another one of those 'if you're dumb enough to install it' bits...
  7. ChristopherBurg


    Dec 18, 2009
    This root-kit uses a well known exploit called installing software.

    It's come to the point where most modern operating systems are secure enough where the malicious hackers have moved from words to either getting the user to install software themselves (as is the case with the mentioned root-kit) or attack software running on the computer (the web browser and Adobe Flash and PDF Reader are the current most popular).

    I find this to be a good thing personally. Operating system designers are finally paying enough attention to security that operating system exploits are much rarer. The problem now comes down to the software (which should all be running in a sandbox but sadly isn't) and the ultimate hole in any security plan, the person(s) using the system.

    The software will be fixed eventually. Look at Chrome they isolate each page in it's own process and run the entire browser in a sandbox making exploiting the browser difficult (you need to find a browser exploit and a sandbox exploit for attack the system). I believe most software will go this direction in the future meaning the malicious hackers will focus almost all of their energy on the users which sadly can't be patched.
  8. Another common counter strategy is to run a lite-weight thin client. Very hard to compromise anything in that enviroment.
  9. ancienthacker


    Apr 25, 2009
    Installing software is one way. An unpatched OS is the other. A few months ago OSX has a local privilege elevation bug fix in the monthly patch bundle. Reverse engineer that, work it into a Javascript page, get people to visit it, and own lots of Macs. Same month had a remote code execution bug fix. Had those been discovered by a black hat it could have been bad news for Mac owners.

    Those that were around in the pre OSX days may recall the virus problems the Mac had. The security model is OSX is a huge improvement. Same for Vista/Win 7. When Windows users turn UAC off they are back in the XP days of running as root. No matter what the OS this is always a bad idea.

    All virus infections at my place of work are reviewed. I can't recall one in the past few years where the user was not in the local admin group - aka running with full admin access. As we remove users from the local admin group the rate of infection has been dropping. Requires a bit more work for the support staff but it's better than reloading machines.

    No OS is perfect. Most problems can be mitigated by a bit of user education. Unfortunately there are some in the OSX camp who continue to say that OSX is virus/spyware/etc proof. Someday those words are going to cause a lot of people a lot of pain.