Malicious Spyware Spreads On Mac OS X
Once downloaded, the spyware, known as OSX/OpinionSpy, performs a wide array of actions, including scanning files, logging keystrokes, recording users' online activities, sending captured information to a remotely controlled server, and opening a backdoor on vulnerable Mac platforms.
Security researchers at Mac security company Intego found that the OSX/OpinionSpy is distributed by applications and screen savers found on sites such as MacUpdate, VersionTracker, and Softpedia. The spyware isn't directly contained in the applications, but instead is downloaded during the installation process.
Security researchers warned in an advisory that this strand of malware was particularly stealthy.
"The neat thing about this malware is that it passes most static scan tests -- the downloaded software itself is clean, the malware is downloaded as part of the installation process," said SANS researcher Rob VandenBrink, in a blog post. "This highlights the requirement for an on-access virus scanner for your OSX computers. I hate to bring 'that advertisement' up again, but the 'viruses? Oh, Mac's don't have that problem' statement was both not true and a huge red flag for malware authors."
During the attack, the malware -- a Mac version that has existed for Windows since 2008 -- claims to collect browsing and purchasing information used in market reports.
In reality, the OSX/OpinionSpy malware runs as a root, obtaining full rights to access, delete and alter any file on the infected user's computer after it requests an administrator's password on installation. The spyware also opens an HTTP backdoor, scans and analyzes all files on both the local and network volumes and analyzes packets and data entering and leaving the infected Mac from different computers over a local network.
The spyware can also inject malicious code without any user intervention into legitimate applications such as Safari, Firefox and iChat and copies personal data from the Web browsers, and then sends encrypted data to numerous servers, including e-mail addresses, iChat message headers and URLs, in addition to user names, password, credit card number, and Web browser bookmarks, among other things.
The spyware will remain on the user's computer, even if the original application or screen saver that installed the malicious program was deleted.
The spyware application comes equipped to upgrade new features automatically with no user intervention, and without users' knowledge, updating information with fake surveys and password requests. And in some cases, its slows the Mac to such a point that it causes a forced reboot, Intego said.
"The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat," said Intego in a blog post. "In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers, makes this a very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install."