Mac software security specialists Intego has warned Mac users of a potential new threat. Intego claims to have discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found online, without specifying the details.
The spyware — OSX/OpinionSpy — reportedly performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.
While distribution is limited, Intego warns Mac users to pay careful attention to which software they download and install, and rates the threat risk as 'high.'
In a press release Intego highlights the following potential dangers associated with the OSX/OpinionSpy spyware.
- This application, which has no interface, runs as root (it requests an administrator's password on installation) with full rights to access and change any file on the infected user's computer.
- If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
- It opens an HTTP backdoor using port 8254.
- It scans all accessible volumes, analysing files, and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
- It analyses packets entering and leaving the infected Mac over a local network, analysing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.
- It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behaviour similar to that of a virus, and this malware "infects" applications when they are running to be able to carry out its operations. (It infects the applications' code in the Mac's memory, and does not infect the actual applications' files on the user's hard disk.)
- It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends email addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
- Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location and much more.
- The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
- In some cases, computers with this spyware installed no longer work correctly after a certain period of time; it is necessary to force-reboot such Macs.
- If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.
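Two of the behaviours above are checkable from the command line on a Mac: a root process listening on TCP 8254 (the backdoor port), and a launchd job that keeps that process alive. The script below is an added example for that triage, not code from Intego or from the article: it parses the output of the stock macOS tools `lsof -nP -iTCP -sTCP:LISTEN` and `launchctl list` and reports any listener on the backdoor port together with the launchd label (if any) managing its PID. The sample tool output, the process name `placeholdr` and the label `com.example.placeholder-updater` are constructed for an offline run and are not real OpinionSpy identifiers.

```python
"""Triage helper for the OSX/OpinionSpy indicators quoted above (added example).

Parses `lsof -nP -iTCP -sTCP:LISTEN` (listening TCP sockets) and
`launchctl list` (launchd jobs) and joins them on PID, so a root process
listening on TCP 8254 that launchd would re-launch is reported as one finding.
"""
import re
import subprocess
from dataclasses import dataclass

BACKDOOR_PORT = 8254  # HTTP backdoor port named in Intego's description

# Constructed sample of `sudo lsof -nP -iTCP -sTCP:LISTEN` (placeholder process name)
SAMPLE_LSOF = """\
COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd        1 root   12u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd         88 root    7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)
placeholdr   512 root    4u  IPv4 0x5e6f      0t0  TCP *:8254 (LISTEN)
"""

# Constructed sample of `sudo launchctl list` (placeholder job label)
SAMPLE_LAUNCHCTL = """\
PID\tStatus\tLabel
1\t0\tcom.apple.launchd
-\t0\tcom.apple.cups
512\t0\tcom.example.placeholder-updater
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    port: int


def parse_lsof_listeners(text: str) -> list[Listener]:
    """Turn lsof LISTEN lines into Listener records; the header line is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        f = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
        if len(f) < 9:
            continue
        m = re.search(r":(\d+)$", f[8])  # NAME looks like *:8254 or 127.0.0.1:631
        if not m:
            continue
        listeners.append(Listener(f[0], int(f[1]), f[2], int(m.group(1))))
    return listeners


def parse_launchctl(text: str) -> dict[int, str]:
    """Map PIDs of running launchd jobs to their labels; idle jobs ('-') are skipped."""
    jobs = {}
    for line in text.splitlines()[1:]:
        f = line.split("\t")
        if len(f) != 3 or not f[0].isdigit():
            continue
        jobs[int(f[0])] = f[2]
    return jobs


def suspicious_jobs(lsof_text: str, launchctl_text: str, port: int = BACKDOOR_PORT) -> list[dict]:
    """Listeners on `port`, each joined with the launchd job (if any) managing its PID.

    A root process on the backdoor port that launchd manages matches three of the
    described behaviours at once: runs as root, re-launched by launchd, port 8254.
    """
    jobs = parse_launchctl(launchctl_text)
    findings = []
    for l in parse_lsof_listeners(lsof_text):
        if l.port != port:
            continue
        findings.append({
            "pid": l.pid,
            "command": l.command,
            "user": l.user,
            "launchd_label": jobs.get(l.pid),  # None when no launchd job owns the PID
        })
    return findings


def live_report(port: int = BACKDOOR_PORT) -> list[dict]:
    """Run both tools on this Mac (run under sudo to see other users' sockets and jobs)."""
    lsof_out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=False).stdout
    lc_out = subprocess.run(["launchctl", "list"],
                            capture_output=True, text=True, check=False).stdout
    return suspicious_jobs(lsof_out, lc_out, port)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; use live_report() on a real Mac.
    for finding in suspicious_jobs(SAMPLE_LSOF, SAMPLE_LAUNCHCTL):
        print(finding)
```

A listener on 8254 with no launchd label is still worth a look (the process may be kept alive some other way); a listener with a non-Apple label running as root, as in the sample, is the combination the description warns about. Because the spyware survives removal of the application that installed it, the launchd label is the thing to record before cleaning up.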
More information can be found on the newly redesigned Intego Mac Security Blog.