dumb malware hits the Mac

Addicted to MacNN
Join Date: Oct 2001
Location: Automatic
Status: Offline
The Mac Security Blog » Intego Security Alert: OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications
Risk: High
Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites. This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.
OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process.
The information provided with some of these applications contains a misleading text that users must accept explaining that a “market research” program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.
oh snap !!

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Little Snitch will let me know if something phones home.
-t

Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Can they actually provide specific examples of software apps doing this?

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Originally Posted by Cold Warrior
Can they actually provide specific examples of software apps doing this?
Probably not.
Haven't we seen this kind of fear-mongering from OS X Anti-Virus companies in the past ?
-t

Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Originally Posted by turtle777
Probably not.
Haven't we seen this kind of fear-mongering from OS X Anti-Virus companies in the past ?
-t
Intego has posted a preliminary list of applications. You can find it here. Mostly appears to be a bunch of "Clock Screensavers"

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
When Apple catches wind of these occasional occurrences, will a subsequent OS X patch disable them from executing? They're few enough in number that I'd think Apple could easily do that.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Status: Offline
I trust Intego slightly less than I trust Symantec.
Little Snitch FTW.
|
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Is there a Little Snitch equivalent for Windows?
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Status: Offline
Zone Alarm maybe? <shrug>
|
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.

Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Status: Offline
Originally Posted by Big Mac
When Apple catches wind of these occasional occurrences, will a subsequent OS X patch disable them from executing? They're few enough in number that I'd think Apple could easily do that.
The problem with doing that is that they'd be expected to keep doing it forever, even if the number of malware shot through the sky. "Disable an item from executing" sounds a lot like quarantine mode, and you'd need some sort of signature ID to identify the relevant files, a way to update it... pretty soon, that's a complete antivirus solution. I think that adding an antivirus solution to the OS would only shine a spotlight on the fact that malware exists on the Mac, even if it's uncommon. They need to patch weaknesses, certainly, but not ID single files. I'd rather see a way to jail apps, so you could run suspect apps with highly decreased privileges, and something like Little Snitch included with the OS. Windows has something quite similar to that.
Pop quiz: Apple used to make a free antivirus program once. What was the name?
|
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.

Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Disinfectant?
Edit: Nope. Not made by Apple. Hm.

Posting Junkie
Join Date: Dec 2000
Status: Offline
Originally Posted by P
Pop quiz: Apple used to make a free antivirus program once. What was the name?
VirusRx.

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Originally Posted by P
The problem with doing that is that they'd be expected to keep doing it forever, even if the number of malware shot through the sky. "Disable an item from executing" sounds a lot like quarantine mode, and you'd need some sort of signature ID to identify the relevant files, a way to update it... pretty soon, that's a complete antivirus solution. I think that adding an antivirus solution to the OS would only shine a spotlight on the fact that malware exists on the Mac, even if it's uncommon. They need to patch weaknesses, certainly, but not ID single files. I'd rather see a way to jail apps, so you could run suspect apps with highly decreased privileges, and something like Little Snitch included with the OS. Windows has something quite similar to that.
Yeah, you're right, that makes sense and sounds like a better solution. I think some of that is already done in a limited fashion, as covered by this Apple code signing recap.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Senior User
Join Date: Jul 2006
Status: Offline
The spyware itself is not contained in these applications, but is downloaded during the installation process.
If it is the installation process that causes the download, how does it do that? I would expect Little Snitch to stop the installation from calling out without permission.

Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Status: Offline
Originally Posted by CharlesS
VirusRx.
I think it was called Vaccine. Icon was a hypodermic needle.
|
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.

Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline

Professional Poster
Join Date: Jan 2001
Location: Australia
Status: Offline
Originally Posted by P
The problem with doing that is that they'd be expected to keep doing it forever, even if the number of malware shot through the sky. "Disable an item from executing" sounds a lot like quarantine mode, and you'd need some sort of signature ID to identify the relevant files, a way to update it... pretty soon, that's a complete antivirus solution. I think that adding an antivirus solution to the OS would only shine a spotlight on the fact that malware exists on the Mac, even if it's uncommon. They need to patch weaknesses, certainly, but not ID single files. I'd rather see a way to jail apps, so you could run suspect apps with highly decreased privileges, and something like Little Snitch included with the OS. Windows has something quite similar to that.
Pop quiz: Apple used to make a free antivirus program once. What was the name?
I'm pretty sure that there is a list of files in the Plist of Safari (or similar place) that Safari cannot download/mount.
I feel sure this was discussed when Leopard was introduced and included the names of a few trojans.
Apple could add these with a security update.

Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Status: Offline
So, has anyone actually seen this thing? Is it Intego just trying to gain some sales?
|
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
I imagine they are. Intego loves playing up these "threats." It must be pretty difficult to sell Mac security software.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Status: Offline
Before I did a reinstall I tried Intego's product and did a virus scan. 15 years' worth of files - not a virus in sight. Only one bit of malware, which I already knew about because I bought it off Adobe and installed it myself.
The only thing Intego had going for them was better firewall control (e.g. allow only one.specific.ip.address to connect to internal FTP server) without delving into the geekery of ipfw config files.
|
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.

Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Originally Posted by moonmonkey
I'm pretty sure that there is a list of files in the Plist of Safari (or similar place) that Safari cannot download/mount.
I feel sure this was discussed when Leopard was introduced and included the names of a few trojans.
Apple could add these with a security update.
Yes, and then it becomes a stupid arms race. The developer just keeps changing the name of the files as Apple adds them to the block list. Eventually the developer starts using names of legitimate software that Apple couldn't add to the block list without angering the major developers.
You can't protect against social engineering with a technical solution. Ever.

Posting Junkie
Join Date: Dec 2000
Status: Offline
Originally Posted by P
I think it was called Vaccine. Icon was a hypodermic needle.
Nope! Vaccine was from CE Software (although it was free). Apple's was called VirusRX. It was hilariously lame, though — not only did it have no repair feature, but it focused more on detecting suspicious behaviors rather than scanning for specific viruses, and as such turned up tons of false positives. My personal favorite was one that popped up literally every time it was used — it would find this suspicious looking invisible file on the disk! Oh no! What was this file called, you ask? Oh, it was Macintosh HD:Desktop.

Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Status: Offline
I think you're probably right, some googling does reveal references to "Apple's own VirusRX". Odd, I used Vaccine back in the day, and I seem to remember getting it on one of those white floppies Apple used.
|
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
I remember a Vaccine scanner screen saver that was part of More After Dark. I also recall running Disinfectant every once in a while, perhaps hoping it would find something malicious in order to justify the scan. But then again it was just fun to do in some respects, probably because there was no Internet to amuse me back then. It was that, various screen savers, and Lunatic Fringe.
Ah, fond memories of ancient Mac nerdom.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ

Posting Junkie
Join Date: Dec 2000
Status: Offline
Originally Posted by P
I think you're probably right, some googling does reveal references to "Apple's own VirusRX". Odd, I used Vaccine back in the day, and I seem to remember getting it on one of those white floppies Apple used.
I am right.
InfoWorld - Google Books
Stand-alone programs include Flu-Shot, available free on Compuserve's IBM Software Forum, and (for Macintosh users) the aptly named Vaccine from CE Software of Des Moines, Iowa.

Mac Enthusiast
Join Date: Nov 2006
Status: Offline
I was just wondering the same thing... if there was a Windows equivalent of Little Snitch.
BTW, Intego is the company that's the Chicken Little of Apple, isn't it? Always issuing these kinds of alerts.
|
Backups are like guns and condoms. It's better to have it and not need it than to need it and not have it.

Posting Junkie
Join Date: Dec 2000
Status: Offline
I for one appreciate knowing about things like this.
The Windows equivalent of Little Snitch would be ZoneAlarm.

Addicted to MacNN
Join Date: Oct 2001
Location: Automatic
Status: Offline
From the Intego blog:
Earlier this week, we reported about spyware found in a number of screensavers and an application. Following this, the company who distributes these screensavers, 7arts, claimed that they have removed the spyware from their screensavers.
Well, it turns out that this is not true. Perhaps they did so for one day, but checking their site today, and downloading some of the screensavers, shows that they are still distributing this spyware. (The spyware is not found in all of the company’s screensavers, but the ones we found it in initially contain it again.)
This is especially dishonest. In the first place, distributing spyware is reprehensible, but then pretending to want to placate Mac users by claiming to remove the spyware is doubly so.
We strongly urge all Mac users to avoid this company and its software.
Emphasis mine.