
dumb malware hits the Mac
angelmb
Addicted to MacNN
Join Date: Oct 2001
Location: Automatic
Jun 1, 2010, 12:30 PM
 
The Mac Security Blog » Intego Security Alert: OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications

Risk: High
Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites. This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process.

The information provided with some of these applications contains a misleading text that users must accept explaining that a “market research” program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.


oh snap !!
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jun 1, 2010, 12:46 PM
 
Little Snitch will let me know if something phones home.

-t
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 1, 2010, 01:31 PM
 
Can they actually provide specific examples of software apps doing this?
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jun 1, 2010, 01:38 PM
 
Originally Posted by Cold Warrior View Post
Can they actually provide specific examples of software apps doing this?
Probably not.

Haven't we seen this kind of fear-mongering from OS X Anti-Virus companies in the past ?

-t
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jun 1, 2010, 01:51 PM
 
Originally Posted by turtle777 View Post
Probably not.

Haven't we seen this kind of fear-mongering from OS X Anti-Virus companies in the past ?

-t
Intego has posted a preliminary list of applications. You can find it here. Mostly appears to be a bunch of "Clock Screensavers"
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 1, 2010, 02:46 PM
 
When Apple catches wind of these occasional occurrences, will a subsequent OS X patch disable them from executing? They're few enough in number that I'd think Apple could easily do that.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Jun 1, 2010, 05:12 PM
 
I trust Intego slightly less than I trust Symantec.

Little Snitch FTW.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 1, 2010, 05:35 PM
 
Is there a Little Snitch equivalent for Windows?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Jun 1, 2010, 05:39 PM
 
Zone Alarm maybe? <shrug>
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Jun 1, 2010, 05:47 PM
 
Originally Posted by Big Mac View Post
When Apple catches wind of these occasional occurrences, will a subsequent OS X patch disable them from executing? They're few enough in number that I'd think Apple could easily do that.
The problem with doing that is that they'd be expected to keep doing it forever, even if the number of malware shot through the sky. "Disable an item from executing" sounds a lot like quarantine mode, and you'd need some sort of signature ID to identify the relevant files, a way to update it... pretty soon, that's a complete antivirus solution. I think that adding an antivirus solution to the OS would only shine a spotlight on the fact that malware exists on the Mac, even if it's uncommon. They need to patch weaknesses, certainly, but not ID single files. I'd rather see a way to jail apps, so you could run suspect apps with highly decreased privileges, and something like Little Snitch included with the OS. Windows has something quite similar to that.

Pop quiz: Apple used to make a free antivirus program once. What was the name?
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jun 1, 2010, 05:52 PM
 
Disinfectant?

Edit: Nope. Not made by Apple. Hm.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 1, 2010, 08:33 PM
 
Originally Posted by P View Post
Pop quiz: Apple used to make a free antivirus program once. What was the name?
VirusRx.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 1, 2010, 08:36 PM
 
Originally Posted by P View Post
The problem with doing that is that they'd be expected to keep doing it forever, even if the number of malware shot through the sky. "Disable an item from executing" sounds a lot like quarantine mode, and you'd need some sort of signature ID to identify the relevant files, a way to update it... pretty soon, that's a complete antivirus solution. I think that adding an antivirus solution to the OS would only shine a spotlight on the fact that malware exists on the Mac, even if it's uncommon. They need to patch weaknesses, certainly, but not ID single files. I'd rather see a way to jail apps, so you could run suspect apps with highly decreased privileges, and something like Little Snitch included with the OS. Windows has something quite similar to that.
Yeah, you're right, that makes sense and sounds like a better solution. I think some of that is already done in a limited fashion, as covered by this Apple code signing recap.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Curiosity
Senior User
Join Date: Jul 2006
Jun 2, 2010, 01:09 AM
 
The spyware itself is not contained in these applications, but is downloaded during the installation process.
If it is the installation process that causes the download, how does it do that? I would expect Little Snitch to stop the installation from calling out without permission.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Jun 2, 2010, 04:37 AM
 
Originally Posted by CharlesS View Post
VirusRx.
I think it was called Vaccine. Icon was a hypodermic needle.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jun 2, 2010, 04:39 AM
 
^ That rings a bell.
     
moonmonkey
Professional Poster
Join Date: Jan 2001
Location: Australia
Jun 2, 2010, 08:00 AM
 
Originally Posted by P View Post
The problem with doing that is that they'd be expected to keep doing it forever, even if the number of malware shot through the sky. "Disable an item from executing" sounds a lot like quarantine mode, and you'd need some sort of signature ID to identify the relevant files, a way to update it... pretty soon, that's a complete antivirus solution. I think that adding an antivirus solution to the OS would only shine a spotlight on the fact that malware exists on the Mac, even if it's uncommon. They need to patch weaknesses, certainly, but not ID single files. I'd rather see a way to jail apps, so you could run suspect apps with highly decreased privileges, and something like Little Snitch included with the OS. Windows has something quite similar to that.

Pop quiz: Apple used to make a free antivirus program once. What was the name?
I'm pretty sure that there is a list of files in the Plist of Safari (or similar place) that Safari cannot download/mount.
I feel sure this was discussed when Leopard was introduced and included the names of a few trojans.

Apple could add these with a security update.
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Jun 2, 2010, 09:29 AM
 
So, has anyone actually seen this thing? Is it Intego just trying to gain some sales?
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 2, 2010, 10:39 AM
 
I imagine they are. Intego loves playing up these "threats." It must be pretty difficult to sell Mac security software.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Jun 2, 2010, 11:05 AM
 
Before I did a reinstall I tried Intego's product and did a virus scan. 15 years worth of files - not a virus in sight. Only one bit of malware, which I already knew about because I bought it off Adobe and installed it myself.

The only thing Intego had going for them was better firewall control (e.g. allow only one.specific.ip.address to connect to internal FTP server) without delving into the geekery of ipfw config files.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jun 2, 2010, 11:48 AM
 
Originally Posted by moonmonkey View Post
I'm pretty sure that there is a list of files in the Plist of Safari (or similar place) that Safari cannot download/mount.
I feel sure this was discussed when Leopard was introduced and included the names of a few trojans.

Apple could add these with a security update.
Yes, and then it becomes a stupid arms race. The developer just keeps changing the name of the files as Apple adds them to the block list. Eventually the developer starts using names of legitimate software that Apple couldn't add to the block list without angering the major developers.

You can't protect against social engineering with a technical solution. Ever.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 2, 2010, 12:01 PM
 
Originally Posted by P View Post
I think it was called Vaccine. Icon was a hypodermic needle.
Nope! Vaccine was from CE Software (although it was free). Apple's was called VirusRX. It was hilariously lame, though — not only did it have no repair feature, but it focused more on detecting suspicious behaviors rather than scanning for specific viruses, and as such turned up tons of false positives. My personal favorite was one that popped up literally every time it was used — it would find this suspicious looking invisible file on the disk! Oh no! What was this file called, you ask? Oh, it was Macintosh HD:Desktop.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Jun 2, 2010, 02:03 PM
 
I think you're probably right, some googling does reveal references to "Apple's own VirusRX". Odd, I used Vaccine back in the day, and I seem to remember getting it on one of those white floppies Apple used.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 2, 2010, 02:08 PM
 
I remember a Vaccine scanner screen saver that was part of More After Dark. I also recall running Disinfectant every once in a while, perhaps hoping it would find something malicious in order to justify the scan. But then again it was just fun to do in some respects, probably because there was no Internet to amuse me back then. It was that, various screen savers, and Lunatic Fringe.

Ah, fond memories of ancient Mac nerdom.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 2, 2010, 03:35 PM
 
Originally Posted by P View Post
I think you're probably right, some googling does reveal references to "Apple's own VirusRX". Odd, I used Vaccine back in the day, and I seem to remember getting it on one of those white floppies Apple used.
I am right.

InfoWorld - Google Books

Stand-alone programs include Flu-Shot, available free on Compuserve's IBM Software Forum, and (for Macintosh users) the aptly named Vaccine from CE Software of Des Moines, Iowa.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
bishopazrael
Mac Enthusiast
Join Date: Nov 2006
Jun 4, 2010, 02:08 AM
 
I was just wondering the same thing... if there was a Windows equivalent of Little Snitch.

BTW, Intego is the company that's the Chicken Little of Apple, isn't it? Always issuing these kinds of alerts.
Backups are like guns and condoms. It's better to have it and not need it than to need it and not have it.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 4, 2010, 08:37 AM
 
I for one appreciate knowing about things like this.

The Windows equivalent of Little Snitch would be ZoneAlarm.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
angelmb  (op)
Addicted to MacNN
Join Date: Oct 2001
Location: Automatic
Jun 4, 2010, 12:42 PM
 
From the Intego blog:

Earlier this week, we reported about spyware found in a number of screensavers and an application. Following this, the company who distributes these screensavers, 7arts, claimed that they have removed the spyware from their screensavers.

Well, it turns out that this is not true. Perhaps they did so for one day, but checking their site today, and downloading some of the screensavers, shows that they are still distributing this spyware. (The spyware is not found in all of the company’s screensavers, but the ones we found it in initially contain it again.)

This is especially dishonest. In the first place, distributing spyware is reprehensible, but then pretending to want to placate Mac users by claiming to remove the spyware is doubly so.

We strongly urge all Mac users to avoid this company and its software.


Emphasis mine.
     
   
 
All times are GMT -4.