Dangerous New Mac Spyware Making the Rounds

Luckily, it’s not often that we have to make announcements regarding dangerous malicious software for the Mac. But not often isn’t never, and right now there’s a very nasty piece of spyware attacking Apple’s (s aapl) computer platform. It’s called OSX/OpinionSpy, and it piggybacks in on free screensaver and media conversion software.

Specifically, around 30 screensavers developed by a company called 7art and one app called Mishinc FLV to MP3 carry the spyware, according to security firm Intego. The programs were available on popular sites, like Softpedia, MacUpdate and VersionTracker, though they’ve since been pulled from those locations. MacUpdate told CNET that it had been aware of the problem as far back as March and had acted accordingly.

The spyware app isn’t part of the software itself, but instead downloads during the installation of the originally downloaded programs. It often masquerades as a market research program called PremierOpinion that tracks browsing and purchasing information for market research purposes, but it also can come completely unannounced. The aim of OSX/OpinionSpy is to collect data from files and programs. Here’s a breakdown of a few ways it does its dirty work:

  • Runs as root, allowing complete access, including modification, to all files
  • Scans all accessible files on local and network drives
  • Opens a back door using port 8254
  • Analyzes data transmitted via a LAN connection, allowing a single Mac to collect data from an entire network
  • If the application is killed, it automatically relaunches via launchd, the system-wide OS X service launcher
  • Injects code into Safari, Firefox and iChat without any user authorization or action required, and then copies personal data from these applications. Code is injected into Mac memory, not the actual application’s files, allowing it to go undetected

It can be upgraded via the backdoor access without the user’s knowledge, and just deleting the original program it came in on won’t eliminate the spyware itself. To rid yourself of the infection, if you think you might have it, you should grab ClamXav or iAntiVirus or another trusted Mac malware scanner. Signs that you may be infected include your computer sometimes asking for your name or prompting you to fill out forms and surveys. Also, your computer may stop working correctly and require a reboot.

Intego is using the opportunity to push its anti-virus products, which is only fair given that it’s at least warning people about it, but as always, I recommend sensible downloading and browsing practice before any other means of virus or malware protection. If something seems suspicious, it probably is, and if you find you have no internal means of analyzing what constitutes danger and what doesn’t in term of online activity, consult with someone who you know definitely does. Finally, if something is free, always exercise extra caution.