magmatic.com - Squawk Box - OSX/OpinionSpy Discovered by Intergo

MAAS History

OSX/OpinionSpy Discovered by Intergo

Tuesday, June 1, 2010 at 03:23PM

Intego, which makes a host of excellent Mac security products, is reporting the discovery of spyware named OSX/OpinionSpy which installs with a host of freely available Mac screensavers and software. The spyware reports back various machine, user and file information after executing with root privileges. It leaves the system open to a host of malicious operations including executing code at root privileges without the users knowledge and maintaining a back door using port 8254, 80 and 443.

Users should update their Intego virus definitions. Users can also do a search for "PremierOpinion" which is what the spyware is installed updater. Intego has updated a list of products that contain the spyware software which can be viewed here. Port scanning information for 8254 can be found here.

There is never any reason to install any screensavers or survey software since usually the terms allow the vendor access to private information. It is important to remember that Mac OSX has a built in screen saver for user to use. In addition the screen saver should lock idle system at the very least, users/administrators should set the following in the Security Preference Setting Panel:

Require Password Immediately after screen saver begins
User secure virtual memory

Users/Administrators should set an automatic log out time and lock access to Prefernce Panes.

Update on Wednesday, June 2, 2010 at 07:23PM by

drStrangeP0rk

Another flag is a Java App/PHP combination named "mac_flv_to_mp3.php." The trend is to use tags with MP3 or other media descriptor in the name to get users to install the software. Seems to be hosted at your favorite source for Malware and Spyware, The Planet. Also brothersoft site which has various warnings from Norton and Google.

Brothersoft_com____ 165.254.0.0/16

Norton Site Advisor

https://safeweb.norton.com/report/show?name=brothersoft.com

http://www.google.com/safebrowsing/diagnostic?site=brothersoft.com

Various Domains Hosting malware

zxmedia.com/, qmacro.com/, desktop-tools.net/.

Networks

AS21844 (THEPLANET), AS20940 (AKAMAI), AS3549 (Global Crossing Ltd.).

You can also block this site at your gateway.

174.132.165.157 --> www.mishinc_info___

Google has no direct detection

http://www.google.com/safebrowsing/diagnostic?site=www.mishinc.info

NetRange: 174.132.0.0 - 174.133.255.255

CIDR: 174.132.0.0/15

OriginAS: AS13749, AS21844, AS30315, AS36420

NetName: NETBLK-THEPLANET-BLK-15

NetHandle: NET-174-132-0-0-1

Parent: NET-174-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.THEPLANET.COM

NameServer: NS2.THEPLANET.COM

drStrangeP0rk |

References (2)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

magmatic.com by magmatic consulting is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at http://magmatic.com.
Permissions beyond the scope of this license may be available at http://magmatic.com.