OSX/OpinionSpy Discovered by Intego
Tuesday, June 1, 2010 at 03:23PM
drStrangeP0rk in Client, Mac OSX 10.5, Mac OSX 10.6, Malware, Server, Spyware, Wild

Intego, which makes a host of excellent Mac security products, is reporting the discovery of spyware named OSX/OpinionSpy, which installs with a host of freely available Mac screensavers and software. The spyware reports back various machine, user and file information after executing with root privileges. It leaves the system open to a host of malicious operations, including executing code with root privileges without the user's knowledge and maintaining a back door using ports 8254, 80 and 443.

Users should update their Intego virus definitions. Users can also do a search for "PremierOpinion", which is the name under which the spyware's installer/updater is installed. Intego has published a list of products that contain the spyware software, which can be viewed here. Port scanning information for 8254 can be found here.

There is never any reason to install any screensavers or survey software, since usually the terms allow the vendor access to private information. It is important to remember that Mac OSX has a built-in screen saver for users to use. In addition, the screen saver should at the very least lock an idle system; users/administrators should set the following in the Security preference pane:


Users/Administrators should set an automatic log out time and lock access to Preference Panes.


Update on Wednesday, June 2, 2010 at 07:23PM by Registered Commenter drStrangeP0rk

Another flag is a Java app/PHP combination named "mac_flv_to_mp3.php." The trend is to use tags with MP3 or another media descriptor in the name to get users to install the software. It seems to be hosted at your favorite source for malware and spyware, The Planet, and also on the brothersoft site, which has various warnings from Norton and Google.

Brothersoft_com____     165.254.0.0/16

Norton Site Advisor

https://safeweb.norton.com/report/show?name=brothersoft.com 

http://www.google.com/safebrowsing/diagnostic?site=brothersoft.com

Various Domains Hosting malware 

zxmedia.com
qmacro.com
desktop-tools.net

Networks

AS21844 (THEPLANET)
AS20940 (AKAMAI)
AS3549 (Global Crossing Ltd.)

You can also block this site at your gateway. 

174.132.165.157 --> www.mishinc_info___

Google has no direct detection

http://www.google.com/safebrowsing/diagnostic?site=www.mishinc.info

NetRange:   174.132.0.0 - 174.133.255.255
CIDR:       174.132.0.0/15
OriginAS:   AS13749,  AS21844,  AS30315,  AS36420
NetName:    NETBLK-THEPLANET-BLK-15
NetHandle:  NET-174-132-0-0-1
Parent:     NET-174-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
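The indicators in this post (the "PremierOpinion" name to search for, the back-door ports 8254/80/443, the brothersoft netblock, the 174.132.165.157 host and the THEPLANET /15 from the WHOIS record) can be turned into a small triage script. The following is an added example, not code from the post or from Intego: it searches a directory tree for the PremierOpinion name, checks outbound connection records against the listed hosts, netblocks and ports, and renders the network indicators as pf block rules for a gateway. The log format ("src dst port proto"), the sample directory layout and the sample log lines are constructed for the example; 80 and 443 are only reported when the destination already matched, since alerting on those ports alone would be noise.

```python
"""Triage helper for the OSX/OpinionSpy indicators listed in the post.
Added example; the log format and sample data below are constructed."""
import ipaddress
import os
import re
import tempfile

# Indicators taken from the post.
NAME_INDICATOR = "premieropinion"          # name the post says to search for
HIGH_CONFIDENCE_PORTS = {8254}              # unusual port: flag on its own
BACKDOOR_PORTS = {8254, 80, 443}            # all back-door ports the post lists
BLOCKED_NETWORKS = [
    ipaddress.ip_network("165.254.0.0/16"),  # brothersoft.com per the post
    ipaddress.ip_network("174.132.0.0/15"),  # THEPLANET netblock from the WHOIS record
]
BLOCKED_HOSTS = {ipaddress.ip_address("174.132.165.157")}  # www.mishinc.info per the post


def find_name_indicator(root):
    """Return paths under root whose file or directory name contains
    'PremierOpinion' (case-insensitive)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if NAME_INDICATOR in name.lower():
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Constructed record format (assumption): "<src_ip> <dst_ip> <dst_port> <proto>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def triage_connections(log_lines):
    """Return (record, reason) pairs for outbound records that match the
    post's network indicators. Malformed records are skipped, not fatal."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst, port = m.group(2), int(m.group(3))
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        reasons = []
        if dst_ip in BLOCKED_HOSTS:
            reasons.append("destination is a listed host")
        elif any(dst_ip in net for net in BLOCKED_NETWORKS):
            reasons.append("destination in a listed netblock")
        if port in HIGH_CONFIDENCE_PORTS:
            reasons.append("back-door port %d" % port)
        elif reasons and port in BACKDOOR_PORTS:
            # 80/443 are only meaningful once the destination matched
            reasons.append("listed port %d to a listed destination" % port)
        if reasons:
            findings.append((line.strip(), "; ".join(reasons)))
    return findings


def pf_block_rules():
    """Render the network indicators as pf 'block out' rules, as a starting
    point for the gateway block the post suggests (pf ships with Mac OS X)."""
    targets = [str(h) for h in sorted(BLOCKED_HOSTS)] + [str(n) for n in BLOCKED_NETWORKS]
    rules = ["block out quick to %s" % t for t in targets]
    rules.append("block out quick proto tcp to any port 8254")
    return rules


def make_sample_tree():
    """Constructed directory layout: two PremierOpinion artifacts, one benign saver."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Library", "PremierOpinion"))
    os.makedirs(os.path.join(root, "Library", "LaunchDaemons"))
    os.makedirs(os.path.join(root, "Library", "Screen Savers", "Benign.saver"))
    with open(os.path.join(root, "Library", "LaunchDaemons", "premieropinion.plist"), "w") as fh:
        fh.write("<plist/>\n")
    return root


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 174.132.165.157 8254 tcp",  # listed host on the back-door port
    "10.0.0.5 165.254.10.20 80 tcp",      # brothersoft netblock over 80
    "10.0.0.5 174.133.4.4 443 tcp",       # upper half of the THEPLANET /15
    "10.0.0.5 93.184.216.34 443 tcp",     # unrelated destination: ignored
    "10.0.0.5 10.0.0.1 8254 tcp",         # internal destination, still odd port
    "garbage line",                       # malformed: skipped
]

if __name__ == "__main__":
    for path in find_name_indicator(make_sample_tree()):
        print("name indicator:", path)
    for record, reason in triage_connections(SAMPLE_LOG):
        print("%-40s %s" % (record, reason))
    print("\n".join(pf_block_rules()))
```

Running it against the constructed data reports the two PremierOpinion artifacts, four of the six records (the unrelated 443 connection and the malformed line are dropped) and five pf rules; on a real host, point find_name_indicator at / and feed triage_connections your own firewall or netflow export after adjusting LOG_RE to its format.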
Article originally appeared on magmatic.com (http://www.magmatic.com/).
See website for complete article licensing information.