A new strain of MAC Malware is being reported by Intego - OSX/OpinionSpy. You can find details here: http://blog.intego.com/2010/06/01/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/

So far, it has been seen on a number of screensavers, and a small java/php app generally named "mac_flv_to_mp3.php" or similar, but be cautious on downloads, it's a simple bolt-on, so be on the lookout for it elsewhere.

The neat thing about this malware is that it passes most static scan tests - the downloaded software itself is clean, the malware is downloaded as part of the installation process. This highlights the requirement for an on-access virus scanner for your OSX computers.

I hate to bring "that advertisement" up again, but the "viruses? oh, mac's don't have that problem" statement was both not true and a huge red flag for malware authors.

Thanks to several readers for both pointing us to this article, and shooting us a copy of the actual code!

===============
Rob VandenBrink
Metafore
Rob VandenBrink 578 Posts ISC Handler Jun 2nd 2010 |
Jun 2nd 2010 1 decade ago |
Is this Onionspy or Opinionspy? It's called both in the article above. Which one is it?
New Mac malware - OSX/Onionspy
A new strain of MAC Malware is being reported by Intego - OSX/OpinionSpy.
Thanks, Alex
Anonymous |
Jun 2nd 2010 1 decade ago |
Also, the abbreviation for a Macintosh is not MAC, that's used for Media Access Controller. The proper abbreviation is Mac or mac. PC is used for Personal Computer since it is two words. Since Macintosh is only one word, the proper abbreviation only has the first letter capitalized if at all.
Thanks, Alex |
Anonymous |
Jun 2nd 2010 1 decade ago |
What bugs me most is that Intego found this spyware, yet refuses to tell how to detect if you're infected, and how to remove, other than buying (or using) their virus scanner.
In the past, I downloaded one of the mentioned screen savers, but it must have been an older version (cannot verify), since I didn't find any strange open ports or services running. |
Peter 1 Posts |
Jun 2nd 2010 1 decade ago |
We got lots'o'more coming too. Pulling a few allnighters in Grandma's Basement so we can push out at least 5 more by the 10th of Junio. Thank you Ladies and Gentlemen, for our next trick......
Peter 1 Posts |
Jun 2nd 2010 1 decade ago |
Is there anything to this item other than what is typically known as a Trojan? I am trying to figure out if this is leveraging a security hole other than social engineering. So far I can not find anything useful. Anyone have anything they can share?
thanks, Brian |
BGC 23 Posts |
Jun 4th 2010 1 decade ago |
Everything old is new again - Marketscore by any other name. Note the store at
http://www.sophos.com/blogs/duck/g/2010/0/02/mac-osx-monitorware/ Does anyone have word of when we might expect A/V (besides Intego) to detect this? Portscanning 8254 on my local networks only works against the customers who *didn't* follow my advice and deploy default-deny rulesets :| |
BGC 2 Posts |
Jun 4th 2010 1 decade ago |
Sorry - s/store/story/ above.
BGC 2 Posts |
Jun 4th 2010 1 decade ago |
I found this statement odd: "the downloaded software itself is clean, the malware is downloaded as part of the installation process."
Isn't something designed to download and deploy malware, inherently unclean, in and of itself? I consider downloading it, no different than if it had self-extracted it. More stealthy, but the downloader should still be considered malicious. |
Mysid 146 Posts |
Jun 5th 2010 1 decade ago |