Spyware Still Plaguing Free Mac Software, Intego Says

Article by George Norman (Cybersecurity Editor)

on 07 Jun 2010

As you may remember, the big Mac security news last week was Intego's discovery that freely distributed software applications for Mac download spyware during the installation process. Intego identifies the spyware as OSX/OpinionSpy; Intego VirusBarrier X5 and X6 can detect and neutralize this threat. Most of these applications were screensavers, all of them made by a single company, namely 7arts.

After news that the screensavers pose a security risk, 7arts announced that it had removed the spyware from the screensavers. According to Intego, the company that specializes in providing security solutions for Mac, this is not the case: all the screensavers that distributed the OSX/OpinionSpy spyware continue to distribute it.

“Perhaps they did so for one day, but checking their site today, and downloading some of the screensavers, shows that they are still distributing this spyware. This is especially dishonest. In the first place, distributing spyware is reprehensible, but then pretending to want to placate Mac users by claiming to remove the spyware is doubly so. We strongly urge all Mac users to avoid this company and its software,” commented Intego.

Here’s the list of screensavers Intego released, the ones you should steer clear of:
  • Secret Land ScreenSaver v.2.8
  • Color Therapy Clock ScreenSaver v.2.8
  • 7art Foliage Clock ScreenSaver v.2.8
  • Nature Harmony Clock ScreenSaver v.2.8
  • Fiesta Clock ScreenSaver v.2.8
  • Fractal Sun Clock ScreenSaver v.2.8
  • Full Moon Clock ScreenSaver v.2.8
  • Sky Flight Clock ScreenSaver v.2.8
  • Sunny Bubbles Clock ScreenSaver v.2.9
  • Everlasting Flowering Clock ScreenSaver v.2.8
  • Magic Forest Clock ScreenSaver v.2.8
  • Freezelight Clock ScreenSaver v.2.9
  • Precious Stone Clock ScreenSaver v.2.8
  • Silver Snow Clock ScreenSaver v.2.8
  • Water Color Clock ScreenSaver v.2.8
  • Love Dance Clock ScreenSaver v.2.8
  • Galaxy Rhythm Clock ScreenSaver v.2.8
  • 7art Eternal Love Clock ScreenSaver v.2.8
  • Fire Element Clock ScreenSaver v.2.8
  • Water Element Clock ScreenSaver v.2.8
  • Emerald Clock ScreenSaver v.2.8
  • Radiating Clock ScreenSaver v.2.8
  • Rocket Clock ScreenSaver v.2.8
  • Serenity Clock ScreenSaver v.2.8
  • Gravity Free Clock ScreenSaver v.2.8
  • Crystal Clock ScreenSaver v.2.6
  • One World Clock ScreenSaver v.2.8
  • Sky Watch ScreenSaver v.2.8
  • Lighthouse Clock ScreenSaver v.2.8

Here is what you can expect OSX/OpinionSpy to do once it manages to compromise a machine:
- The spyware runs as root with full rights to access and change any file.
- The spyware opens an HTTP backdoor using port 8254.
- It uses a lot of CPU.
- It analyzes packets entering and leaving the compromised machine.
- It injects code into Firefox, iChat and Safari. It copies personal data from these apps.
- It sends encrypted data to a number of servers on a regular basis. It uses ports 80 and 443 to do so.
- It can be automatically upgraded.
- After a period of time, some machines infected with this spyware no longer work properly.
- The spyware doesn’t go away if the application or screensaver that delivered it is deleted.
- After a while, it installs another application on the user’s machine. The application, called PermissionResearch, is another variant of the same spyware.
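
Two of the behaviours above can be checked from standard macOS tool output: a listener on TCP port 8254 and a running process named PermissionResearch. The following is an added example, not code from Intego or the article; the `lsof` and `ps` samples, the process names `exampled` and `devsrv`, and the placeholder path are constructed for illustration, and a port match alone only marks a process for review.

```python
"""Triage check for two indicators the article lists (constructed sample input)."""

BACKDOOR_PORT = 8254                  # HTTP backdoor port named in the article
FOLLOWUP_NAME = "PermissionResearch"  # follow-on application named in the article

# Constructed output of: lsof -nP -iTCP -sTCP:LISTEN
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   21u  IPv4 0x0a01      0t0  TCP *:548 (LISTEN)
exampled  412 root    9u  IPv4 0x0a02      0t0  TCP *:8254 (LISTEN)
devsrv    733 alice   5u  IPv6 0x0a03      0t0  TCP [::1]:18254 (LISTEN)
"""

# Constructed output of: ps -axo user=,pid=,comm=  (path is a placeholder)
SAMPLE_PS = """\
root      1 /sbin/launchd
root    412 /placeholder/path/exampled
alice   901 /placeholder/path/PermissionResearch
"""

def listeners_on_port(lsof_text, port=BACKDOOR_PORT):
    """Return (command, pid, user) for each TCP listener bound to exactly `port`."""
    hits = []
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 10 or f[-1] != "(LISTEN)":
            continue  # header line or a socket that is not listening
        # NAME is "addr:port"; rpartition also handles IPv6 "[::1]:port"
        if f[-2].rpartition(":")[2] == str(port):
            hits.append((f[0], int(f[1]), f[2]))
    return hits

def processes_named(ps_text, name=FOLLOWUP_NAME):
    """Return (path, pid, user) for each process whose command contains `name`."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)  # command path may itself contain spaces
        if len(parts) == 3 and name.lower() in parts[2].lower():
            hits.append((parts[2], int(parts[1]), parts[0]))
    return hits

def triage(lsof_text, ps_text):
    """Combine both checks; a root-owned listener matches the article most closely."""
    findings = []
    for cmd, pid, user in listeners_on_port(lsof_text):
        sev = "high" if user == "root" else "review"
        findings.append(f"{sev}: {cmd} (pid {pid}, user {user}) listens on TCP {BACKDOOR_PORT}")
    for path, pid, user in processes_named(ps_text):
        findings.append(f"high: {path} (pid {pid}, user {user}) matches {FOLLOWUP_NAME}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LSOF, SAMPLE_PS)))
```
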
