“PremierOpinion” Spyware Now in Mac OS X
From Intego security advisory today:
——————————————————————————————————–
Malware: OSX/OpinionSpy
Risk: High
Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.
Who’s PremierOpinion?
PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.
Website: http://www.premieropinion.com/Home.aspx
So, who’s the partner?
“PremierOpinion” Mac OS X spyware is distributed by 7art-screensavers and published at this link: http://7art-screensavers.com/Mac_OS_X.shtml
The Intego blog has published a detailed list of “PremierOpinion” Mac OS X spyware. [here]
There are 48 screensaver Mac OS X apps in this source, and there are two different packages.
How to spot “PremierOpinion” Mac OS X Spyware?
1. It uses the IzPack (“Package once. Deploy everywhere.”) software installer generator. If you inspect the package (control+click the application and choose ‘Show Package Contents’ from the pop-up menu), you’ll notice the icons are different: one is the 7art icon, while the other is izpack.icns.
2. IzPack-generated installers are Java Archive (.JAR) files.
3. Installing the 7art screen savers does NOT require the root password, while PremierOpinion-sponsored free software or applications do require the root password. Why? Because it installs spyware, which tracks and monitors users’ browsing behaviour, scans and gathers information from the disk, and sends it back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.
4. Spyware installs software without the user’s consent or notification. It is often bundled with other clean applications to mislead users about its true purpose and gain access to users’ systems. So, in this case, if you click “Cancel”, the IzPack installer will still continue with two pop-up screens: 1) PremierOpinion survey (screenshot) 2) 7art screen saver installation (screenshot).
“Package once. Deploy everywhere.”
This sneaky Mac OS X threat could be bundled and distributed everywhere on the internet.
Be cautious and stay safe!
——–> Threat Info FYI
File Name: poinstaller
File Type: Mach-O executable i386
File Size: 470,352 bytes
Threat Type: Backdoor, Downloader, Sniffer, Stealer,
Installation Requirement: root
Remote Activity: Installation of other threats
Remote Download File: Rule14.xml
Remote Download: PermissionResearch.zip
Installation: RunPermissionResearch.sh
Package Name: PermissionResearch.app
File Type: Mach-O executable i386
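The package inspection from the “How to spot” steps, combined with the file names in the Threat Info list, can be done without launching the installer. The following is an added example, not code from this post or from Intego: it walks an application bundle, notes the izpack.icns icon and any JAR installer, and lists JAR entries by name only. The function names, the `Sample.app` layout and the idea that a listed file name may appear inside the JAR are assumptions made for illustration.

```python
import os
import tempfile
import zipfile

# File and package names copied from the Threat Info list on this page.
THREAT_NAMES = {"poinstaller", "Rule14.xml", "PermissionResearch.zip",
                "RunPermissionResearch.sh", "PermissionResearch.app"}
IZPACK_ICON = "izpack.icns"  # icon the page reports inside IzPack-built bundles

def scan_jar(path, rel):
    """Read a JAR (zip) by entry name only; nothing is extracted or executed."""
    try:
        with zipfile.ZipFile(path) as jar:
            hits = [e for e in jar.namelist() if THREAT_NAMES & set(e.split("/"))]
    except zipfile.BadZipFile:
        return {("unreadable-jar", rel)}
    return {("jar-installer", rel)} | {("threat-name", rel + "!" + e) for e in hits}

def scan_bundle(bundle):
    """Walk a .app bundle and return sorted (kind, location) findings."""
    found = set()
    for root, dirs, files in os.walk(bundle):
        for name in dirs + files:
            rel = os.path.relpath(os.path.join(root, name), bundle)
            if name == IZPACK_ICON or name in THREAT_NAMES:
                found.add(("izpack-icon" if name == IZPACK_ICON else "threat-name", rel))
            if name in files and name.lower().endswith(".jar"):
                found |= scan_jar(os.path.join(root, name), rel)
    return sorted(found)

def verdict(findings):
    """IzPack markers alone are not malicious; only a threat name is suspect."""
    kinds = {kind for kind, _ in findings}
    return "suspect" if "threat-name" in kinds else ("izpack-like" if kinds else "clean")

def build_sample(parent, jar_entries):
    """Constructed test bundle (layout is an assumption, not a real sample)."""
    res = os.path.join(parent, "Sample.app", "Contents", "Resources")
    os.makedirs(res)
    open(os.path.join(res, IZPACK_ICON), "wb").close()
    with zipfile.ZipFile(os.path.join(res, "installer.jar"), "w") as jar:
        for entry in jar_entries:
            jar.writestr(entry, b"constructed placeholder")
    return os.path.join(parent, "Sample.app")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_bundle(build_sample(tmp, ["resources/poinstaller"]))
        print(verdict(hits), hits)
```

To check a real download, pass the path of the `.app` to `scan_bundle`. An `izpack-like` result only means the bundle was built with an installer generator that many legitimate packages also use.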

As the IzPack open-source project lead, I would like to stress the fact that we have nothing to do with this spyware…
Thanks for dropping by.
Yes, your project is good and attractive for organized groups to easily deploy threats in Mac.
What do you mean by that???
Lots of respectable companies use IzPack to deploy very respectable software. We do not make it for deploying spyware, and we don’t have special “spyware”-friendly tricks to offer… contrary to what your comment suggests.
Blame the spyware authors, and blame users for downloading trojan screensavers and blindly clicking through security checks…
Hi Julien,
My apologies for the confusion. I mean, IzPack was used to deploy this threat, but it doesn’t mean it is related, responsible or in any way indicated as malicious. The malicious JAR file is now distributed in many sources online (as apps and screensavers); I have to explain a visual awareness for Mac users to spot possibly infected packages. Apparently, I have to point out that this threat is using the IzPack installer, and as you’ve noticed I have added further information about the threat itself.
Hi Methusela,
is it known where the files get installed in the filesystem? Or does Intego hide the information to sell more of their antivirus software?
Best regards
Yes, the installation locations are known. (I’ll try to put up some details later.)
If new threats are discovered, the first response would be awareness and detection. Then, followed by a detailed description indicating the complete behaviour of the threat. This enables users to identify suspicious behaviour that is possibly undetected. The complete description should also include the installation details as well. Sometimes vendors release portable detection and cleanup (removal) tools to assist possibly infected users.
As a consumer, I believe people pay for a service and product when they find it useful, trustworthy and reliable, especially when there is help in times when users need it the most.
Thanks for the feedback.
Best regards
Do you have the instructions to uninstall this malware? If so, please share.