Pob of SophosLabs found this interesting update; please read the blog post "Updated XProtect protects against OSX.HellRTS".
Apple's Mac OS X Snow Leopard anti-malware signature file "XProtect.plist" has a new definition detecting "OSX.HellRTS" in the latest Security Update 2010-004 / Mac OS X v10.6.4.
XProtect.plist is stored inside the Resources folder of a bundle called CoreTypes.bundle.
CoreTypes.bundle contains the specifications that allow Mac OS X to uniquely identify data types, file formats, associated icons and UTIs (Uniform Type Identifiers), as defined in its Info.plist file.
In this update (Mac OS X v10.6.4), there are two major updates to the Mac OS X detection features (Quarantine and Anti-Malware):
1) Safari extensions (.safariextz) are now risk-assessed as unsafe, which triggers the Mac OS X quarantine feature and displays the warning "...Are you sure you want to open it?".
This assessment is recorded in an XML file called System, which contains risk definitions for certain file types and extensions. The risk assessment has three categories:
As shown below, Safari extensions (.safariextz) were added under
Apple recently released Safari 5 with support for browser extensions, and this security update makes sure that nothing gets executed without a warning.
System file location:
2) The Mac OS X anti-malware signature file "XProtect.plist" now includes detection for the HellRaiser version 4.2 server application.
There are three definitions for OSX.HellRaiser. As highlighted in the screenshot above, two of them detect components by name, rbframework.dylib and RBShell.rbx_0.129.dylib, and the third searches the file for a defined hex string matching the HellRaiser server's auto-launch (login item) command.
The latest XProtect.plist timestamp suggests it was updated on 24 April, just a couple of days after the HellRaiser 4.2 server was discovered in the wild. Unfortunately, it seems the definition had to wait for the combo update released on 15 June.
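To make the two kinds of definition above concrete (a name match on rbframework.dylib / RBShell.rbx_0.129.dylib, and a hex-pattern match on the login-item command), here is a toy model of how an XProtect.plist entry is matched against a file. This is an added example, not Apple's code: the plist it loads is constructed inline, its key names (Description, Matches, MatchFile, NSURLNameKey, Pattern) are only modelled on the shape of the real file, and the hex pattern is a placeholder, not the real OSX.HellRTS signature.

```python
"""Toy model of XProtect.plist signature matching.

Added example, not Apple's code.  The plist below is CONSTRUCTED: its key
names (Description, Matches, MatchFile, NSURLNameKey, Pattern) are modelled
on the shape of the real file, and the hex pattern is a placeholder, not the
real OSX.HellRTS signature.  Matching rule assumed here: every entry under
Matches must hit; a MatchFile entry compares the file name case-insensitively
and a Pattern entry is a hex string that must occur somewhere in the bytes.
"""
import plistlib

# Placeholder for the auto-launch (login item) command the third definition
# hunts for, hex-encoded the way XProtect stores byte patterns.  CONSTRUCTED.
CONSTRUCTED_LOGIN_ITEM_PATTERN = b"make login item".hex()

CONSTRUCTED_XPROTECT_PLIST = plistlib.dumps([
    {"Description": "OSX.HellRTS.A",
     "Matches": [{"MatchFile": {"NSURLNameKey": "rbframework.dylib"}}]},
    {"Description": "OSX.HellRTS.B",
     "Matches": [{"MatchFile": {"NSURLNameKey": "RBShell.rbx_0.129.dylib"}}]},
    {"Description": "OSX.HellRTS.C",
     "Matches": [{"Pattern": CONSTRUCTED_LOGIN_ITEM_PATTERN}]},
])


def load_definitions(plist_bytes):
    """Parse an XProtect-style plist (XML) into a list of definition dicts."""
    return plistlib.loads(plist_bytes)


def _rule_hits(rule, filename, data):
    """One Matches entry: every constraint it carries must hold."""
    want_name = rule.get("MatchFile", {}).get("NSURLNameKey")
    pattern = rule.get("Pattern")
    if want_name is None and pattern is None:
        return False  # an empty rule never matches (fail closed)
    if want_name is not None and want_name.lower() != filename.lower():
        return False
    if pattern is not None and bytes.fromhex(pattern) not in data:
        return False
    return True


def scan(definitions, filename, data):
    """Return the Description of the first definition that fully matches, else None."""
    for definition in definitions:
        rules = definition.get("Matches", [])
        if rules and all(_rule_hits(r, filename, data) for r in rules):
            return definition["Description"]
    return None


if __name__ == "__main__":
    defs = load_definitions(CONSTRUCTED_XPROTECT_PLIST)
    # Constructed samples: two name-based hits, one content-based hit, one clean file.
    for name, blob in [("rbframework.dylib", b"\xcf\xfa\xed\xfe"),
                       ("RBSHELL.RBX_0.129.DYLIB", b""),
                       ("dropper", b"osascript ... make login item ..."),
                       ("clean.dylib", b"hello")]:
        print(name, "->", scan(defs, name, blob))
```

The point worth noticing is how weak a bare filename match is: renaming rbframework.dylib defeats definitions A and B outright, while the content pattern in C survives a rename but breaks on any change to the matched bytes, which is why the real XProtect definitions pair name, type and byte-pattern constraints.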
From Intego security advisory today:
Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.
PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.
So, who’s the partner?
"PremierOpinion" Mac OS X spyware is distributed by 7art-screensavers and published at this link: http://7art-screensavers.com/Mac_OS_X.shtml
The Intego blog published a detailed list of the "PremierOpinion" Mac OS X spyware carriers.
There are 48 Mac OS X screensaver apps at this source, delivered as two different packages.
How to spot “PremierOpinion” Mac OS X Spyware?
1. It uses the IzPack ("Package once. Deploy everywhere.") installer generator. You'll notice on package inspection (control-click the application and choose 'Show Package Contents' from the pop-up menu) that the icons differ: the clean 7art package carries the 7art icon, while the other carries izpack.icns.
2. IzPack-generated installers are Java Archive (.jar) files.
3. Installing a 7art screen saver on its own does NOT require the root password, while the PremierOpinion-sponsored version does. Why? Because it installs spyware that tracks and monitors the user's browsing behaviour, scans the disk for information and sends it back to its remote server. This spyware is very persistent, meaning it does NOT want to be uninstalled.
4. Spyware installs software without the user's consent or notification. It is often bundled with a clean application to mislead users about its true purpose and gain access to their system. In this case, even if you click "Cancel", the IzPack installer still continues with two pop-up screens: 1) the PremierOpinion survey (screenshot) and 2) the 7art screen saver installation (screenshot).
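The static tells in points 1 and 2 (an izpack.icns icon instead of the publisher's own, and an embedded .jar produced by IzPack) can be checked without launching the installer. The following triage script is an added example, not Intego's, 7art's or PremierOpinion's code: it walks an .app bundle's Contents folder, flags the IzPack icon, and opens any .jar it finds to look for classes under IzPack's own Java package (com.izforge.izpack). The two bundles it inspects are constructed in a temporary directory so the example runs offline; the "requires root password" tell from point 3 only shows at run time and is not modelled here.

```python
"""Triage heuristic for the bundled-installer pattern above.

Added example, not Intego's, 7art's or PremierOpinion's code.  It looks for
two static tells: IzPack's generic icon (izpack.icns) in place of the
publisher's own, and an embedded .jar containing IzPack's own classes
(Java package com.izforge.izpack).  The .app bundles it inspects are
CONSTRUCTED in a temporary directory so the example runs offline.
"""
import os
import tempfile
import zipfile

IZPACK_CLASS_PREFIX = "com/izforge/izpack/"   # IzPack's Java package, as a jar path
IZPACK_ICON = "izpack.icns"


def jar_is_izpack(jar_path):
    """True if the archive carries IzPack installer classes."""
    with zipfile.ZipFile(jar_path) as jar:
        return any(n.startswith(IZPACK_CLASS_PREFIX) for n in jar.namelist())


def inspect_bundle(app_path):
    """Walk <App>.app/Contents and report the IzPack tells found."""
    findings = {"icons": [], "izpack_icon": False, "izpack_jars": []}
    for root, _dirs, files in os.walk(os.path.join(app_path, "Contents")):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith(".icns"):
                findings["icons"].append(name)
                if name == IZPACK_ICON:
                    findings["izpack_icon"] = True
            elif name.endswith(".jar") and jar_is_izpack(path):
                findings["izpack_jars"].append(os.path.relpath(path, app_path))
    findings["suspicious"] = findings["izpack_icon"] or bool(findings["izpack_jars"])
    return findings


def build_constructed_bundle(base, name, icon, with_izpack_jar):
    """Write a minimal fake .app (CONSTRUCTED fixture, not a real 7art app)."""
    res = os.path.join(base, name, "Contents", "Resources")
    os.makedirs(res)
    open(os.path.join(res, icon), "wb").close()          # empty icon stand-in
    if with_izpack_jar:
        with zipfile.ZipFile(os.path.join(res, "installer.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            # Fake class entry under IzPack's package; 0xCAFEBABE is the class-file magic.
            jar.writestr(IZPACK_CLASS_PREFIX + "installer/Installer.class",
                         b"\xca\xfe\xba\xbe")
    return os.path.join(base, name)


def demo():
    """Inspect one clean-style and one IzPack-wrapped bundle; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_constructed_bundle(tmp, "Clean.app", "7art.icns", False)
        wrapped = build_constructed_bundle(tmp, "Wrapped.app", IZPACK_ICON, True)
        return inspect_bundle(clean), inspect_bundle(wrapped)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run it against a real bundle with `inspect_bundle("/Applications/Something.app")`. A hit on either tell is a reason to open the .jar and read its install spec before running anything, not proof of spyware by itself: IzPack is a legitimate installer builder and plenty of clean Java software ships with it.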
“Package once. Deploy everywhere.”
This sneaky Mac OS X threat could be bundled and distributed anywhere on the internet.
Be cautious and stay safe!
---> Threat Info FYI
File Name: poinstaller
File Type: Mach-O executable i386
File Size: 470,352 bytes
Threat Type: Backdoor, Downloader, Sniffer, Stealer
Installation Requirement: root
Remote Activity: Installation of other threats
Remote Download File: Rule14.xml
Remote Download: PermissionResearch.zip
File Type: Mach-O executable i386