Home > Emerging Threats, Malwares, OS X > “PremierOpinion” Spyware Now in Mac OS X

“PremierOpinion” Spyware Now in Mac OS X

From Intego security advisory today:

——————————————————————————————————–

Malware: OSX/OpinionSpy

Risk: High

Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdateVersionTracker and Softpedia.
——————————————————————————————————–

Who’s PremierOpinion?

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.

Website: http://www.premieropinion.com/Home.aspx

So, who’s the partner?

“PremierOpinion” Mac OS X Spyware are distributed by 7art-screensavers and published in this link: http://7art-screensavers.com/Mac_OS_X.shtml

Intego blog published detailed list of “PremierOpinion” Mac OS X Spyware.[here]

There are 48 screensaver Mac OS X apps in this source, and there are two different packages.

How to spot “PremierOpinion” Mac OS X Spyware?

1. It uses IzPack “Package once. Deploy everywhere.” software installer generator. You’ll notice from a package inspection (press control+click on the application and from the pop-up menu choose ‘Show Package Contents’), the icons are different7art while the other izpack.icns.

2. IzPack generated installers are in Java Archive (.JAR) file.

3. 7art screen savers installation do NOT require root password. While, PremierOpinion sponsored free software or application requires root password. Why? Because it installs spyware, which will track and monitor users’ browsing behaviour, scans and gather information from the disk and sends back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.

4. Spyware installs software without user’s consent or notification.   It is often bundled with other clean application to misleads users of its true purpose and gain access to users’ system. So, in this case, if you click “Cancel”, the IzPack installer will still continue by two pop-up screen: 1) PremierOpinion survey (screenshot) 2) 7art screen saver installation (screenshot).

“Package once. Deploy everywhere.”

This sneaky Mac OS X threat could be everywhere bundled and distributed in the internet.

Be cautious and stay safe!

——–> Threat Info FYI

File Name: poinstaller

File Type: Mach-O executable i386

File Size: 470,352 bytes

Threat Type: Backdoor, Downloader, Sniffer, Stealer,

Installation Requirement:  root

Remote Activity: Installation of other threats

Remote Download File: Rule14.xml

Remote Download: PermissionResearch.zip

Installation: RunPermissionResearch.sh

Package Name: PermissionResearch.app

File Name: PermissionResearch

File Type: Mach-O executable i386

File Size: 4.1 MB
Resource Package Name: InjectCode.app
File Name: InjectCode
File Type:
Mach-O executable i386
Mach-O 64-bit executable x86_64
File Size: 34,088 bytes
Resource Package Name: macmeterhk.bundle
File Name: macmeterhk
File Type:
Mach-O executable i386
Mach-O 64-bit executable x86_64
File Size:  894,836 bytes
  1. June 2, 2010 at 10:56 am

    As the IzPack opensource project lead, I would like to stress out the fact that we have nothing to do with this spyware…

    • June 2, 2010 at 11:35 am

      Thanks for dropping by.

      Yes, your project is good and attractive for organized groups to easily deploy threats in Mac.

  2. June 3, 2010 at 8:14 am

    What do you mean by that???

    Lots of respectable companies use IzPack to deploy very respectable software. We do not make it for deploying spywares, and we don’t have special “spyware”-friendly tricks to offer… contrarily to what your comment suggests.

    Blame the spyware authors, and blame users for downloading trojan screensavers and blindly clicking through security checks…

  3. June 3, 2010 at 9:08 am

    Hi Julien,

    My apologies for confusion. I mean, IzPack was used to deploy this threat but it doesn’t mean it is related, responsible or in any way indicated as malicious. The malicious JAR file is now distributed in many sources online (as apps and screensaver), I have to explain a visual awareness for Mac users to spot possible infected packages. Apparently, I have to point out that this threat is using IzPack installer and as you’ve noticed I have added further information about the threat itself.

  4. TheDude
    June 3, 2010 at 9:50 am

    Hi Methusela,

    is it known where the files get installed in the filesystem? Or does Intego hide the information to sell more of their antivirus software?

    Best regards

  5. June 4, 2010 at 3:03 am

    Yes, the installation locations is known. (I’ll try to put up some details later.)

    If new threat are discovered, the first response would be awareness and detection. Then, followed by detailed description indicating the complete behaviour of the threat. This enable users to identify suspicious behaviour that is possible undetected. The complete description should also include the installation details as well. Sometimes vendors release portable detection and cleanup (removal) tools to assist possible infected users.

    As consumer, I believe people pay for service and product when they find it useful, trustworthy and reliable especially when there is help, in times when users needed the most.

  6. TheDude
    June 4, 2010 at 4:37 pm

    Thanks for the feedback.

    Best regards

  7. Logan Smith
    March 7, 2011 at 6:48 pm

    Do you have the instructions to uninstall this malware? If so, please share.

  1. June 12, 2010 at 3:44 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: