“PremierOpinion” Spyware Now in Mac OS X

From Intego's security advisory today:

——————————————————————————————————–

Malware: OSX/OpinionSpy

Risk: High

Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia.
——————————————————————————————————–

Who’s PremierOpinion?

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.

Website: http://www.premieropinion.com/Home.aspx

So, who’s the partner?

The “PremierOpinion” Mac OS X spyware is distributed by 7art-screensavers and published at this link: http://7art-screensavers.com/Mac_OS_X.shtml

The Intego blog has published a detailed list of the “PremierOpinion” Mac OS X spyware. [here]

There are 48 Mac OS X screen saver apps from this source, and they come in two different packages.

How to spot “PremierOpinion” Mac OS X Spyware?

1. It uses the IzPack (“Package once. Deploy everywhere.”) installer generator. You’ll notice from a package inspection (control+click on the application and choose ‘Show Package Contents’ from the pop-up menu) that the icons differ: one package carries the 7art icon while the other carries izpack.icns.

2. IzPack-generated installers are Java Archive (.JAR) files.

3. Installing the 7art screen savers does NOT require the root password, while the PremierOpinion-sponsored free software or application does. Why? Because it installs spyware, which tracks and monitors users’ browsing behaviour, scans and gathers information from the disk and sends it back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.

4. The spyware installs software without the user’s consent or notification. It is often bundled with another clean application to mislead users about its true purpose and gain access to the user’s system. So, in this case, if you click “Cancel”, the IzPack installer will still continue with two pop-up screens: 1) the PremierOpinion survey (screenshot) 2) the 7art screen saver installation (screenshot).

“Package once. Deploy everywhere.”

This sneaky Mac OS X threat could be bundled and distributed anywhere on the internet.

Be cautious and stay safe!

Threat Info FYI

File Name: poinstaller

File Type: Mach-O executable i386

File Size: 470,352 bytes

Threat Type: Backdoor, Downloader, Sniffer, Stealer

Installation Requirement: root

Remote Activity: Installation of other threats

Remote Download File: Rule14.xml

Remote Download: PermissionResearch.zip

Installation: RunPermissionResearch.sh

Package Name: PermissionResearch.app

File Name: PermissionResearch

File Type: Mach-O executable i386

File Size: 4.1 MB

Resource Package Name: InjectCode.app

File Name: InjectCode

File Type: Mach-O executable i386; Mach-O 64-bit executable x86_64

File Size: 34,088 bytes

Resource Package Name: macmeterhk.bundle

File Name: macmeterhk

File Type: Mach-O executable i386; Mach-O 64-bit executable x86_64

File Size: 894,836 bytes

OS X Tips: How To Check Your DNS Settings

Option 1 – Click the Apple icon in the upper left corner, open “System Preferences”, then “Network”, and look for “DNS Server”. If you want to modify or remove a malicious entry, you can simply click the box and input the right address. However, if you are not sure, simply try release & renew as instructed below.

Option 2 – Open Terminal (in /Applications/Utilities, or search for it using Spotlight).

From the terminal, type “cat /etc/resolv.conf”. This command will return your domain and name servers.

Another command is “scutil --dns”. Check resolver #1; this often returns the domain and name servers as well.
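As an added example that is not part of the original post, the following POSIX shell script turns the manual resolv.conf check above into a repeatable one: it lists every name server and flags any that is not on a list of resolvers you expect (your router, your ISP or a public resolver you chose). The sample resolv.conf is constructed here so the script runs anywhere; on a Mac you would point it at /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: parse resolver configuration and flag name servers that
# are not on the list you trust. Not code from the original post.

# Print the IP from every "nameserver" line in a resolv.conf-style file.
list_nameservers() {
    # $1 = path to resolv.conf (on a Mac: /etc/resolv.conf)
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print name servers that are not in the allow list given as arguments.
# Returns 0 if every name server is expected, 1 otherwise.
check_nameservers() {
    file=$1; shift
    allowed=" $* "          # pad with spaces so matching is whole-token
    bad=0
    for ns in $(list_nameservers "$file"); do
        case "$allowed" in
            *" $ns "*) ;;                                   # expected resolver
            *) echo "UNEXPECTED nameserver: $ns"; bad=1 ;;  # review this entry
        esac
    done
    return $bad
}

# Constructed sample: the second entry is not the router the user expects.
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# constructed sample resolv.conf, not taken from a real machine
domain example.lan
nameserver 192.168.1.1
nameserver 203.0.113.7
EOF

# On a real Mac: check_nameservers /etc/resolv.conf 192.168.1.1
if check_nameservers "$SAMPLE_RESOLV" 192.168.1.1; then
    echo "DNS settings match the expected resolvers"
else
    echo "DNS settings differ from the expected resolvers; review them"
fi
```

Because macOS builds /etc/resolv.conf from the same configuration that “scutil --dns” reports, an unexpected entry here is worth checking in System Preferences before releasing and renewing the interface.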

Release and renew to remove a malicious DNS entry

From the terminal, type the following:

sudo ifconfig en1 down
sudo ifconfig en1 up

Note: sudo means “run as the root user”, so it will require you to input your password. Also, en1 is often the interface for the LAN and en0 for wireless – just try and see which one works.

Another way is to unplug your internet connection and reconnect. This will also work (",)