TrendLabsSM engineers Alvin Bacani and Jayson Pryde recently analyzed a new spyware (detected by Trend Micro as OSX_OPINIONSPY.A). According to Intego, it came bundled with screensavers hosted on sites that distribute free applications and software updates, such as MacUpdate, Softpedia, and VersionTracker.
Interestingly, the same spyware was also found on the Apple Downloads site, so users browsing that legitimate site might have been exposed to the threat unknowingly. Apple’s swift takedown, however, minimized the exposure time and kept the spyware from spreading further.
The screensavers themselves were found to be nonmalicious, but they downloaded information-stealing spyware that harvested users’ email addresses, iChat message headers and URLs, and other personal data such as user names, passwords, credit card numbers, and Web browser bookmarks and histories. Once installed, the spyware connects to a remote site to send the data it gathers from affected systems (e.g., campaign ID, OS version, OS type).
What makes OSX_OPINIONSPY.A more interesting, however, is its monitoring routine. It connects to a URL to download an upgraded copy of itself, another spyware that sniffs the traffic of instant-messaging (IM) applications (i.e., AIM, GoogleTalk, MSN Messenger, and Yahoo! Messenger) as well as Real-Time Messaging Protocol (RTMP) data packets. This allows cybercriminals to acquire user names and passwords from both IM and RTMP streams. Sniffing these applications’ packets may also capture the information sent and received during conversations.
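As an added illustration of the sniffing routine described above (this is example code, not code from the spyware or from Trend Micro), the following Python shows what a sniffer on the host can pull out of an RTMP session. An RTMP client opens a session with an AMF0-encoded "connect" command whose properties (app, tcUrl, flashVer, and so on) travel in cleartext; some streaming setups pass publisher credentials in the tcUrl query string, which is an assumption made here so that the example has something to extract. The host name, application name, and credential field names in the sample are made up, the sample payload is constructed inline, and the RTMP chunk header that a real sniffer would strip first is omitted.

```python
"""
Added illustration: what an on-host sniffer can read from a cleartext RTMP
"connect" command.  Not code from OSX_OPINIONSPY.A or from Trend Micro; the
payload below is constructed for the demo, and credentials-in-tcUrl is an
assumed convention rather than part of the RTMP specification.
"""
import struct
from urllib.parse import parse_qs, urlsplit

# --- AMF0 decoding (subset: number, boolean, string, object, null) ---------

def amf0_decode(buf, pos=0):
    """Decode one AMF0 value at buf[pos]; return (value, next_offset)."""
    marker = buf[pos]
    pos += 1
    if marker == 0x00:                      # number: big-endian IEEE-754 double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x01:                      # boolean: one byte
        return buf[pos] != 0, pos + 1
    if marker == 0x02:                      # string: u16 length + UTF-8 bytes
        length = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        return buf[pos:pos + length].decode("utf-8"), pos + length
    if marker == 0x03:                      # object: (u16 key, value)* then 00 00 09
        obj = {}
        while True:
            klen = struct.unpack_from(">H", buf, pos)[0]
            pos += 2
            if klen == 0 and buf[pos] == 0x09:
                return obj, pos + 1
            key = buf[pos:pos + klen].decode("utf-8")
            pos += klen
            obj[key], pos = amf0_decode(buf, pos)
    if marker == 0x05:                      # null
        return None, pos
    raise ValueError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))


def parse_connect(payload):
    """Parse the body of an RTMP 'connect' command: name, transaction id, properties."""
    command, pos = amf0_decode(payload, 0)
    transaction_id, pos = amf0_decode(payload, pos)
    properties, _ = amf0_decode(payload, pos)
    if command != "connect" or not isinstance(properties, dict):
        raise ValueError("payload is not an RTMP connect command")
    return {"command": command, "transaction_id": transaction_id, "properties": properties}


# Field names a sniffer would look for; assumed for the demo, not a standard.
CREDENTIAL_KEYS = ("user", "username", "pass", "password", "token")


def extract_credentials(connect):
    """Return credential-looking fields from the connect properties and the tcUrl query."""
    props = connect["properties"]
    found = {k: props[k] for k in CREDENTIAL_KEYS if k in props}
    tc_url = props.get("tcUrl")
    if isinstance(tc_url, str):
        for key, values in parse_qs(urlsplit(tc_url).query).items():
            if key in CREDENTIAL_KEYS:
                found[key] = values[0]
    return found


# --- AMF0 encoding helpers, used only to build the constructed sample -------

def amf0_string(s):
    raw = s.encode("utf-8")
    return b"\x02" + struct.pack(">H", len(raw)) + raw

def amf0_number(n):
    return b"\x00" + struct.pack(">d", float(n))

def amf0_object(fields):
    out = b"\x03"
    for key, encoded_value in fields.items():
        raw = key.encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw + encoded_value
    return out + b"\x00\x00\x09"

# Constructed sample: the AMF0 body of a connect command as a client would send it,
# with the RTMP chunk framing already stripped.  Host, app and credentials are made up.
SAMPLE_CONNECT = (
    amf0_string("connect")
    + amf0_number(1)
    + amf0_object({
        "app": amf0_string("live"),
        "flashVer": amf0_string("MAC 10,0,45,2"),
        "tcUrl": amf0_string("rtmp://streaming.example.invalid/live?user=alice&pass=s3cret"),
        "objectEncoding": amf0_number(0),
    })
)

if __name__ == "__main__":
    connect = parse_connect(SAMPLE_CONNECT)
    print("connect properties:", connect["properties"])
    print("credentials visible on the wire:", extract_credentials(connect))
```

Running the script prints the decoded connect properties and the extracted user name and password. The point is not the AMF0 details but that every field is readable by whatever can see the packets, including a process running on the victim's own machine; the same decode-the-login-message approach applies to any unencrypted IM protocol, which is why the defensive answer is encryption on the transport rather than trust in the local host.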
Based on our analysis, the spyware not only targets Macs but also affects Windows-based systems (detected as SPYW_RELEKNOW). The threat may also come in the form of an application other than a screensaver. Threat Research Manager Ivan Macalintal describes the code used in this attack as “very persistent and sneaky,” as it is possible for the spyware infection to go unnoticed. “This is just another example that debunks the legend that Mac is secure and is malware-free. We will see more and more of cyber-criminals attacking the Mac platform as more and more people are converting from Windows to Mac,” Macalintal further adds.
TrendLabs has reported several other instances in which Mac malware was distributed in the same manner, posing as legitimate applications, in the following entries:
- New Malware Cracks Macs
- Mac OS X DNS-Changing Trojan in the Wild
- Mac Malware Disguised as iPhoto Installer
- More Mac Malware In The Wild
- Not One but Two New OS X Malware
Users, regardless of OS, can stay protected from this threat via the Trend Micro™ Smart Protection Network™. Trend Micro products prevent access to sites where the malicious files are hosted via the Web reputation service. They also prevent the download and execution of the malicious files—OSX_OPINIONSPY.A and SPYW_RELEKNOW—on user systems via the file reputation service.
Update as of June 6, 2010, 9:16 p.m. (GMT -8:00)
OSX_OPINIONSPY.A includes the ability to download updated copies of itself, and the cybercriminals behind this attack are now using that feature. The resulting variants are detected as OSX_OPNIONSPY.SM.