Security firm Intego has found a downloader for spyware being installed by a number of applications and screen savers from download sites including MacUpdate, VersionTracker and Softpedia. The name: OSX/OpinionSpy.
Intego researchers said they found the malcode in the MishInc FLV To Mp3 media converter and screensavers created by 7art-screensavers:
Secret Land ScreenSaver v.2.8
Color Therapy Clock ScreenSaver v.2.8
7art Foliage Clock ScreenSaver v.2.8
Nature Harmony Clock ScreenSaver v.2.8
Fiesta Clock ScreenSaver v.2.8
Fractal Sun Clock ScreenSaver v.2.8
Full Moon Clock ScreenSaver v.2.8
Sky Flight Clock ScreenSaver v.2.8
Sunny Bubbles Clock ScreenSaver v.2.9
Everlasting Flowering Clock ScreenSaver v.2.8
Magic Forest Clock ScreenSaver v.2.8
Freezelight Clock ScreenSaver v.2.9
Precious Stone Clock ScreenSaver v.2.8
Silver Snow Clock ScreenSaver v.2.8
Water Color Clock ScreenSaver v.2.8
Love Dance Clock ScreenSaver v.2.8
Galaxy Rhythm Clock ScreenSaver v.2.8
7art Eternal Love Clock ScreenSaver v.2.8
Fire Element Clock ScreenSaver v.2.8
Water Element Clock ScreenSaver v.2.8
Emerald Clock ScreenSaver v.2.8
Radiating Clock ScreenSaver v.2.8
Rocket Clock ScreenSaver v.2.8
Serenity Clock ScreenSaver v.2.8
Gravity Free Clock ScreenSaver v.2.8
Crystal Clock ScreenSaver v.2.6
One World Clock ScreenSaver v.2.8
Sky Watch ScreenSaver v.2.8
Lighthouse Clock ScreenSaver v.2.8
“The spyware itself is not contained in these applications, but is downloaded during the installation process,” they said.
“The information provided with some of these applications contains a misleading text that users must accept explaining that a ‘market research’ program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.
“The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports.”
In reality it installs a backdoor (port 8254); injects code into Safari, Firefox and iChat; finds personal data and transmits it in encoded form.
Intego blog here.
Paul Ducklin at Sophos AV dug into the malcode a bit further – running one of the 7art screen savers. The app was bundled with something called PremierOpinion from VoiceFive Inc. Ducklin found that VoiceFive had the same address in Reston, Va., as notorious spyware distributor comScore. That group delivered spyware named MarketScore several years ago. Ducklin also found that the 7art domain was registered in Moscow, Russia.
Ducklin blog here.
Tom Kelchner