
Mac spyware alert is not all that new

Over the last few days, you may have seen a story or two warning about a new form of Mac spyware. But there's nothing too novel about this malware.

The pest in question is an application that downloads and installs itself in the background when users add what they think is a free screensaver or some other freebie application. An alert by the Austin, Tex.-based security-software firm Intego lists the crimes of the software that it calls "OSX/OpinionSpy" (but which labels itself "PremierOpinion"): scanning your files and network traffic; injecting its own code into Safari, Firefox and iChat; copying and uploading unknown types of data.

Intego's blog post also contains this sentence, in which I've highlighted the most relevant part:

This application, which has no interface, runs as root (it requests an administrator's password on installation) with full rights to access and change any file on the infected user's computer.

If you've been using a Mac for any length of time, you should know that most applications do not require you to type in your admin password. That is not the case in Windows (or, for that matter, in Linux), in which every application install requires additional consent--clicking through a "User Account Control" dialog in Windows, typing your password in Linux.

So for OSX/OpinionSpy to infect a Mac, you're going to have to do the equivalent of handing over your house keys first--when normal software is content to knock on the front door and wait for you to let it in. That's nothing new in the Mac market; see, for example, this 2007 explanation of an earlier trojan of this type.

The authors of OSX/OpinionSpy may, however, deserve credit for a different sort of innovation. Intego's post says the host applications for their malware were listed on such widely cited Mac-software directories as VersionTracker and MacUpdate. At any of these sites, poor user ratings should suffice to warn off users. At MacUpdate, which says it rates and reviews every application before posting it, a trojan theoretically shouldn't even have shown up.

(MacUpdate chief operating officer Misha Sakellaropoulo e-mailed to say that the site hadn't noticed an issue until its users began discussing problems with these downloads in March and noted that Intego's own software didn't flag this problem until May 31.)

The relative obviousness of this one Mac trojan doesn't make Apple's platform invulnerable--for evidence to the contrary, see the successful attacks demonstrated against fully-patched versions of OS X at the annual Pwn2Own security conference.

But there's security in a worst-case scenario and there's safety in everyday computing. And it remains true that your odds of picking up malware are dramatically higher on Windows--due both to such OS X features as requiring an admin password for anything that would monkey with core system routines and to Windows' higher market share. If you use an older version of Windows or don't update your browser, your risks escalate dramatically. But if you think somebody's gunning for you in particular, you can't count on your choice of software alone to save you.

A Financial Times report on Monday that Google was moving away from Windows in favor of OS X or Linux on its own desktops and laptops illustrates all those dimensions of computing security and safety (if the story is true; Google declined to comment). Yes, Google employees will face fewer random threats on a Mac or in Linux. But if Chinese hackers craft precise attacks against its systems, Google will need to step carefully no matter what operating systems it installs--and failing to keep its browsers up to date, as reports have suggested it did before, would represent an indifference to risk that amounts to computing malpractice.

By Rob Pegoraro  |  June 3, 2010; 9:54 AM ET
Categories:  Mac , Security  


The Google computer that was hacked was compromised through Flash running in IE6 on XP which are both almost 10 years old. Nobody should be surprised that outdated software is vulnerable. There have been _no_ widespread viruses on Windows since Vista or 7 have been released because they are significantly more secure.

As Rob points out with the Mac spyware, just as is true for modern versions of Windows, you have to do something stupid yourself to get infected these days. No company can protect you from being dumb.

Posted by: scarper86 | June 3, 2010 12:47 PM

On my Mac I have a User Account and an Admin Account. I spend most of my time in the User Account. Anytime I install any software at all from that account, the computer will request that I sign in with my Admin name and password to authenticate the install.

Posted by: Ken_G | June 3, 2010 2:21 PM

I had actually downloaded one of these screensavers from Versiontracker at least 6 months ago, but as far as I can tell, at that point it didn't carry the malware. If so, I hope my firewall settings prevented any mischief--I haven't seen any evidence that I have it. I did a full system scan with ClamXav, but I don't honestly know if it would have found it.

Posted by: krazykat23 | June 3, 2010 2:24 PM

ClamXav is supposed to be updated soon to catch this. The OS X firewall does not catch outgoing traffic, I think. The utility Cocktail is supposed to delete it now.

Posted by: fall1 | June 3, 2010 4:21 PM

How many operating systems do you know of that will get infected by merely web browsing? I know of one and it isn't a *nix OS.

Posted by: freakyfreddy | June 3, 2010 8:36 PM

It is routine for Mac applications to request your password during installation, and Apple trains its users to routinely enter their passwords during their frequent auto-updates. I don't see how you can expect a novice user to be able to differentiate between legitimate vs. fraudulent password requests, since entering your password is such a routine aspect of software installation. Virus writers have learned that there is one security hole in every OS which can never be fixed -- the end-user...

Posted by: jerkhoff | June 4, 2010 4:04 AM

The software in question is from ONE company, and the software is screensavers... who uses screensavers anymore? It's not 1990...

Plus OS X comes with a bunch of screensavers...

Posted by: kkrimmer | June 4, 2010 6:58 AM

I think in the future we will see how well OS X can stand against attacks. Now that they have the iPad, people are buying it like gangbusters. More hackers will be trying to write trojans, etc.
Welcome to the wonderful world of Windows problems.
Apple wants to be in the game with the big dog (Microsoft); let's see how they fare. lol

Posted by: shamken | June 4, 2010 7:07 AM

My 80-year-old father uses his Mac all the time. I don't give him the Admin password, so the odds of him downloading malware are low. I shudder to think what would happen on even a Windows 7 machine.

Posted by: will4567 | June 4, 2010 7:22 AM

An indispensable tool for both security and privacy issues is Little Snitch ... a wonderful piece of software that monitors incoming and outgoing traffic. Once configured to allow traffic from certain apps (Skype, Firefox), when it encounters traffic from something not on the approved list, the user is notified immediately and given the option to block forever. It doesn't prevent infection, but the user is notified immediately about unapproved communications.

Posted by: declineToState | June 4, 2010 1:08 PM
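The allowlist behaviour declineToState describes above (pre-approved applications pass, any other process triggers a notification, and the user can block it for good) can be shown as a small replay over connection records. This is an added example in Python; it is not code from the original page and not Little Snitch's own code. The one-line record format, the hostnames and the sample log are constructed for the example; "PremierOpinion" appears as a process name only because the article says the spyware labels itself that way.

```python
import re
from dataclasses import dataclass

# Constructed sample connection records in an assumed one-line-per-connection
# text form: "<timestamp> <process> -> <host>:<port>". This is not real
# Little Snitch output; hostnames use reserved example/test domains and a
# documentation IP address.
SAMPLE_LOG = """\
2010-06-04T13:01:02 Firefox -> www.example.org:443
2010-06-04T13:01:05 Skype -> login.example.net:443
2010-06-04T13:02:10 PremierOpinion -> stats.collector.test:80
2010-06-04T13:02:11 Firefox -> cdn.example.org:80
2010-06-04T13:03:30 PremierOpinion -> stats.collector.test:80
2010-06-04T13:04:00 ScreenSaverEngine -> 203.0.113.7:8080
"""

# Processes the user has pre-approved, as in the comment's Skype/Firefox example.
ALLOWED_PROCESSES = {"Firefox", "Skype"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Connection:
    timestamp: str
    process: str
    host: str
    port: int


def parse_connections(text):
    """Parse the assumed record format. Malformed lines raise rather than
    being skipped, so a corrupted log cannot quietly hide a connection."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable connection record: {line!r}")
        ts, proc, host, port = m.groups()
        conns.append(Connection(ts, proc, host, int(port)))
    return conns


class OutboundMonitor:
    """Per-process allow/block rules plus the list of prompts raised for
    processes that have no rule yet (the 'notified immediately' step)."""

    def __init__(self, allowed):
        self.rules = {p: "allow" for p in allowed}
        self.prompts = []

    def evaluate(self, conn, on_prompt):
        rule = self.rules.get(conn.process)
        if rule is not None:
            return rule
        # Unknown process: notify, then apply the user's answer. "allow" and
        # "block" are persisted (the 'block forever' option); "allow-once"
        # is not, so the next connection from that process prompts again.
        self.prompts.append(conn)
        answer = on_prompt(conn)
        if answer not in ("allow", "block", "allow-once"):
            raise ValueError(f"unexpected answer {answer!r}")
        if answer != "allow-once":
            self.rules[conn.process] = answer
        return "block" if answer == "block" else "allow"


def run(log_text, allowed, on_prompt=lambda conn: "block"):
    """Replay a log through the monitor. Returns (verdicts, monitor), where
    verdicts is a list of (process, host, verdict) in log order. The default
    answer to every prompt is to block the process for good."""
    monitor = OutboundMonitor(allowed)
    verdicts = []
    for conn in parse_connections(log_text):
        verdict = monitor.evaluate(conn, on_prompt)
        verdicts.append((conn.process, conn.host, verdict))
    return verdicts, monitor


if __name__ == "__main__":
    results, mon = run(SAMPLE_LOG, ALLOWED_PROCESSES)
    for process, host, verdict in results:
        print(f"{verdict:5}  {process:18} -> {host}")
    print(f"{len(mon.prompts)} notification(s) raised:",
          sorted({c.process for c in mon.prompts}))
```

Replaying the sample log with the default "block forever" answer raises exactly two notifications (one per unknown process) and blocks the second PremierOpinion connection without prompting again, which is the point of persisting the rule; answering "allow-once" instead prompts on every unknown connection. As the comment notes, this only surfaces the traffic after the software is already installed and running; it does not stop the installation itself.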

freakyfreddy wrote: "How many operating systems do you know of that will get infected by merely web browsing? I know of one"

You must of course be talking about Mac OS X. 2 years ago when OS X went up against Windows Vista (and Ubuntu) it was the OS X system that was taken down first, a whole day ahead of the Vista machine. And it was taken down through Safari.

Unfortunately, you probably didn't mean OS X, and it just illustrates the ignorance of Mac users when it comes to security. They actually believe their system is more secure, not just less attacked.

Posted by: CharlesLD | June 4, 2010 7:02 PM

CharlesLD wrote: Unfortunately, you probably didn't mean OS X, and it just illustrates the ignorance of Mac users when it comes to security. They actually believe their system is more secure, not just less attacked

Take a step back and think hard. The security tests that you linked are targeted attacks without any hardware firewalls in between, not behind hardware firewalls like Google employee computers are. *nix operating systems can be attacked directly, but at this point in time they cannot be compromised by merely web browsing as Windows can. In Google's case their system was breached by an unpatched Windows PC being behind a hardware firewall and infected by merely web browsing.

I have seen many Vista machines infected by people who didn't install anything but did use their Windows machine only for internet browsing. I am beginning to have customers bring in Win7 machines with the same situation. Windows auto-installs software without the user's knowledge. *nix machines do not.
OS X will actually warn you that a program was downloaded from the internet and will not install until you tell it to do so.

For a *nix machine to get infected you have to be stupid and install infected software first. *nix machines will not auto execute and install any code from merely browsing web sites.

So again I stand by my statement. Microsoft Windows operating system is the only OS that will get infected by merely browsing the web.

If you can provide proof of a website that will infect a *nix computer by merely browsing to it then I will test it for myself, pat you on the back, and retract my statement.

Posted by: freakyfreddy | June 5, 2010 12:23 AM

I have to agree with freakyfreddy. Windows machines are wide open to spyware/malware from simply browsing. AVG stated that possibly 1 in every 1000 web sites is a threat. Most antivirus and spyware applications do nothing until the infection is installed. Some don't even install until reboot. The rogue installers set up to run at startup. Mac will warn the user about apps that have been downloaded from the internet, on the first run of the app. So if a Mac user has not installed anything and they see this message, they just deny the running of the app, and trash it. I have worked on way too many PCs and had people tell me, "I was just browsing and then went to bed. When I turned it on today it was doing this." But Windows users accept this as the way it is. Truth is, it is only that way for Windows OSes. Until you try Linux (IT IS FREE), don't knock it. It truly is awesome. No computer is 100% secure, but Windows PCs are way easier to infect than Linux or Mac OS X.

Posted by: diamond4 | June 5, 2010 2:48 AM

Y'all have reading comprehension problems. I said nothing about *nix, and actually run Ubuntu on my personal machines. So don't bother telling me to try an operating system I currently use.

Additionally, the Mac OS X machine WAS taken over by visiting a link in the browser. Day 1 no machines went down when only remote pre-auth attacks were allowed. Day 2 at first only default applications were allowed to be attacked and you were allowed to use attacks that required the user to visit a website, or pre-installed software. It wasn't until the attack surface was expanded to non-default apps that the Vista machine was taken via Flash.

Saying that an unpatched computer can be infected is like saying the sky is blue. The pwn2own was done using fully patched systems. The Ubuntu machine wasn't taken.

I don't know why you want proof about *nix systems, I wasn't talking about *nix, the Ubuntu system wasn't hacked, the Mac OS X system went down first, just by sending the browser to a URL.

Posted by: CharlesLD | June 5, 2010 1:28 PM

Well CharlesLD I pat you on the back as it seems you are more educated than I am on this matter. OS X is a *nix OS since it is based off of BSD I believe and BSD is based off of Unix.
Enjoy your delicate operating system.

Posted by: freakyfreddy | June 5, 2010 3:51 PM

All it takes to be educated is to click the links in this article and read. Reading seems to be difficult for you because you again missed the point that I run Ubuntu. Oh well, I give up on making that point...

One last thing I'll leave you with. OS X isn't exactly BSD. It's an integration of Mach & BSD kernels. The integration is a bit flawed making Mac OS X less secure than BSD as you can use Mach specific calls to circumvent security features in BSD like secure levels.

Something tells me you won't take the time to read and understand that either though. Enjoy your bliss.

Posted by: CharlesLD | June 5, 2010 8:44 PM

Rob, your claim that "most applications do not require you to type in your admin password" is simply not true. A great many Mac OS X applications that come in installer packages require you to type in an administrator password to install. This is routine, not rare.

Posted by: cypherpunks3 | June 5, 2010 11:27 PM

I think everyone got way off topic here. FACT: browsing the web with Windows OS & Internet Explorer will result in Windows operating system potentially becoming infected with malware. NOTE, I SAID "Simply Browsing The Internet, With A Windows OS and Internet Explorer, Will Potentially Result, In The Windows OS Being Infected With Malware".
We are not talking about testing a specific vulnerability, or performing a specific attack on a specific application.

Simply surfing the net with Windows and Internet Explorer can get a Windows OS infected.

No windows user can say he has NEVER had Adware or Malware. We have all hit a site that claims to be scanning our system and finding malware, when in actuality, the site is infecting us.

This does not happen with a *nix system. *nix systems can't run .exe files and have no registry to corrupt or manipulate. Normally, with a *nix system, the rogue .exe file is dropped into the downloads folder, and the user discards it and moves on with whatever he/she was doing.

So simply surfing the web, with a Windows OS and Internet Explorer, Can & Will get the windows OS infected.

Posted by: diamond4 | June 6, 2010 2:37 PM

Most users are not aware of the kinds of tracking applications out there that are embedded in simple things like screensavers. As this case shows, voiceFive networks is behind this app apparently, which is actually a pseudonym for comScore Networks, a publicly traded internet research company. This post about VoiceFive provides some more details for the interested reader.

Posted by: zeronomy | June 6, 2010 9:22 PM


© 2010 The Washington Post Company