Macs under attack by high-risk spyware

analysis
Jun 1, 2010 | 3 mins

High-risk OSX/OpinionSpy, a variant of Windows malware, may be a sign of future insecurity for Apple

All those employees at Google who reportedly feel a whole lot safer running Mac OS X instead of Windows might want to sit down for this: Security company Intego today announced that a high-risk spyware application called OSX/OpinionSpy is spreading via “a number of freely distributed Mac applications and screen savers found on a variety of Web sites.”

Under the guise of a “market research program,” the spyware — a variant of malware that’s existed for Windows since 2008 — is designed to collect a wealth of data on accessible local and network volumes, then send it off to its servers for likely unsavory uses. That data, according to Intego, may include user names, passwords, credit card numbers, Web browser bookmarks, and history.

The timing of the announcement is ironic in that just yesterday, reports emerged that Google was phasing out Windows internally, mostly in favor of Mac OS X, for security reasons. “Particularly since the China scare, a lot of people here are using Macs for security,” one anonymous Google employee reportedly told The Financial Times.

Apple has garnered a reputation for offering more secure platforms than Microsoft, but evidence has emerged in recent months and years to suggest that Apple’s primary defense against security threats has been its significantly smaller user base. Apple has been dinged for security lapses on Mac OS, Safari, iPhone OS, and iPad OS. As reported by InfoWorld Tech Watch contributor Paul Roberts, Apple will only find itself the target of more attacks as its profile and user base continue to swell.

The OSX/OpinionSpy spyware, which opens an HTTP backdoor using port 8254, sends the data it collects, in encrypted form, to a number of servers using ports 80 and 443. OpinionSpy also gathers and inspects incoming and outgoing packets, plus it injects code, without user intervention, into Safari, Firefox, and iChat, and copies personal data from the apps.

The malware is spreading via various software sites, including MacUpdate, VersionTracker, and Softpedia. When downloading apps or screen savers, users may inadvertently download OpinionSpy as well, according to Intego. The spyware is not contained in the apps; it’s downloaded during the installation process.

OpinionSpy is especially insidious in that it has no interface and runs as root, requesting an administrator’s password during installation, according to Intego. If granted that permission, it has full rights to access and change files at will on an infected system.
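
As an added example (not from Intego or the original article), this Python check scans `lsof` output for a process listening on TCP port 8254, the backdoor port reported above, and flags listeners running as root. The sample output and process names are constructed, and a hit is a lead to investigate, not proof of infection.

```python
import subprocess

BACKDOOR_PORT = 8254  # backdoor port the article reports for OSX/OpinionSpy

# Constructed `lsof -nP -iTCP -sTCP:LISTEN` output; process names are placeholders.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root   21u  IPv4 0x0a1b2c3d4e5f6071      0t0  TCP *:22 (LISTEN)
example-a   412 root    7u  IPv4 0x0a1b2c3d4e5f6072      0t0  TCP *:8254 (LISTEN)
example-b   977 alice  12u  IPv6 0x0a1b2c3d4e5f6073      0t0  TCP [::1]:8254 (LISTEN)
example-c  1033 alice   5u  IPv4 0x0a1b2c3d4e5f6074      0t0  TCP 127.0.0.1:18254 (LISTEN)
"""


def find_listeners(lsof_text, port=BACKDOOR_PORT):
    """Return one record per TCP socket listening on `port`."""
    hits = []
    for line in lsof_text.splitlines():
        fields = line.split()
        # Data rows end in "<addr>:<port> (LISTEN)"; the header row does not.
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        host, _, port_text = fields[-2].rpartition(":")
        if not port_text.isdigit() or int(port_text) != port:
            continue  # exact match, so 18254 is not confused with 8254
        hits.append({
            "command": fields[0],
            "pid": int(fields[1]),
            "user": fields[2],
            "as_root": fields[2] == "root",  # article: the spyware runs as root
            "loopback_only": host in ("127.0.0.1", "[::1]"),
        })
    return hits


def live_listeners(port=BACKDOOR_PORT):
    """Run lsof on this machine; use sudo to see sockets owned by other users."""
    result = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                            capture_output=True, text=True, check=False)
    return find_listeners(result.stdout, port)


if __name__ == "__main__":
    for hit in find_listeners(SAMPLE_LSOF):
        print(hit)
```
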

Intego has updated its VirusBarrier X5 and X6 antimalware offerings to detect and eradicate OSX/OpinionSpy.

This article, “Macs under attack by high-risk spyware,” was originally published at InfoWorld.com.