OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

OpinionSpy is back!

Published February 9th, 2015 at 8:08 PM EST , modified February 13th, 2015 at 6:36 AM EST

e-biohazard

OpinionSpy first appeared in 2010, installed along with a number of screensavers made by a company named 7art, as well as a few other applications. OpinionSpy – officially called PremierOpinion by its developers – was spyware disguised as marketing software. It was described by Intego at the time, who attributed to it the ability to capture data from the infected Mac as well as from the network it connected to, as well as having backdoor functionality.

OpinionSpy was one of the first few pieces of malware to be added to the XProtect anti-malware protection in Mac OS X. Despite the fact that all OpinionSpy installers informed the user that data was going to be collected and transmitted back to the developer, it was widely identified as malware due to the data harvesting capabilities. It was quickly driven into extinction at the time, and has not been seen since.

Until now. Yesterday, I found an installer on CNET’s Download.com containing a new variant of the OpinionSpy malware. As regular readers know, this is hardly the first time Download.com has been found distributing bad software, and I have previously recommended boycotting it (and still stand behind that recommendation). However, this may push Download.com one notch further along the badware distribution scale, depending on the capabilities of the latest variant of OpinionSpy.

At this time, it’s still unknown exactly what the capabilities of the new variant are. Is the new variant just another adware program, or does it actually cross the line into malware territory, as the 2010 variant did? An expert from a security company that I have been consulting with tells me it “is not ‘more adware’,” but it’s still too soon for specifics.

I’ll update this article as more details become available. However, if this is as bad as I’m afraid it may be, infected computers will need to have their hard drives erased and everything reinstalled from scratch. This may turn out to be overkill, but it’s what I would recommend if the capabilities mirror those of the 2010 variant.

In addition, assuming that this new variant also collects data, including network transactions, all passwords for online accounts will need to be changed. This may even be necessary for uninfected devices that happened to connect to some online account while on the same network as the infected Mac.

Again, until more information is available, there’s a lot of speculation involved here. I’m intentionally choosing the most conservative, safest approaches to dealing with an OpinionSpy infection. Once more information becomes available, it may turn out this is overkill… or it may be right on target. When I know more, I’ll add an update here.

Updates

Friday, February 13, 2015 @ 6:30 am EST: Apple has added a new OpinionSpy definition to the XProtect anti-malware system in Mac OS X. Testing it against this new variant of OpinionSpy shows that it is, indeed, prevented from opening by this update. Another one bites the dust. (Apple added a slew of other adware definitions as well… I’ll be writing a separate article on that shortly.)

I still know very little about the actual capabilities of this adware/spyware/malware/whatever-you-call-it. Graham Cluley has published a post on Intego’s page with a few additional minor details, but still no hard details about whether there’s a backdoor and exactly what information gets collected.

Tags: , , ,

23 Comments

This post is more than 90 days old and has been locked. No further comments are allowed.