OpinionSpy is back!
Published February 9th, 2015 at 8:08 PM EST , modified February 13th, 2015 at 6:36 AM EST
OpinionSpy first appeared in 2010, installed along with a number of screensavers made by a company named 7art, as well as a few other applications. OpinionSpy – officially called PremierOpinion by its developers – was spyware disguised as marketing software. It was described by Intego at the time, who attributed to it the ability to capture data from the infected Mac as well as from the network it connected to, as well as having backdoor functionality.
OpinionSpy was one of the first few pieces of malware to be added to the XProtect anti-malware protection in Mac OS X. Despite the fact that all OpinionSpy installers informed the user that data was going to be collected and transmitted back to the developer, it was widely identified as malware due to the data harvesting capabilities. It was quickly driven into extinction at the time, and has not been seen since.
Until now. Yesterday, I found an installer on CNET’s Download.com containing a new variant of the OpinionSpy malware. As regular readers know, this is hardly the first time Download.com has been found distributing bad software, and I have previously recommended boycotting it (and still stand behind that recommendation). However, this may push Download.com one notch further along the badware distribution scale, depending on the capabilities of the latest variant of OpinionSpy.
At this time, it’s still unknown exactly what the capabilities of the new variant are. Is the new variant just another adware program, or does it actually cross the line into malware territory, as the 2010 variant did? An expert from a security company that I have been consulting with tells me it “is not ‘more adware’,” but it’s still too soon for specifics.
I’ll update this article as more details become available. However, if this is as bad as I’m afraid it may be, infected computers will need to have their hard drives erased and everything reinstalled from scratch. This may turn out to be overkill, but it’s what I would recommend if the capabilities mirror those of the 2010 variant.
In addition, assuming that this new variant also collects data, including network transactions, all passwords for online accounts will need to be changed. This may even be necessary for uninfected devices that happened to connect to some online account while on the same network as the infected Mac.
Again, until more information is available, there’s a lot of speculation involved here. I’m intentionally choosing the most conservative, safest approaches to dealing with an OpinionSpy infection. Once more information becomes available, it may turn out this is overkill… or it may be right on target. When I know more, I’ll add an update here.
Updates
Friday, February 13, 2015 @ 6:30 am EST: Apple has added a new OpinionSpy definition to the XProtect anti-malware system in Mac OS X. Testing it against this new variant of OpinionSpy shows that it is, indeed, prevented from opening by this update. Another one bites the dust. (Apple added a slew of other adware definitions as well… I’ll be writing a separate article on that shortly.)
I still know very little about the actual capabilities of this adware/spyware/malware/whatever-you-call-it. Graham Cluley has published a post on Intego’s page with a few additional minor details, but still no hard details about whether there’s a backdoor and exactly what information gets collected.
Tags: adware, malware, OpinionSpy, trojan
23 Comments
This post is more than 90 days old and has been locked. No further comments are allowed.
Thanks. I’ve added download.com to my opendns blocklist.
I’ve taken the installer far enough to know a few things about it. The good news is that you must either agree or disagree with the terms, so it isn’t an opt-out type of installer like most adware has been. If you agree then the installer attempts to connect to did.securestudies.com over port 442 (https) and displays a form asking for your age, who owns the computer, how many people in your home, how many children under 18 use the computer, total annual household income, Spanish or Hispanic decent or origin, race and Zip Code.
The installer will place an executable named “poinstaller” in a system temporary location. No idea what it does, but a post-install script then deletes it, presumably after it’s accomplished it’s task, which might simply be communicating your answers back or it might be used to install additional files.
That’s as far as I am willing to take it.
I’m not sure that you are describing the malware itself. As far as I see (atm) it silently do it’s job without asking something or paintings windows. But the connection you mentioned is a malicious one.
Btw it will only work if you provide root access to it.
Al Varnell, I apologise. My previous comment was too hasty.
>> It was quickly driven into extinction at the time, and has not been seen since. Until now.
It is nice that you managed to find it in the wild, but to be honest this sample (exactly malware sample, not full package) has been known at least since November 2014. Most likely vendors just didn’t spend time for analysing it and just added it to the virus bases.
Proof: https://www.virustotal.com/ru/file/a0dcb14b9e00ad12680527d76195b91b9bc05c7ec366d90270306a689b8971cc/analysis/
Anyway, good job @ catching it on CNET’s site.
jesus, is there anyway to get avast without using that site? boycott avast.
You shouldn’t use Avast anyway. It’s got a bad problem with false positives, even detecting system files from time to time. Plus, it recently included an adware feature that was turned on by default.
which antivirus do you recommend?
See my Mac Malware Guide.
For your information: a blog of EAM for (Windows) computer to warn users about dowload wrapper:
http://blog.emsisoft.com/2012/03/06/secure-download-resources-or-a-malware-cesspool-how-trustworthy-are-download-portals-nowadays/
Thank you for your good works.
Have any AVs and/or XProtect added this one to their signatures? Also, have you found it in the wild elsewhere?
Thanks as usual for your help.
XProtect, no. Some anti-virus apps have, but not all by a long shot. No idea where else it may be found, but it has evidently been circulating since November, according to VirusTotal submissions.
Well, that stinks 🙁 But there hasn’t been any reported drive-by download shenanigans or anything like that, right? Just a simple trojan?
Also, any news on whether this variant has a Developer ID?
No drive-by downloads, it’s just a trojan. And it is signed with a Developer ID, so I was able to open it in testing with the default Mac OS X security settings.
More questions, because I can never stop asking them: Thus far, has it been seen anywhere other than on Download.com and similar, or is it running rampant elsewhere?
No idea. Sounds like it may also be part of that video editor app’s official package, but beyond that, I’m not aware of other cases. I’m sure they’re out there, but I don’t know where they might be.
I recently downloaded Avast from the CNET website. I’ve uninstalled it now after reading this but is there any way of knowing/finding out if any extra nasties such as this malware came with it?
Any of the nasty software that piggybacks in with CNET downloads is fairly obvious. Either you’ll start getting pop-up ads all over the place, or in the case of OpinionSpy, you’ll have to fill out some basic demographic information as part of the install process. If you’re not having those problems, you’re fine… but should avoid CNET in the future.
Thanks!
Graham Cluley, writing for Intego, posted an article on February 11th citing Thomas’ article here and offering some minor additional details for those interested:
http://www.intego.com/mac-security-blog/opinionspy-rears-its-ugly-head-on-macs-once-again/
It’s indeed “minor” details. Let’s wait for a detailed description of this new sample.
Maybe give Dr.Web more information about Mac.BackDoor.OpinionSpy.3:
http://news.drweb.com/show/?i=9309&c=5&lng=en&p=0