The return of a malicious Trojan for Mac OS X

Doctor Web security experts have examined a new version of a backdoor Trojan for Mac OS X named Mac.BackDoor.OpinionSpy.3. The malicious program was created to spy on Mac users: it can collect and send the attackers information about the web pages the user loads, analyze the traffic passing through the computer's network adapter, capture network packets sent by instant messaging clients, and perform other malicious functions.

Programs of the Mac.BackDoor.OpinionSpy family have been known to security experts since 2010, but a new version of this malware recently reached the Doctor Web virus laboratory. It was named Mac.BackDoor.OpinionSpy.3.

Mac.BackDoor.OpinionSpy.3 is distributed through a three-stage scheme. Various web pages offering different kinds of software for Mac OS X host seemingly innocuous programs. However, their installation packages contain postinstall scripts that run at the end of the installation. If, while installing the previously downloaded application, the user agrees to grant it administrator privileges, the postinstall script sends a series of POST requests to the attackers' server and receives a link to download a package with the .osa extension, which contains a ZIP archive. The postinstall script unpacks the archive, extracts an executable named PremierOpinion together with an XML file holding the configuration data it needs, and then runs the program.

When run on the attacked computer, PremierOpinion connects to the command-and-control server and obtains a link to another .osa package. This package is a stub that unpacks and installs a complete application of the same name, PremierOpinion. The application includes several executables: PremierOpinion, which contains no malicious functions, and the backdoor PremierOpinionD, which carries the functionality that is dangerous to the Mac OS X user.

The Trojan acquires administrative rights during installation and runs in the system with administrator privileges. If at the start the user selects "I Disagree" in the setup dialog, the program is installed on the computer without any additional spyware components:






If the user chooses "I Agree", PremierOpinion is installed on the computer alongside the downloaded application. Its icon appears in the Dock and in the list of installed applications:










Clicking the application icon in the Dock opens the browser on a page that describes PremierOpinion and presents it as a marketing research tool. However, the page's author in no way mentions that the program collects information about the Apple computer it runs on and uploads it to a remote server.



The program's developers claim that PremierOpinion only monitors the user's purchase history and, from time to time, invites them to take part in marketing research by answering a few questions in a special form.

In practice, the functionality of Mac.BackDoor.OpinionSpy.3 is much broader and is defined by configuration files received from the command-and-control server. The Trojan installs itself in the /Library/LaunchDaemons/ directory, so that it starts automatically after a crash or a reboot of the operating system. Mac.BackDoor.OpinionSpy.3 then installs a special extension that tracks user activity in Google Chrome and Mozilla Firefox and sends the command-and-control server all information about visited web pages (the data are collected according to a specific set of rules), open tabs and clicked links. In addition, Mac.BackDoor.OpinionSpy.3 injects its own library into the browser and into the iChat application in order to intercept certain network functions. It also monitors the traffic passing through the Apple computer's network adapter: HTTP packets, instant messaging traffic (Microsoft Messenger, Yahoo! Messenger, AIM, iChat) and RTMP traffic are tracked on all Ethernet interfaces available on the computer. Using one of its modules, the Trojan can scan the hard disk and all other media mounted on the system, search for files that match rules specified by the virus authors, and send those files to a remote server. The Trojan also sends the attackers information about the infected computer, including its hardware configuration, the list of running processes, and so on. It is able to install its own updates without user intervention by downloading them from the attackers' server. It is worth noting that Mac.BackDoor.OpinionSpy.3 interferes with Safari's localization module:



When exchanging information with the command-and-control server, the Trojan encrypts some of the data and sends some of it in plain text. Among other things, Mac.BackDoor.OpinionSpy.3 can collect and send the criminals information about files and video streams viewed by the user.
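A defender's triage check for the launchd persistence described above, added here as an example that is not part of the Doctor Web report or of the Trojan: it parses the plists in a LaunchDaemons-style directory and flags jobs that run a binary with one of the names the article gives (PremierOpinion, PremierOpinionD) or, more broadly, any RunAtLoad job whose program lives outside standard system paths. The labels, file paths and trusted-path list in the sample are constructed assumptions, not values from the report.

```python
import os
import plistlib
import tempfile

# Binary names taken from the article; every path and label below is a constructed sample.
SUSPICIOUS_NAMES = {"premieropinion", "premieropiniond"}
# Locations where system daemons normally live (an assumption; third-party daemons fall outside).
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")

def program_path(job):
    """Return the executable a launchd job runs, from Program or ProgramArguments."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def audit_launch_daemons(directory):
    """Return (filename, reason) pairs for plists that look like spyware persistence."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                job = plistlib.load(fh)
            except Exception:  # malformed or non-plist file: still worth a look
                findings.append((name, "unparseable plist"))
                continue
        path = program_path(job)
        if os.path.basename(path).lower() in SUSPICIOUS_NAMES:
            findings.append((name, "known OpinionSpy binary name: " + path))
        elif job.get("RunAtLoad") and not path.startswith(TRUSTED_PREFIXES):
            findings.append((name, "RunAtLoad job outside trusted paths: " + path))
    return findings

def build_sample_dir():
    """Write three constructed plists (benign, Trojan-like, third-party) to a temp dir."""
    d = tempfile.mkdtemp()
    jobs = {
        "com.example.benign.plist": {"Label": "com.example.benign", "RunAtLoad": True,
                                     "Program": "/usr/libexec/benignd"},
        "com.example.spy.plist": {"Label": "com.example.spy", "RunAtLoad": True,
                                  "ProgramArguments": ["/Library/PremierOpinion/PremierOpinionD"]},
        "com.example.thirdparty.plist": {"Label": "com.example.thirdparty", "RunAtLoad": True,
                                         "Program": "/Applications/Example.app/Contents/MacOS/exampled"},
    }
    for fname, job in jobs.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return d
```

On a real Mac, call `audit_launch_daemons("/Library/LaunchDaemons")`; the path heuristic also lists legitimate third-party daemons, so treat the output as a review list rather than a verdict.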

The signature of this malware has been added to the Dr.Web virus database. We nevertheless warn users of computers running Mac OS X and recommend paying close attention to the applications they download from the Internet.

Source: Doctor Web


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.