February 27, 2015

Doctor Web analysts conducted a research of a new version of the backdoor Trojan for Mac OS X named Mac.BackDoor.OpinionSpy.3. This malicious program is intended to spy on Mac users: it can collect and transmit information about loaded web pages to the attackers, analyze the traffic passing through the computer's network card, intercept the network packets sent by instant messaging programs and perform some other dangerous features.

Mac.BackDoor.OpinionSpy programs have been known to information security experts since 2010, but recently a new version of this malware got into the Doctor Web's virus laboratory. This backdoor was named Mac.BackDoor.OpinionSpy.3.

Mac.BackDoor.OpinionSpy.3 uses a three-stage scheme for its spreading. On various websites offering all kinds of software for Mac OS X, the user finds seemingly innocuous programs. In their distributions, however, they contain the poinstall file launched when installing. If during the installation of such downloaded application, the user agrees to provide it with administrator privileges, poinstall sends series of POST requests to intruders' server, and in return receives a link to download the package with .osa extension, which contains a ZIP archive. Poinstall unpacks this archive, extracting an executable file called PremierOpinion and an XML file with necessary for its operation configuration data, and then launches the program.

When launched on the target Mac, PremierOpinion also connects to the command and control server and receives a link to download another one .osa package, from which the complete application with the same name, PremierOpinion, is extracted and installed. This application contains several executable files: the PremierOpinion program which does not have any malicious payload and the PremierOpinionD backdoor which implements dangerous features to the user of Mac OS X.

The Trojan gets the administrative rights when installing and operates in the system with administrator privileges. If initially the user chooses “I Disagree” in the Set up dialogue box, only the program that the user downloaded from the Internet is installed on the computer without any additional spy components.

If the user chooses “I Agree”, PremierOpinion is installed on the computer besides the downloaded application. Its icon appears in the command bar and in the list of installed applications.

The PremierOpinion's interface is quite concise.

By clicking the application icon in the command bar, the user runs the browser with a loaded page that contains a description of PremierOpinion presented as a marketing research tool. However, the developer's website does not report that it collects and transmits the information about the Apple computer running this application to the remote server.

The developers claim that PremierOpinion just monitors the user's shopping history, and from time to time offers to take part in marketing research which requiring to answer a number of questions from a special form. In practice, the features of Mac.BackDoor.OpinionSpy.3 are much wider and are defined by the configuration files received from the command and control server. The Trojan is installed into the /Library/LaunchDaemons/ folder; due to this, it is launched automatically if the program fails to run or the system is rebooted. Then Mac.BackDoor.OpinionSpy.3 installs special extension which is tracking user's activity into the Google Chrome and Mozilla Firefox browsers, and transmits to the command and control server all the information about visited sites (data is collected according to specified rule sets), opened tabs and followed links. Besides, Mac.BackDoor.OpinionSpy.3 injects its own library into the browser's processes and iChat to intercept some functions of networking. It also monitors the traffic transmitted through the network card of the Apple computer. HTTP packets, traffic of the instant messaging clients (such as Microsoft Messenger, Yahoo! Messenger, AIM, iChat), and RTMP-traffic are tracked on all the available Ethernet interfaces. With one of the Trojan's module, it can scan the hard drive and all mounted media in the system, search the files matching the virus writers' rules, and send these files to the remote server. Also, the Trojan sends information about the infected computer to the attackers, including the information about the hardware configuration, the list of running processes and so on. The Trojan is able to install its own updates without user intervention, downloading them from the command and control server. It should be noted that Mac.BackDoor.OpinionSpy.3 disrupts the operation of the localization module in Safari.

While exchanging information with the command and control server, the Trojan encrypts some data and transmits some data in plain text. Among other issues, Mac.BackDoor.OpinionSpy.3 can gather and send the information about the videos watched by the user to the criminals.

The signature of this malware has been added to Dr.Web virus database. We warn the users of computers running Mac OS X to pay careful attention to the applications they download from the Internet.

More about this threat