New Mac malware - OSX/Onionspy

Published: 2010-06-02
Last Updated: 2010-06-02 14:48:38 UTC
by Rob VandenBrink (Version: 1)
8 comment(s)

A new strain of MAC Malware is being reported by Intego - OSX/OpinionSpy. 

You can find details here:

So far, it has been seen on a number of screensavers, and a small java/php app generally named  "mac_flv_to_mp3.php" or similar, but be cautious on downloads, it's a simple bolt-on, so be on the lookout for it elsewhere.

The neat thing about this malware is that it passes most static scan tests - the downloaded software itself is clean, the malware is downloaded as part of the installation process.  This highlights the requirement for an on-access  virus scanner for your OSX computers.  I hate to bring "that advertisement" up again, but the "viruses? oh, mac's don't have that problem" statement was both not true and a huge red flag for malware authors.

Thanks to several readers for both pointing us to this article, and shooting us a copy of the actual code !

=============== Rob VandenBrink Metafore

8 comment(s)


Is this Onionspy or Opinionspy? It's called both in the article above. Which one is it?

New Mac malware - OSX/Onionspy
A new strain of MAC Malware is being reported by Intego - OSX/OpinionSpy.

Thanks, Alex
Also, the abbreviation for a Macintosh is not MAC, that's used for Media Access Controller. The proper abbreviation is Mac or mac. PC is used for Personal Computer since it is two words. Since Macintosh is only one word, the proper abbreviation only has the first letter capitalized if at all.

Thanks, Alex
What bugs me most is that Intego found this spyware, yet refuses to tell how to detect if you're infected, and how to remove, other than buying (or using) their virus scanner.

In the past, I downloaded one of the mentioned screen savers, but it must have been an older version (cannot verify), since I didn't find any strange open ports or services running.
We got lots'o'more coming too. Pulling a few allnighters in Grandma's Basement so we can push out at least 5 more by the 10th of Junio. Thank you Ladies and Gentlemen, for our next trick......
Is there anything to this item other than what is typically known as a Trojan? I am trying to figure out if this is leveraging a security hole other than social engineering. So far I can not find anything useful. Anyone have anything they can share?

Everything old is new again - Marketscore by any other name. Note the store at

Does anyone have word of when we might expect A/V (besides Intego) to detect this? Portscanning 8254 on my local networks only works against the customers who *didn't* follow my advice and deploy default-deny rulesets :|
Sorry - s/store/story/ above.
I found this statement odd: "the downloaded software itself is clean, the malware is downloaded as part of the installation process."

Isn't something designed to download and deploy malware, inherently unclean, in and of itself?

I consider downloading it, no different than if it had self-extracted it.

More stealthy, but the downloader should still be considered malicious.

Diary Archives