Free apps install spyware on Macs

The high-risk spyware, dubbed OSX/OpinionSpy, was being installed along with nearly 30 screensavers developed by a company called 7art and an app called MishInc FLV to MP3, according to a list compiled by Intego.

They were found on Softpedia, MacUpdate, and CNET-owned VersionTracker, according to a post on Intego's Mac Security Blog.

VersionTracker had removed all of the items on the Intego list by late afternoon. A MacUpdate representative said the company disabled the screensavers earlier on Tuesday and had never offered the MishInc converter. "Our users were discussing the software installed alongside the 7art screensavers as far back as March," the company said in an e-mail. Softpedia, 7art, and MishInc publisher Brothersoft did not immediately respond to e-mails seeking comment late on Tuesday.

The spyware, a Windows version of which has existed since 2008, is not contained in the apps but is downloaded during the installation process. It is often marked as a "market research" program called PremierOpinion that claims to collect browsing and purchasing information for use in market reports, but it can also come with no warning or message, Intego said.

It's unclear exactly what data is collected and sent to the remote server, but it could include personal information like usernames, passwords, and credit card numbers, the post said.

Here is what the spyware does:

-runs as root with full rights to access and change any file on the computer,

-opens a back door using port 8254,

-scans all accessible files on local and network drives,

-analyzes packets entering and leaving the computer over a local area network, enabling one infected Mac to collect data from different computers on a school or business local network,

-injects code with no user action required into Firefox, Safari, and iChat and copies personal data from those applications, infecting the code of the applications in the Mac's memory but not the actual application files,

-regularly sends encrypted data to a number of servers using ports 80 and 442 about files scanned, as well as other information including e-mail addresses, iChat message headers, and URLs.

The spyware can be automatically upgraded to add new features without the knowledge of the computer user. It occasionally asks for the user's name or prompts the user to fill out surveys via a dialog box.

In some cases the infected computer will not work correctly and the user will need to force a reboot. In addition, deleting the original app or screensaver will not delete or interfere with the spyware, Intego said.

"While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install," the company said. "Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location, and much more."

To see if your system is infected, there are several free Mac malware scanners including ClamXav and iAntiVirus.

This article was first published as a blog post on CNET News.