Manually remove the newly found OSX/OpinionSpy spyware
[crarko adds: OK, there are some serious questions raised about the procedure described below. I suggest waiting for further corroboration before trusting it.]

Here is some background on the recent announcement about a piece of malware which has been found to affect Macs. The spyware in question is called OSX/OpinionSpy and it’s a new variant of Windows spyware that has existed since 2008.

This link (to The Guardian) offers a manual method to remove the spyware which was installed with the screen savers from 7art, or other infected applications which may have been installed.

To see if you're affected, run Activity Monitor (in /Applications/Utilities) and set it to show All Processes in the dropdown menu. Look for a process called 'PremierOpinion' which will be owned by root. If it's there, you've been affected.

To summarize the removal procedure:
  • Go to the /Applications folder in the Finder.
  • Find the PremierOpinion folder.
  • [crarko adds: Possible dangerous step removed.]
  • Move the PremierOpinion folder to the Trash and empty the Trash; if it won't delete, choose 'Empty Trash' while holding the Option key. You may need an administrator password. Reboot the Mac after doing this.
  • Check again in Activity Monitor to be sure the process 'PremierOpinion' is no longer there.
The submitter expresses thanks to Paul Mortgaat on the X4U mailing list for pointing out this tip.

[crarko adds: Thankfully, I haven't tested this one. I've removed one step in this procedure until it can be verified as not making the problem worse. And take a look at the procedure mentioned in this comment as a more comprehensive operation.]

22 comments
According to Intego, this hint will NOT help
Authored by: derekcurrie on Jun 03, '10 11:05:05AM

If removing this spyware / Trojan horse was so easy, I'd be very happy. But according to Intego, the procedure provided here may well be a total waste of time and fool you into thinking you've actually removed this malware when you have not.

Quoting a few points from Intego's 'Mac Security Blog':

http://blog.intego.com/2010/06/01/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/

• This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
• If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
• It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)
• The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
• If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.

CONCLUSION: All of the above points indicate that this spyware is capable of doing literally anything to your Mac. Its ability to upgrade itself means that its abilities will change over time. Its ability to infect the RAM used by other applications indicates that removing its files may not remove it from memory, where it can potentially reinfect itself into hard memory and restart its own process. Its self-upgrade ability means it can change to any process name it likes, not just 'PremierOpinion'. This has been verified by further research by Intego. To quote:

http://blog.intego.com/2010/06/02/further-information-about-the-osxopinionspy-spyware/

"It has discovered that, after a certain time, the spyware makes an “upgrade” and installs another application, which is another variant of the same spyware, called PermissionResearch."

Therefore: Don't entirely count on this hint ridding you of the OSX/OpinionSpy malware. Sorry.

I keep track of Mac security at:

http://Mac-Security.blogspot.com



According to Intego, this hint will NOT help
Authored by: crarko on Jun 03, '10 12:10:57PM

Thanks for your input. The use of Little Snitch to monitor the network traffic is especially useful. If you become aware of a better method of manually combatting this malware and would be willing to submit that as a hint to the community, it would of course be greatly appreciated by all.

~ Craig



According to Intego, this hint will NOT help
Authored by: hamarkus on Jun 03, '10 01:03:28PM

And nothing in your post (or the five bullet points) is a clear proof or even a clear indication that removing the application (and its second version if present) does not solve the problem. Sure, the application has nefarious purposes and uses highly dubious means but there is no indication beyond some vague suspicions that it uses deeper hooks yet.



Read the research please
Authored by: derekcurrie on Jun 04, '10 05:04:05AM

AND YET... I posted my message to help people, not attract troll replies. Read the ongoing research regarding this spyware / Trojan horse please. Your opinion is incorrect. I'll trust the research. What I posted is entirely within the results discovered about this malware and nothing more. Your further opinions are not required.



Read the research please
Authored by: hamarkus on Jun 04, '10 07:42:11AM

If the research contains any reasonable indication that simply removing the application will not fix it, why do you not post that?
Your post just said that this spyware does nasty things (as widely reported) and thus you *believe* simply removing it won't resolve the issue.
You have posted an opinion (maybe based on solid facts which you simply failed to present). I just asked you on what facts your opinion/recommendation was based on.



Requesting that infected apps be removed
Authored by: derekcurrie on Jun 04, '10 05:10:56AM

I've written to Misha at MacUpdate to let him know about the current research on the OSX/OpinionSpy malware and requested that the site take down pages relevant to all the infection vector applications / screensavers. (I note the warnings already posted at the 7art pages).

VersionTracker does not list any of the affected software.

If folks have other favorite shareware download sites, please let them know the situation.



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: MJCube on Jun 03, '10 11:37:45AM
So apparently the name "Uninstall" is a lie. If the above comment is true, this "hint" is not only wrong, but dangerous disinformation!

To simplify, as I understand it: They just want you to run Uninstall and give your password, and then they've got you!


Manually remove the newly found OSX/OpinionSpy spyware
Authored by: robogobo on Jun 03, '10 12:46:25PM

This hint sounds dangerous. Perhaps it should be removed/modified until it can be verified, in case the uninstall procedure is actually making things worse.



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: crarko on Jun 03, '10 01:29:04PM

Agreed. If/when the procedure is verified I'll put the removed steps back in.

~Craig



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: hamarkus on Jun 03, '10 01:06:36PM

On what exactly do you base your 'conclusion' that this won't remove the application:
"Alternatively, move the PremierOpinion folder to the Trash and empty the Trash; if won't delete, choose 'Empty Trash' while holding the Option key. You may need an administrator password. Reboot the Mac after doing this."



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: crarko on Jun 03, '10 01:31:53PM

I couldn't verify that it works. I agree that it's best to err on the side of caution with this.

~Craig

Edited on Jun 03, '10 01:32:32PM by crarko



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: barrym on Jun 03, '10 01:37:41PM

This is a good reason to never log in as Administrator. Once your new Mac has been configured the way you like it, it's actually quite rare you need admin privileges; typical examples are when installing a full-blown third party app, performing a system update, or if there's a problem with the print queue.

I never enter my admin password for a small "free" app, plugin, etc. Rather, I copy its Application icon to my home directory instead of the systemwide App folder. (If I'm really concerned about a new app, I will try it under the Guest account.) Only apps obtained/purchased directly from reputable third parties (e.g. Lightroom, OpenOffice) will get my admin password.

I've ensured my family's Macs are set up this way too. At the very least, it makes them think twice before keying in the admin password. Now that Apple has surpassed Microsoft in market cap, and Google is phasing out all its Windows desktops, OSX becomes a bigger target.

If your local user account is compromised, it's easy to reboot, login as Admin, delete it, and restore just your documents from a backup, without affecting the rest of the machine or other users.

Barry.



Not so worrying . . .
Authored by: bedouin on Jun 03, '10 01:51:36PM

Why would anyone be foolish enough to give a screensaver admin access, after it tells you it wants to do market research?



Trojan Horse Infection Info
Authored by: derekcurrie on Jun 04, '10 05:25:04AM
Intego have found that installing the infection vector applications / screensavers does not always offer a notification about the also installed spyware. It may well be installed without warning.

The very basic way that Trojan horses are installed is that you download something you have not verified as safe, you run the installer, it asks for your password, you provide it, the installation occurs. At this point the Trojan has all your user privileges and can do anything you can do on your computer. If you provided your administrative password, the Trojan has now essentially got root privileges, which means your computer has been 'botted', aka 'zombied', aka 'pwned'.

To not expect root privileged malware to totally take over your computer is irrational. Expect the worst in all cases. This is the only way to be safe and take infection seriously. This is not an exaggerated response. It is a rational response. There is no need for fear if you've kept your backups up-to-date.

Also useful is reading the current professional information about the malware as opposed to settling for reading stuff people like me post about it. This will avoid making unrealistic assumptions and conclusions.
Edited on Jun 07, '10 02:26:45PM by crarko


Trojan Horse Infection Info
Authored by: asmeurer on Jun 04, '10 10:14:21AM
Oh geez! You forgot a </i> and now every comment below yours is in italics! Let's see if I can stop it.

EDIT: Nope.
Edited on Jun 04, '10 10:15:22AM by asmeurer


Trojan Horse Infection Info
Authored by: MJCube on Jun 04, '10 04:54:34PM

I found something similar in another topic just now, with code instead of italics. I can't understand how the tags persist through the headings of posts, which aren't affected.



Trojan Horse Infection Info
Authored by: crarko on Jun 07, '10 02:28:10PM

A Geeklog bug, I expect.



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: joelbruner on Jun 03, '10 03:01:46PM
I did a lot of digging and here are my steps:
Disconnect from the network first in case it is logging keystrokes, don't let it return that data!

# Stop and disable the launchd job first, so the process is not re-launched while its files are removed.
sudo launchctl unload -w /Library/LaunchDaemons/PremierOpinion.plist
# unload -w disables the job but leaves the plist in place; remove the job definition as well.
sudo rm /Library/LaunchDaemons/PremierOpinion.plist
# Installer and auto-upgrade leftovers in /private/tmp
sudo rm /private/tmp/poinstaller
sudo rm /private/tmp/script.sh
sudo rm -rf /private/tmp/installtmp
sudo rm -rf /private/tmp/autoupgrade
sudo rm -rf /private/tmp/tapinstaller
# The application itself
sudo rm -rf /Applications/PremierOpinion

For more info: http://www.brunerd.com/blog/2010/06/03/tearing-apart-opinionspy/
Edited on Jun 03, '10 03:03:03PM by joelbruner


Manually remove the newly found OSX/OpinionSpy spyware
Authored by: joelbruner on Jun 03, '10 04:14:55PM
And to turn off Access for Assistive Devices...
sudo rm /private/var/db/.AccessibilityAPIEnabled

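The hint's Activity Monitor check, Intego's note (quoted in the first comment) that the daemon is kept alive by launchd and later "upgrades" itself to a PermissionResearch variant, and the file list in joelbruner's two comments above all describe indicators that can be checked in one go. The script below does that; it is an added example, not code from the hint, from Intego or from joelbruner. The script name, the function names and the exit-code convention are my own, and it assumes a POSIX sh with awk and that the paths named on this page are the ones to look for, which Intego's warning about self-upgrading makes an assumption rather than a guarantee.

```shell
#!/bin/sh
# check_opinionspy.sh: look for the OSX/OpinionSpy indicators named on this page.
# Added example (not code from the hint, from Intego or from joelbruner); the
# script and function names are assumptions. Requires a POSIX sh with awk.

# Process names reported on the page: the original and the self-"upgraded" variant.
SPY_PROCS="PremierOpinion PermissionResearch"

# Files and directories named on the page, relative to a root so the same
# check can be run against a volume mounted from another boot.
# .AccessibilityAPIEnabled is the normal "assistive devices" flag file and is
# only an indicator here because the installer turns it on; it is also present
# on Macs where that setting was enabled deliberately.
SPY_PATHS="Library/LaunchDaemons/PremierOpinion.plist
Applications/PremierOpinion
private/tmp/poinstaller
private/tmp/script.sh
private/tmp/installtmp
private/tmp/autoupgrade
private/tmp/tapinstaller
private/var/db/.AccessibilityAPIEnabled"

# find_spy_procs: reads 'ps -eo user,comm' output on stdin and prints
# "<owner> <name>" for every process whose basename is in SPY_PROCS.
# The hint says the process is root-owned, but a non-root copy is still
# reported: the owner is nothing to rely on for a negative result.
find_spy_procs() {
    awk -v names="$SPY_PROCS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 {
            base = $2; sub(/.*\//, "", base)   # macOS ps prints the full path in comm
            if (base in want) print $1, base
        }'
}

# find_spy_files ROOT: prints each SPY_PATHS entry that exists under ROOT.
find_spy_files() {
    root="${1:-/}"
    for p in $SPY_PATHS; do
        [ -e "${root%/}/$p" ] && printf '%s\n' "${root%/}/$p"
    done
    return 0
}

# count_spy_files ROOT: number of SPY_PATHS entries present under ROOT.
count_spy_files() {
    root="${1:-/}"
    n=0
    for p in $SPY_PATHS; do
        [ -e "${root%/}/$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# scan_opinionspy ROOT: prints every indicator found; returns 0 when clean,
# 1 when anything was found. Processes are only checked when ROOT is "/",
# since a mounted volume has no process table of its own.
scan_opinionspy() {
    root="${1:-/}"
    hits=0
    if [ "$root" = "/" ] && command -v ps >/dev/null 2>&1; then
        procs=$(ps -eo user,comm 2>/dev/null | find_spy_procs)
        if [ -n "$procs" ]; then
            printf '%s\n' "$procs" | sed 's/^/running: /'
            hits=$((hits + 1))
        fi
    fi
    find_spy_files "$root" | sed 's/^/present: /'
    hits=$((hits + $(count_spy_files "$root")))
    if [ "$hits" -eq 0 ]; then
        echo "no OpinionSpy indicators found under $root"
        return 0
    fi
    echo "$hits indicator(s) found under $root; stay off the network until they are removed"
    return 1
}

# Usage: sudo sh check_opinionspy.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    scan_opinionspy "${2:-/}"
    exit $?
fi
```

Run it as `sudo sh check_opinionspy.sh --scan` on the live system, or, after booting from another drive, pass the mounted volume as the root (`--scan "/Volumes/Macintosh HD"`), in which case only the file indicators are checked. A clean result only means none of the names on this page were found; given Intego's point that the spyware renames and upgrades itself, watching outbound connections with Little Snitch after a removal is still worth doing.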
Manually remove the newly found OSX/OpinionSpy spyware
Authored by: Zeitkind on Jun 05, '10 04:07:02PM

And - if at all - remove trojans and such in single user mode, or better while booted from another drive/DVD, and don't use chroot! Wiping the infected installation is always the best way, and most users are not really good at doing stuff with the shell. Code signing may prevent infection of basic shell commands, but you never know, and I also suggest using /bin/rm instead of rm or using which (though which might be infected too).
I know this one is "only" some kind of a trojan, but we might see more and worse stuff in the future coming to OS X, so lightweight instructions to remove infections are not a really good idea.



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: negritude on Jun 03, '10 10:07:24PM

Note that, a MacUpdate user with the ID of "WCityMike" (Mike Harris), warned about this spyware back in March (3 months ago!). He took the heroic step of posting a warning message on every single MacUpdate entry for the 7art screensavers. Intego and others are late to the party:

http://www.macupdate.com/users/WCityMike

This is one of the reasons that sites like MacUpdate are so important as filters for obtaining software, because they allow users to give each other direct feedback that is often far ahead of what "official" channels provide.



Manually remove the newly found OSX/OpinionSpy spyware
Authored by: negritude on Jun 03, '10 10:56:21PM

And just as an FYI, the company that makes the screensavers has a Twitter page:

https://twitter.com/7artStudio

Scary. Why would anyone be following them?


