According to Intego, this hint will NOT help
Authored by: derekcurrie on Jun 03, '10 11:05:05AM

If removing this spyware / Trojan horse was so easy, I'd be very happy. But according to Intego, the procedure provided here may well be a total waste of time and fool you into thinking you've actually removed this malware when you have not.

Quoting a few points from Intego's 'Mac Security Blog':

http://blog.intego.com/2010/06/01/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/

• This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
• If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
• It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)
• The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
• If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.

CONCLUSION: All of the above points indicate that this spyware is capable of doing literally anything to your Mac. Its ability to upgrade itself means that its abilities will change over time. Its ability to infect the RAM used by other applications indicates that removing its files may not remove it from memory, where it can potentially reinfect itself into hard memory and restart its own process. Its self-upgrade ability means it can change to any process name it likes, not just 'PremierOpinion'. This has been verified by further research by Intego. To quote:

http://blog.intego.com/2010/06/02/further-information-about-the-osxopinionspy-spyware/

"It has discovered that, after a certain time, the spyware makes an “upgrade” and installs another application, which is another variant of the same spyware, called PermissionResearch."

Therefore: Don't entirely count on this hint ridding you of the OSX/OpinionSpy malware. Sorry.

I keep track of Mac security at:

http://Mac-Security.blogspot.com
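
An added example, not part of the original post or of Intego's research: a first-pass audit of launchd job definitions for the relaunch behaviour described in the bullets above, checking both the reported names and any job that launchd keeps alive from a non-system path. The sample jobs, labels and paths are constructed, and the system-prefix list is an assumption; only the names PremierOpinion and PermissionResearch come from this page.

```python
import plistlib

# Names reported in the Intego posts quoted above. The spyware can rename
# itself, so a name match is only the first of two checks.
KNOWN_NAMES = ("premieropinion", "permissionresearch")
# Assumption: binaries under these prefixes are treated as OS-supplied.
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")


def job_command(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [""]
    return job.get("Program") or args[0]


def audit(plists):
    """plists maps file path -> raw plist bytes; returns (path, reasons) pairs."""
    findings = []
    for path, raw in sorted(plists.items()):
        try:
            job = plistlib.loads(raw)
            command = job_command(job)
            haystack = (job.get("Label", "") + " " + command).lower()
        except Exception:  # damaged or non-job file: report it, do not skip it
            findings.append((path, ["unparseable"]))
            continue
        reasons = []
        if any(name in haystack for name in KNOWN_NAMES):
            reasons.append("known-name")
        # KeepAlive may be True or a dict of conditions; either means relaunch.
        if job.get("KeepAlive") and not command.startswith(SYSTEM_PREFIXES):
            reasons.append("relaunched-non-system")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample jobs; labels and paths are made up for the example.
SAMPLE = {
    "/Library/LaunchDaemons/a.plist": plistlib.dumps(
        {"Label": "PremierOpinion", "Program": "/Applications/PremierOpinion/agent", "KeepAlive": True}),
    "/Library/LaunchDaemons/b.plist": plistlib.dumps(
        {"Label": "com.example.helper", "ProgramArguments": ["/private/tmp/helper", "-d"],
         "KeepAlive": {"SuccessfulExit": False}}),
    "/System/Library/LaunchDaemons/c.plist": plistlib.dumps(
        {"Label": "com.example.sysd", "Program": "/usr/libexec/sysd", "KeepAlive": True}),
    "/Library/LaunchDaemons/d.plist": b"not a plist",
}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE):
        print(path, ", ".join(reasons))
```

A "relaunched-non-system" result marks a job for manual review, since legitimate third-party software also uses KeepAlive.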



According to Intego, this hint will NOT help
Authored by: crarko on Jun 03, '10 12:10:57PM

Thanks for your input. The use of Little Snitch to monitor the network traffic is especially useful. If you become aware of a better method of manually combatting this malware and would be willing to submit that as a hint to the community, it would of course be greatly appreciated by all.

~ Craig



According to Intego, this hint will NOT help
Authored by: hamarkus on Jun 03, '10 01:03:28PM

And nothing in your post (or the five bullet points) is a clear proof or even a clear indication that removing the application (and its second version if present) does not solve the problem. Sure, the application has nefarious purposes and uses highly dubious means but there is no indication beyond some vague suspicions that it uses deeper hooks yet.



Read the research please
Authored by: derekcurrie on Jun 04, '10 05:04:05AM

AND YET... I posted my message to help people, not attract troll replies. Read the ongoing research regarding this spyware / Trojan horse please. Your opinion is incorrect. I'll trust the research. What I posted is entirely within the results discovered about this malware and nothing more. Your further opinions are not required.



Read the research please
Authored by: hamarkus on Jun 04, '10 07:42:11AM

If the research contains any reasonable indication that simply removing the application will not fix it, why do you not post that?
Your post just said that this spyware does nasty things (as widely reported) and thus you *believe* simply removing it won't resolve the issue.
You have posted an opinion (maybe based on solid facts which you simply failed to present). I just asked you what facts your opinion/recommendation was based on.



Requesting that infected apps be removed
Authored by: derekcurrie on Jun 04, '10 05:10:56AM

I've written to Misha at MacUpdate to let him know about the current research on the OSX/OpinionSpy malware and requested that the site take down pages relevant to all the infection vector applications / screensavers. (I note the warnings already posted at the 7art pages).

VersionTracker does not list any of the affected software.

If folks have other favorite shareware download sites, please let them know the situation.


