How to Check for Spyware on the Mac

Jun 1, 2010 - 3 Comments

Spyware is generally something you don’t have to worry about on the Mac, but TheLoop is reporting that a company named ‘7art-screensavers’ is releasing malware on the Mac platform with a series of free screensaver downloads. Apparently the screensavers themselves do not include the spyware, but they attempt to download and install the “OSX/OpinionSpy” app during the screensaver installation process. TheLoop describes the spyware behavior as follows:

Dubbed “OSX/OpinionSpy,” the spyware does a number of things on the user’s system including recording user activity and sending information to remote servers. The spyware runs as the root user, giving it full system permissions, and opens port 8254 on infected computers.

So what’s the best thing to do? Don’t install dubious screensavers from 7art. If you have installed any suspect screensavers, check your Mac for this particular spyware by seeing whether the above-mentioned port is in use and whether the spyware process is running.

Check your Mac for Spyware

If you are worried your Mac has been infected by the OSX/OpinionSpy spyware, you can check whether port 8254 is in use by running the following command in the Terminal. Because the spyware runs as root, run lsof with sudo; without it, lsof reports only sockets opened by your own user’s processes:
sudo lsof -i tcp:8254
If anything is reported back, you may have the spyware app installed on your Mac, so pay close attention to which process and user the lsof output names.

Check to see if the spyware process is running:
Next, check whether a process called “PremierOpinion” is running. To do this:

* Open Activity Monitor which is located in /Applications/Utilities/
* Select ‘All Processes’ from the dropdown menu
* In the searchbox type: “PremierOpinion”
* If there are no results, you do not have the spyware installed on your Mac
* If you see the PremierOpinion process running, you will want to kill the process and track down its source to prevent it from relaunching
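
The two checks above (port 8254 and the PremierOpinion process) can be combined in one script. This is an added example, not part of the original article: the function names, the `--live` switch, the narrowing to listening sockets and the embedded sample rows are assumptions constructed for illustration.

```shell
# Added example: scripted form of the article's two checks.
PORT=8254               # port the article says OSX/OpinionSpy opens
PROC=PremierOpinion     # process name the article says to look for

# Read lsof output on stdin; print "command pid user" for each socket
# LISTENing on port $1. Outbound connections to that port are ignored.
parse_listeners() {
    awk -v port="$1" '$NF == "(LISTEN)" {
        n = split($(NF - 1), a, ":")      # "*:8254" or "[::1]:8254"
        if (a[n] == port) print $1, $2, $3
    }'
}

# Read "pid user command" rows on stdin; print rows whose command
# contains $1 (case-insensitive substring match).
parse_procs() {
    awk -v name="$1" '{
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i   # paths may contain spaces
        if (index(tolower(cmd), tolower(name)) > 0) print $1, $2, cmd
    }'
}

# $1 = listener rows, $2 = process rows; either indicator is enough.
verdict() {
    if [ -n "$1" ] || [ -n "$2" ]; then echo SUSPECT; else echo CLEAN; fi
}

# Constructed sample input (not captured from an infected machine).
sample_lsof() { cat <<'EOF'
COMMAND        PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
PremierOpinion 412 root  5u  IPv4 0x0001      0t0  TCP *:8254 (LISTEN)
Safari         901 alice 12u IPv4 0x0003      0t0  TCP 10.0.0.5:50812->203.0.113.9:8254 (ESTABLISHED)
EOF
}
sample_ps() { cat <<'EOF'
  412 root  /constructed/path/PremierOpinion
  901 alice /Applications/Safari.app/Contents/MacOS/Safari
EOF
}
# Live check on a Mac: sudo is needed to see sockets owned by root.
live_check() {
    l=$(sudo lsof +c 0 -nP -iTCP:"$PORT" -sTCP:LISTEN | parse_listeners "$PORT")
    p=$(ps -axo pid=,user=,comm= | parse_procs "$PROC")
    printf '%s\n' "$l" "$p"; verdict "$l" "$p"
}
if [ "${1:-}" = "--live" ]; then live_check
else verdict "$(sample_lsof | parse_listeners "$PORT")" "$(sample_ps | parse_procs "$PROC")"
fi
```

Run without arguments it evaluates the constructed sample rows; with `--live` it queries the machine it runs on and asks for an administrator password because of sudo.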

Mac Spyware screensavers/apps blacklist

Here is the full list of screensavers to avoid installing:

  • Secret Land ScreenSaver v.2.8
  • Color Therapy Clock ScreenSaver v.2.8
  • 7art Foliage Clock ScreenSaver v.2.8
  • Nature Harmony Clock ScreenSaver v.2.8
  • Fiesta Clock ScreenSaver v.2.8
  • Fractal Sun Clock ScreenSaver v.2.8
  • Full Moon Clock ScreenSaver v.2.8
  • Sky Flight Clock ScreenSaver v.2.8
  • Sunny Bubbles Clock ScreenSaver v.2.9
  • Everlasting Flowering Clock ScreenSaver v.2.8
  • Magic Forest Clock ScreenSaver v.2.8
  • Freezelight Clock ScreenSaver v.2.9
  • Precious Stone Clock ScreenSaver v.2.8
  • Silver Snow Clock ScreenSaver v.2.8
  • Water Color Clock ScreenSaver v.2.8
  • Love Dance Clock ScreenSaver v.2.8
  • Galaxy Rhythm Clock ScreenSaver v.2.8
  • 7art Eternal Love Clock ScreenSaver v.2.8
  • Fire Element Clock ScreenSaver v.2.8
  • Water Element Clock ScreenSaver v.2.8
  • Emerald Clock ScreenSaver v.2.8
  • Radiating Clock ScreenSaver v.2.8
  • Rocket Clock ScreenSaver v.2.8
  • Serenity Clock ScreenSaver v.2.8
  • Gravity Free Clock ScreenSaver v.2.8
  • Crystal Clock ScreenSaver v.2.6
  • One World Clock ScreenSaver v.2.8
  • Sky Watch ScreenSaver v.2.8
  • Lighthouse Clock ScreenSaver v.2.8

Also included in the list is an FLV to MP3 converter called ‘MishInc FLV To Mp3’, which reportedly downloads spyware too, so be sure to avoid it as well.

Remember this is pretty rare and only pertains to the list of screensavers/apps above, so the chance of your Mac being infected is slim at best.


Posted by: Manish Patel in Mac OS, Security

3 Comments


  1. […] you want to dig into the nittygritty of it, we have covered how to check spyware on the Mac before using completely manual methods, it’s a much more technical approach than using a 3rd […]

  2. unixguy says:

    Correct me if I’m wrong, but if you don’t place “sudo” in front of the lsof command you can only see the files which have ports open from YOUR user. So if the spyware is using a different user to do its dirty work, this command won’t work.

  3. Kevin says:

    Little Snitch ftw!
