Malware type: Others

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Machintosh OS X

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:


Distribution potential:



This malware may arrive bundled with freely distributed Mac application and screen savers found on a specific website.

Upon installation, the malware connects to specific URL to send specific information.

It then connects to another site to download an updated copy of itself. This file is also detected as OSX_OPINIONSPY.A.

This malware is capable of monitoring the network activities of the affected system. As a result, sensitive information can be stolen from the user.

The malware then connects specific URLs to possibly download other other malicious files and/or send the stolen information. As a result, routines of the downloaded files are exhibited in the system.

Read more about this threat incident in the Malware Blog entry "Mac Sniffer Monitors IM Chats and RTMP Data Packets."

For additional information about this threat, see:

Description created: Jun. 3, 2010 6:38:48 PM GMT -0800


File type: Other

Memory resident:  Yes

Size of malware: 470,352 Bytes

Initial samples received on: Jun 2, 2010

Payload 1: Downloads files

Payload 2: Steals information


Arrival Details

This malware may arrive bundled with freely distributed Mac application and screen savers found on the following website:

  • http://{BLOCKED}creensavers.com

Upon installation, the malware connects to the URL https://{BLOCKED}ecurestudies.com:443/campaignstatus.aspx? to send the following information:

  • Campaign ID
  • Operating System Type
  • Operating System Version
  • Monitor
  • Monitor Version
  • Time
  • Executable Name

This malware then connects to http://{BLOCKED}groutecn.com:8081/rulefiles/rule14.xml to download the file PermissionResearch, which is an updated copy of itself. It is saved in the following directory:

  • /Library/LaunchDaemons

This allows the application to be relaunched by launchd. The downloaded file is also detected as OSX_OPINIONSPY.A.

Information Theft

This malware is capable of monitoring the affected system for the following network activities:

  • Sniff Instant Messaging Applications
  • :
    • AIM
    • GoogleTalk
    • MSN
    • Yahoo! Messenger
  • Monitor Real Time Messaging Protocol (RTMP) Data Packets

It also gathers information from the following applications:

  • Safari
  • ITunes
  • iChat
  • Firefox

It monitors the Internet browsing habits of the user to possibly steal information when users access the following online banking sites:

  • americanexpress.com
  • bankofamerica.com
  • chase.com

As a result, sensitive information can be stolen from the user.

Download Routine

The malware then connects to the following URLs to possibly download other other malicious files and/or send the stolen information:

  • http://{BLOCKED}urestudies.com/efsi.aspx
  • http://{BLOCKED}urestudies.com/oss_speed_save.asp
  • http://{BLOCKED}urestudies.com:8080/dd/dd.aspx
  • http://{BLOCKED}urestudies.com:8080/dm/dm.aspx
  • http://{BLOCKED}urestudies.com:8080/ei/ei.aspx
  • http://{BLOCKED}urestudies.com:8080/fd/fd.aspx
  • http://{BLOCKED}urestudies.com:8080/ita/ita.aspx
  • http://{BLOCKED}ey.securestudies.com/oss/survey.asp
  • http://{BLOCKED}urestudies.com/ossremove.aspx
  • http://{BLOCKED}curestudies.com/oss/rule1.asp
  • http://{BLOCKED}curestudies.com/oss/rule10m.asp
  • http://{BLOCKED}curestudies.com/oss/rule11.asp
  • http://{BLOCKED}curestudies.com/oss/rule14m.asp
  • http://{BLOCKED}curestudies.com/oss/rule15.asp
  • http://{BLOCKED}curestudies.com/oss/rule17.asp
  • http://{BLOCKED}curestudies.com/oss/rule19.asp
  • http://{BLOCKED}curestudies.com/oss/rule21.asp
  • http://{BLOCKED}curestudies.com/oss/rule22.asp
  • http://{BLOCKED}curestudies.com/oss/rule23.asp
  • http://{BLOCKED}curestudies.com/oss/rule24.asp
  • http://{BLOCKED}curestudies.com/oss/rule29.asp
  • http://{BLOCKED}curestudies.com/oss/rule4.asp
  • http://{BLOCKED}curestudies.com/oss/rule6.asp
  • http://{BLOCKED}curestudies.com/oss/rule7.asp
  • https://{BLOCKED}tent.securestudies.com/scripts/contentidpost.dll
  • https://{BLOCKED}curestudies.com/getmembers.aspx
  • https://{BLOCKED}curestudies.com/ossreceive.aspx

Other Details

It drops the following component files used to open port 8254:

  • /private/tmp/poinstallerM
  • /private/tmp/script.sh

Analysis By: Romeo dela Cruz

Updated By: Karl Dominguez


Minimum scan engine version needed: 8.900

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.


 Step 1: Scan your computer with your Trend Micro product to delete files detected as OSX_OPINIONSPY.A  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.