Mac Sniffer Monitors IM Chats and RTMP Data Packets
- Thursday, June 3, 2010, 23:16
- Threat Research
TrendLabs engineers Alvin Bacani and Jayson Pryde recently analyzed new spyware (detected by Trend Micro as OSX_OPINIONSPY.A) that, according to Intego, came bundled with screensavers on sites that host free applications and software updates, such as MacUpdate, Softpedia, and VersionTracker.
Interestingly, the same spyware was also found on the Apple Downloads site. Users browsing the legitimate site might have been exposed to this threat unknowingly. However, Apple’s swift takedown minimized the exposure time and prevented the spyware from spreading further.
The screensavers themselves were found to be nonmalicious, but they downloaded information-stealing spyware that robbed users of their email addresses, iChat message headers and URLs, as well as other personal data such as user names, passwords, credit card numbers, and Web browser bookmarks and histories. Once installed, the spyware connects to a certain site to send the data it gathers from affected systems (e.g., campaign ID, OS version, OS type).
What makes OSX_OPINIONSPY.A more interesting, however, is its monitoring routine. It connects to a URL to download an upgraded copy of itself, another piece of spyware that sniffs data packets from instant-messaging (IM) applications (i.e., AIM, GoogleTalk, MSN Messenger, and Yahoo! Messenger) as well as Real-Time Messaging Protocol (RTMP) data packets. This allows cybercriminals to acquire user names and passwords from both IM and RTMP streams. Sniffing packets off of these applications may also include information sent and received ...