Share post

Airo Security (AiroAV) has recently discovered that a Comscore product for macOS, called PremierOpinion, uses a harmful Man-In-The-Middle (MITM) practice to facilitate its Spyware functionalities. It is developed, distributed and orchestrated by VoiceFive, Inc. a subsidiary of Comscore, Inc.(NASDAQ: SCOR).

This Comscore spyware installs a proxy on ports 8888, 8443 and 8254, where it captures all machine’s SSL/TLS traffic of the user. The spyware is being installed as a bundled application that is offered along with the installation flow of other software products. It installs a local system certificate which any application then automatically trusts. At this point, with all user’s traffic goes through its proxy, PremierOpinion decrypts all SSL encryption in the proxy, and eavesdrop on all user online activity, including emails, banking information, governmental websites and potentially beyond.

If that’s not enough, it imposes a severe security breach by not generating a unique certificate for each machine on which it is installed but rather installs the exact same root certificate for all machines. This is a known bad practice, to say the least, and was in the heart of the infamous “Lenovo Superfish” case of 2015 issued at the time by the US Department of Homeland Security.

Consequently, this Comscore product does not only compromise the user’s privacy and system security but also exposes machines to further, broader attacks. Since the private key can easily be recovered from PremierOpinion, this poor practice renders all machines vulnerable to a mass SSL eavesdropping and spoofing attacks by others.

In a world where privacy and security are becoming a significant concern, we expect those companies who gain access to our utmost sensitive data to be over cautious and refrain from compromising our sensitive data and system security.

About PremierOpinion

PremierOpinion is a decade old spyware developed by VoiceFive, a ComScore company (NASDAQ: SCOR). Dubbed as “OpinionSpy” by the security community, it performs numerous malicious activities. Those include recording user activity such as mouse clicks, fingerprinting machine’s status, running applications and more. The spyware, unsurprisingly, sends the collected information to remote servers.

VoiceFive, according to its website, is a “leading global market research company” which claims to collect data only from “participants who are invited to share their opinion”, or “select groups who ask to join these special panels”. They commit to “protect the anonymity and privacy of all research participants”. But do they?

As we demonstrate in this analysis, none of these claims seems to be true. PremierOpinion’s distribution methods are mostly reliant on user’s lack of intention and automatic acceptance of its full terms, with no actual or explicit consent.

All in all, users who install this spyware are not aware of the installation or its implications. Accordingly, Comscore users gain no real value from “using” it, despite taking a performance hit and despite (unknowingly) waiving privacy rights.

Distribution

PremierOpinion is being distributed by various distribution players and download sites. When being installed, it is usually bundled with an additional software offer.

For this analysis, we will be showcasing one example, in which PremierOpinion is being offered to end users as an additional offer to a product software called “BitLord”, by BitTorrent.

As demonstrated below, the installation process is designed to have PermierOpinion installed, supposedly being part of the Bitlord application.

While users do have the option to declining the offering to install PremierOpinion, it’s not the default choice (i.e. to opt out).

The PremierOpinion app, supposedly an app that presents polls to the users is being installed to: /Applications/PremierOpinion/PremierOpinion.app

The application has a valid and signed developer ID, by VoiceFive Networks.

PremierOpinion also installs two (2) persistent processes to the system’s agents:

A Launch Agent to: /Library/LaunchAgents/ which runs a background process called PremierOpinionAgent . The agent is set to run at boot and relaunch itself in case it is killed. A launch daemon to: /Library/LaunchDaemons/

The Daemon is launching an on-demand job using another plist, which runs a hidden bash script from /Applications/PremierOpinion/.PremierOpinionrn.sh

The bash checks whether the accessibility permissions are enabled, by checking the .AccessibilityAPIEnabled file. When permissions are disabled, the bash makes an attempt to enable them by modifying the file. This practice only works with older versions of macOS.

Then the script executes the final Daemon process, correlating with an app called PremierOpinionD. The app is a sub-app of PremierOpinion.app and resides in PremierOpinion.app/Resources.

PremierOpinionD is the process that runs the actual proxy. A quick look at the code reveals that it is actually based on a project called CSProxy. It is configured to listen to incoming connections on ports 8888, 8443 and 8254.

The process then changes the local HTTPS proxy settings by loading SystemConfiguration library and calling the following system APIs:

The proxy settings are being set to localhost:8888, as can be viewed from the MacOS Network configuration panel:

We can see that from that point on, traffic from the browser is being routed to that location:

What happens inside the proxy? Well, first, we can see that the proxy Terminates, decrypts and inspects all TLS traffic. This is accomplished by installing a system trusted certificate, done by the PremierOpinionD process using system Security APIs:

The certificate which is self-signed is issued to VoiceFive Networks Inc. It is installed as a trusted system root certificate. The proxy issues a derived certificate for the sites that the user browses, which are now trusted by the browser. This allows the proxy to decrypt browsing requests.

Then, the proxy creates connections to the actual browsed websites, on the user’s behalf. The result is flawless, and only observant users can notice that the certificate for visa.com, as an example, shouldn’t actually be issued by VoiceFive:

To top this, based on a test we ran on a few machines, we found that PremierOpinion installs the exact same certificate on all machines. Since the private key can easily be recovered from PremierOpinion, this allows third-party eavesdroppers to intercept and decrypt TLS secure communications without triggering browser warnings.

This can be done by creating a specially crafted phishing site, for example, or by hijacking user’s traffic and placing another MITM proxy that replaces that certificate. This is a design flaw, similar to the design flaw seen with the infamous Superfish incident. Other apps that use a local proxy, such as the web debugger fiddler for example, generate a unique certificate separately on each machine. This mitigates the risk of having the private key leaked to that specific machine. Needless to add that explicit user consent is required at all cases.

User Data Exfiltration

The PremierOpinionD process is constantly pinging its C&C (*.securestudies.com), sending data which has been collected about the user and the machine, in clear text HTTP requests. We captured information which includes the list of open applications, characteristics of mouse clicks and machine information.

We find these highly concerning, as we couldn’t find any actual usage of the proxy for the purpose claimed by PermierOpinion. However, we did find encrypted TLS traffic to the same domain coming from PremierOpinionD.

In order to find out what was being sent, we decided to give the spyware a taste of its own medicine. We ran another MITM proxy (using mitmproxy project) and set it up to run in transparent mode. Using the built-in pf command in macOS, we chained them together by redirecting all traffic coming in from PremierOpinionD’s proxy to our own. Finally, we generated our own certificate (using openssl) and installed it into keychain as a system certificate in ‘always trust’ mode.

Now, we got to see the contents of the traffic PremierOpinion is sending to its server. We notice the amount of traffic is changing in parallel to the user’s activities, especially when web browsing.

PremierOpinion was logging every web site the user was navigating to, along with the application that was used (pid), user-agent, certificate (in this case it shows our own fake one, but in general it’ll be the remote site’s) and more.

And on a different flow, list of all current open application.

Final Thoughts

PremierOpinion Spyware has been around for quite some time now, under different names and guise. We were able to find evidence of its activity dating as early as 2007, both on Mac and Windows. However, similar proxy implementations and behaviors go so far back, only on Windows-based machines.

With MacOS, the MITM practice is fairly new. We found evidence of this attack dating as far as a year ago. It managed to successfully go under the radar for this entire time, especially because the MITM proxy was only used to collect data, rather than modify it. This, in contrast with other MITM attacks seen recently, which inject or modify content as well.

With PremierOpinion the user is unaware of either its traffic-hijacking or the fact that the exact same certificate is installed on countless machines, compromising privacy and security. Consequently, PremierOpinion also renders the machine vulnerable to additional remote attacks, such as phishing or eavesdropping.

PremierOpinion is quite a popular spyware and is actively being spread in the masses, these days. This makes PremierOpinion a serious threat both to user privacy and security.

About the authors: