
OverSight

» download

Mac malware often spies on users by recording audio and video sessions...sometimes in an undetected manner.
OverSight monitors a Mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
compatibility: OS X 10.10+
current version: 1.0.0 (change log)
zip's sha-1: 44bba3b2bfd68405b8d418787eca33fd1ec93a18



One of the most insidious actions of malware is abusing the audio and video capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, OSX/Mokes, and others all attempt to spy on OS X users. OverSight constantly monitors a system, alerting the user whenever the internal microphone is activated or the built-in webcam is accessed. And yes, while the webcam's LED turns on whenever a session is initially started, new research has shown that malware can surreptitiously piggyback onto an existing session (FaceTime, Skype, Google Hangouts, etc.) and record both audio and video without fear of detection, since the LED is already lit.

As with any security tool, direct or proactive attempts to specifically bypass OverSight's protections will likely succeed. Moreover, the current version of OverSight uses user-mode APIs to monitor for audio and video events. Thus any malware that has a kernel-mode or rootkit component may be able to access the webcam and mic in an undetected manner.

Also, as this is the initial release of the tool, there will definitely be improvements in future versions!


To install OverSight, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:


Then, simply double-click on 'OverSight_Installer.app'. Click 'Install' to install the tool:


Once OverSight is installed, it will be running and is set to automatically start each time you log in.


When running, OverSight adds an icon to the status menu. Clicking on this icon displays a menu with status information and configuration options:


While OverSight is running, anytime the internal microphone is activated, or a process accesses the built-in webcam, OverSight will alert you of this fact.

More specifically, whenever the internal microphone is activated, the following notification will be shown:


For webcam usage, OverSight is a little more intelligent, in the sense that it can identify the process that is using the camera. Moreover, if a secondary process accesses the camera (while it's already in use), OverSight can detect this as well. While the secondary process may not be inherently malicious (maybe you're FaceTiming and Skyping at the same time?), malware can piggyback into existing sessions in order to record them. As there are no visible indications of this activity (as the LED light is already on), the malware can record both audio and video without fear of detection....until now!


The webcam notifications contain the name of the process (e.g. OSX/Mokes) and its process identifier. Moreover, the notification allows one to terminate the process via the 'block' option.

In order to configure OverSight, simply click on its icon in the status menu. Then click on 'Preferences':


Unchecking the 'Log Activity' option will stop OverSight from logging audio and video events to the system log (syslog). If the 'Automatically check for updates' option is unchecked, OverSight will not check for new versions.

To manually uninstall OverSight, first stop it (via the 'Quit' menu option), then delete 'OverSight.app' from the /Applications folder. Finally delete the login item (System Preferences, Users & Groups -> Current User -> Login Items). Or, one can re-run 'OverSight_Installer.app'. Clicking the 'Uninstall' button will both stop and remove OverSight from your Mac:


Components/Capabilities/Footprints
The following table briefly summarizes OverSight's components, capabilities, and system footprint:

Executable Component: OverSight_Installer.app
  Capability: Installs or uninstalls OverSight
  System Footprint/Impact:
    Install:
      a) copies OverSight.app to /Applications
      b) starts OverSight_Helper.app
    Uninstall:
      a) stops OverSight_Helper.app
      b) removes OverSight.app (+ all sub-components)

Executable Component: OverSight.app
  Location: /Applications
  Capability: Displays OverSight's preferences pane
  System Footprint/Impact: Contains OverSight_Helper.app

Executable Component: OverSight_Helper.app
  Location: /Applications/OverSight.app/Contents/Library/LoginItems/
  Capability: Monitors for audio and video events
  System Footprint/Impact: Automatically started by the OS when the user logs in; contains OverSightXPC.xpc

Executable Component: OverSightXPC.xpc
  Location: OverSight_Helper.app/Contents/XPCServices (inside the helper bundle)
  Capability: Performs high-privileged actions, such as determining what process is using the webcam
  System Footprint/Impact: None
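As an added example (not OverSight's own code), here is a shell check that the components in the table are present at the listed paths and that the OverSight_Helper process (the name the FAQ below says to look for in Activity Monitor) is running. The full path assumed for the XPC service, OverSight_Helper.app/Contents/XPCServices/OverSightXPC.xpc inside the helper bundle, is composed from the table's rows; the root directory is a parameter so the check can be run against a test tree.

```shell
#!/bin/sh
# Added example (not OverSight's own code): verify OverSight's on-disk
# footprint and running state from a shell, using the paths in the table.

# Return 0 if OverSight.app, its login-item helper and the helper's XPC
# service bundle all exist under the given root (default /Applications).
# The XPC bundle path is an assumption assembled from the table's rows.
oversight_installed() {
    _root=${1:-/Applications}
    _app="$_root/OverSight.app"
    _helper="$_app/Contents/Library/LoginItems/OverSight_Helper.app"
    _xpc="$_helper/Contents/XPCServices/OverSightXPC.xpc"
    for _p in "$_app" "$_helper" "$_xpc"; do
        if [ ! -d "$_p" ]; then
            echo "missing: $_p" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if a process named exactly OverSight_Helper is running
# (the process the FAQ says to look for in Activity Monitor).
oversight_running() {
    pgrep -x OverSight_Helper >/dev/null 2>&1
}

# Print a short summary; exit status is 0 only if both checks pass.
# Usage: oversight_status            (checks /Applications)
#        oversight_status /some/root (checks a different root)
oversight_status() {
    _ok=0
    if oversight_installed "$1"; then echo "installed: yes"; else echo "installed: no"; _ok=1; fi
    if oversight_running; then echo "running:   yes"; else echo "running:   no"; _ok=1; fi
    return $_ok
}
```

Because OverSight_Helper is what actually monitors audio and video, a present OverSight.app with no running helper means the tool is installed but not protecting the session (for example after 'Quit' without a re-login).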

In terms of networking code, each time OverSight starts, it queries https://objective-see.com/products/versions/oversight.json to see if there is a new version of the tool. This can be disabled via the 'Automatically check for updates' option in OverSight's preferences pane. Other than this simple version check, it contains no other networking capabilities.

FAQs
Q: Why does the OverSight Installer need my password?
A: In order to determine what process(es) is/are using the webcam, OverSight interfaces with Apple's 'camera daemon.' This requires elevated privileges. Also, if the user clicks 'block' when a process is detected using the camera, OverSight will terminate that process; this action may also require elevated privileges.

Q: How can I tell if OverSight is installed and running?
A: When started, OverSight adds an icon to the status menu. The presence of this icon indicates that the process is running. One can also check if it's running via Activity Monitor.app: select View->All Processes, and look for a running process named OverSight_Helper.

Q: Why does it take OverSight a few seconds to display the webcam usage notification?
A: There is no easy way to determine what process is using the webcam when the camera is activated. Worse, there is no direct indication that a new process is accessing an existing session. Thus OverSight has to perform various tests and poll the system (only while the camera is active) in order to determine what process(es) is/are accessing the camera. This takes a few seconds...mahalo for your patience ;)

Q: Why can't OverSight always detect what process is using the webcam?
A: While there is no direct way to determine what process is using the webcam, OverSight can almost always figure this out via indirect means. If it fails to identify any process (but can still detect that the webcam was activated), OverSight will still generate a notification stating that the webcam was activated. However, this notification will not contain any process information, nor, of course, the ability to 'allow'/'block' the process.

Q: How is OverSight different than other tools (such as MicroSnitch)?
A: OverSight is unique in a variety of ways:
  • OverSight is 100% free (no demo mode, limited functionality, etc).

  • OverSight is able to identify the process that is accessing the webcam.
    When your webcam's LED light randomly comes on, you'd want to know what process triggered that, right?

  • OverSight provides the means to either 'allow' or 'block' a process that is accessing the webcam.

  • OverSight can detect secondary 'consumer' processes that may be piggy-backing off a legitimate webcam session in order to stealthily record the user without detection. (See: "Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings" for details on this novel attack).

Q: Any other questions?
A: Feel free to shoot me an email at patrick@objective-see.com.

  • © 2016 objective-see llc