10/31/2007, 1:25pm, EDT
Wednesday, October 31st
Trojan horse targets Mac OS X
A new trojan horse designed specifically for Mac OS X systems has been discovered on several pornography websites that can hijack Web traffic, according to security firm Intego. Affected systems are used to hijack some Web requests that lead users to other phishing sites, or simply display ads for other pornographic websites to generate ad revenue. Phishing attacks may lead users to believe they are surfing to eBay, Paypal, or various banks when in fact they are accessing specially-crafted mockups designed to retrieve usernames and passwords for those sites. The trojan, titled OSX.RSPlug.A, is rated as a critical risk by Intego, and is known to affect Mac OS X 10.4 Tiger as well as Mac OS X 10.5 Leopard. Intego is testing prior versions of Mac OS X, but believes them to be vulnerable as well.
The trojan claims to install a video codec necessary for viewing free pornographic videos on Macs, but when users click on the still images to view the content they are directed to a Web page stating that they must download a new version of a codec to play the movie file with QuickTime. Safari users who have checked the "Open 'Safe' Files After Downloading" option in General Preferences will find that the disk image which is downloaded to their Mac automatically mounts, and the installer application will automatically launch.
Proceeding with the installation installs the trojan horse, and requires users to enter their administrator password which grants the malicious software full root privileges. No codec is installed and users who return to the website simply receive another download request.
The trojan itself is a form of DNSChanger, using the scutil command to change the Mac's DNS server -- a service that translates hostnames like macnn.com to their numerical IP addresses. Using a poisoned DNS server, the Mac hijacks some Web requests for phishing or to generate revenue from pornographic advertisements.
What's more, under Mac OS X 10.4 Tiger there is no way to see the changed DNS server in the operating system's graphical user interface, although in Mac OS X 10.5 Leopard users can see the change in the Advanced Network preferences; the added DNS servers are dimmed and cannot be removed manually.
Intego says all versions of Mac OS X include the scutil command, suggesting that all versions are vulnerable to the new trojan.
Filed under: troubleshooting
,
, 50
,
,
,
,

subscribe to comments
for this article
"Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31,2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites."
What's in it for them? (You don't have to answer that).
Sounds like it may have been created by this virus company. Funny how they seem to already have a fix available..
More fud if you ask me.
It'd be nice to know how one could remove the effects of this in the event it happens also. (I mean, other than buy their software)
"Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI."
is not entirely true either. You can use Network Utility to do a lookup and the result will show the DNS used. You can at least verify that DNS is one your ISP supplies. Clearly this doesn't provide all the DNS entries but it does give you the one currently being used which invalidates the statement above.
I do have an issue with using the term "in the wild". A very limited set of websites, to me, is not the same as "in the wild".