Trojan horse targets Mac OS X
updated 01:25 pm EDT, Wed October 31, 2007
New trojan targets Macs
A new trojan horse designed specifically for Mac OS X systems has been discovered on several pornography websites that can hijack Web traffic, according to security firm Intego. Affected systems are used to hijack some Web requests that lead users to other phishing sites, or simply display ads for other pornographic websites to generate ad revenue. Phishing attacks may lead users to believe they are surfing to eBay, Paypal, or various banks when in fact they are accessing specially-crafted mockups designed to retrieve usernames and passwords for those sites. The trojan, titled OSX.RSPlug.A, is rated as a critical risk by Intego, and is known to affect Mac OS X 10.4 Tiger as well as Mac OS X 10.5 Leopard. Intego is testing prior versions of Mac OS X, but believes them to be vulnerable as well.
The trojan claims to install a video codec necessary for viewing free pornographic videos on Macs, but when users click on the still images to view the content they are directed to a Web page stating that they must download a new version of a codec to play the movie file with QuickTime. Safari users who have checked the "Open 'Safe' Files After Downloading" option in General Preferences will find that the disk image which is downloaded to their Mac automatically mounts, and the installer application will automatically launch.
Proceeding with the installation installs the trojan horse, and requires users to enter their administrator password which grants the malicious software full root privileges. No codec is installed and users who return to the website simply receive another download request.
The trojan itself is a form of DNSChanger, using the scutil command to change the Mac's DNS server -- a service that translates hostnames like macnn.com to their numerical IP addresses. Using a poisoned DNS server, the Mac hijacks some Web requests for phishing or to generate revenue from pornographic advertisements.
What's more, under Mac OS X 10.4 Tiger there is no way to see the changed DNS server in the operating system's graphical user interface, although in Mac OS X 10.5 Leopard users can see the change in the Advanced Network preferences; the added DNS servers are dimmed and cannot be removed manually.
Intego says all versions of Mac OS X include the scutil command, suggesting that all versions are vulnerable to the new trojan.










intego
10/31, 01:41pm reply
From the Intego page:
"Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31,2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites."
What's in it for them? (You don't have to answer that).
sgirard
Fresh-Faced Recruit
Joined: Aug 2005
Aaron
10/31, 01:49pm reply
Turn off the Safari option to automatically open "safe" files to avoid this instead of buying Intego's software. They have a history of exaggerating threats to sell software.
afaby
Fresh-Faced Recruit
Joined: Jul 2005
Social Engineering
10/31, 01:58pm reply
This type of social engineering cant be fixed by any patch. If you give a person the keys to your house you shouldnt wonder what happened when they break in while your gone and steal all of your stuff.
Sounds like it may have been created by this virus company. Funny how they seem to already have a fix available..
More fud if you ask me.
MacZealot36
Fresh-Faced Recruit
Joined: Jan 2007
or. . .
10/31, 01:58pm reply
or, don't continue with the installation.
It'd be nice to know how one could remove the effects of this in the event it happens also. (I mean, other than buy their software)
gudin
Fresh-Faced Recruit
Joined: May 2000
Yeah...
10/31, 02:15pm reply
What a joke. Seeing as how this won't install without user intervention, it's hardly a serious threat.
MacnTX
Fresh-Faced Recruit
Joined: Apr 2004
Show of Hands?
10/31, 02:17pm reply
Show of hands -- how many Mac users get their Apple software updates from p*** sites? I've been getting mine from Apple via the "Software Update" utility. Am I doing something wrong... :--)
davoud
Fresh-Faced Recruit
Joined: Jan 2005
Checking DNS on 10.4
10/31, 02:21pm reply
The statement from Intego that:
"Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI."
is not entirely true either. You can use Network Utility to do a lookup and the result will show the DNS used. You can at least verify that DNS is one your ISP supplies. Clearly this doesn't provide all the DNS entries but it does give you the one currently being used which invalidates the statement above.
roblively
Fresh-Faced Recruit
Joined: Nov 2005
Trying to spin up busines
10/31, 02:21pm reply
There trying to spin up business again. They have done this several times already in the past. All of there supposed threats they have found have all been proven FALSE!
horvatic
Fresh-Faced Recruit
Joined: Apr 2002
sheesh...
10/31, 02:22pm reply
...is it a bad thing that i've been getting my OS updates from redtube.com?
rtbarry
Fresh-Faced Recruit
Joined: Aug 2001
One good thing
10/31, 02:37pm reply
Good or bad intentions, this comes up at a good time, with the Mac market share growing quickly. Windows users need to know that while there's virtually no risk of just casual surfing, OS X won't stop you from doing stupid things either.
I do have an issue with using the term "in the wild". A very limited set of websites, to me, is not the same as "in the wild".
JTh
Fresh-Faced Recruit
Joined: Sep 2007