New Mac Trojan targets porn viewers (i.e. Everyone)
Intego has issued a rare “critical” security alert for Mac users pertaining to a new Trojan Horse application – primarily spread through visiting adult websites.
Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Risk: Critical
Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:
“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe†Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.
Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)
The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions.
Perhaps not coincidentally, Intego suggests the best way to combat this Trojan (asides from getting a girlfriend, of course) is ” to run Intego VirusBarrier X4 with its virus definitions dated October 31,2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites.”
If you think you might be infected by the Trojan but don’t want to fork over $80 for VirusBarrier (free trial available), Macworld has published a tutorial on how to check for and remove the Trojan using Terminal.
Intego’s site is loading very slowly. Looks like the got what they wanted with this sensationalized story.
Trojan horse? Seriously though, aren’t they supposed to be very bad because they install on your system Without you doing anything active for it? This Trojan horse seems to require you to launch its installer, then provide it with an administrator password(!).
It does seriously make you wonder about the origins of these viruses when the companies promoting their existence just “happen” to have already created a fix for them doesn’t it ?
The virus industry depends on new virus development for their existence and it must piss them off something rotten that there is still no real virus available for OS X as it removes one avenue of development for them. They must be doubly bothered now they can see that the rate of take up of OS X and Macs is increasing as quickly as it is….
—
Scott
http://ukmac.net
Aviad, I believe you’re confusing a trojan and a virus.
A trojan masquerades as a useful piece of software that the user installs. Since they rely so heavily on social engineering, trojans aren’t as dangerous as viruses or worms. The piece of malware above is a trojan.
A virus installs with minimal user interface; Usually all that’s required of the user is that he open an email, visit a website, or insert a disk. Since they do require some form of interaction, viruses are not quite as dangerous as worms. Think MyDoom.
A worm self-replicates through a network by exploiting security holes. Think Nachi.
Thanks, Intego, for letting me know that “The best way to protect against this exploit is to run Intego VirusBarrier X4.” All this time I thought the best way to protect against this exploit was to use the default OS X settings, and not install unsolicited software from Porn Sites! (I’m still trying to find a viewer to decode that naked jpeg of Anna Kournikova somebody emailed me back in 1999).
Here’s my $80 to protect me from this “critical” security alert. Wait, let’s go with the package deal for an extra 35 bucks. For that I get your VirusBarrier, a free copy of my credit report, enrollment in your do-not-call phone list, my preferred membership card, and you change the fluid in my windshield washer reservoir.
Whoever came up with this idea better get stock options. Just keep them away from my mother’s pension account.