In association with heise online

01 November 2007, 12:14

Mac trojan in video codec used on porn websites


Security firms Intego and Sunbelt have discovered a trojan designed for Mac users. According to Intego, spam pointing to porn websites that attempt to get Mac users to install the contaminant OSX.RSPlug.A has been sent to several Mac forums.

This social engineering technique has been known for some time and was used, for instance, at the beginning of the year to distribute Windows trojans. When users click on what appears to be a link to a video, they first receive an error message stating that the video codec needed to play the video is not installed. According to the security advisory, the codec is then automatically downloaded to Macs. Installation is automatic if the Safari setting Open “Safe” Files After Downloading is enabled; otherwise, users have to double-click. Users then have to enter the administrator password to complete installation, which they will probably do without suspecting they are under attack because they believe a codec is being installed.

The trojan then redirects DNS entries to a server controlled by the malware authors, which redirects browsers to phishing websites by means of manipulated DNS replies for eBay, PayPal, and a number of bank websites. It also creates a cronjob that checks these settings once a minute and resets them if they have been changed. Intego writes that there is no way under Mac OS X 10.4 to find the DNS entries in the user interface, though they can be found under extended network settings in Mac OS X 10.5 (Leopard).
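The two traits described above (changed DNS servers and a once-a-minute cronjob) can be checked from the command line. The following is an added example, not code from the article, Intego or Sunbelt; the allow-list of trusted resolvers, the sample addresses and the script path are constructed assumptions.

```shell
#!/bin/sh
# Added example with constructed sample data (documentation address ranges).

# Read resolver config (scutil --dns output or resolv.conf) on stdin and print
# every nameserver that is not in the space-separated allow-list given as $1.
unexpected_resolvers() {
    allowed=" $1 "
    awk '/^[ \t]*nameserver(\[[0-9]+\])?[ \t:]/ { print $NF }' | sort -u |
    while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;                  # trusted resolver, ignore
            *) printf '%s\n' "$ns" ;;      # anything else is reported
        esac
    done
}

# Read a crontab on stdin and print entries scheduled for every minute,
# the interval the article gives for the job that restores the DNS settings.
every_minute_jobs() {
    awk '!/^[ \t]*#/ && NF >= 6 &&
         $1 ~ /^\*(\/1)?$/ && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*"'
}

# Constructed samples so the script runs offline.
SAMPLE_DNS='resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 192.0.2.1
  order   : 200000'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /path/to/unknown-script'

printf '%s\n' "$SAMPLE_DNS"  | unexpected_resolvers "192.0.2.1"
printf '%s\n' "$SAMPLE_CRON" | every_minute_jobs

# On a live Mac, feed the functions real data (check root's crontab as well):
#   scutil --dns | unexpected_resolvers "192.0.2.1"
#   crontab -l   | every_minute_jobs
```

A legitimate job can also run every minute, so a hit from `every_minute_jobs` is a prompt to inspect the listed command, not proof of infection.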

Sunbelt says that no virus scanner reacts to the contaminant yet. Intego has found a number of downloads indicating that multiple variations of the trojan are in circulation. However, no information is yet available on how widespread the contaminant is. Users can therefore only be careful and use a virus scanner for Mac OS X in the hope that the antivirus software vendor has already detected the contaminant and provides a signature.

It seems that online criminals are now taking a closer look at Mac users. Attackers may soon step up the exploitation of vulnerabilities in system software for Macs. As this recent trojan demonstrates, Mac users are just as vulnerable to social engineering attacks as users of other systems are. Mac users are also advised to heed the tips for the safe handling of e-mail at heise Security's antivirus sites.


(mba)

Permalink: http://h-online.com/-733890
 

