NEWS: New Trojan Horse targets Mac users
Terry Willis
New Trojan Horse targets Mac users
Intego warns of nasty malware that targets Macs
Jim Dalrymple, Macworld.com
Security research company Intego on Monday issued a security alert about a new Trojan Horse called OSX.RSPlug.A that specifically targets Mac users. The Trojan is a form of DNSChanger that changes the Mac's Domain Name Server (DNS) address.
According to Intego, the Trojan has been found on several pornographic websites. When trying to view a movie, the user is told that "Quicktime Player is unable to play movie file. Please click here to download new version of codec."
When the user clicks the link a disk image (.dmg) is downloaded to the desktop. When the user installs the software, they are actually installing the Trojan, not a free video codec. The Trojan is installed with full root privileges, which means it has access to all files and commands on the system.
When the malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as eBay, PayPal and some banks) or to web pages displaying ads for other pornographic web sites, according to Intego.
The Trojan also installs a root crontab which checks every minute to ensure that its DNS server is still active, the company said. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.
Intego says that using Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's interface. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. Intego has updated its virus definitions to remove the malicious code and prevent it from being installed.
==========
Puper Mac malware 'not a drill' McAfee warns
Mac users get second warning over nasty DNS-affecting Trojan Horse
Jonny Evans
Hot on the heels of Intego's declaration of a Trojan Horse exploit affecting Macs comes similar news from McAfee Avert Labs. McAfee Avert Labs has discovered that the malware family called Puper, which has been plaguing Windows users, is now targeting Mac users.
The description of the exploit - which is given on the blog of virus researcher Allysa Myers - sounds remarkably similar to that of the Trojan Horse announced (and named) last night by Intego. Mac users are being directed to fake codec websites which host malware that changes the settings on their server, warns McAfee.
"This means that when they attempt to visit a website, the malware is able to re-direct them to another website in the background which could be a phishing site." The Puper malware family has been "plaguing" Windows users since 2005, McAfee warns. It is the same bug that has recently been reported as installing itself from infected MySpace pages.
At present the malware is surfacing on pornographic websites. Like the Intego bug, McAfee warns that users are led to sites which say they must install a new codec to view the videos they offer. When the newest Puper fake codec site is accessed by a Mac, the file which is offered is a .DMG file rather than the usual .EXE file one would see on Windows. Depending on your browser settings, this may run automatically. Once it runs, it begins installing an application called MacCodec.
In the background, a script is created which then creates a scheduled task to change the DNS to point to a malicious server. In effect, instead of getting valid entries for websites like you would expect, you’re now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you.
Avert Labs has identified dozens of different fake codec sites currently serving this Mac malware. "People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues. This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows," warns Myers.
Posted on behalf of Euan Williams, who spotted this information. I've no information to add; has anyone any experience of this...?
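Both articles describe the same two symptoms on an infected Mac: resolver addresses the user never configured, and a root crontab job that runs every minute to put them back. The script below is an added example, not code from either article, from Intego or McAfee, or from the poster; it shows how an administrator could check a Mac for those two symptoms from text captured on the host. It runs on constructed sample text standing in for the output of `scutil --dns` and a root `crontab -l`; the allow-listed and injected addresses are taken from documentation IP ranges, and the cron command path is a placeholder, none of which come from the articles.

```python
"""Added example: flag the two symptoms described in the articles above,
unexpected DNS resolvers and a root cron job that fires every minute.
Inputs are constructed samples, not output from a real infection."""

import re

# Resolvers this site actually hands out (assumption: replace with your own).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # RFC 5737 documentation range

# Constructed sample of `scutil --dns` output. The 198.51.100.x addresses
# stand in for injected resolvers (documentation range, not real malware IPs).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 198.51.100.7
  nameserver[1] : 198.51.100.8
  nameserver[2] : 192.0.2.53
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""

# Constructed sample root crontab: one normal daily job plus one job scheduled
# every minute, which is the persistence pattern the articles describe.
# The command path is a placeholder, not a path taken from the articles.
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
* * * * * /path/to/PLACEHOLDER_dns_reset.sh >/dev/null 2>&1
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)


def resolvers_from_scutil(text):
    """Return resolver addresses listed in `scutil --dns` output, in order, deduplicated."""
    seen = []
    for addr in NAMESERVER_RE.findall(text):
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers present on the host that are not in the allow-list."""
    return [a for a in resolvers_from_scutil(text) if a not in expected]


def every_minute_jobs(crontab_text):
    """Commands from crontab lines whose schedule is `* * * * *` (every minute).
    Comments, blank lines and environment settings (fewer than six fields) are skipped."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # keep the command intact even if it has spaces
        if len(fields) == 6 and fields[:5] == ["*"] * 5:
            jobs.append(fields[5])
    return jobs


def assess(scutil_text, crontab_text):
    """Combine both checks. 'suspicious' is set only when both symptoms are present,
    since a minutely cron job on its own is not unusual."""
    bad_dns = unexpected_resolvers(scutil_text)
    minutely = every_minute_jobs(crontab_text)
    return {
        "unexpected_resolvers": bad_dns,
        "every_minute_jobs": minutely,
        "suspicious": bool(bad_dns) and bool(minutely),
    }


if __name__ == "__main__":
    # On a real Mac you would feed in `scutil --dns` and `sudo crontab -l` output.
    for key, value in assess(SAMPLE_SCUTIL_DNS, SAMPLE_ROOT_CRONTAB).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires both symptoms together: a site may legitimately run minutely cron jobs, and a resolver outside the allow-list may be a laptop on a home network, but the combination is the pattern the articles describe. Under Mac OS X 10.4, where the articles say the interface does not show the changed server, the command-line output is the only place the extra resolvers appear, which is why the check parses `scutil --dns` text rather than relying on the Network preference pane.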