Intego Warns of Mac OS X Trojan Horse
October 31st, 2007 at 3:00 PM - News by John Martellaro
Intego warned of a new Trojan Horse on Wednesday that affects Mac OS X and has been found on several pornography Websites. The Trojan Horse modifies the Mac's DNS server setting so that Web requests can be redirected to alternate servers, including phishing sites, where personal data can then be stolen. However, a long series of poor decisions by the user is required for it to become active.
Intego described the process of infiltration as follows:
When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:
Quicktime Player is unable to play movie file. Please click here to download new version of codec.
After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open "Safe" Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac's DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as eBay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.
TMO notes that this is not a reportable security weakness in Mac OS X. Rather, it is a carefully orchestrated sequence of events that, while specific to Mac OS X, could be replicated on any other OS.
The installation, in fact, depends on a long series of catastrophic failures of judgment by the user. The user must download an unknown file from a pornography Website, have Safari's General settings set to "Open 'safe' files after downloading," and then enter an administrator password for the installation of an untrusted package.
There have been previous discussions of such destructive packages, for example, a disguised shell script that contains an "rm -rf" command, which would erase the user's disk when double-clicked. This falls in the same category.
Intego suggested that one way to protect against this is to buy their VirusBarrier X4. However, it's always good to have a well-planned personal security policy for a Mac exposed to the Internet. That includes not double-clicking downloaded files or attachments unless they are trusted, and saying no to installers that ask for an administrator password unless you really trust the commercial software vendor and have inspected a provided list of what will be installed and where. Trustworthy companies also supply de-installers in case something goes wrong. Finally, deselect that Safari General preference regarding the opening of "safe" files, if it's on. It's wise to leave it deselected unless there's a compelling reason not to.
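Since the Trojan's only lasting change is the DNS server the Mac resolves with, a simple audit is to compare the resolvers reported by `scutil --dns` against the ones you actually configured. The following script is an added example, not code from Intego or TMO; it assumes a constructed sample in the `scutil --dns` output format, an expected-resolver list you supply in `EXPECTED_DNS`, and uses a documentation-range address (203.0.113.7) to stand in for a rogue resolver.

```shell
#!/bin/sh
# Added example: audit the resolvers a Mac reports via `scutil --dns` against
# the addresses you expect. A DNSChanger-style change to the DNS setting shows
# up here as a nameserver you did not configure.

# Resolvers you configured (assumption: replace with your router or corporate
# resolvers). Space-separated list.
EXPECTED_DNS="${EXPECTED_DNS:-192.168.1.1 192.168.1.2}"

# Read `scutil --dns`-style text on stdin, print every nameserver that is not
# in EXPECTED_DNS, and return 1 if any unexpected nameserver was found.
find_unexpected_dns() {
    found=0
    # scutil prints lines such as "  nameserver[0] : 192.168.1.1";
    # field 1 is "nameserver[N]", field 2 is ":", field 3 is the address.
    ns_list=$(awk '$1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" { print $3 }' | sort -u)
    for ns in $ns_list; do
        case " $EXPECTED_DNS " in
            *" $ns "*) ;;   # one of ours, fine
            *) echo "UNEXPECTED nameserver: $ns"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample mimicking `scutil --dns` output after a DNS change;
# 203.0.113.7 is a documentation-range placeholder for a rogue resolver.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records'

# Stand-alone demo on the sample. On a live Mac, pipe the real configuration
# instead:  scutil --dns | find_unexpected_dns
printf '%s\n' "$SAMPLE_DNS" | find_unexpected_dns \
    || echo "resolver audit: unexpected DNS server(s) found"
```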