Intego Warns of Mac OS X Trojan Horse

Intego warned of a new Trojan Horse on Wednesday that affects Mac OS X and has been found on several pornography Websites. The Trojan Horse installs a modification to the Macis DNS server that allows it to redirect Web requests to alternate servers, phishing sites. Personal data can then be stolen at the redirected site. However, a long series of poor decisions by the user is required for it to become active.

Intego described the process of infiltration as follows:

When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file. Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user?s Mac. If the user has checked Open "Safe" Files After Downloading in Safari?s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator?s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac?s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

TMO notes that this is not a reportable security weakness in Mac OS X. Rather, it is a carefully orchestrated sequence of events that, while specific to Mac OS X, could be replicated on any other OS.

The installation, in fact, depends on a long series of catastrophic failures of judgment by the user. The user must download an unknown file from a pornography Website, have Safariis general settings set to "Open isafei files after downloading," and then enter an administrator password for the installation of an untrusted package.

There have been previous discussions of such destructive packages, for example, a disguised shell script that contains an "rm -rf" command, which would erase the useris disk when double-clicked. This falls in the same category.

Intego suggested that one way to protect against this is to buy their VirusBarrier X4. However, itis always good to have a well planned personal security policy for a Mac exposed to the Internet. That includes not double-clicking downloaded files or attachments unless they are trusted, and just say no to installers that ask for an administrator password unless you really trust the commercial software vendor and inspect a provided list of what will be installed and where. Trustworthy companies also supply de-installers in case something goes wrong. Finally, deselect that Safari General preference regarding the opening of isafei files -- if itis on. Itis wise to leave it deselected unless thereis a compelling reason not to.