Mac Trojan prowls porn sites

Changes DNS settings, shunts users to more porn, phishing sites

A Trojan horse targeting Macs -- among the rarest of security events -- has been spotted on numerous pornographic Web sites, researchers said Wednesday.

First reported by Mac security software maker Intego and later confirmed by Sunbelt Software, McAfee, and the SANS Institute's Internet Storm Center, "OSX.RSPlug.a" changes the Mac's DNS (Domain Name System) settings to redirect users to alternate or spoofed sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said Bojan Zdrnja, an analyst at Internet Storm Center (ISC) in a warning posted early Thursday. The DNSChanger exploit is well-known to Windows Trojan watchers.

"The bad guys are taking Mac seriously now," Zdrnja added. "This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Alex Eckelberry, Sunbelt's CEO, echoed Zdrnja. "This is the first targeted, real attack on Mac users by a professional malware group," said Eckelberry in a posting to his blog.

When users click on a link to watch video on one of the malicious porn sites, a dialog box tells them QuickTime needs to install additional software. "Quicktime Player is unable to play movie file. Please click here to download new version of codec."

Depending on the browser's settings, the download may mount a disk image and launch an installer automatically. In Safari, for instance, the checked-by-default "Open 'safe' files after downloading" option will mount and launch. Firefox, however, does not have a comparable setting, and will not auto-mount the image or launch the installer. In every case, the user must enter an administrator password to install the masquerading Trojan.

After that, OSX.RSPlug.a silently changes the DNS server the Mac looks to for resolving addresses, and lets the attackers decide which legitimate page requests -- say, www.google.com -- to silently shunt to URLs of their choosing. Intego's advisory claims the redirects are to sites crammed with ads for more porn sites, or to phishing sites.

The DNS change will be invisible and difficult to verify for most users, because Mac OS X 10.4 doesn't show changed settings in Network Preferences. The new Leopard OS, however, will show modified settings as grayed. For more information on how to tell whether a machine has been hit by the Trojan, check out this story on MacWorld, a Computerworld sister site.

As of early Thursday, it was unclear how many porn sites hosted the bogus codec-cum-Trojan, although Intego claimed a "great deal" of bait spam had been seeded to Mac-specific forums to attract users to the sites. Eckelberry, meanwhile, said his company's researchers were able to find a sample of the Trojan in under three minutes using only a Google. Of the larger security vendors, only McAfee Inc., had posted an analysis of the Trojan by 2:00 a.m. Thursday, Eastern time.

While Macs have generally escaped the attention of attackers -- even security researchers who graded Leopard yesterday called Apple's small market share its secret security weapon -- that may be coming to a close, said Eckelberry. "I'm not trying to overhype. Mac users, hungry for porn, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the [iPod] touch and iPhone, running OS X."

And Mac owners aren't any different from people running Windows, said Zdrnja. Some will click and download and install until the cows come home. "Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?