Mac Trojan prowls porn sites

Changes DNS settings, shunts users to more porn, phishing sites

A Trojan horse targeting Macs -- among the rarest of security events -- has been spotted on numerous pornographic Web sites, researchers said Wednesday.

First reported by Mac security software maker Intego and later confirmed by Sunbelt Software, McAfee, and the SANS Institute's Internet Storm Center, "OSX.RSPlug.a" changes the Mac's DNS (Domain Name System) settings to redirect users to alternate or spoofed sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said Bojan Zdrnja, an analyst at Internet Storm Center (ISC) in a warning posted early Thursday. The DNSChanger exploit is well-known to Windows Trojan watchers.

"The bad guys are taking Mac seriously now," Zdrnja added. "This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Alex Eckelberry, Sunbelt's CEO, echoed Zdrnja. "This is the first targeted, real attack on Mac users by a professional malware group," said Eckelberry in a posting to his blog.

When users click on a link to watch video on one of the malicious porn sites, a dialog box tells them QuickTime needs to install additional software. "Quicktime Player is unable to play movie file. Please click here to download new version of codec."

Depending on the browser's settings, the download may mount a disk image and launch an installer automatically. In Safari, for instance, the checked-by-default "Open 'safe' files after downloading" option will mount and launch. Firefox, however, does not have a comparable setting, and will not auto-mount the image or launch the installer. In every case, the user must enter an administrator password to install the masquerading Trojan.

After that, OSX.RSPlug.a silently changes the DNS server the Mac looks to for resolving addresses, and lets the attackers decide which legitimate page requests -- say, www.google.com -- to silently shunt to URLs of their choosing. Intego's advisory claims the redirects are to sites crammed with ads for more porn sites, or to phishing sites.

The DNS change will be invisible and difficult to verify for most users, because Mac OS X 10.4 doesn't show changed settings in Network Preferences. The new Leopard OS, however, will show modified settings as grayed. For more information on how to tell whether a machine has been hit by the Trojan, check out this story on MacWorld, a Computerworld sister site.

As of early Thursday, it was unclear how many porn sites hosted the bogus codec-cum-Trojan, although Intego claimed a "great deal" of bait spam had been seeded to Mac-specific forums to attract users to the sites. Eckelberry, meanwhile, said his company's researchers were able to find a sample of the Trojan in under three minutes using only a Google. Of the larger security vendors, only McAfee Inc., had posted an analysis of the Trojan by 2:00 a.m. Thursday, Eastern time.

While Macs have generally escaped the attention of attackers -- even security researchers who graded Leopard yesterday called Apple's small market share its secret security weapon -- that may be coming to a close, said Eckelberry. "I'm not trying to overhype. Mac users, hungry for porn, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the [iPod] touch and iPhone, running OS X."

And Mac owners aren't any different from people running Windows, said Zdrnja. Some will click and download and install until the cows come home. "Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?