Mac Trojan prowls porn sites

Changes DNS settings, shunts users to more porn, phishing sites

A Trojan horse targeting Macs -- among the rarest of security events -- has been spotted on numerous pornographic Web sites, researchers said Wednesday.

First reported by Mac security software maker Intego and later confirmed by Sunbelt Software, McAfee, and the SANS Institute's Internet Storm Center, "OSX.RSPlug.a" changes the Mac's DNS (Domain Name System) settings to redirect users to alternate or spoofed sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said Bojan Zdrnja, an analyst at Internet Storm Center (ISC) in a warning posted early Thursday. The DNSChanger exploit is well-known to Windows Trojan watchers.

"The bad guys are taking Mac seriously now," Zdrnja added. "This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Alex Eckelberry, Sunbelt's CEO, echoed Zdrnja. "This is the first targeted, real attack on Mac users by a professional malware group," said Eckelberry in a posting to his blog.

When users click on a link to watch video on one of the malicious porn sites, a dialog box tells them QuickTime needs to install additional software. "Quicktime Player is unable to play movie file. Please click here to download new version of codec."

Depending on the browser's settings, the download may mount a disk image and launch an installer automatically. In Safari, for instance, the checked-by-default "Open 'safe' files after downloading" option will mount and launch. Firefox, however, does not have a comparable setting, and will not auto-mount the image or launch the installer. In every case, the user must enter an administrator password to install the masquerading Trojan.

After that, OSX.RSPlug.a silently changes the DNS server the Mac looks to for resolving addresses, and lets the attackers decide which legitimate page requests -- say, www.google.com -- to silently shunt to URLs of their choosing. Intego's advisory claims the redirects are to sites crammed with ads for more porn sites, or to phishing sites.

The DNS change will be invisible and difficult to verify for most users, because Mac OS X 10.4 doesn't show changed settings in Network Preferences. The new Leopard OS, however, will show modified settings as grayed. For more information on how to tell whether a machine has been hit by the Trojan, check out this story on MacWorld, a Computerworld sister site.

As of early Thursday, it was unclear how many porn sites hosted the bogus codec-cum-Trojan, although Intego claimed a "great deal" of bait spam had been seeded to Mac-specific forums to attract users to the sites. Eckelberry, meanwhile, said his company's researchers were able to find a sample of the Trojan in under three minutes using only a Google. Of the larger security vendors, only McAfee Inc., had posted an analysis of the Trojan by 2:00 a.m. Thursday, Eastern time.

While Macs have generally escaped the attention of attackers -- even security researchers who graded Leopard yesterday called Apple's small market share its secret security weapon -- that may be coming to a close, said Eckelberry. "I'm not trying to overhype. Mac users, hungry for porn, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the [iPod] touch and iPhone, running OS X."

And Mac owners aren't any different from people running Windows, said Zdrnja. Some will click and download and install until the cows come home. "Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?