source: MacNN

Trojan horse targets Mac OS X

A new trojan horse designed specifically for Mac OS X systems has been discovered on several pornography websites that can hijack Web traffic, according to security firm Intego. Affected systems are used to hijack some Web requests that lead users to other phishing sites, or simply display ads for other pornographic websites to generate ad revenue. Phishing attacks may lead users to believe they are surfing to eBay, Paypal, or various banks when in fact they are accessing specially-crafted mockups designed to retrieve usernames and passwords for those sites. The trojan, titled OSX.RSPlug.A, is rated as a critical risk by Intego, and is known to affect Mac OS X 10.4 Tiger as well as Mac OS X 10.5 Leopard. Intego is testing prior versions of Mac OS X, but believes them to be vulnerable as well.

The trojan claims to install a video codec necessary for viewing free pornographic videos on Macs, but when users click on the still images to view the content they are directed to a Web page stating that they must download a new version of a codec to play the movie file with QuickTime. Safari users who have checked the "Open 'Safe' Files After Downloading" option in General Preferences will find that the disk image which is downloaded to their Mac automatically mounts, and the installer application will automatically launch.

Proceeding with the installation installs the trojan horse, and requires users to enter their administrator password which grants the malicious software full root privileges. No codec is installed and users who return to the website simply receive another download request.

The trojan itself is a form of DNSChanger, using the scutil command to change the Mac's DNS server -- a service that translates hostnames like macnn.com to their numerical IP addresses. Using a poisoned DNS server, the Mac hijacks some Web requests for phishing or to generate revenue from pornographic advertisements.

What's more, under Mac OS X 10.4 Tiger there is no way to see the changed DNS server in the operating system's graphical user interface, although in Mac OS X 10.5 Leopard users can see the change in the Advanced Network preferences; the added DNS servers are dimmed and cannot be removed manually.

Intego says all versions of Mac OS X include the scutil command, suggesting that all versions are vulnerable to the new trojan.