Hackers prey on Leopard
By Miya Knights
New malware has been identified that targets Mac users and can be installed on systems running Apple's latest operating system, Mac OS X 10.5 Leopard, as well as older versions.
A Trojan Horse has been found on several pornography websites and in links posted to Mac user forums that lead to the porn sites. It invites users to view free videos and, once the user clicks on the video stills, displays the message, "Quicktime Player is unable to play movie file".
Users are then prompted to download a "new version of codec". Instead, they download an executable .dmg file that grants the Trojan it contains full user privileges.
Graham Cluley, security consultant for security firm Sophos, told IT PRO that, although this Trojan represented "a raindrop in a storm" of malware written to exploit Windows vulnerabilities, "this attack was criminally motivated, proving attackers thought it was worth writing".
Intego said the Trojan, which requires the user to enter their administrative password to proceed with the installation, is a form of DNSChanger and uses a sophisticated method to change a Mac's domain name system (DNS) server.
Once active, this new DNS server leads users to phishing sites made to look like those of eBay, PayPal and some banks, or simply to web pages displaying ads for other porn sites.
"In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue," security vendor Intego said in a memo issued yesterday.
Worryingly, it said that, on systems running Mac OS X 10.4, there is no way to see the changed DNS server in the OS graphical user interface (GUI). With Mac OS X 10.5, this can be seen in the advanced network preferences, where the added DNS servers are dimmed and cannot be removed manually.
The security firm said it was currently testing previous versions of Mac OS X, but that it was likely they could be infected as well, since all versions of Mac OS X have the scutil command the Trojan exploits.
It also installs a root crontab, which checks every minute to ensure the Trojan DNS server is still active.
Cluley advised: "All users, including Mac ones, should run antivirus and firewall router products and essentially practice safe computing to protect themselves against these attacks."
The Trojan attack comes just days after Mac users reported issues installing the new operating system on their existing machines.
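A defender-side check for the two signs the article describes, a changed DNS server and an every-minute root crontab entry, as an added example that is not from the article, Intego or Sophos. It assumes the `nameserver[N] : address` line format that `scutil --dns` prints; the sample input, IP addresses, allowlist and script paths are constructed.

```shell
#!/bin/sh
# Added example: checks for the two signs the article describes
# (a changed DNS server and an every-minute root crontab entry).

# Print each nameserver found in `scutil --dns`-style text on stdin that is
# not in the allowlist passed as arguments (de-duplicated, one per line).
unexpected_dns() {
    allow=" $* "
    awk -v allow="$allow" '
        $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
            ip = $3
            if (index(allow, " " ip " ") == 0 && !(ip in seen)) {
                seen[ip] = 1
                print ip
            }
        }'
}

# Print crontab entries on stdin whose five schedule fields are all "*" or
# "*/1", i.e. jobs that run every minute. Comments and VAR=value are skipped.
every_minute_cron() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            for (i = 1; i <= 5; i++) if ($i != "*" && $i != "*/1") next
            if (NF > 5) print
        }'
}

# Constructed sample input (not captured from an infected machine).
SAMPLE_DNS='resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 198.51.100.53
  nameserver[2] : 192.168.1.1
resolver #2
  domain : local
  nameserver[0] : 192.168.1.1'

SAMPLE_CRON='# constructed root crontab
MAILTO=""
* * * * * /path/to/placeholder-script
15 3 * * * /path/to/nightly-job'

# 192.168.1.1 stands in for the resolver this network is expected to use.
printf '%s\n' "$SAMPLE_DNS" | unexpected_dns 192.168.1.1
printf '%s\n' "$SAMPLE_CRON" | every_minute_cron
```

On a Mac, the same functions can read live data: pipe `scutil --dns` into `unexpected_dns` with your own resolvers as arguments, and `sudo crontab -l` into `every_minute_cron`.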