Topic: New trojan Horse on OS X


Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
New trojan Horse on OS X
« on: October 31, 2007, 06:47:37 PM »
http://www.macworld.com/news/2007/10/31/trojan/index.php

Quote
Security research company Intego on Monday issued a security alert about a new Trojan Horse called OSX.RSPlug.A that specifically targets Mac users. The Trojan is a form of DNSChanger that changes the Mac’s Domain Name Server (DNS) address.

According to Intego, the Trojan has been found on several pornographic Web sites. When trying to view a movie, the user is told that “Quicktime Player is unable to play movie file. Please click here to download new version of codec.”

When the user clicks the link a disk image (.dmg) is downloaded to the desktop. When the user installs the software, they are actually installing the Trojan, not a free video codec. The Trojan is installed with full root privileges, which means it has access to all files and commands on the system.

When the malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks) or to web pages displaying ads for other pornographic web sites, according to Intego.

The Trojan also installs a root crontab which checks every minute to ensure that its DNS server is still active, the company said. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.

Obviously it's ITW. I hope ALWIL got a sample to add to the VPS.


"People who are really serious about software should make their own hardware." - Alan Kay
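The alert quoted above describes two host-side symptoms: resolvers pointed somewhere unexpected, and a root cron job running every minute to put them back. The script below is an added example (not code from the thread, Intego or Avast) that checks a Mac for both; ALLOWED_DNS is a placeholder allowlist, and the tool names matched in the cron check are an assumption, since the thread does not say what command the job runs.

```shell
#!/bin/sh
# Added example, not code from the thread, Intego or Avast: checks a Mac for the two
# symptoms the Intego alert describes, resolvers pointing somewhere unexpected and a
# root cron job running every minute to re-assert them. ALLOWED_DNS is a placeholder
# (RFC 5737 documentation addresses); put your network's real resolvers there.
ALLOWED_DNS="192.0.2.53 192.0.2.54"

# dns_check RESOLVERS: one address per line, as `networksetup -getdnsservers` prints
# them. Echoes each address not on the allowlist; returns 0 only if all are allowed.
dns_check() {
    bad=0
    while IFS= read -r server; do
        case "$server" in
            ''|There*) continue ;;   # blank, or "There aren't any DNS Servers set on ..."
        esac
        ok=0
        for allowed in $ALLOWED_DNS; do [ "$server" = "$allowed" ] && ok=1; done
        if [ "$ok" -eq 0 ]; then echo "unexpected resolver: $server"; bad=1; fi
    done <<EOF
$1
EOF
    return $bad
}

# cron_check CRONTAB: text of `crontab -u root -l`. Flags every-minute entries (five
# leading "*" fields) whose command touches DNS settings; returns 0 if none. The
# thread does not name the command RSPlug's job runs, so the tools matched are a guess.
cron_check() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "* * * * *"*scutil*|"* * * * *"*networksetup*|"* * * * *"*resolv.conf*)
                echo "every-minute root cron entry touching DNS: $line"; bad=1 ;;
        esac
    done <<EOF
$1
EOF
    return $bad
}

# audit_host: run both checks on the live machine (root is needed for the crontab read).
audit_host() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup missing: not macOS?"; return 2; }
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        dns_check "$(networksetup -getdnsservers "$svc")" || echo "  (service: $svc)"
    done
    cron_check "$(crontab -u root -l 2>/dev/null)"
}
if [ "${1:-}" = "--audit" ]; then audit_host; fi   # e.g. sudo sh rsplug_check.sh --audit
```

The two check functions take text as an argument, so they can also be run against saved output from another machine.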

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: New trojan Horse on OS X
« Reply #1 on: October 31, 2007, 08:11:07 PM »
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s


Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: New trojan Horse on OS X
« Reply #3 on: November 01, 2007, 03:49:37 AM »
Well, I'd be interested to know if it was included in the VPS update. As Mac malware will most likely not be very widespread, I wonder if there will be problems getting samples to analyze?
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: New trojan Horse on OS X
« Reply #4 on: November 01, 2007, 07:00:15 AM »
Hey Mac, Is this anything for mac users to be concerned about?

 http://www.news.com/8301-10784_3-9807471-7.html
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: New trojan Horse on OS X
« Reply #5 on: November 01, 2007, 03:31:47 PM »
Quote
Hey Mac, Is this anything for mac users to be concerned about?

http://www.news.com/8301-10784_3-9807471-7.html
Until this is fixed ( 10.5.1? ) it is an issue for those that do not have a router or some other kind of hardware firewall.
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: New trojan Horse on OS X
« Reply #6 on: November 02, 2007, 07:28:26 AM »
Thanks Mac.
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: New trojan Horse on OS X
« Reply #7 on: November 07, 2007, 03:28:25 AM »
UPDATE: There have been lots of new variants of this trojan created to avoid detection by AV scanners. I hope ALWIL is getting these variants added to the VPS.

F-Secure Weblog on the variants:
http://www.f-secure.com/weblog/archives/00001312.html
"People who are really serious about software should make their own hardware." - Alan Kay

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: New trojan Horse on OS X
« Reply #8 on: November 07, 2007, 03:43:38 AM »
I see various DNS changer items in the VPS changelog, but they are for the Win32 variants.
Quote
Win32:DNSChanger-OL [trj], Win32:DNSChanger-OM [trj], Win32:DNSChanger-ON [trj], Win32:DNSChanger-OO [trj], Win32:DNSChanger-OP [trj], Win32:DNSChanger-OQ [trj], Win32:DNSChanger-OR [trj], Win32:DNSChanger-OS [trj], Win32:DNSChanger-OT [trj], Win32:DNSChanger-OU [trj],

No mention of the OS X variants.

"People who are really serious about software should make their own hardware." - Alan Kay

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: New trojan Horse on OS X
« Reply #9 on: November 07, 2007, 09:22:00 AM »
this malware downloads a specific variant of dnschanger dependent on the OS... we got more windows samples than the mac ones... anyway - also the mac variant should be supported..

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: New trojan Horse on OS X
« Reply #10 on: November 07, 2007, 12:01:33 PM »
Quote
this malware downloads a specific variant of dnschanger dependent on the OS... we got more windows samples than the mac ones... anyway - also the mac variant should be supported..

Quote
Also, malware researchers: You may be able to find the DNS Changer Trojan by going to a DNS changer codec site, and using “.dmg” as your file extension instead of “.exe”. As an example, vivacodec(dot)net/download/vivacodec1000.exe downloads the Windows trojan. But going to vivacodec(dot)net/download/vivacodec1000.dmg brings down the Mac binary. Remember to set your user agent to look like a Mac. (Obviously, don’t download these binaries unless you know what you’re doing.)

http://sunbeltblog.blogspot.com/

Happy hunting!
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: New trojan Horse on OS X
« Reply #11 on: November 07, 2007, 12:56:25 PM »
ok.. we'll try to download the files via wget or similar stuff.. thanks

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: New trojan Horse on OS X
« Reply #12 on: November 12, 2007, 04:22:36 AM »
Update on the firewall problems.

It appears Apple is going to have the fix in the 10.5.1 update which has entered beta-testing:

http://www.appleinsider.com/articles/07/11/07/first_builds_of_mac_os_x_10_5_1_pack_over_two_dozen_fixes.html
"People who are really serious about software should make their own hardware." - Alan Kay