Mac Trojan Surfaces
By Christopher Nickson
November 02, 2007
Intego has discovered malware that can hijack a Mac.
Security firm Intego has reported the emergence of a Trojan that hits Macs, a very rare event given the Apple machine's reputation as malware-free.
It’s been found in the likeliest of places – porn web sites. According to the company, when a user clicks on a still to view a movie, they’re instructed to click and download a codec to be able to use QuickTime.
Installing the codec loads the Trojan onto the machine. The Trojan is a DNS changer – in other words, it changes the computer’s DNS server to a new, malicious one that hijacks some Web requests, redirecting them to phishing or porn sites. This is a smart Trojan, too; it provides different versions of itself, depending on the user’s location.
According to Intego,
“Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command). The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.”
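The two artifacts Intego describes, an altered resolver list and a root cron job that fires every minute, can be checked for from the command line. The following is an added example, not code from Intego or from the original article; the sample output, addresses and job path are constructed, and it assumes the `nameserver[N] : address` line format printed by `scutil --dns`.

```python
import re

# Matches resolver lines such as "  nameserver[0] : 192.0.2.53"
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def unexpected_resolvers(scutil_dns_output, expected):
    """Return resolver addresses not in `expected`, in first-seen order."""
    found = []
    for line in scutil_dns_output.splitlines():
        m = NAMESERVER_RE.match(line)
        if m and m.group(1) not in expected and m.group(1) not in found:
            found.append(m.group(1))
    return found

def every_minute_jobs(crontab_text):
    """Return the commands of crontab entries scheduled to run every minute."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and @reboot/@daily style shortcuts.
        if not line or line.startswith(("#", "@")):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # environment assignment or malformed entry
        if fields[0] in ("*", "*/1") and all(f == "*" for f in fields[1:5]):
            jobs.append(fields[5])
    return jobs

# Constructed sample input (documentation-range addresses, hypothetical paths).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.66
  nameserver[1] : 192.0.2.53
  nameserver[2] : 203.0.113.66
"""
SAMPLE_ROOT_CRONTAB = """\
# constructed example of a root crontab
PATH=/usr/bin:/bin
15 3 * * * /usr/local/bin/nightly-backup
* * * * * /path/to/placeholder-dns-check
"""

if __name__ == "__main__":
    expected = {"192.0.2.53"}  # resolvers your network is supposed to use
    print("Unexpected resolvers:", unexpected_resolvers(SAMPLE_SCUTIL_DNS, expected))
    print("Every-minute root jobs:", every_minute_jobs(SAMPLE_ROOT_CRONTAB))
```

On a Mac, feed the functions the real output of `scutil --dns` and `sudo crontab -l` in place of the samples. An every-minute job is not malicious by itself, so review each flagged command.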