Old 03-27-2009, 11:44 PM
Adam H
Newsgroup Contributor
Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

On Wed, 31 Oct 2007 15:11:02 -0600, Derek Currie wrote
(in article
<derekcurrie-6A7D2B.17110231102007@johnf2.biosci.ohio-state.edu>):

> It's a new age folks! The very (very) first Mac malware is now
> available in the wild. It is a Trojan Horse. It is what I call
> 'Psych-Malware' in that it has to psych you into installing the
> crap. For the moment it is specific to porn sites. But nothing at
> all is keeping it from being used anywhere under different guises.
>
> I first read about this today at MacDailyNews, and was going to
> post about it. But Michelle Steiner very kindly beat me to it by
> a few hours. Therefore, I am going to provide her post below
> with the added URL to Intego, who have been instrumental in
> working on this problem.
>
> The Intego report can be found at:
>
> <http://www.intego.com/news/ism0705.asp>
>
> BTW: The description below indicates that the activities of this
> malware would be stopped dead in their tracks through the use of
> the shareware 'reverse firewall' program Little Snitch. I highly
> recommend it. I own it.
>
> -Derek

> ============
>
> Michelle sez:
>
>
> This is from Intego's web site.
>
> Does typing one's password in an installer dialog really give the
> trojan "full root privileges", or is that simply hype from
> Intego?
>
> Besides, no Mac user would ever be browsing porn sites, would he?
>
>
> Description: A malicious Trojan Horse has been found on several
> pornography web sites, claiming to install a video codec
> necessary to view free pornographic videos on Macs. A great deal
> of spam has been posted to many Mac forums, in an attempt to
> lead users to these sites. When the users arrive on one of the
> web sites, they see still photos from reputed porn videos, and
> if they click on the stills, thinking they can view the videos,
> they arrive on a web page that says the following: Quicktime
> Player is unable to play movie file.
>
> Please click here to download new version of codec.
>
> After the page loads, a disk image (.dmg) file automatically
> downloads to the user's Mac. If the user has checked Open "Safe"
> Files After Downloading in Safari's General preferences (or
> similar settings in other browsers), the disk image will mount,
> and the installer package it contains will launch Installer. If
> not, and the user wishes to install this codec, they
> double-click the disk image to mount it, then double-click the
> package file, named install.pkg.
>
> If the user then proceeds with installation, the Trojan horse
> installs; installation requires an administrator's password,
> which grants the Trojan horse full root privileges. No video
> codec is installed, and if the user returns to the web site,
> they will simply come to the same page and receive a new
> download.
>
> This Trojan horse, a form of DNSChanger, uses a sophisticated
> method, via the scutil command, to change the Mac's DNS server
> (the server that is used to look up the correspondences between
> domain names and IP addresses for web sites and other Internet
> services). When this new, malicious, DNS server is active, it
> hijacks some web requests, leading users to phishing web sites
> (for sites such as Ebay, PayPal and some banks), or simply to
> web pages displaying ads for other pornographic web sites. In
> the first case, users may think they are on legitimate sites and
> enter a user name and password, a credit card, or an account
> number, which will then be hijacked. In the latter case, it
> seems that this is being done solely to generate ad revenue.
>
> Under Mac OS X 10.4, there is no way to see the changed DNS
> server in the operating system's GUI. Under Mac OS X 10.5, this
> can be seen in the Advanced Network preferences; the added DNS
> servers are dimmed, and cannot be removed manually. (Intego is
> currently testing previous versions of Mac OS X; it is likely
> that they can be infected as well, since all versions of Mac OS
> X have the scutil command.)
>
> The Trojan horse also installs a root crontab which checks every
> minute to ensure that its DNS server is still active. Since
> changing a network location could change the DNS server, this
> cron job ensures that, in such a case, the malicious DNS server
> remains the active server.
>
> This Trojan horse also provides different versions of itself,
> perhaps according to the country in which the user is located to
> provide country-specific spoofing. Repeated downloads of the
> disk image show that there are several different versions.
>
> Means of protection: The best way to protect against this exploit
> is to run Intego VirusBarrier X4 with its virus definitions
> dated October 31, 2007. Intego VirusBarrier X4 eradicates the
> malicious code and prevents the Trojan horse from being
> installed. Intego recommends that users never download and
> install software from untrusted sources or questionable web
> sites.


Could someone explain to me how definitions work? Let's say a worm injects
some code into an application. Does it md5() the code or match it?

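The Intego description quoted above gives a defender two host-side indicators to look for: resolver addresses the operator never configured (set with scutil, and invisible in the 10.4 GUI) and a root cron entry that fires every minute to re-assert them. The script below is an added example, not code from this thread, from Intego, or from Derek's or Michelle's posts; it parses the text form of `scutil --dns` and of a root crontab listing and reports those two conditions. Everything in it is assumed or constructed: the function names, the EXPECTED_RESOLVERS allowlist, and the sample scutil and crontab text, which uses RFC 5737 documentation addresses and a placeholder script path rather than any real indicator.

```shell
#!/bin/sh
# Added example (not code from the thread or from Intego). Checks the two
# host-side indicators in the description: nameservers the operator did not
# configure, and a root cron job scheduled for every minute.
# On a Mac the live inputs would be:
#   audit_dns "$(scutil --dns)" "$EXPECTED_RESOLVERS"
#   audit_crontab "$(sudo crontab -l 2>/dev/null)"
# The samples below are constructed so the script runs anywhere with sh and awk.

# Resolvers the operator expects (assumed values: LAN router plus one public resolver).
EXPECTED_RESOLVERS="192.168.1.1 8.8.8.8"

# Constructed `scutil --dns` output. 203.0.113.x is the RFC 5737 documentation
# range, standing in for whatever the DNSChanger sets; these are not real IoCs.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  nameserver[2] : 192.168.1.1

resolver #2
  domain   : local
  nameserver[0] : 192.168.1.1
'

# Constructed root crontab. The script path is a placeholder, not the real one.
SAMPLE_CRON='# placeholder root crontab
* * * * * /PLACEHOLDER/keepdns.sh >/dev/null 2>&1
15 3 * * * /usr/sbin/periodic daily
'

# audit_dns TEXT ALLOWLIST
# Prints "unexpected resolver: <ip>" for every nameserver in the scutil text
# that is absent from the space-separated ALLOWLIST.
audit_dns() {
    dns_text="$1"
    allow="$2"
    printf '%s\n' "$dns_text" |
        awk '/nameserver\[[0-9]+\][[:space:]]*:/ { print $NF }' |
        sort -u |
        while IFS= read -r ns; do
            case " $allow " in
                *" $ns "*) ;;            # configured by the operator
                *) printf 'unexpected resolver: %s\n' "$ns" ;;
            esac
        done
}

# audit_crontab TEXT
# Prints "every-minute job: <entry>" for each crontab entry whose five
# schedule fields are all "*", the cadence the description gives for the
# Trojan's DNS re-check. Comment and blank lines are skipped.
audit_crontab() {
    printf '%s\n' "$1" |
        while IFS= read -r line; do
            case "$line" in
                ''|\#*) continue ;;
            esac
            # Join the first five fields; awk avoids shell glob expansion of "*".
            sched=$(printf '%s\n' "$line" | awk '{ print $1 $2 $3 $4 $5 }')
            if [ "$sched" = "*****" ]; then
                printf 'every-minute job: %s\n' "$line"
            fi
        done
}

# run_audit DNS_TEXT CRON_TEXT ALLOWLIST
# Runs both checks; returns 1 when anything was flagged, 0 when clean.
run_audit() {
    findings=$(audit_dns "$1" "$3"; audit_crontab "$2")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no unexpected resolvers and no every-minute root cron jobs"
    return 0
}

# Stand-alone run against the constructed samples; AUDIT_STATUS is 1 here
# because both indicators are present in the samples.
if run_audit "$SAMPLE_DNS" "$SAMPLE_CRON" "$EXPECTED_RESOLVERS"; then
    AUDIT_STATUS=0
else
    AUDIT_STATUS=1
fi
```

The allowlist should be whatever DHCP or the network profile actually hands out on that machine; the finding is any resolver outside that list, not these particular sample addresses, which is why the check compares against an allowlist rather than a blocklist of known-bad servers. The crontab check is deliberately coarse (any every-minute root job) because a defender triages the hit by reading the entry, and a legitimate every-minute root job on a desktop Mac is unusual enough to warrant a look.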
