Old 10-31-2007, 01:20 PM
Derek Currie
Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

It's a new age, folks! The very (very) first Mac malware is now
available in the wild. It is a Trojan Horse. It is what I call
'Psych-Malware' in that it has to psych you into installing the
crap. For the moment it is specific to porn sites. But nothing at
all is keeping it from being used anywhere under different guises.

I first read about this today at MacDailyNews, and was going to
post about it. But Michelle Steiner very kindly beat me to it by
a few hours. Therefore, I am going to provide her post below
with the added URL to Intego, who have been instrumental in
working on this problem.

The Intego report can be found at:

<http://www.intego.com/news/ism0705.asp>

BTW: The description below indicates that the activities of this
malware would be stopped dead in their tracks through the use of
the shareware 'reverse firewall' program Little Snitch. I highly
recommend it. I own it.

:-Derek
============

Michelle sez:


This is from Intego's web site.

Does typing one's password in an installer dialog really give the
trojan "full root privileges", or is that simply hype from
Intego?

Besides, no Mac user would ever be browsing porn sites, would he?


Description: A malicious Trojan Horse has been found on several
pornography web sites, claiming to install a video codec
necessary to view free pornographic videos on Macs. A great deal
of spam has been posted to many Mac forums, in an attempt to
lead users to these sites. When the users arrive on one of the
web sites, they see still photos from reputed porn videos, and
if they click on the stills, thinking they can view the videos,
they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically
downloads to the user's Mac. If the user has checked Open "Safe"
Files After Downloading in Safari's General preferences (or
similar settings in other browsers), the disk image will mount,
and the installer package it contains will launch Installer. If
not, and the user wishes to install this codec, they
double-click the disk image to mount it, then double-click the
package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse
installs; installation requires an administrator's password,
which grants the Trojan horse full root privileges. No video
codec is installed, and if the user returns to the web site,
they will simply come to the same page and receive a new
download.

This Trojan horse, a form of DNSChanger, uses a sophisticated
method, via the scutil command, to change the Mac's DNS server
(the server that is used to look up the correspondences between
domain names and IP addresses for web sites and other Internet
services). When this new, malicious, DNS server is active, it
hijacks some web requests, leading users to phishing web sites
(for sites such as Ebay, PayPal and some banks), or simply to
web pages displaying ads for other pornographic web sites. In
the first case, users may think they are on legitimate sites and
enter a user name and password, a credit card, or an account
number, which will then be hijacked. In the latter case, it
seems that this is being done solely to generate ad revenue.

Under Mac OS X 10.4, there is no way to see the changed DNS
server in the operating system's GUI. Under Mac OS X 10.5, this
can be seen in the Advanced Network preferences; the added DNS
servers are dimmed, and cannot be removed manually. (Intego is
currently testing previous versions of Mac OS X; it is likely
that they can be infected as well, since all versions of Mac OS
X have the scutil command.)

The Trojan horse also installs a root crontab which checks every
minute to ensure that its DNS server is still active. Since
changing a network location could change the DNS server, this
cron job ensures that, in such a case, the malicious DNS server
remains the active server.

This Trojan horse also provides different versions of itself,
perhaps according to the country in which the user is located to
provide country-specific spoofing. Repeated downloads of the
disk image show that there are several different versions.

Means of protection: The best way to protect against this exploit
is to run Intego VirusBarrier X4 with its virus definitions
dated October 31, 2007. Intego VirusBarrier X4 eradicates the
malicious code and prevents the Trojan horse from being
installed. Intego recommends that users never download and
install software from untrusted sources or questionable web
sites.

--
Fortune Magazine 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been
equalled for ease of use, and I want my computer to be a tool,
not a challenge.
<http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
[Frederick Brooks is the author of 'The Mythical Man Month'.
He spearheaded the movement to modernize computer software
engineering in 1975.]
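The Intego description above gives a defender two concrete things to look for: a resolver in the Mac's DNS configuration that nobody configured, and a root cron job that fires every minute to put it back. The following script is an added example (it is not from Derek's post, from Michelle's, or from Intego) showing how those two checks can be automated. It parses the text layout that `scutil --dns` prints on Mac OS X and a root crontab listing (`sudo crontab -l`), flags any nameserver not on an allow-list, and flags any crontab entry whose five time fields are all `*`. The two sample inputs are constructed for the example: the IP addresses come from RFC 5737 documentation ranges and the cron job path is a placeholder, not anything from the real Trojan.

```python
"""Detection checks for the DNS-hijack behaviour described in the post.

Added example, not code from the post or from Intego. It parses the text
layout that `scutil --dns` prints on Mac OS X and a root crontab listing,
and reports (a) resolvers not on an allow-list and (b) cron jobs that run
every minute. Both samples below are constructed; addresses are RFC 5737
documentation ranges and the cron job path is a placeholder.
"""
import re

# Constructed sample in the layout of `scutil --dns` output (not a real capture).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

# Constructed sample root crontab (what `sudo crontab -l` might list);
# the every-minute job path is a placeholder, not a real artifact.
SAMPLE_ROOT_CRONTAB = """\
# daily maintenance (expected)
30 3 * * * /usr/sbin/periodic daily
* * * * * /path/to/hypothetical/dnscheck.sh >/dev/null 2>&1
"""

# Matches lines such as "  nameserver[0] : 192.168.1.1"
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_text):
    """Return the nameserver addresses in order of appearance, de-duplicated."""
    seen = []
    for line in scutil_text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def unexpected_nameservers(scutil_text, allowed):
    """Resolvers that are not on the allow-list (DHCP router, corporate DNS, ...)."""
    allowed = set(allowed)
    return [ns for ns in parse_nameservers(scutil_text) if ns not in allowed]


def every_minute_cron_jobs(crontab_text):
    """Commands of crontab entries whose five time fields are all '*'."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(None, 5)  # five time fields + the command
        if len(fields) == 6 and all(f == "*" for f in fields[:5]):
            hits.append(fields[5])
    return hits


def run_checks(scutil_text, crontab_text, allowed):
    """Collect human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for ns in unexpected_nameservers(scutil_text, allowed):
        findings.append(f"unexpected DNS resolver: {ns}")
    for cmd in every_minute_cron_jobs(crontab_text):
        findings.append(f"root cron job running every minute: {cmd}")
    return findings


if __name__ == "__main__":
    # On a live Mac, feed in the real output of `scutil --dns` and
    # `sudo crontab -l` instead of the constructed samples.
    for finding in run_checks(SAMPLE_SCUTIL_DNS, SAMPLE_ROOT_CRONTAB, ["192.168.1.1"]):
        print("[!]", finding)
```

The allow-list is the part a practitioner has to fill in for their own network (the DHCP-assigned router address, or the corporate resolvers). Because the post notes that 10.5 shows the added servers dimmed and 10.4 does not show them at all, checking `scutil --dns` output directly rather than the Network preference pane is the more reliable route on either version.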