Apple Macintosh Hardware

Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

It's a new age folks! The very (very) first Mac malware is now available in the wild. It is a Trojan Horse. It is what I call 'Psych-Malware' in that it has to psych you into installing the crap. For the moment it is specific to porn sites. But nothing at all is keeping it from being used anywhere under different guises.

I first read about this today at MacDailyNews, and was going to post about it. But Michelle Steiner very kindly beat me to it by a few hours. Therefore, I am going to provide her post below with the added URL to Intego, who have been instrumental in working on this problem.

The Intego report can be found at:

<http://www.intego.com/news/ism0705.asp>

BTW: The description below indicates that the activities of this malware would be stopped dead in their tracks through the use of the shareware 'reverse firewall' program Little Snitch. I highly recommend it. I own it.

:-Derek

============

Michelle sez:

This is from Intego's web site.

Does typing one's password in an installer dialog really give the trojan "full root privileges", or is that simply hype from Intego?

Besides, no Mac user would ever be browsing porn sites, would he?

Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file. Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user's Mac. If the user has checked Open "Safe" Files After Downloading in Safari's General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator's password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac's DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as eBay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)

The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.

This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions.

Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31, 2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites.

-- 
Fortune Magazine 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been equalled for ease of use, and I want my computer to be a tool, not a challenge.
<http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
[Frederick Brooks is the author of 'The Mythical Man Month'. He spearheaded the movement to modernize computer software engineering in 1975.]

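The description above names two things the trojan leaves on the machine: resolver entries pushed in through scutil, and a root cron job that fires every minute to keep them in place. Here is a POSIX sh check a defender can run to spot both. It is an added example, not code from the thread or from Intego; the scutil and crontab text inside it is constructed sample input, and the allowlist and the cron job path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Intego's report. It checks for
# the two artefacts the description attributes to OSX.RSPlug.A: resolver
# entries you did not configure, and a root cron job that fires every minute.
# On a Mac the functions below would be fed live output:
#   scutil --dns | unexpected_nameservers "$ALLOWED"
#   sudo crontab -l | every_minute_jobs
# The sample text here is constructed so the script runs anywhere.

# Resolvers this machine is expected to use (assumption: the router and a
# backup; adjust to your site).
ALLOWED="192.168.1.1 192.168.1.2"

# Constructed sample of `scutil --dns` output with two resolvers the user
# never configured (203.0.113.0/24 is the documentation range, not an IoC).
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  nameserver[2] : 203.0.113.11
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5'

# Constructed sample root crontab; the every-minute line mimics the
# re-assertion job the description mentions (the path is a placeholder).
SAMPLE_CRONTAB='# m h dom mon dow command
* * * * * /path/to/PLACEHOLDER_RESOLVER_SCRIPT
0 3 * * * /usr/sbin/periodic daily'

# Read scutil --dns text on stdin and print, one per line and deduplicated,
# every nameserver address that is not in the allowlist passed as $1.
unexpected_nameservers() {
    allowed=$1
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' \
    | sort -u \
    | while IFS= read -r ns; do
        found=0
        for a in $allowed; do
            [ "$ns" = "$a" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$ns"
        fi
    done
}

# Read crontab text on stdin and print the lines scheduled as "* * * * *",
# i.e. jobs that run every minute; prints nothing (and succeeds) if none.
every_minute_jobs() {
    grep -E '^[[:space:]]*(\*[[:space:]]+){5}' || :
}

# Run the checks against the constructed samples.
echo "Resolvers not on the allowlist:"
printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_nameservers "$ALLOWED"
echo "Root cron jobs that fire every minute:"
printf '%s\n' "$SAMPLE_CRONTAB" | every_minute_jobs
```

A resolver you do not recognise or an every-minute root job pointing at an unfamiliar path is the cue to inspect the machine, not proof of this particular trojan.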
Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <derekcurrie-6A7D2B.17110231102007@johnf2.biosci.ohio-state.edu>, Derek Currie <derekcurrie@mac.com.invalid> wrote:

> It's a new age folks! The very (very) first Mac malware is now
> available in the wild. It is a Trojan Horse. It is what I call
> 'Psych-Malware' in that it has to psych you into installing the
> crap. For the moment it is specific to porn sites. But nothing at
> all is keeping it from being used anywhere under different guises.

This is *exactly* how most Windows malware works - a Trojan Horse that tricks you into installing it.

Bob Campbell

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <bob-801C84.17344931102007@news.supernews.com>, Bob Campbell <bob@bob.bob> wrote:

> This is *exactly* how most Windows malware works - a Trojan Horse that
> tricks you into installing it.

Officially the method used to psych you into installing the crap is called:

Social Engineering
<http://en.wikipedia.org/wiki/Social_engineering_(security)>

It has become an incredibly elaborate field. The manipulation of DNS services to send suckers to Phishing sites is new to me.

Most of us have heard of the ultra-stupid come-ons: The Nigerian refugee who has mega $millions he wants you to help smuggle out of the country, at a price. Or the 'You won the Slobovian Lottery! First send us the tax payments.' But consistently there are ignorant, and I must say dim-witted, people who fall for this garbage.

Now the con-jobs are coming thicker, with added cunning and malice. The perpetrators are the bottom scum in the bucket of humanity. These are people at their absolute worst, short of murdering you, which they probably would do if they could make a buck and do it anonymously over the Internet.

So it pays to keep up on the latest methods being used and to learn how to tell what is a con-job and what is not. Example: Anyone who has a basic knowledge of HTML can sniff out phishing email in 10 seconds flat. Equally: Installing some unknown piece of software, without investigating it beforehand for reputation and source reviews, is incredibly dopey. But we are all very dopey at one time or another. Vigilance sadly is required these days, even on Macs.

:-Derek

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <derekcurrie-C35518.01574101112007@johnf2.biosci.ohio-state.edu>, Derek Currie <derekcurrie@mac.com.invalid> wrote:

> In article <bob-801C84.17344931102007@news.supernews.com>,
> Bob Campbell <bob@bob.bob> wrote:
>
> > This is *exactly* how most Windows malware works - a Trojan Horse that
> > tricks you into installing it.
>
> Officially the method used to psych you into installing the crap
> is called:
>
> Social Engineering

You just now learning this? Some of us have known this for years.

Bob Campbell

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

Derek Currie <derekcurrie@mac.com.invalid> wrote:

> It's a new age folks! The very (very) first Mac malware is now
> available in the wild.

The Windroids are right - the Mac is behind Windows. When it comes to malware, it is... what... 12 years lagging?

Oh the horror :]

-- 
regards, Peter B. P. http://titancity.com/blog , http://macplanet.dk
"Blame freedom for the problems caused by its lack" <--- is the essence of the arguments of most anti-libertarians.

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <bob-D7602F.06315901112007@news.supernews.com>, Bob Campbell <bob@bob.bob> wrote:

> > Officially the method used to psych you into installing the crap
> > is called:
> >
> > Social Engineering
>
> You just now learning this? Some of us have known this for years.

No. But the vast majority of Mac users don't know anything about security. They haven't needed to bother. As per usual I seek to educate. That is the only reason I write this thread on a regular basis. :-D

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <derekcurrie-B7F36C.14383401112007@johnf2.biosci.ohio-state.edu>, Derek Currie <derekcurrie@mac.com.invalid> wrote:

> In article <bob-D7602F.06315901112007@news.supernews.com>,
> Bob Campbell <bob@bob.bob> wrote:
>
> > > Officially the method used to psych you into installing the crap
> > > is called:
> > >
> > > Social Engineering
> >
> > You just now learning this? Some of us have known this for years.
>
> No. But the vast majority of Mac users don't know anything about
> security. They haven't needed to bother.

Yes, they have needed to bother. It applies to other areas - real areas - of life besides computers. Social Engineering is the fancy term for any kind of "Confidence Tricks" whereby one party talks/convinces/persuades a second party to do something they otherwise know they shouldn't do, because the rewards APPEAR to far outweigh the risks.

Confidence Tricksters/Con Artists/Scam Artists are the 2nd oldest profession. It's only recently been applied to computers.

Wake up.

Bob Campbell

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <1i6wxdq.ek8njg1mcow70N%peter@nospamplease.dk>, peter@nospamplease.dk (Peder B. Pels) wrote:

> Derek Currie <derekcurrie@mac.com.invalid> wrote:
>
> > It's a new age folks! The very (very) first Mac malware is now
> > available in the wild.
>
> The Windroids are right - the Mac is behind Windows. When it comes to
> malware, it is... what... 12 years lagging?
>
> Oh the horror :]

Ah, there you are Peter! My ISP's news server is slow at updating.

Uh, yeah. I'd say so. This one piece of malware makes the grand total, including old Mac OS malware (which doesn't work on Mac OS X) and the proof-of-concept malware, to 65 (SIXTY-FIVE) pieces of Malware for Mac in its ENTIRE history. Comparing that to the over 140,000 pieces of malware for Windows, we still have something over 80x more malware for Windows on a per user basis. Frickin' horror on wheels! The Frankenstein OS!

But Vista is taking a stab at stopping this problem. The way it is doing it is blatantly annoying to the user. Typical Microsoft user-hostility. But it's better than the wide open doors of the past. MS still need to kill their idiotic code structures for Office macros as well as all of Active X. The Blue Pill threat is still looming as well. (Look it up on the net if you don't know what it is kids).

If, somehow, the Windows community ever moves over to 64 bit Windows, all the old 32 bit malware won't work, just as all the old 32 bit ANYTHING won't work. Which of course is the Catch 22. If you go 64 bit you become free of the old malware, but you have to buy all new software. So, you get burned one way or the other.

:-Derek

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

> If, somehow, the Windows community ever moves over to 64 bit
> Windows, all the old 32 bit malware won't work, just as all the
> old 32 bit ANYTHING won't work. Which of course is the Catch 22.
> If you go 64 bit you become free of the old malware, but you have
> to buy all new software. So, you get burned one way or the other.
>
> :-Derek

Not true. SOME 32 bit code won't work, but plenty of 32 bit code will still work in a 64 bit environment.

The sort of attack you are describing in this thread does not need any sophisticated code behind it. Simple .cmd files could pull it off, and they don't have any bit dependencies.

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

In article <bob-801C84.17344931102007@news.supernews.com>, Bob Campbell <bob@bob.bob> wrote:

> In article
> <derekcurrie-6A7D2B.17110231102007@johnf2.biosci.ohio-state.edu>,
> Derek Currie <derekcurrie@mac.com.invalid> wrote:
>
> > It's a new age folks! The very (very) first Mac malware is now
> > available in the wild. It is a Trojan Horse. It is what I call
> > 'Psych-Malware' in that it has to psych you into installing the
> > crap. For the moment it is specific to porn sites. But nothing at
> > all is keeping it from being used anywhere under different guises.
>
> This is *exactly* how most Windows malware works - a Trojan Horse that
> tricks you into installing it.
>
> Bob Campbell

Only if users are dumb enough to go to pr0n sites and/or click on strange attachments.

-- 
Posted from my 1999 Apple G4 Sawtooth
A 450 MHz G4 running OS X 10.4.8

Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A

On Wed, 31 Oct 2007 15:11:02 -0600, Derek Currie wrote (in article <derekcurrie-6A7D2B.17110231102007@johnf2.biosci.ohio-state.edu>):

> It's a new age folks! The very (very) first Mac malware is now
> available in the wild. It is a Trojan Horse. It is what I call
> 'Psych-Malware' in that it has to psych you into installing the
> crap. For the moment it is specific to porn sites. But nothing at
> all is keeping it from being used anywhere under different guises.

[...]

> Means of protection: The best way to protect against this exploit
> is to run Intego VirusBarrier X4 with its virus definitions
> dated October 31, 2007. Intego VirusBarrier X4 eradicates the
> malicious code and prevents the Trojan horse from being
> installed. Intego recommends that users never download and
> install software from untrusted sources or questionable web
> sites.

Could someone explain to me how definitions work? Let's say a worm injects some code into an application. Does it md5() the code or match it?

| |||
| Re: Mac Security: Porn Codec Mac Trojan OSX.RSPlug.A On Wed, 31 Oct 2007 15:11:02 -0600, Derek Currie wrote (in article <derekcurrie-6A7D2B.17110231102007@johnf2.biosci.ohio-state.edu>): > It's a new age folks! The very (very) first Mac malware is now > available in the wild. It is a Trojan Horse. It is what I call > 'Psych-Malware' in that it has to psych you into installing the > crap. For the moment it is specific to porn sites. But nothing at > all is keeping it from being used anywhere under different guises. > > I first read about this today at MacDailyNews, and was going to > post about it. But Michelle Steiner very kindly beat me to it by > a few hours. Therefore, I am going to provide here post below > with the added URL to Intego, who have been instrumental in > working on this problem. > > The Intego report can be found at: > > <http://www.intego.com/news/ism0705.asp> > > BTW: The description below indicates that the activities of this > malware would be stopped dead in their tracks through the use of > the shareware 'reverse firewall' program Little Snitch. I highly > recommend it. I own it. > >> -Derek > ============ > > Michelle sez: > > > This is from Intego's web site. > > Does typing one's password in an installer dialog really give the > trojan "full root privileges", or is that simply hype from > Intego? > > Besides, no Mac user would ever be browsing porn sites, would he? > > > Description: A malicious Trojan Horse has been found on several > pornography web sites, claiming to install a video codec > necessary to view free pornographic videos on Macs. A great deal > of spam has been posted to many Mac forums, in an attempt to > lead users to these sites. When the users arrive on one of the > web sites, they see still photos from reputed porn videos, and > if they click on the stills, thinking they can view the videos, > they arrive on a web page that says the following: Quicktime > Player is unable to play movie file. 
> Please click here to download new version of codec.
>
> After the page loads, a disk image (.dmg) file automatically downloads to the user's Mac. If the user has checked Open "Safe" Files After Downloading in Safari's General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
>
> If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator's password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
>
> This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac's DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.
>
> Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)
>
> The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.
>
> This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions.
>
> Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31, 2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites.

Could someone explain to me how definitions work? Let's say a worm injects some code into an application. Does it md5() the code or match it?
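The quoted Intego description leaves two artefacts a defender can check for without a GUI: resolvers changed through scutil (which 10.4 does not display) and a root cron job that re-asserts them every minute. The audit script below is an added example, not Intego's code and not posted by anyone in this thread; it parses `scutil --dns` style output and a crontab, and the allow-list, the 203.0.113.10 address and the crontab lines are constructed samples.

```shell
#!/bin/sh
# Constructed audit script (added example; not Intego's code and not from
# anyone in this thread). It looks for the two artefacts Intego describes:
# DNS resolvers outside an allow-list, and a root crontab entry that runs
# every minute. On a Mac you would feed it live data:
#     scutil --dns    | unexpected_nameservers
#     sudo crontab -l | suspicious_cron_lines
# Here both inputs are constructed samples so the script runs anywhere.

# Resolvers you expect on this machine (assumption: edit for your network).
EXPECTED_DNS="192.168.1.1 192.168.1.2"

# Constructed `scutil --dns` output; 203.0.113.10 (a documentation-range
# address) stands in for a resolver the user never configured.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)'

# Constructed root crontab: one normal daily job, one every-minute job
# pointing at a placeholder path (no real file name is implied).
SAMPLE_CRON='# root crontab (constructed)
30 3 * * * /usr/sbin/periodic daily
* * * * * /PLACEHOLDER/every-minute-job >/dev/null 2>&1'

# stdin: scutil --dns output. stdout: each distinct nameserver address.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9][0-9]*][[:space:]]*:[[:space:]]*\([0-9A-Fa-f.:]*\).*$/\1/p' |
        sort -u
}

# stdin: scutil --dns output. stdout: resolvers missing from EXPECTED_DNS.
# Exit status 0 when every resolver is on the allow-list, 1 otherwise.
unexpected_nameservers() {
    rc=0
    for ns in $(extract_nameservers); do
        case " $EXPECTED_DNS " in
            *" $ns "*) ;;
            *) echo "$ns"; rc=1 ;;
        esac
    done
    return $rc
}

# stdin: a crontab. stdout: entries scheduled as "* * * * *" (every minute),
# the cadence Intego reports for the DNS re-assertion job.
# Exit status 1 when at least one such entry exists, 0 otherwise.
suspicious_cron_lines() {
    if grep -E '^[[:space:]]*(\*[[:space:]]+){5}'; then
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed samples.
main() {
    echo "== resolvers outside the allow-list =="
    printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_nameservers ||
        echo "(the server above was not configured by the user: investigate)"
    echo "== crontab entries running every minute =="
    printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines ||
        echo "(an every-minute root job is unusual: inspect what it runs)"
}
main
```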