
August 11th, 2009

New Mac OS X DNS changer spreads through social engineering

Posted by Dancho Danchev @ 1:50 pm

Categories: Apple, Botnets, Hackers, Malware, Passwords

Tags: Apple Macintosh, DNS, Malware, Cyberthreats, Apple Mac OS X, Apple Mac OS, Security, Operating Systems, Dancho Danchev

Trend Micro is reporting on a newly discovered fourth member of the OSX_JAHLAV malware family.

The latest variant once again relies on social engineering, this time spreading as a fake QuickTime Player update (QuickTimeUpdate.dmg). It carries a DNS changer component that lets the malware authors redirect and monitor the victim's traffic.

More info on OSX_JAHLAV.D:

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.
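As an added defender-side example (not part of the original post or of Trend Micro's analysis), the check below parses the resolver configuration that `scutil --dns` prints on a Mac, reports any nameserver that is not on an expected list, and flags files in /tmp whose names match the three-digit pattern described above. The sample `scutil` output, the 203.0.113.7 address and the EXPECTED_RESOLVERS list are constructed placeholders, not indicators from the write-up.

```python
import os
import re
import subprocess

# Constructed sample of `scutil --dns` output (the macOS command that prints
# the active resolver configuration). 203.0.113.7 is a documentation-range
# address standing in for a rogue resolver, not a real indicator.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 5 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

# Resolvers this (hypothetical) fleet is expected to use.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)
DROPPER_NAME_RE = re.compile(r"^\d{3}$")  # "/tmp/{random 3 numbers}" per the write-up


def parse_resolvers(scutil_output):
    """Every nameserver address in `scutil --dns` output, in order, deduplicated."""
    return list(dict.fromkeys(NAMESERVER_RE.findall(scutil_output)))


def unexpected_resolvers(scutil_output, expected=EXPECTED_RESOLVERS):
    """Resolvers in use that are not on the expected list.

    A DNS changer swaps in an attacker-run resolver; anything the fleet never
    configured is worth an analyst's attention."""
    return [a for a in parse_resolvers(scutil_output) if a not in expected]


def suspicious_tmp_names(names):
    """Filenames matching the three-digit /tmp dropper naming the write-up describes."""
    return [n for n in names if DROPPER_NAME_RE.match(n)]


if __name__ == "__main__":
    try:  # on a Mac, inspect the live configuration; elsewhere fall back to the sample
        output = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SCUTIL_DNS
    print("unexpected resolvers:", unexpected_resolvers(output))
    print("three-digit /tmp names:", suspicious_tmp_names(os.listdir("/tmp")))
```

A hit on either check is a lead, not a verdict: a home router address will also appear as unexpected unless it is added to the list, so pair the resolver check with the /tmp naming check and a review of what the resolver actually returns.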

Cybercriminals are not only beginning to acknowledge the “under-served” Mac OS X segment; they are already borrowing OS-independent tricks from the Microsoft Windows playbook, such as fake codecs and bogus video players. The irony? The Mac OS X and Windows malware are hosted on the same domains, with the matching copy served on the basis of browser detection.

From fake ActiveX objects at adult sites like the “Macintosh Porn Tube” to bogus codecs and players, these tactics have dominated the Windows threatscape for years, and will continue to do so, simply because they work. Among the key advantages for a cybercriminal writing malware for Apple's Mac OS X, however, is the widespread perception that the platform is invincible to malware: a false sense of security shared by a huge number of people.

Meanwhile, Apple Inc. is already offering security advice stating that “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”

Just like previous campaigns, the latest OSX_JAHLAV.D campaign issues an offensive message if it detects that security researchers are attempting to assess it. The gang is clearly motivated.

What do you think - is Mac OS X malware gaining momentum, or are they just scratching the surface?

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 157)

Social Engineering = Illegal Free Stuff
Social Engineering is a way of saying "trick people into installing stuff". Whether that is popping up a window in a browser and convincing them to give you all their money, or offering copyrighted so...
Posted by: slylabs13 on 09/02/09
