
November 1st, 2007

Mac Attack: Porn video lures dropping DNS-changer Trojan

Posted by Ryan Naraine @ 8:05 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, McAfee, Metasploit, Passwords, Patch Watch, Pen testing, Rootkits, Spam and Phishing, Spyware and Adware, Zero-day attacks

Tags: Web, Apple Macintosh, DNS Server, Trojan Horse, Server, Video, Web Page, Attack, Dmg, Corporate Communications

Organized identity thieves are using porn video lures to deliver malware to Mac OS X users, confirming fears among security researchers that it’s only a matter of time before Apple’s fast-growing platform becomes a big malware target.

The ongoing attack, first spotted by Intego, includes spammed links to Mac forums that point to free adult-themed videos. Clicking on one of the videos pops up a Web page that looks like this:

[Image: Porn videos deliver malware to Mac OS X]

The site uses that pop-up to get users to download a disk image (.dmg) file disguised as a codec that’s required for viewing the video. If the Mac’s browser is set to open “Safe” files after downloading, the .dmg gets mounted and the Installer is launched.

The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine.

According to anti-virus vendors, the Trojan is programmed to change the Mac’s DNS server, a trick used by phishers to load fake Web pages and hijack valuable user data.

Offensive Computing provides a walk-through of the risk scenario:

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

MacWorld provides step-by-step removal instructions. Techmeme discussion.
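The change this Trojan makes is a swapped DNS server, so one check is to read the resolver list that `scutil --dns` prints and flag any nameserver outside the networks the machine is supposed to use. The following is an added example, not code from the original post or the vendors it cites; the expected networks and every address in the sample are constructed assumptions.

```python
import ipaddress
import re

# Assumption: networks this Mac's resolvers should sit in; set per site.
EXPECTED_NETWORKS = ["192.168.1.0/24", "10.0.0.0/8"]

# Constructed sample in the `scutil --dns` layout; not real indicators.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 203.0.113.54

resolver #2
  domain   : local
  options  : mdns

resolver #3
  nameserver[0] : 192.168.1.1
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)\s*$")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def nameservers(text):
    """Yield (resolver number, nameserver) pairs from `scutil --dns` text."""
    current = None
    for line in text.splitlines():
        if m := RESOLVER_RE.match(line):
            current = int(m.group(1))
        elif (m := NAMESERVER_RE.match(line)) and current is not None:
            yield current, m.group(1)


def unexpected_nameservers(text, expected=EXPECTED_NETWORKS):
    """Return the (resolver, address) pairs outside the expected networks."""
    nets = [ipaddress.ip_network(n) for n in expected]
    findings = []
    for number, server in nameservers(text):
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 scope
            ok = any(addr in net for net in nets)
        except ValueError:
            ok = False  # unparsable entry: report it rather than skip it
        if not ok:
            findings.append((number, server))
    return findings
```

On a Mac, pass the captured text of `scutil --dns` to `unexpected_nameservers()` in place of the sample; an empty list means every configured nameserver is inside the expected networks.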

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


  • Most Recent of 177 Talkback(s)
Nope.
It's safe to view.

Just don't download and install shady programs
that it says you need. Only get
flash/quicktime/etc from their official websites.
"Problem" solved....
Posted by: AzuMao Posted on: 01/04/10
