Warning: Mac OS X Trojan Horse making the rounds

“A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs,” security software vendor Intego reports. “A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:”

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

Intego reports, “After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open ‘Safe’ Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.”

“If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download,” Intego reports.

“This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue,” Intego reports.

Intego reports, “Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)”

Intego reports, “The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.”
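A defender's check for the two behaviours Intego describes above (a DNS server changed through scutil and a root cron job that runs every minute), as an added example that is not from Intego or MacDailyNews: it lists resolvers in `scutil --dns` output that are not on an allowlist and flags crontab entries scheduled every minute. The allowlist value, the sample text and the script path in it are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage for a DNSChanger-style change (resolvers + root cron).
# EXPECTED_DNS is an assumption: list the resolvers your own network hands out.
EXPECTED_DNS="${EXPECTED_DNS:-192.168.1.1}"

# Print each unique nameserver found in `scutil --dns` style text on stdin.
dns_servers() {
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" { print $3 }' | sort -u
}

# Print resolvers from stdin that are missing from the allowlist given as $1.
unexpected_dns() {
    dns_servers | while read -r ip; do
        case " $1 " in
            *" $ip "*) ;;            # expected resolver, stay quiet
            *) echo "$ip" ;;         # not on the allowlist, report it
        esac
    done
}

# Print crontab lines from stdin that are scheduled to run every minute.
every_minute_jobs() {
    awk '$1 !~ /^#/ && NF > 5 && $1 ~ /^\*(\/1)?$/ &&
         $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*"'
}

# Constructed sample in the layout `scutil --dns` prints (documentation IPs).
SAMPLE_DNS='resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  nameserver[2] : 192.168.1.1'

# Constructed root crontab; the first command path is a placeholder.
SAMPLE_CRON='# m h dom mon dow command
* * * * * /path/to/placeholder-dns-check
15 3 * * * /usr/local/bin/nightly-backup'

echo "Unexpected resolvers in constructed sample:"
printf '%s\n' "$SAMPLE_DNS" | unexpected_dns "$EXPECTED_DNS"
echo "Every-minute jobs in constructed crontab:"
printf '%s\n' "$SAMPLE_CRON" | every_minute_jobs

# On a Mac, also check the live resolver list; skipped where scutil is absent.
if command -v scutil >/dev/null 2>&1; then
    echo "Unexpected resolvers on this machine:"
    scutil --dns | unexpected_dns "$EXPECTED_DNS"
    # Root's crontab needs administrator rights to read:
    #   sudo crontab -l -u root | every_minute_jobs
fi
```

Because the report says the cron job restores the malicious server every minute, an unexpected resolver that reappears after being corrected is a reason to review root's crontab before changing network settings again.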

“This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions,” Intego reports.

MacDailyNews Note: Of course, Intego says that “the best way” to protect against this exploit is to purchase and run Intego VirusBarrier X4 with up-to-date virus definitions, but we suggest that an even better way to protect against such trojans is to use your head and not download, authorize, and install software from porn sites.

[Thanks to MacDailyNews Reader “RadDoc” for the heads up.]


  1. porn / ms

    in together to hack the Mac.

    I am glad QT doesn’t work with their sh_t.
    And can’t bother to add new codecs which I have no clue on managing.

    So being on a mac is like using a condom.

  2. MDN, I would say that the best way to protect against this IS to install Intego’s VirusBarrier. There are many computer users who don’t understand when to enter their password since they are asked so much for it. It’s like reading the license agreements. People just click by it. Many who are still not comfortable with computers (I know many older people like that) need something for protection. Intego is correct and their software is good. I also prefer NetBarrier to many of the options. Intego got a bad rap a few years back for handling something poorly. But they are going strong now and I think it is wise to have some background protection on the Mac for a time when something might sneak up on us.

  3. Difficult to believe, that anyone would use their administrator’s password to say “sure install whatever a porn site suggests…”

    No matter how secure an OS, still can’t stop the user from silly

  4. As a security researcher, this is most likely a case of FUD and an attempt to drive sales for their software. The Trojan that he is describing is a common Windows DNS hijacker. Not saying that one could not be created for the MacOS. It’s just not very likely and I’ve looked at thousands of Trojans from Porn Websites in the past few weeks and have not found one yet that is targeting the MacOS (Windows IE 6 and IE 7 and even Vista).

    I’d take any claim from a company that sells software to protect against such things with a huge dose of salt. Until independent confirmation is made in public, I’m sceptical.

  5. Demon, Rob Griffiths at MacWorld did some looking into this and seems convinced that this is legitimate. Unless new facts emerge, I doubt this is FUD. And of course a security firm will promote its own software. When you go to a car dealer, you expect them to promote their own cars. But you also expect information on their cars that you can’t get elsewhere. OK. Maybe cars is a bad example, but the point is that people in the field will give you information you sometimes need. So to disregard Intego (or any other legitimate company) is not always advisable, IMO. And what’s the problem anyway having some virus and other protection on the Mac? Are you trying to keep Macs clear of such things because your new career is in writing malware?
