Warning: Mac OS X Trojan Horse making the rounds

“A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs,” security software vendor Intego reports. “A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:”

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

Intego reports, “After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open ‘Safe’ Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.”

“If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download,” Intego reports.

“This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue,” Intego reports.

Intego reports, “Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)”

Intego reports, “The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.”
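The two footprints Intego describes above, a resolver you did not configure and a root crontab entry firing every minute, can both be checked from a shell. The script below is an added triage example (not Intego's or MacDailyNews' code); it assumes `scutil --dns` prints `nameserver[n] : address` lines as current macOS does, and its sample data, the allowlist and the `/path/to/...` cron target are constructed placeholders, not indicators from the report.

```shell
#!/bin/sh
# Added triage example (not Intego's or MacDailyNews' code). It looks for the two
# footprints the report describes: resolver addresses you did not configure, and a
# root crontab entry firing every minute. Sample data below is constructed;
# 203.0.113.5 is a documentation address, not a real indicator.

# Print every nameserver that `scutil --dns` lists, one per line, deduplicated.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\] : //p' | sort -u
}

# Read nameservers on stdin; print those absent from the space-separated allowlist.
unexpected_nameservers() {
    allow=$1
    while IFS= read -r ns; do
        case " $allow " in
            *" $ns "*) ;;                 # expected resolver, stay quiet
            *) printf '%s\n' "$ns" ;;     # not in the allowlist: flag it
        esac
    done
}

# Print crontab lines scheduled for every minute (the persistence pattern described).
every_minute_cron_jobs() {
    grep -E '^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]'
}

# Constructed `scutil --dns` output: one legitimate resolver plus one foreign one.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
'
# Constructed root crontab: a normal daily job and a suspicious every-minute one.
SAMPLE_CRON='0 3 * * * /usr/sbin/periodic daily
* * * * * /path/to/constructed-dns-reset-script >/dev/null 2>&1
'
EXPECTED_DNS="192.168.1.1 192.168.1.2"   # resolvers you configured yourself

if command -v scutil >/dev/null 2>&1; then  # on a Mac: inspect the live system
    scutil --dns | extract_nameservers | unexpected_nameservers "$EXPECTED_DNS"
    sudo crontab -l 2>/dev/null | every_minute_cron_jobs
else                                        # elsewhere: run on the constructed samples
    printf '%s' "$SAMPLE_DNS" | extract_nameservers | unexpected_nameservers "$EXPECTED_DNS"
    printf '%s' "$SAMPLE_CRON" | every_minute_cron_jobs
fi
```

Any address the first check prints, or any every-minute job you did not create, deserves a closer look; on the constructed samples it reports 203.0.113.5 and the one cron line.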

“This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions,” Intego reports.

MacDailyNews Note: Of course, Intego says that “the best way” to protect against this exploit is to purchase and run Intego VirusBarrier X4 with up-to-date virus definitions, but we suggest that an even better way to protect against such trojans is to use your head and not download, authorize, and install software from porn sites.

[Thanks to MacDailyNews Reader “RadDoc” for the heads up.]

90 Comments

  1. “Sadly this will affect an abnormal amount of Mac users since most are between the ages of 18 and 35 and are male.”

    But wait! I thought all Mac users were gay! Why would they be interested in heterosexual pornography?

  2. Installing “a codec” from a porn site is one of the dumbest things you can do. Macs have locks on the doors, but if the user is a moron…

    I bet there will be people who will install this, and if they learn not to trust everything and everyone – good for them, if not – …well, nature eliminates weak and dumb.

  3. from Hg Wells: “MDN, I would say that the best way to protect against this IS to install Intego’s VirusBarrier. There are many computer users who don’t understand when to enter their password since they are asked so much for it.”

    In my experience, I am VERY rarely prompted for my administrator password, and I darn sure click “cancel” if I’m not explicitly authorizing an install. If your Mac is imitating Vista and nagging you every few minutes for your administrator password, you already have a problem.

    Oh, and I didn’t realize the venerable Mr. Wells was shilling for Intego. Royalties from his books must have dried up.

    MDN magic word: “few” – as in, there are so few deceased authors you can trust these days.

  4. “If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges“

    WRONG! It will only give the Trojan ADMINISTRATOR privileges. Unless you know how to use the command line you can’t get root privileges.

  5. Gosh, porn sites… hmmm, never go there.

    Seriously, anyone who downloads from such sources deserves a good kicking (with leather and high heels of course).

    Ahem, I’m not sure the emoticons work, so try this — :-O

  6. @Peter and BalLmeR

    They never specified the type of porn sites.

    @Pron

    So now looking at porn you can catch something, and if you have sex you can catch something. Now that is a dilemma.

  7. No, H.P. Lovecraft, Hg Wells does not work for Intego. If you check other forums where Intego has been discussed in recent months, you’ll see similar takes. So, would it be your preference to have nothing extra installed on the Mac (saving money)? Or do you have another security company whose software you prefer?

  8. Well the least they could do is list the names and URLs of the websites in question. Not that I want to go there, or anything, but to be sure I could avoid them. Yeah, that’s it, avoid them!!!!

    Magic word “shown”, as in “what would we have been shown if we had gone to one of these sites?”

  9. Hey Fatty, apparently hell is freezing over ’cause on TWIT this week Dvorak actually is advising people to choose Mac. He’s also saying he thinks Ballmer/MicroSoftie is nuts trying to compete with Google selling ads. Microsoft is losing focus and it shows.

  10. I checked the link above for the MacWorld article by Rob Griffiths. Remember that Rob was one of the writers who exposed the Leap A/Oompa-loompa Trojan as a wimpy badly-written piece of code.

    His tone this time around is A LOT different:

    “This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else… Because this thing may spread to other such sites, we spent some time investigating the trojan—no, not its source sites!—to determine the best way to tell if you’ve been infected, as well as how to remove the software if you do find it on your machine.”

    You might wish to bookmark this article just in case. Also, let’s hope ClamXav is updated soon as well to ID this nastyware.

    Although the OSX.RSPlug.A Trojan Horse is not a virus, it is serious!!

    Laughing at this Trojan is not the appropriate response this time around.

    MDN MW = united

    So let’s be united as Mac users in helping us protect one another from real security threats.

  11. what’s to stop some other scammers/assholes from implementing this on a more legitimate site – say, a spoof of apple’s quicktime page?

    one could argue that nobody should visit porn sites and do a download – that’s common sense, which, sorry to say guys, even some mac users don’t have. but if you click a link and it looks like apple’s site and says it’s installing a quicktime updater, someone who might not know that macs don’t usually update like that wouldn’t think twice about clicking.

    this is a serious issue and hopefully apple will patch it up soon. we can all still take joy in knowing that our platform has far less malicious software on it than windows. =)

  12. Hmm..being a creative Mac user I suppose I’d either be the porn star gettin’ some pom pom in and being paid lots of $$$, then again be a porn video director – as if direction is required??

    On a serious note I’d like to hear more about this Trojan affecting Macs and from an independent source. Not to say anything is wrong with Intego, after all most anti-virus software developers have been saying this for years.

    They would, wouldn’t they? It’s their business to scare computer users into buying ‘extra protection’ against infectious diseases.

    It is up to each of us if we want to take heed, luckily for us Macheads we don’t have to – pity the poor Windows user who has to take heed or get infected and die.
