Warning: Mac OS X Trojan Horse making the rounds

“A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs,” security software vendor Intego reports. “A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:”

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

Intego reports, “After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open ‘Safe’ Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.”

“If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download,” Intego reports.

“This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue,” Intego reports.

Intego reports, “Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)”

Intego reports, “The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.”

“This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions,” Intego reports.

MacDailyNews Note: Of course, Intego says that “the best way” to protect against this exploit is to purchase and run Intego VirusBarrier X4 with up-to-date virus definitions, but we suggest that an even better way to protect against such trojans is to use your head and not download, authorize, and install software from porn sites.

[Thanks to MacDailyNews Reader “RadDoc” for the heads up.]

90 Comments

  1. Ohh.. on the subject of spoof websites mentioned above, it doesn’t matter if you’re a Mac user, Windows user or Linux user, as those types of emails & websites made to look genuine are more related to identity theft. PayPal is a case in question; I happen to think they’ve been the most spoofed brand of Internet-based businesses ever!

    For emails it doesn’t take much effort to delete such scams from your inbox, as the email always looks too good to be true, so it probably is. How often do people actually win the Minnesota lottery, for instance (let alone when I’m 5,000+ miles away from Minnesota), without having even entered the draw, and get an email saying I’ve won???

    On the Mac side, Michael Tsai’s SpamSieve works perfectly for me after a short period of training it to ‘sieve’ out spam emails with dubious spoofed websites usually provided to catch out the unwary.

  2. “an even better way to protect against such trojans is to use your head and not download, authorize, and install software from porn sites.”

    Pfft, next they’ll be telling us not to take candy from strangers. And then where will we be on halloween?

  3. MacJammer, Mail has uninstalled the current version of SpamSieve TWICE since upgrading to Leo. No apparent help at the site except to say it’s compatible. I reinstalled it the first time and it worked for three days. Conflict with something else? Nothing else is new, but perhaps...

  4. “Such rubbish. Mac users don’t look at porn sites. They are too busy creating content and authoring sites.”

    i agree. i have created WAY more porn sites than i have visited….

    and yes, i do the photography as well, why do you ask?

  5. For those who want to look at britney’s bottom: bigfatsearch.biz/britney

    This is a serious threat and it implies that a well organized group wanted to get Mac users private data.

    Look at the bad DNS IP on the disk images, 85% are from Russia or Ukraine.

    Porno is just a way to abuse Mac users. But not the only one.

    For those who ignore that with Javascript it’s easy to download a specific malware for Mac OS X, the britney html source code is for you.

  6. So….

    When I’m driving through the local red-light district,
    and some stranger flags me down,
    and they ask for my keys (which I readily give to them),
    and they tell me to stand well back while they “install” something,
    and they hop in and swipe the car,
    does that mean the make/model of my car is vulnerable to theft??

    Yeesh. Figure it out!

  7. Comment from: bwaha
    “This is why I use either MPlayer or VLC for my viewing pleasure, not Quicktime “

    It doesn’t make any difference whatsoever what video viewer you use!!! If you click on the downloaded Trojan you get the shaft. Jeeze… methinks you are in for a real ride one day.

  8. …look, I don’t mean to be indelicate but I’m just going to come out of the closet with this. For the doubters …lift up on OSXs skirt ..yeah, lift it up high and take a good look. I did …OSX has an intimidating package ..yeah, go ahead ..look at it. Now, after you’ve had a good look ..think about the kind of trojan it would require. Yeah, that’s right ..it would have to come straight out of the devils wallet ..but alone ..oh, no …not alone …it would require its own installer ..and if you have any doubts then lift up the skirt again ..maybe, you need to look at the package some more. Maybe, I’m really talking to the midgets at Intego ..I mean little people. Maybe, you think you know what’s under the hood ..and maybe, you don’t want to think you want to know but you really do but you can’t bring yourself to admit that you want to get a look …a long look …a hard look. I think if you could get that far then maybe you’d know that some dirty little someone somewhere is just trying to wipe their dirty little codec on the outer hem of OSXs skirt because they’re just pussy-hackers. So, …maybe, the folks at Intego need to come to terms with their own techno-eroticism. Go ahead, Intego …take another look at the package.

  9. Regardless of this Trojan’s source, it’s high time for Apple to change Safari’s ‘Open “safe” files after downloading’ default setting. The fact that Apple puts “safe” in quotation marks is proof that the company realizes there’s no such thing as a truly “safe” file. Every download is a calculated risk.

    Off topic, but in response to the above, I get better performance from the cross-platform Miro than I do from QuickTime, VLC, or MPlayer.

    http://www.getmiro.com/

  10. “Every download is a calculated risk. “

    Only if you don’t run antivirus software.

    “does that mean the make/model of my car is vulnerable to theft??”

    A better analogy is you believe you have the world’s most theft proof car, and no matter what you do it cannot be stolen. So you leave it running with the keys in the ignition in a bad neighborhood. Then you get surprised and start making excuses when somebody just walks up and steals it.

  11. DON’T panic if you see grayed-out DNS entries in the Ethernet section in Leopard’s Network preference pane.

    That’s the first reaction that most people would have. The only visible way of detecting this potential Trojan Horse, according to the Intego report, is the presence of dimmed DNS server entries. There is NO MENTION in this report of other potential (and as it turns out, much more COMMON and WIDESPREAD) reasons for this to occur. (Thankfully, the Macworld article goes into more detail about this). Such as:

    If there’s a hardware router (for instance, a plain vanilla Linksys, as many people will have) between the Mac and the Internet, then the default Ethernet configuration is going to be -exactly as described- in the Intego alert article – the DNS setup in the router also shows up, grayed, in the Leopard network configuration for Ethernet. This is normal! It is NOT a Trojan Horse!

    There are going to be THOUSANDS of people who will look at their Network settings in Leopard after reading about the Intego report and mistakenly think they’re infected with a Trojan Horse. The Intego report, and most, if not all, of the initial followup coverage, makes no mention of the fact that having a simple router between your computer and the Internet will do this.

    How many people will rush out to pay for Intego VirusBarrier to rid themselves of a problem that they -do not have-?

    I think it’s totally irresponsible for them to issue this report with no mention of other (much more LIKELY) potential causes for grayed DNS entries in Leopard’s Network settings. It seems to me that they’re simply taking advantage of this showing up (for the first time in OSX) as a visible network setting in Leopard and trying to scare people into going out and purchasing their software.

    Anyone who is in doubt, please read the Macworld article and reassure yourselves. The first step you can take is to simply log into your router, look at the Ethernet settings for DNS servers, and confirm that the numbers you see there are the same as what’s showing up (grayed) in your Network settings in Leopard. Assuming (extremely highly likely) that they are: you have no problem. For further reassurance, follow the instructions in the Macworld article and use Terminal to check a few other things.
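The two checks that the article’s description of the Trojan (a resolver changed through scutil, plus a root cron job that re-asserts it every minute) and comment 11’s advice (compare the grayed entries with what your router hands out) both point at, collected into one shell script. This is an added example, not code from the article, Intego or Macworld: it parses resolver output in the layout `scutil --dns` prints, reports any resolver not on an allowlist you supply, and lists root crontab entries scheduled to run every minute. The sample resolver output and crontab are constructed; 192.168.1.1 stands in for a home router, 203.0.113.53 is a documentation-range address playing the “unexpected” resolver, and the cron job’s script path is a placeholder, not the Trojan’s real file name.

```shell
#!/bin/sh
# Added example, not code from the article, Intego, or Macworld.
# Offline checks for the two indicators described above: resolver addresses
# you did not configure, and a root cron job scheduled every minute.

# Constructed sample in the layout `scutil --dns` prints. 192.168.1.1 stands
# in for a home router; 203.0.113.53 is a documentation-range address used
# here as the "unexpected" resolver (no real address is implied).
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns'

# Constructed root crontab; the every-minute entry uses a placeholder path.
SAMPLE_ROOT_CRONTAB='# constructed sample, not a real crontab
30 2 * * * /usr/local/bin/backup.sh
* * * * * /PLACEHOLDER/dns_reset >/dev/null 2>&1'

# List each resolver address found in scutil-style output, one per line,
# sorted and deduplicated.
list_nameservers() {
    printf '%s\n' "$1" | awk '/nameserver\[[0-9]+\] :/ { print $3 }' | sort -u
}

# Print resolvers that are not in the space-separated allowlist ($2).
# For a typical home setup the allowlist is the router's own address, which
# is what the grayed-out entries in Leopard's Network pane normally show.
unexpected_nameservers() {
    allow=" $2 "
    for ns in $(list_nameservers "$1"); do
        case "$allow" in
            *" $ns "*) ;;                 # expected, stay quiet
            *) printf '%s\n' "$ns" ;;     # not on the allowlist: report it
        esac
    done
}

# Print crontab lines whose five schedule fields are all '*' (run every
# minute), skipping comment lines. A legitimate root crontab rarely needs that.
every_minute_jobs() {
    printf '%s\n' "$1" | awk '!/^#/ && $1=="*" && $2=="*" && $3=="*" && $4=="*" && $5=="*"'
}

# Wrapper for a live Mac: pass the output of `scutil --dns` and of root's
# `crontab -l` yourself, e.g.
#   check_host "$(scutil --dns)" "$(sudo crontab -l 2>/dev/null)" "192.168.1.1"
# Returns 0 when nothing suspicious is found, 1 otherwise.
check_host() {
    bad_dns=$(unexpected_nameservers "$1" "$3")
    bad_cron=$(every_minute_jobs "$2")
    [ -z "$bad_dns" ] && [ -z "$bad_cron" ] && return 0
    [ -n "$bad_dns" ] && printf 'Unexpected resolver(s):\n%s\n' "$bad_dns"
    [ -n "$bad_cron" ] && printf 'Every-minute root cron job(s):\n%s\n' "$bad_cron"
    return 1
}
```

On a Mac, source the file and call `check_host` with the live `scutil --dns` output and root’s crontab (reading root’s crontab needs sudo). A grayed entry that is simply your router, the common case comment 11 describes, goes on the allowlist and is not reported; what the article describes is a resolver you never configured together with a cron job that keeps re-asserting it, and the script flags both. The Safari setting that lets the disk image mount on its own can be inspected with `defaults read com.apple.Safari AutoOpenSafeDownloads` and turned off with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`.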

  12. Windows, Linux or OS X: never download anything from a website that you did not specifically go to for the purpose of downloading something, and that you trust (i.e. sourceforge, vlc, Apple, etc.).

    Following links in mail, blindly downloading applications from websites and installing programs/codecs/plugins from said sites is stupidity.

    Unfortunately some users will engage in this behavior and get infected with something.

  13. Dave, the MacWorld article was updated later, after it originally didn’t mention/know about this other possibility. I think further research after posters brought it to their attention led to the update. Intego should have also mentioned it. But, in my opinion, regardless of the technicalities involved, having AV software on a Mac is not a bad thing and people constantly trying to find ulterior motives for any company saying anything is not always productive. Many people remember Intego’s cry of wolf some years ago raising concerns unnecessarily about other malware. It was handled badly by them and they had lots of PR to do (not sure they ever did) to overcome the bad feelings people had over it. Nonetheless, most long-time users of their products (most, not all) are pretty comfortable using them.

  14. Nekogami13, get off this thing about calling everyone stupid for not doing what is so easy for you and others to do. Ever helped out some 80 and 90 year olds as they nervously try their hand at a new computer? Where do you and others get off telling them how stupid they are because they can’t remember everything they’re supposed to be doing right? WHY NOT LET THEM HAVE SOME HELP? Anti-virus and other security software is comparatively cheap protection for peace of mind that they are probably not allowing their computer to be compromised. Don’t tell me that everyone posting here has always checked out everything before entering their password. Many do. A larger number than you think don’t. Even those who insist they do can, in a rush, overlook something.

    “Stupid”? You and all the other naive people here who only look at themselves and forget there are others less aware who need some support should come into the real world sooner rather than later. Perhaps by the time you all reach the ripe age of 23, you’ll have taken a fresh look at the world and won’t be as judgmental. MDN included.
