Warning: Mac OS X Trojan Horse making the rounds

“A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs,” security software vendor Intego reports. “A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:”

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

Intego reports, “After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open ‘Safe’ Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.”

“If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download,” Intego reports.

“This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue,” Intego reports.

Intego reports, “Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)”

Intego reports, “The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.”

“This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions,” Intego reports.
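The two artifacts Intego describes above, a DNS server added through scutil and a root cron job that re-asserts it every minute, can both be checked from the command line without buying anything. The following POSIX shell script is an added example and is not part of Intego's alert or this article. On a Mac you would feed it the output of `scutil --dns` (which prints the resolver configuration the system is actually using, including servers the 10.5 GUI shows dimmed) and `sudo crontab -l`; here both inputs are constructed samples so it runs offline. The address 203.0.113.5, the allowlist of 192.168.1.1, and the script path in the sample cron line are placeholders chosen for the example, not indicators taken from the page.

```shell
#!/bin/sh
# Added example: audit a Mac for the DNSChanger artifacts described in the
# Intego alert (unexpected resolver, every-minute root cron job).
# Real usage:  scutil --dns > dns.txt ; sudo crontab -l > cron.txt
#              audit_mac_dns dns.txt cron.txt "192.168.1.1"
# The sample files below are constructed; nothing here is a real capture.

# Print nameservers in `scutil --dns` output that are not in the allowlist.
# $1: file holding `scutil --dns` output
# $2: space-separated list of DNS servers you expect (e.g. your router)
# Returns 1 if any unexpected server is present, 0 otherwise.
find_unexpected_dns() {
    dns_file=$1
    allow=$2
    found=0
    # Resolver lines look like "  nameserver[0] : 192.168.1.1"; keep only the address.
    for ns in $(sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' "$dns_file" | sort -u); do
        case " $allow " in
            *" $ns "*) ;;                                   # expected server
            *) echo "unexpected DNS server: $ns"; found=1 ;;
        esac
    done
    return $found
}

# Print root crontab entries scheduled as "* * * * *" (every minute), the
# persistence interval Intego reports. Comment lines are ignored.
# $1: file holding `sudo crontab -l` output. Returns 1 if such a job exists.
find_every_minute_jobs() {
    cron_file=$1
    matches=$(grep -v '^[[:space:]]*#' "$cron_file" \
        | grep -E '^[[:space:]]*\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]' || true)
    if [ -n "$matches" ]; then
        echo "root cron job running every minute:"
        echo "$matches"
        return 1
    fi
    return 0
}

# Run both checks. Returns 0 only when nothing suspicious was found.
audit_mac_dns() {
    dns_file=$1; cron_file=$2; allow=$3
    status=0
    find_unexpected_dns "$dns_file" "$allow" || status=1
    find_every_minute_jobs "$cron_file" || status=1
    return $status
}

# Constructed sample inputs (placeholder addresses and paths, not real indicators).
# $1: path for the fake `scutil --dns` output; $2: path for the fake root crontab.
write_samples() {
    cat > "$1" <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
EOF
    cat > "$2" <<'EOF'
# root crontab (constructed sample)
* * * * * /private/tmp/constructed_example.sh >/dev/null 2>&1
EOF
}

# Stand-alone demo against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir/dns.txt" "$demo_dir/cron.txt"
audit_mac_dns "$demo_dir/dns.txt" "$demo_dir/cron.txt" "192.168.1.1" \
    || echo "suspicious entries found; investigate before trusting this machine's DNS"
rm -rf "$demo_dir"
```

A clean machine yields no output and exit status 0. If an unexpected resolver shows up, `networksetup -getdnsservers "<service name>"` tells you whether it came from the normal network configuration; a resolver that only appears in `scutil --dns`, plus an every-minute root cron entry you did not create, is the pattern the alert describes.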

MacDailyNews Note: Of course, Intego says that “the best way” to protect against this exploit is to purchase and run Intego VirusBarrier X4 with up-to-date virus definitions, but we suggest that an even better way to protect against such trojans is to use your head and not download, authorize, and install software from porn sites.

[Thanks to MacDailyNews Reader “RadDoc” for the heads up.]

90 Comments

  1. Hg,

    My point is that Intego should have mentioned it, because they were certainly aware of the fact that dimmed entries in Leopard’s DNS table were -not- equivalent to an “indicator” of the presence of this, or any other, Trojan. But that’s how their alert made it sound.

    The fact that they deliberately did NOT mention -any other- reasons for the appearance of dimmed DNS servers calls their motives into question.

    Their alert is carefully phrased to ring substantial alarm bells. They specifically say that “the added DNS servers are dimmed, and cannot be removed manually.” The strong implication is that ANY dimmed DNS servers that show up in Leopard (and which, of course, cannot be removed manually) are a result of the Trojan.

    There isn’t the slightest mention regarding something that has now become obvious: when Leopard has been installed, systems which are connected to routers are going to have dimmed DNS servers showing up in their Network preferences. There will probably be a fairly high % of OSX systems that fall into this category. Of those, an overwhelmingly high %, if not virtually all, will -not- have been infected by the Trojan referenced here. Why? It doesn’t spread. The only users affected would have been those that specifically visited the sites in question and who followed all of the social engineering steps required to become infected.

    This is crying “wolf”, in a very public and alarmist way, for an exploit that will not spread, and which sounds as if it will have affected a very small number of users.

    The only responsible way to have disclosed this issue would have been to describe it fully; and to also tell users, (as the Macworld article does) who have a reasonable amount of technical skill how to verify whether or not they have a problem, without having to shell out $80+ to Intego for the privilege.

  2. Hmmmm, So:

    What does this trojan do anyway?????

    I have had the occasional site try and force me to download an .exe file. It had the typical “Download this file? (YES)” single option and the window would not let me close it without selecting yes. Once it started, I would click stop from the downloader, and it’s an .exe file so it does not bother my Mac anyway.

    But anyone know what’s up with that? Would it have to be a virus or trojan file when it will not let you opt out, or is that just more stupid Windows junk going on??

    Just curious. (And glad it showed up on my home Mac vs. my work PC.)

    Dave, although they should have known, it’s possible that they were not “certainly aware of the fact that dimmed entries in Leopard’s DNS table were -not- equivalent to an “indicator” of the presence of this, or any other, Trojan.” MacWorld’s pretty savvy, too, but didn’t know that when the article was first written until it was brought to their attention. Like in the previous fiasco, it’s clear that Intego continues not being careful enough in how they word their announcements. It’s possible their European division is even responsible for their news releases, and Europeans are sometimes known for slightly slanted releases (not that the U.S. isn’t). And, unlike last time, no one has (yet) come out and said this doesn’t exist or is no significant threat. The details seem to still be being shaken out. On the positive side, and assuming this is real, Intego still did its job by telling people that it’s out there.

    There seems to be an undercurrent that Intego shouldn’t have said anything at all since it’s some sort of conflict of interest since they also sell security software. That position makes no sense to me. Again assuming this is legitimate, of everyone, I expect security companies to announce these sorts of things. After all, who else is watching for them? And, OK, so Intego’s PR people still don’t have their full act together. But I don’t think it calls for a blanket condemnation. If the malware is real, I think we should be grateful to know about it, even if the details didn’t make it out correctly.

    I suspect we’ll hear from the other security companies in short order to confirm or deny all this.

  4. Really… who visits porn sites anymore? Isn’t that what P2P was made for? Anything under 100 MB is a waste of time too. And if you download a video, and VLC, MPlayer, or QT cannot open it, find another video because there is something wrong with the one you just downloaded.

  5. Truthifinder, no, this is not (yet) the same thing that happened in 2004. That was indeed poorly handled by Intego. Again, I feel this is more by not having several people at the company validate press releases like these to be sure they are very, very carefully worded with full details. In 2004, others came out pretty quickly to dispute the Intego release. That may yet happen today, but so far it has not. Until it does, it’s better to be safe and take the warning seriously. Because a person or a company made a past error in how something was worded, does not call for ignoring them the rest of their existence. You still look carefully at each announcement to see if a threat exists. So far, we assume it does. And porno sites are not the big issue. The existence of this malware means it can show up other places, too.

    MacWorld is well aware of Intego’s past. But they appeared to take this seriously. I believe that is the safe, responsible thing to do regardless of Intego’s still not completely getting their announcement right.

  6. Exactly HOW does this trojan manage to gain root access, particularly if root has NOT been enabled (Apple factory default) and a user is running:

    • in administrator user space

    • in a non-administrator account space

    Have seen no discussion about the particulars as to HOW root is commandeered.

    Root Man Fat

    @HG Wells: I did not call anyone stupid. I am stating that everyone who knows better needs to inform everyone else not to engage in dangerous behavior, regardless of their OS. I constantly remind my 60+ year old parents and nephews/nieces about this because I am their tech support.
    Providing users with a security blanket called AV software is not the answer, considering AV software is reactive, not proactive. New threats come out all the time; by the time AV software catches up it is too late, infection has already occurred.

    Pull your head out of your ass and be proactive: inform everyone not to open email attachments or follow links, don’t download anything from untrusted sites, do not enter your admin password without knowing why.

    “AV software is reactive, not proactive. New threats come out all the time; by the time AV software catches up it is too late, infection has already occurred.”

    If you update daily, it reduces the window of attack for known viruses to 24hrs or less.

    And clearly you haven’t looked at antivirus software for some years now. Products now look for suspicious behavior and can block virus like activity before an actual signature exists.

    Not doing dumb things is always a good policy, but for the vast majority of computer users who don’t seem to be able to stop themselves from doing dumb things there’s antivirus software.

    Since they have been told over and over their OS is invulnerable, Mac users are like a field of passive herbivores waiting to become dinner for the first predator walking by.
