New Mac OS X DNS Trojan spreads by social engineering

August 11th, 2009

New Mac OS X DNS changer spreads through social engineering

Posted by Dancho Danchev @ 1:50 pm

Trend Micro is reporting on a newly discovered 4th member of the OSX_JAHLAV malware family.

The latest variant is once again relying on social engineering, this time spreading under a QuickTime Player update (QuickTimeUpdate.dmg) with a DNS changer component enabling the malware authors to redirect and monitor the traffic of the victim.

More info on OSX_JAHLAV.D:

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.

Not only are cybercriminals beginning to acknowledge the “under-served” Mac OS X segment, but also, they’re already borrowing tricks from the Microsoft Windows playbook such as OS-independent tactics like fake codecs and bogus video players. The irony? Both the Mac OS X and Windows malware are hosted on the same domains, with copies of each served on the basis of browser detection.

From fake ActiveX objects at adult sites like the “Macintosh Porn Tube”, to bogus codecs and players, these tactics have been dominating the Windows threatscape for years, and will continue to do so, simply because they work. However, among the key advantages a cybercriminal coding/generating malware targeting Apple’s Mac OS X has, is the overall perception of its invincibility to malware, a state of false feeling of security shared across a huge number of people.

Meanwhile, Apple Inc. is already offering security advice stating that “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”

Just like previous campaigns, the latest OSX_JAHLAV.D one issues an offensive message if it detects that security researchers are attempting to assess it. The gang is clearly motivated.

What do you think - is Mac OS X malware gaining momentum, or are they just scratching the surface?

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected....

Also there's no self-replicating virus that spreads from Mac to Mac yet....the Trojans are making an appearance using old Windows exploiting techniques.

ClamXav or Virus Barrier X5 ?? which is the best...

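An added defender-side check, not code from the ZDNet post, Trend Micro or anyone in this thread: it flags resolvers that are not on an allowlist (the DNS changer behaviour described above) and looks for the /tmp/<three random digits> drop pattern the write-up gives. The EXPECTED_DNS allowlist and the "Wi-Fi" service name passed to networksetup are assumptions, and the sample resolver list is constructed.

```bash
#!/bin/bash
# Added example (not the article's or the forum's code). Checks two indicators
# from the write-up: resolvers changed to unexpected servers, and a dropped
# file named /tmp/<three random digits>.
# Assumptions: EXPECTED_DNS is the admin's own allowlist; on a real Mac the
# live resolver list comes from `networksetup -getdnsservers <service>`.

EXPECTED_DNS="192.168.1.1 192.168.1.2"   # assumed allowlist; edit for your network

# check_dns_servers "<space-separated configured resolvers>"
# Prints each resolver missing from EXPECTED_DNS; returns 1 if any were found.
check_dns_servers() {
  local configured="$1" found=0 ip
  for ip in $configured; do
    case " $EXPECTED_DNS " in
      *" $ip "*) ;;                                   # on the allowlist
      *) echo "unexpected resolver: $ip"; found=1 ;;  # DNS changer indicator
    esac
  done
  return $found
}

# find_three_digit_files <dir>
# Lists regular files in <dir> whose name is exactly three digits, the naming
# pattern given for the downloaded component; returns 1 if any exist.
find_three_digit_files() {
  local dir="$1" found=0 f
  for f in "$dir"/[0-9][0-9][0-9]; do
    [ -f "$f" ] || continue            # unmatched glob stays literal; skip it
    echo "suspicious file: $f"
    found=1
  done
  return $found
}

# Constructed sample: a resolver list after one entry has been swapped out.
SAMPLE_DNS="192.168.1.1 203.0.113.5"

if [ "$1" = "--live" ]; then
  # Real Mac (assumed service name "Wi-Fi"); the grep drops the
  # "There aren't any DNS Servers set" message networksetup prints otherwise.
  dns=$(networksetup -getdnsservers Wi-Fi | grep -E '^[0-9.]+$' | tr '\n' ' ')
  dir=/tmp
else
  dns="$SAMPLE_DNS"; dir="${TMPDIR:-/tmp}"
fi
check_dns_servers "$dns" && echo "resolvers look normal"
find_three_digit_files "$dir" && echo "no three-digit files in $dir"
```

Run with `--live` on a Mac to check the real resolver list and /tmp; without it the script exercises the constructed sample.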

OMFG Apple lied to me! I watched their commercials and they said only PCs get viruses and trojans, so I bought a Mac. I will never buy another Apple product again!! Lying sons of bitches.

j/k about buying a Mac.


It's only those who aren't technically inclined who would allow unknown codecs or download Mac patches from third party sites... people will still get infected....those who don't know what to watch out for. ;) Yes, most of us here are technically inclined and are curious to learn, or else why would you be here....


agree

It's only those who aren't technically inclined who would allow unknown codecs or download Mac patches from third party sites...

OMFG Apple lied to me! I watched their commercials and they said only PCs get viruses and trojans, so I bought a Mac. I will never buy another Apple product again!! Lying sons of bitches.

j/k about buying a Mac.

Actually, that really is false advertising on Apple's part to say that Macs never get viruses, ever. I believe they had to stop airing certain ads in the UK due to some false claims made about the iPhone 3G.


Actually, that really is false advertising on Apple's part to say that Macs never get viruses, ever. I believe they had to stop airing certain ads in the UK due to some false claims made about the iPhone 3G.

Fact is Macs don't get viruses on their own, you have to install them yourself.

Only when viruses start spreading autonomously through OS X does it become false advertising.


Fact is Macs don't get viruses on their own, you have to install them yourself.

Only when viruses start spreading autonomously through OS X does it become false advertising.

You have to install viruses in Windows too.


http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected....

Also there's no self-replicating virus that spreads from Mac to Mac yet....the Trojans are making an appearance using old Windows exploiting techniques.

ClamXav or Virus Barrier X5 ?? which is the best...

So you're basically saying that Windows is at fault here? People who think they are immune to such attacks, viruses etc. because they run OS X are only joking themselves. Most trojans, viruses, malware, spyware etc. mostly infect Windows because the user has installed some crap which already has it, or uses a third party application which is exploitable outside of Microsoft's control.

Guess what? The real problem is not Windows, the internet, the computer, the hardware, the operating systems and so on, it's the user.


You have to install viruses in Windows too.

Some recent viruses spread through Windows on their own, does the name Conficker ring a bell?

So you're basically saying that Windows is at fault here?

No, you're just taking it way overboard.

He only said it uses techniques previously used in Windows such as "Social Engineering". The fault is with the user not the OS.


Where the fault lies is irrelevant, this proves that viruses can target OSX, therefore making Apple's adverts lies. How the exploit gets on the computer is irrelevant.


Windows vs Mac...wah wah wah...whinge whinge whinge...boohooo....fart. FFS.

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected....

Good question...hopefully someone knows the answer! Most of us don't bother with AV on a Mac even when connected to a Windows network!


If by the email program automatically activating it, or IE ActiveX automatically running it, is "being installed by user", then yeah, I guess using Windows counts as installing the viruses; a person had to install Windows at one time.

You have to install viruses in Windows too.

*Edit* I get it, yes an OS X machine carrying, say, an XLS document with an infected macro could infect the Windows machines and be immune to said macro, while the Windows machines running it will be infected, but I don't know of any AV that will detect cross-platform like that; a server-based AV that has client apps on each machine "should" be able to, I think

*End edit*

If my understanding is correct, an OS X virus is not able to infect a Windows machine, and the same the other way around; that's why they are named "win32blabla" or "win64blabla" or "blabla.osx"

The architecture is totally different. Now, an infection over a Windows network could be coded to infect other OS X machines over the same network, but the Windows machines would theoretically be immune

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected....

Also there's no self-replicating virus that spreads from Mac to Mac yet....the Trojans are making an appearance using old Windows exploiting techniques.

ClamXav or Virus Barrier X5 ?? which is the best...


If by the email program automatically activating it, or IE ActiveX automatically running it, is "being installed by user", then yeah, I guess using Windows counts as installing the viruses; a person had to install Windows at one time.

I've yet to come across any ActiveX prompt that automatically runs. From essentially WinXP SP2 onward, there will always be a prompt in IE that asks, "Click here to run this ActiveX prompt..."


*Edit* nvm *Edit*

But either way, OS X users will get infected if they install it thinking it's an update for QuickTime, just like AntiVirus2006-9 and its clones infect Windows users

A lot of general users will click it just to get it off the screen, not even reading it

I've yet to come across any ActiveX prompt that automatically runs. From essentially WinXP SP2 onward, there will always be a prompt in IE that asks, "Click here to run this ActiveX prompt..."

At the end of the day....the important part of these types of attacks is to understand/analyze the mind of the malware/virus writer. They would not have written this if they didn't think it would be worth their while.

The kind of thing an antivirus company would do once they get a copy to reverse engineer...sometimes they don't know the motives for a while...in the case of Conficker....it just sat there not doing anything except awaiting instructions with a port open.

Questions like:

What are their intentions with this virus, trojan, malware? Monetary or malicious damage, creating a botnet, etc..

- Monetary meaning they want to steal your data and use or sell it on the black market.

- Malicious meaning damaging your computer or something larger like a botnet DDoS attack.

This one is a DNS changer which, the article says, could be used to redirect your browsing so they can monitor your traffic or set up phishing sites to collect your data.

Obviously he/she is counting on it, and we all know it is possible that non-knowledgeable people will install it.


Windows vs Mac...wah wah wah...whinge whinge whinge...boohooo....fart. FFS.

Good question...hopefully someone knows the answer! Most of us don't bother with AV on a Mac even when connected to a Windows network!

this is crazy, virus for Mac, where is it not, Linux boys, Linux..................


Where the fault lies is irrelevant, this proves that viruses can target OSX, therefore making Apple's adverts lies. How the exploit gets on the computer is irrelevant.

It's not an exploit if you have to run it yourself and allow it to run with full privileges. The fault is with the user.

