.Kompressor Posted August 13, 2009

August 11th, 2009
New Mac OS X DNS changer spreads through social engineering
Posted by Dancho Danchev @ 1:50 pm

TrendMicro is reporting on a newly discovered 4th member of the OSX_JAHLAV malware family. The latest variant is once again relying on social engineering, this time spreading under a QuickTime Player update (QuickTimeUpdate.dmg) with a DNS changer component enabling the malware authors to redirect and monitor the traffic of the victim.

More info on OSX_JAHLAV.D:

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.

Not only are cybercriminals beginning to acknowledge the “under-served” Mac OS X segment, but also, they’re already borrowing tricks from the Microsoft Windows playbook such as OS-independent tactics like fake codecs and bogus video players. The irony? Both the Mac OS X and Windows malware are hosted on the same domains, with copies of each served on the basis of browser detection.

From fake ActiveX objects at adult sites like the “Macintosh Porn Tube”, to bogus codecs and players, these tactics have been dominating the Windows threatscape for years, and will continue to do so, simply because they work. However, among the key advantages a cybercriminal coding/generating malware targeting Apple’s Mac OS X has, is the overall perception of its invincibility to malware, a state of false feeling of security shared across a huge number of people.

Meanwhile, Apple Inc. is already offering security advice stating that “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”

Just like previous campaigns, the latest OSX_JAHLAV.D one issues an offensive message if it detects that security researchers are attempting to assess it. The gang is clearly motivated.

What do you think - is Mac OS X malware gaining momentum, or are they just scratching the surface?

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected.... Also there's no self-replicating Virus that spreads from Mac to Mac yet....the Trojans are making an appearance using old windows exploiting techniques. ClamXav or Virus Barrier X5 ?? which is the best...

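A defender-side check for the two artifacts the quoted write-up names, a changed resolver list and a file stored as /tmp/{random 3 numbers}. This is an added example, not part of the original posts or of the TrendMicro or ZDNet text; the allowlist, the function names and the sample `scutil --dns` output are constructed for illustration.

```python
import ipaddress
import os
import re

# Constructed sample of `scutil --dns` output (not captured from an infected Mac).
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 203.0.113.53
"""

NAMESERVER_RE = re.compile(r"^[ \t]*nameserver\[\d+\][ \t]*:[ \t]*(\S+)[ \t]*$", re.M)


def unexpected_resolvers(scutil_text, allowed):
    """Return resolver IPs not in the allowlist, each once, in order seen."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    seen, flagged = set(), []
    for raw in NAMESERVER_RE.findall(scutil_text):
        try:
            ip = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 scope id
        except ValueError:
            continue  # not an IP literal; ignore the line
        if ip not in allowed_ips and ip not in seen:
            flagged.append(str(ip))
        seen.add(ip)
    return flagged


def three_digit_files(directory):
    """Return regular files whose whole name is three digits (triage hint only)."""
    hits = []
    for entry in os.scandir(directory):
        if re.fullmatch(r"\d{3}", entry.name) and entry.is_file(follow_symlinks=False):
            hits.append(entry.name)
    return sorted(hits)


if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_SCUTIL, ["192.168.1.1"]))
    print(three_digit_files("/tmp"))
```

On a real Mac the text would come from running `scutil --dns`, and the allowlist would be the resolvers your router or network administrator actually hands out.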
sn00pie Posted August 13, 2009

So the odds of getting these trojans are low unless you're surfing porn websites? I think I'm missing the point here.

spy beef Posted August 13, 2009

OMFG Apple lied to me! I watched their commercials and they said only PCs get viruses and trojans, so I bought a Mac. I will never buy another Apple product again!! Lying sons of bitches.

j/k about buying a Mac.

.Kompressor Posted August 13, 2009

It's only those who aren't Technically inclined who would allow unknown codecs or download mac patches from third party sites... people will still get infected....those who don't know what to watch out for. ;)

yes most of us here are technically inclined and are curious to learn or else why would you be here....

Hell-In-A-Handbasket Posted August 13, 2009

agree

It's only those who aren't Technically inclined who would allow unknown codecs or download mac patches from third party sites...

perochan Posted August 13, 2009

yep. i only update from software updates.

NeoTrunks Posted August 13, 2009

Should be safe as long as you don't enter your password for this "update". Unfortunately people will do it.

Quillz Posted August 13, 2009

OMFG Apple lied to me! I watched their commercials and they said only PCs get viruses and trojans, so I bought a Mac. I will never buy another Apple product again!! Lying sons of bitches. j/k about buying a Mac.

Actually, that really is false advertising on Apple's part to say that Macs never get viruses, ever. I believe they had to stop airing certain ads in the UK due to some false claims made about the iPhone 3G.

Ricardo Gil Posted August 14, 2009

Actually, that really is false advertising on Apple's part to say that Macs never get viruses, ever. I believe they had to stop airing certain ads in the UK due to some false claims made about the iPhone 3G.

Fact is Macs don't get viruses on their own, you have to install them yourself. Only when viruses start spreading autonomously through OS X does it become false advertising.

Reacon Posted August 14, 2009

Fact is Macs don't get viruses on their own, you have to install them yourself. Only when viruses start spreading autonomously through OS X does it become false advertising.

You have to install viruses in Windows too.

ToneKnee Posted August 14, 2009

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected.... Also there's no self-replicating Virus that spreads from Mac to Mac yet....the Trojans are making an appearance using old windows exploiting techniques. ClamXav or Virus Barrier X5 ?? which is the best...

So you're basically saying that Windows is at fault here? People who think they are immune to such attacks, viruses etc because they run OS X are only joking themselves. Most trojans, viruses, malware, spyware etc mostly infect Windows because the user has installed some crap which already has it, or uses a third party application which are exploitable outside of Microsoft's control. Guess what? The real problem is not Windows, the internet, the computer, the hardware, the operating systems and so on, it's the user.

Kyang Posted August 14, 2009

Same argument applies to Windows, OSX, and any other OS really. Use common sense, stay up-to-date, and you'll be able to avoid a lot of the problems. :)

Ricardo Gil Posted August 14, 2009

You have to install viruses in Windows too.

Some recent viruses spread through Windows on their own, does the name Conficker ring a bell?

So you're basically saying that Windows is at fault here?

No, you're just taking it way overboard. He only said it uses techniques previously used in Windows such as "Social Engineering". The fault is with the user not the OS.

Subject Delta Posted August 14, 2009

Where the fault lies is irrelevant, this proves that viruses can target OSX, therefore making Apple's adverts lies. How the exploit gets on the computer is irrelevant.

Steeley Posted August 14, 2009

Windows vs Mac...wah wah wah...whinge whinge whinge...boohooo....fart. FFS.

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected....

Good question...hopefully someone knows that answer! Most of us don't bother with AV on a mac even when connected to a windows network!

Hell-In-A-Handbasket Posted August 14, 2009

if by the Email program automatically activating it, or IE ActiveX automatically running it is "being installed by user" then yea i guess using windows counts as installing the viri, a person had to install windows at one time

You have to install viruses in Windows too.

Hell-In-A-Handbasket Posted August 14, 2009

*Edit* i get it, yes a OSX machine carrying say a XLS document with an infected macro could infect the windows machines and be immune to said macro, while the windows machines running it will be infected, but i don't know of any AV that will detect Cross platform like that, a Server based AV that has client apps on each machine "should" be able to i think *End edit*

if my understanding is correct, a OSX virus is not able to infect a windows machine and same otherwise, why they are named "win32blabla" or "win64blabla" or "blabla.osx" the architecture is totally different, now an infection over a windows network could be coded to infect other osx machines over the same network, but the windows machines would theoretically be immune

http://blogs.zdnet.com/security/?p=4024

so what Antivirus is best for Mac? You do need one at least to protect the Windows networks you connect to or share files with...cause you could be carrying the Trojan in a file but not be infected.... Also there's no self-replicating Virus that spreads from Mac to Mac yet....the Trojans are making an appearance using old windows exploiting techniques. ClamXav or Virus Barrier X5 ?? which is the best...

Quillz Posted August 14, 2009

if by the Email program automatically activating it, or IE ActiveX automatically running it is "being installed by user" then yea i guess using windows counts as installing the viri, a person had to install windows at one time

I've yet to come across any ActiveX prompt that automatically runs. From essentially WinXP SP2 onward, there will always be a prompt in IE that asks, "Click here to run this ActiveX prompt..."

Hell-In-A-Handbasket Posted August 14, 2009

*Edit* nvm *Edit*

but either way, OSX users will get infected if they install it thinking it's an update for quicktime, just like AntiVirus2006-9 and its clones infects windows users

a lot of general users will click it just to get it off the screen not even reading it

I've yet to come across any ActiveX prompt that automatically runs. From essentially WinXP SP2 onward, there will always be a prompt in IE that asks, "Click here to run this ActiveX prompt..."

PyX Posted August 14, 2009

I'm pretty positive I downloaded a security update yesterday that fixed something related to DNS...

.Kompressor Posted August 14, 2009

At the end of the day....the important part of these type of attacks is to understand/analyze the mind of the malware/virus writer. They would not have written this if they didn't think it would be worth their while. The kind of thing an Antivirus company would do once they get a copy to reverse engineer...sometimes they don't know the motives for a while...in the case of the Conficker....it just sat there not doing anything except it was awaiting instructions with port open.

Questions like: what are their intentions with this virus, trojan, malware? Monetary or Malicious Damage, creating a botnet, etc..
- Monetary meaning they want to steal your data and use or sell it on blackmarket.
- Malicious meaning damaging your computer or something larger like a botnet DDoS attack.

This one is a DNS changer which in the article says could be used to redirect your browsing so they monitor your traffic or setup phishing sites to collect your data.

obviously he/she is counting and we all know it is possible that non-knowledgeable people will install it.

godzila Posted August 14, 2009

Windows vs Mac...wah wah wah...whinge whinge whinge...boohooo....fart. FFS. Good question...hopefully someone knows that answer! Most of us don't bother with AV on a mac even when connected to a windows network!

this is crazy virus for mac where it not linux boys linux..................

.Kompressor Posted August 14, 2009

I'm pretty positive I downloaded a security update yesterday that fixed something related to DNS...

yep Apple fixed the exploit I believe yesterday...I installed it also.

http://forums.macrumors.com/showthread.php?t=764405

Growled Posted August 14, 2009

As Apple gets more popular I see more and more of this happening.

Ricardo Gil Posted August 14, 2009

Where the fault lies is irrelevant, this proves that viruses can target OSX, therefore making Apple's adverts lies. How the exploit gets on the computer is irrelevant.

It's not an exploit if you have to run it yourself and allow it to run with full privileges. The fault is with the user.