Mac malware bends browsers to suspect sites
by Stephen Withers   
Thursday, 01 November 2007
A Trojan purporting to be a video codec for Mac OS X's QuickTime instead reconfigures the system to use a DNS server that returns bogus results.

Dubbed OSX.RSPlug.A by its discoverer, Mac security vendor Intego, the Trojan is being downloaded by users responding to spammed forum postings promising free porn.

When they follow the links in the messages, they are told that QuickTime cannot play the movie file and are presented with a link to what is claimed to be a new codec. If the supposed codec is downloaded and installed, it asks for an administrator password and then changes the Mac's DNS settings to point to a server presumably operated by the miscreants behind the Trojan.

A DNS server should return the IP address corresponding to a domain name, but these rogue servers return incorrect information so that attempts to visit certain financial institutions including PayPal are diverted to phishing sites, allowing accounts to be hijacked. Other DNS requests may return false results that lead to ads for other porn sites.

Traditional phishing involves sending emails that appear to be from the institution concerned, and induce the recipient to click on a (bogus) link to "verify the transaction" or some such official-sounding action. That's why banks normally tell their customers to always type their URL directly into a browser. The sneaky part of OSX.RSPlug.A is that it doesn't matter where the URL comes from, the dodgy DNS server will take care of the redirection.

It seems the initial attack only diverts URLs that people are likely to access via web browsers, but it could be used to redirect traffic originating from other applications. For example, the URL used by a program's automatic updating feature could be hijacked to deliver other malware.

The Trojan also installs a crontab job (a mechanism for repeatedly executing a task at specified intervals) that makes sure the bogus DNS setting is still active.

According to Intego, OSX.RSPlug.A is known to work with Mac OS X 10.5 and 10.4; older versions are also likely to be vulnerable. Worryingly, there is no obvious sign of the added DNS server in 10.4. While it does show up in 10.5, it cannot be removed in the usual way. In any case, it is also necessary to remove the crontab job. An up-to-date copy of Intego's VirusBarrier X4 will detect and remove the Trojan, but as of this writing Sophos and Symantec do not appear to offer protection against it.
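Because the rogue resolver may not be visible in the Network preference pane and the crontab job silently re-applies it, a defender wants a check that does not rely on the GUI. The script below is an added example written for this article; it is not code from iTWire, Intego or Apple. It compares the resolvers reported by `scutil --dns` against an allowlist of expected addresses and lists cron entries that reference DNS-configuration tools. The allowlist, the `scutil` output sample and the crontab sample are all constructed for the demonstration; the 203.0.113.7 address is a documentation-range placeholder standing in for a rogue resolver, and the cron line is a labelled placeholder, not a real indicator from the Trojan.

```shell
#!/bin/sh
# Added example (not from the iTWire article or Intego): audit macOS DNS
# resolvers and the crontab for signs of a DNS-changer Trojan such as
# OSX.RSPlug.A. Run as root to see root's crontab.

# Resolvers this machine is expected to use (assumed values; adjust them
# to your own network).
ALLOWED_RESOLVERS="192.168.1.1 192.168.1.2"

# Constructed sample of `scutil --dns` output, including one unexpected
# resolver (203.0.113.7 is a documentation address, not a real IoC).
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : example.internal
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records'

# Constructed sample crontab with a placeholder entry that re-applies DNS
# settings every five minutes, mimicking the persistence described above.
SAMPLE_CRONTAB='# constructed root crontab
0 * * * * /usr/sbin/periodic hourly
*/5 * * * * /path/to/SUSPECT_SCRIPT_PLACEHOLDER --set-dns'

# Read scutil-style text on stdin and print each unique resolver address.
# Lines of interest look like "  nameserver[0] : 192.168.1.1".
list_resolvers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' |
        sort -u
}

# Print resolvers from stdin that are not on the allowlist, one per line.
# Empty output means every configured resolver is expected.
unexpected_resolvers() {
    list_resolvers | while IFS= read -r ip; do
        case " $ALLOWED_RESOLVERS " in
            *" $ip "*) ;;                 # on the allowlist, ignore
            *) printf '%s\n' "$ip" ;;     # not expected, report it
        esac
    done
}

# Print crontab entries from stdin that mention DNS-configuration tools or
# files. This is a review heuristic: a cron job touching DNS settings is
# exactly the persistence mechanism the article describes.
suspicious_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
        grep -iE 'scutil|networksetup|resolv|dns' || true
}

# Stand-alone run: audit the live system when the macOS tools exist,
# otherwise demonstrate on the constructed samples.
if command -v scutil >/dev/null 2>&1; then
    echo "Unexpected resolvers:"
    scutil --dns | unexpected_resolvers
    echo "Cron entries to review:"
    crontab -l 2>/dev/null | suspicious_cron_entries
else
    echo "Unexpected resolvers (sample):"
    printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_resolvers
    echo "Cron entries to review (sample):"
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
fi
```

On a clean machine the resolver check prints nothing; any address it does print should be traced back to whoever configured it. The cron check only narrows the list for human review, so read every entry it prints rather than deleting on sight, and remember that removing the rogue resolver without removing the job simply lets the job put it back.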

If you think you have already been tricked into installing this piece of malware, Macworld offers instructions for removing OSX.RSPlug.A.

The social engineering side of this attack is quite clever. Using porn as the bait is already known to be a successful strategy. Masquerading as a QuickTime codec serves a dual purpose: having to install or update a codec is not unheard of, and the fact that it arrives as an installer would raise few suspicions. Furthermore, an admin password is needed to install codecs that are to be available to all users.

So be careful, even if you're not into porn - the next wave could easily involve some other kind of video, whether that's billed as a politician or celebrity doing something stupid, an hilarious new TV ad, or maybe an amusing event caught on security video. Think twice about where the required software came from before you install it.
