Mac Trojan prowls porn sites

Computerworld - A Trojan horse targeting Macs -- among the rarest of security events -- has been spotted on numerous pornographic Web sites, researchers said Wednesday.

First reported by Mac security software maker Intego in Austin and later confirmed by Sunbelt Software, McAfee Inc., and the SANS Institute's Internet Storm Center, "OSX.RSPlug.a" changes the Mac's DNS (Domain Name System) settings to redirect users to alternate or spoofed sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said Bojan Zdrnja, an analyst at Internet Storm Center (ISC) in a warning posted early Thursday. The DNSChanger exploit is well-known to Windows Trojan watchers.

"The bad guys are taking Mac seriously now," Zdrnja added. "This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Alex Eckelberry, Sunbelt's CEO, echoed Zdrnja. "This is the first targeted, real attack on Mac users by a professional malware group," said Eckelberry in a posting to his blog.

When users click on a link to watch video on one of the malicious porn sites, a dialog box tells them QuickTime needs to install additional software. "Quicktime Player is unable to play movie file. Please click here to download new version of codec."

Depending on the browser's settings, the download may mount a disk image and launch an installer automatically. In Safari, for instance, the checked-by-default "Open 'safe' files after downloading" option will mount and launch. Firefox, however, does not have a comparable setting, and will not auto-mount the image or launch the installer. In every case, the user must enter an administrator password to install the masquerading Trojan.

After that, OSX.RSPlug.a silently changes the DNS server the Mac looks to for resolving addresses, and lets the attackers decide which legitimate page requests -- say, www.google.com -- to silently shunt to URLs of their choosing. Intego's advisory claims the redirects are to sites crammed with ads for more porn sites, or to phishing sites.

The DNS change will be invisible and difficult to verify for most users, because Mac OS X 10.4 doesn't show changed settings in Network Preferences. The new Leopard OS, however, will show modified settings as grayed. For more information on how to tell whether a machine has been hit by the Trojan, check out this story on MacWorld, a Computerworld sister site.

As of early Thursday, it was unclear how many porn sites hosted the bogus codec-cum-Trojan, although Intego claimed a "great deal" of bait spam had been seeded to Mac-specific forums to attract users to the sites. Eckelberry, meanwhile, said his company's researchers were able to find a sample of the Trojan in under three minutes using only a Google. Of the larger security vendors, only McAfee Inc., had posted an analysis of the Trojan by 2:00 a.m. Thursday, Eastern time.

While Macs have generally escaped the attention of attackers -- even security researchers who graded Leopard yesterday called Apple's small market share its secret security weapon -- that may be coming to a close, said Eckelberry. "I'm not trying to overhype. Mac users, hungry for porn, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the [iPod] touch and iPhone, running OS X."

And Mac owners aren't any different from people running Windows, said Zdrnja. Some will click and download and install until the cows come home. "Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything."

Read more about Security in Computerworld's Security Topic Center.