Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Mac Attack: Porn video lures dropping DNS-changer Trojan

By | November 1, 2007, 8:05am PDT

Summary: Well-organized identity thieves are using porn video lures to deliver malware to Mac OS X users, confirming fears among security researchers that it’s only a matter of time before Apple’s fast-growing platform becomes a big malware target.

Organized identity thieves are using porn video lures to deliver malware to Mac OS X users, confirming fears among security researchers that it’s only a matter of time before Apple’s fast-growing platform becomes a big malware target.

The ongoing attack, first spotted by Intego, includes spammed links to Mac forums that point to free adult-themed videos. Clicking on one of the videos pops up a Web page that looks like this:

Porn videos deliver malware to Mac OS X

The site uses that pop-up to get users to download a disk image (.dmg) file disguised as a codec that’s required for viewing the video. If the Mac machine’s browser is set to open “Safe” files after downloading, the .dmg gets mounted and the Installer is launched.

The target must click through a series of screens to become infected but once the Trojan is installed, it has full control of the machine.

According to anti-virus vendors, the Trojan is programmed to change the Mac’s DNS server, a trick used by phishers to load fake Web pages and hijack valuable user data.

Offensive Computing provides a walk-through of the risk scenario:

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

MacWorld provides step-by-step removal instructions. See also the Techmeme discussion.
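As an added example (not code from the article, from Intego or from ZDNet), the following POSIX shell audit checks a Mac for the two conditions described above: resolver entries rewritten by a DNSChanger-style Trojan, as shown by `scutil --dns`, and Safari's "Open safe files after downloading" option that auto-mounts the fake-codec .dmg. The expected-resolver list, the sample `scutil` output and the Safari preference key name `AutoOpenSafeDownloads` are assumptions; the functions read text so they can be tried on the constructed sample before being pointed at a live machine.

```shell
#!/bin/sh
# Added example, not code from the article: audit a Mac for a changed resolver
# and for Safari auto-opening "safe" downloads. Parsing functions take text on
# stdin/arguments so they run offline on the constructed sample below.

# Resolvers you expect to see. Assumption: a home router plus one public resolver.
EXPECTED_DNS="192.168.1.1 8.8.8.8"

# check_dns: reads `scutil --dns` output on stdin. Lines of interest look like
#   "  nameserver[0] : 192.168.1.1"
# Prints every nameserver not in EXPECTED_DNS; returns 1 if any, else 0.
check_dns() {
    rc=0
    for ns in $(awk '/nameserver\[[0-9]+\] :/ { print $NF }' | sort -u); do
        case " $EXPECTED_DNS " in
            *" $ns "*) ;;                                   # known-good resolver
            *) echo "unexpected resolver: $ns"; rc=1 ;;
        esac
    done
    return $rc
}

# check_safe_downloads: takes the value of Safari's AutoOpenSafeDownloads
# preference (assumed key name; 1 = auto-open on, 0 = off). Returns 0 only when
# the option is off, i.e. a downloaded .dmg will not be mounted automatically.
check_safe_downloads() {
    [ "$1" = "0" ]
}

# Constructed sample: what `scutil --dns` might show after the resolver has been
# changed. 203.0.113.10 is a documentation address standing in for a rogue server.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)'

if printf '%s\n' "$SAMPLE_SCUTIL" | check_dns; then
    echo "resolver configuration looks normal"
else
    echo "resolver has been changed; compare against your router/ISP settings"
fi

if check_safe_downloads 1; then
    echo "Safari will not auto-open downloads"
else
    echo "Safari auto-opens 'safe' files: turn it off in Safari > Preferences > General"
fi

# Live use on a Mac (both commands are standard macOS tools):
#   scutil --dns | check_dns
#   check_safe_downloads "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)"
```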


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

177 Comments

Let's see...
Jim888 1st Nov 2007
So if I view porn with Windows no one will attack me.... riigghhtt.

Or if I view porn on a Mac and accept codecs to see "more" I will be attacked.

Sounds like a real problem....IF you view porn and IF you accept changes to your system to see "more".

0 Votes
*eye roll*
sv650touring@... 1st Nov 2007
don't forget: "The target must click through a series of screens to become infected..."

That is what is so nice about Windows. Spyware gets installed without all the hassle of user interaction.

Nothing to see here except the usual misleading headline "we finally found a real live Mac virus!" FUD

Move along...
0 Votes
Bzzzt, wrong
No_Ax_to_Grind 1st Nov 2007
Its obvious you have not used Vista.
0 Votes
Besides that...
thx-1138_@... 1st Nov 2007
...i get the feeling the Mac may fare a lot worse than its users might think against concerted crack attempts.

I say it's just a matter of time before the cracking community find it within themselves to *try out* Apple.

I am genuinely curious as to whether Macs can hold up against genuine threats on the scale that MS OS's face.

I don't like their chances in the long run.
0 Votes
Especially since...
bigsibling 2nd Nov 2007
the Mac community has been so used to not having to worry about malware and virii. The average Joe user has been conditioned to believe their OS is impenetrable.
0 Votes
I tend to agree
notsofast 2nd Nov 2007
I'm sure virtually everyone reading this (mac and windows users alike) look at this attack and think, WTH would fall for this attack?

But those who don't go around reading Mac forums just might. If you look back to 6 or 7 years ago, a lot of malware got through via social engineering that wasn't that different from this attack.

Once you get away from tech savvy users, you see people who manage to get all kinds of cr*p on their computers. I had a friend who managed to get adware on his PC that adaware rated an 8 or 9. Until then, I'd never seen anything higher than a 3 (and still haven't on my machine). He had dozens of viruses (I've never had one).

I asked, "do you download every attachment that comes from strangers"? He didn't answer.
0 Votes
Remember, in the example above the user has to hold its virtual hand all the way for
it to work, i.e. by entering an admin username and password.

No different than installing the usual software and very different from how software,
malicious or not, can install itself completely automatically in Windows.

So yes, no spots on Mac OS X's reputation, it's still secure.
0 Votes
Bzzzt, wrong
aussieblnd@... 1st Nov 2007
" It's obvious you have not used Vista. "

I'm using Vista so what's your point? I have a Mac and Linux systems also and no problem from either. It's not the system, it's the user!
0 Votes
Beating around bushes...much?
santuccie 2nd Nov 2007
In one post, you demand proof that this Mac exploit actually exists, and that people are actually getting their computers infected by it. Now you say it's about the user, not the platform. Do you know anything about security and hacking, or do you just have a habit of trolling in waters as murky as the Hudson itself, without a clue where you're going or what you're talking about? If you know something about security and its implementation, please, share it. Otherwise, be aware that anyone who listens to you only gets dumber as a result.
0 Votes
RE: Bzzzt, wrong
gnugen 3rd Nov 2007
...and why would any Mac user want to try Vista? That's like saying "It's obvious you have not driven a Yugo" I am sure it is a great experience, but why?
0 Votes
Nope.
AzuMao 28th Sep 2009
UAC doesn't stop viruses from messing with the
user's files, just the kernel. Meaning all your
saved passwords, all your
browsing/emailing/instant messaging activity, is
still exposed to viruses. It's obvious you use
Vista without even understanding how it works.
0 Votes
But there is a truth here...
pfvolpe@... 3rd Nov 2007
...and that truth is that there is nothing inherently safe about a Mac or any other system -- the only thing that has protected Macs thus far is small market share. The issue of clicking through is specific to this attack -- eventually, more sophisticated attacks will be mounted, new holes found. It's a matter of time and attention. As Macs gain market share, the attention will come.
0 Votes
Two years later...
vulpine@... 25th Sep 2009
... and we only just now find out that there's a 'bounty' on
infecting Macs. Why?

Could it be because Macs really are harder to break into?

I don't doubt that eventually something will work; but after two
years of attempts no more successful than this one, you have
to wonder. The only successful trojans so far into a OS X have
involved pirated and hacked versions of legitimate applications;
the victims being people who want something for nothing.
in the near future, and with their large increase in sales,

just a prediction...

and just a matter of time
seriously.
0 Votes
Never will happen.
powershaker Updated - 25th Sep 2009
I don't care how popular the Mac becomes. Unix/FreeBSD OSes are just
not as susceptible to viruses as Windows. I've had Virus Barrier X5 for
over two years on my Mac, and guess what? I haven't gotten infected by
simply surfing the net or installing software. It just doesn't happen on a
Mac. Saying that Macs will eventually become infected with viruses is like
saying Linux will. Unix based OSes just aren't as prone to viruses as the
Windows OS. If you want to escape viruses, buy a Mac or a Linux box.
Infection just doesn't happen. I'm proof, too.
0 Votes
Let's not see!
aussieblnd@... 1st Nov 2007
So the moral of the story is? Fishing for porn will give you a disease! Then your entire entourage will find out you have VD (Video Disease).
Just say no to porn! Or go rent it somewhere!
for those that are saying if you don't look at porn no worries but what happens when they put this out for say a movie trailer.

no porn just a movie preview.

and being that most mac users don't run anti virus software and most are not geeks like us who live on zdnet.

they will be pwned. say what you want but as the mac platform gets a larger user base it will get more attacks. you can put your head in the sand and say it's not true and believe the FUD apple tells you or open your eyes and see it's just a matter of time before Mac OS X starts getting whacked. and keep your data safe.
0 Votes
It's not just porn....
Uncle Buck 2nd Nov 2007
Any video posted on a Social Networking site is potentially dangerous to view. I run an Internet Cafe and the past couple of months have had several machines get hit from customers installing video codecs. We have a strict no porn or get tossed out of the Cafe rule.

It doesn't matter, if the user wants to view the file they will go "Click, Click, Click..." When I think about it, careless Windows users are switching to Mac thinking that will make them safe; thus making Mac a prime target as the user base grows. I have serviced these users' machines before they bought their Mac and have told them to not go "Click, Click, Click..." and it is not always OK to click OK. Most malware is brought on by the user; to fix a malware problem you need to fix your internet habits first.

Uncle Buck :?)
0 Votes
Nope.
AzuMao 4th Jan 2010
It's safe to view.

Just don't download and install shady programs
that it says you need. Only get
flash/quicktime/etc from their official websites.
"Problem" solved.
0 Votes
I love my free porn, just...
Hrothgar - PCLinuxOS User 9th Nov 2007
surf it using a live Linux CD. You can't meaningfully infect a read only system. Just don't check your bank balance before you reboot.
0 Votes
Let's see... SOME PROOF!
aussieblnd@... 1st Nov 2007
Soo who got infected? How many? Where is the Proof? Let's have some stats!
Otherwise it's just so much speculation! Could happen, may happen, might happen, but has it!!!!
0 Votes
What's your point?
santuccie 2nd Nov 2007
Why must you jump to defense when a news article says there's an exploit for Mac OS? Is Mac OS a religion to you? Is Steve Jobs your deity? Rather than scoffing and clinging to days gone by (before all the PoC samples, and Dino Dai Zovi, and the NVD, and the Month of Apple Bugs project, etc.), you might do well to start defending your computer by installing some free security software. You'd get more done that way than to sit and defend your religion by trolling. "Better safe than sorry." Start here: http://www.itsecurity.com/features/103-free-security-apps-041607/
0 Votes
Oh man!
People 1st Nov 2007
I hate criminals.
0 Votes
me too
johnson12 1st Nov 2007
but I hate stupid people as well.
0 Votes
I hate OSX
NonZealot 1st Nov 2007
Why won't OSX protect me from this? I thought OSX was secure? Hmm, I guess I've been lied to!
0 Votes
Funny how when malware targets Windows, it is all m1cR0$ux'$ fault but when that exact same malware targets OSX, it is all the criminal's fault!

snicker, smirk happy
0 Votes
No double standards, just ignorance. You can't get "infected" by this "trojan" simply by visiting a website with a malformed IFRAME tag like in Windows.

This "trojan" is going nowhere because it doesn't self propagate and can't be installed without 100% user intervention.

As I said before, this is like giving the keys to your car to a thief, then complaining to the car company that they aren't doing enough to protect your car from theft.
0 Votes
OSX is immune to drive by exploits?
NonZealot 1st Nov 2007
You can't get "infected" by this "trojan" simply by visiting a website with malformed IFRAME tag like in Windows.

Say it ain't so!!!

Drive by exploit

QuickTime users visiting maliciously crafted websites could fall victim to arbitrary code execution.
...
The security update is available for QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8


Shock, horror, turns out OSX is vulnerable to drive by exploits!

What, you want more? Okay:
Drive by exploit
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users.

Hmm, seems that OSX is most certainly not immune to drive by exploits. Oh, but I'm sure it was really difficult to come up with these exploits, right? Hehe, not so hard after all:
Dai Zovi found the Safari vulnerability and wrote the exploit overnight in about 9 hours

snicker, smirk happy
0 Votes
Wrong, wrong, and wrong again...
olePigeon 1st Nov 2007
Wrong, wrong, and wrong again. First of all, I never said it was immune, so stop putting words in my mouth. Secondly, the computer does not become infected simply by visiting the website unlike Windows. The user has to download the disk image, open it, then execute the application, enter their username & password, and install it.
I assume you have a point?
0 Votes
First of all, I never said it was immune, so stop putting words in my mouth.

Okay, so you admit that OSX can be infected by drive bys, just like Windows.

Secondly, the computer does not become infected simply by visiting the website unlike Windows.

Okay, so now you say that OSX can't be infected by drive bys, unlike Windows.

Huh? What?

The user has to download the disk image, open it, then execute the application, enter their username & password, and install it.

I could understand if you were only talking about this particular exploit specifically but if so, why bring up the fact that Windows can be infected through drive by attacks? Quite frankly, if we are truly restricting ourselves to just talking about this exploit, Windows is immune. After all, Windows doesn't know what to do with a .dmg file.

I also understand that you didn't say the words "OSX is immune to drive bys" but if that wasn't the argument you were trying to make, why say that Windows can be infected through drive bys? It would be like me saying:
I prefer Windows to OSX because Windows doesn't randomly delete my files.

Now, I technically never said that OSX randomly deleted files but there is no reason for me to write something like that unless I was trying to suggest it, right?
0 Votes
... successful exploits for Windows, hence the double standard. You would be making an entirely different argument had this been a Windows exploit.
0 Votes
but that doesn't mean that i will waste the same amount of time in downtime using OS X because of it.

if OS X is such garbage, try opening 40 browser windows. Try it in OS X and Vista. I am 32 years old... been an MS advocate for too much time (DOS 3.12). This year I finally accepted that Windows wastes my time too much and did the right thing: bought a mac.
In my office, windows is the standard... i am still going to buy an apple machine regardless.
0 Votes
What does that prove?
NonZealot 13th Nov 2007
if OS X is such garbage, try opening 40 browser windows.

This is something you do on a regular basis then? Well, I guess if OS X has to be good at something, it might as well be opening up 40 browser windows!!!

snicker, smirk happy
0 Votes
Not sure which "DOS" you mean, but MS-DOS 3.1 was released in 1984, when you were 7 years old (assuming we are talking Earth years). That seems pretty young to be an "advocate" of a software company.

This year you accepted that Windows wastes your time. It took you 25 years to come to that conclusion?

I am confused. You "did the right thing: bought a mac." or you are "still going to buy an apple machine regardless." ?

How is that working out for you? (as if I really care what you use)
0 Votes
NT
0 Votes
he is not
sfazly 1st Nov 2007
he just wants to fit in and pretend that he owned a mac... what a pity

This isn't a trojan, and has nothing to do with the security of the OS. It also isn't a virus, or a worm, or anything of that nature because it doesn't self propagate. The user has to download the file, then run it, then enter administrative/root login & password.

This is like giving someone the keys to your car and claiming the car isn't secured against theft.

The OS can't protect against stupid people.
0 Votes
How isn't it a trojan?
JoshNorton 1st Nov 2007
I thought the definition of a trojan was a program or file whose description says it does one thing but whose actual function is something else (usually malicious).

It seems that this fits that to a tee.
0 Votes
I think he's thinking worm.
People 1st Nov 2007
But it's a trojan, just to concur.
0 Votes
Humm,,,
Mectron 1st Nov 2007
>>The OS can't protect against stupid people.

Then Apple is doomed
0 Votes
LOL
tikigawd 2nd Nov 2007
hahaha, that was good
0 Votes
Zealot dude, don't you have anything better to do with your life then attack non-Windows articles? I know this comment from you is pretty subtle considering your typical annoying comments. Is this your new form of mind control now? Try and seem like a Mac user or Linux user who is shocked and now more open to supporting Windows? Do you really think anyone wants to hear your nonsensical and negative blathering day in and day out? How about giving it a rest? Or even better, have a productive opinion for once. Otherwise let people who really have an opinion say something constructive in these comments.
I know you're sad that Windows isn't perfect and it makes you feel better attacking the Mac OS or Linux or whatever, well get over yourself and move on. In the end it's just sad to listen to the same tired comments over and over again from the same people.
0 Votes
Son, if you need that much protection from a trojan that needs user interaction, you need more help in your life than an OS can provide.


(Yes, I suppose I'm feeding the troll - but it beats actually working on the job...)
0 Votes
They tried their best already
kevinet 1st Nov 2007
In fact, any operating system has a chance of having viruses, spyware and holes.

Generally, MacOS has a better architecture and is more secure than WINs.
(Has anyone installed anti-virus on your Mac? But you cannot do without it on WINs!)

I trust they will have solutions soon.
They have never met a Porn Site they didn't like! That's the reason I recommended they get Macs. I got tired of having to clean up their PCs when they got loaded up with Trojans and turned into Spam Bots. They refused to follow even the simplest security measures. That and Garage Band. Oh well, at least I can refer them to the Genius Bar.
0 Votes
Possible Solution
Jkirk3279 1st Nov 2007
First I recommend setting up your nephew's Mac so he has a client account.

Limit his power to install anything, save the admin power for your own account.

Second make sure "Open Safe Files" is switched off in Safari. It's in Safari
Preferences under "General".

That way the .dmg file won't auto-launch.

That's what I did with MY nephew's Mac.
How old is he, 10? Mine is 24, travels the country for work and his Band, and he would never let me put him on his Mac Book Pro as just a client user account. He would consider that an insult if I even tried, and so would all his band mates. After spending 9 years fixing his mess ups and cleaning off the Trojans (I built him his 1st PC when he was 13) I gave up! Him and his roommates and Band members used to laugh when I told him his PC was a Spam Bot and how many Trojans he had on it. I find that indicative of young people of his generation. You know, the Jackass Syndrome. That's why I recommended he and his Band Mates get Mac Book Pros about a year ago because He/They refused to follow any and I mean any simple security precautions! I was hoping that that would protect them at least for a little while. Now it's between them and The Genius Bar.
