New Mac OS X DNS changer spreads through social engineering

Trend Micro is reporting on a newly discovered fourth member of the OSX_JAHLAV malware family.

The latest variant once again relies on social engineering, this time posing as a QuickTime Player update (QuickTimeUpdate.dmg). It carries a DNS changer component that rewrites the victim's resolver settings, which lets the malware authors redirect and monitor the victim's traffic.

More info on OSX_JAHLAV.D:

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or to sites from which other malware may be downloaded.
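A practitioner reading the write-up above wants two checks: whether the Mac's resolver list now contains an address the owner never configured, and whether /tmp holds a fresh executable named with three digits. The script below is an added example, not code from the article or from Trend Micro. It parses `scutil --dns` output (a constructed sample is embedded; a live Mac is queried when the script runs on macOS), compares every nameserver against an assumed allowlist of RFC 1918 ranges plus two public resolvers, and lists three-digit executables in /tmp modified within the last week. The allowlist, the sample output and the 203.0.113.77 rogue address are assumptions made for the example.

```python
"""Added example (not from the original article or Trend Micro's write-up):
audit a Mac's resolver configuration for the kind of change a DNS changer
makes, and look for the /tmp/<three digits> drop location the write-up
describes. The scutil output below is constructed sample data."""
import ipaddress
import os
import re
import stat
import subprocess
import sys
import time

# Resolvers the owner of the machine actually expects. Assumption for the
# example: RFC 1918 ranges (typical home/office router) plus two well-known
# public resolvers. Adjust to your own environment.
TRUSTED_RESOLVERS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "8.8.8.8/32", "8.8.4.4/32",
)]

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

def parse_scutil_dns(text):
    """Return the unique nameserver addresses listed in `scutil --dns` output."""
    seen = []
    for m in NAMESERVER_RE.finditer(text):
        ip = m.group(1)
        if ip not in seen:
            seen.append(ip)
    return seen

def unexpected_resolvers(nameservers, trusted=TRUSTED_RESOLVERS):
    """Nameservers that fall outside every trusted network (or are not IPs)."""
    bad = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            bad.append(ns)
            continue
        if not any(addr in net for net in trusted):
            bad.append(ns)
    return bad

DROP_NAME_RE = re.compile(r"^\d{3}$")

def suspicious_tmp_entries(names, mode_of, mtime_of, now, max_age=7 * 86400):
    """Entries of a directory listing whose name is exactly three digits and
    that are executable regular files modified within `max_age` seconds.
    `mode_of` and `mtime_of` are injected so the check runs on constructed
    data as well as on a live /tmp."""
    hits = []
    for name in names:
        if not DROP_NAME_RE.match(name):
            continue
        mode = mode_of(name)
        if not stat.S_ISREG(mode) or not (mode & stat.S_IXUSR):
            continue
        if now - mtime_of(name) <= max_age:
            hits.append(name)
    return sorted(hits)

def scan_live_tmp(path="/tmp"):
    """Apply suspicious_tmp_entries to a real directory."""
    full = lambda n: os.path.join(path, n)
    return suspicious_tmp_entries(
        os.listdir(path),
        mode_of=lambda n: os.lstat(full(n)).st_mode,
        mtime_of=lambda n: os.lstat(full(n)).st_mtime,
        now=time.time())

# Constructed sample of `scutil --dns` output: the second nameserver is the
# kind of rogue address (TEST-NET-3 here) a DNS changer would insert.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.77
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

def main():
    if sys.platform == "darwin":
        text = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
        tmp_hits = scan_live_tmp()
    else:
        text = SAMPLE_SCUTIL
        tmp_hits = []
    print("unexpected resolvers:", unexpected_resolvers(parse_scutil_dns(text)) or "none")
    print("three-digit executables in /tmp:", tmp_hits or "none")

if __name__ == "__main__":
    main()
```

Run it as `python3 dns_audit.py` on the suspect Mac. A DNS changer that edited the settings through `networksetup -setdnsservers` shows up in `scutil --dns`, but so does a resolver handed out by a rogue DHCP server on the local network, so treat a hit as a lead to confirm against the router's configuration rather than as proof of infection on the host.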

Not only are cybercriminals beginning to acknowledge the "under-served" Mac OS X segment, they are also borrowing OS-independent tricks from the Microsoft Windows playbook, such as fake codecs and bogus video players. The irony? The Mac OS X and Windows malware are hosted on the same domains, and the server decides which copy to deliver on the basis of browser detection.
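One way to confirm the browser-keyed serving described above, as an added example that is not from the article: request the landing URL once with a Windows browser User-Agent and once with a Mac browser User-Agent, then compare the final URL, the content type and a hash of the body. The User-Agent strings, the `fake_fetch` stand-in server and the file names it returns are constructed for the demo; pass a real URL on the command line to run it live.

```python
"""Added example, not from the article: fetch the same landing URL under two
browser identities and compare what the server hands back. The User-Agent
strings and the fake server used for the offline demo are constructed."""
import hashlib
import urllib.request

# Constructed UA strings in the style of 2009-era browsers; substitute real
# ones taken from your own logs.
PROFILES = {
    "windows": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "mac": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) "
           "AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17",
}

def http_fetch(url, user_agent, timeout=15):
    """Real fetcher: returns (final_url, content_type, body_bytes). The Accept
    header mimics a normal browser navigation."""
    req = urllib.request.Request(url, headers={
        "User-Agent": user_agent,
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.headers.get("Content-Type", ""), resp.read()

def compare_by_user_agent(url, fetch=http_fetch, profiles=PROFILES):
    """Fetch `url` once per profile. Returns a dict profile -> summary plus a
    'cloaked' flag that is True when any two profiles disagree on final URL,
    content type or body hash."""
    results = {}
    for name, ua in profiles.items():
        final_url, ctype, body = fetch(url, ua)
        results[name] = {
            "final_url": final_url,
            "content_type": ctype.split(";")[0].strip().lower(),
            "sha256": hashlib.sha256(body).hexdigest(),
            "size": len(body),
        }
    keys = ("final_url", "content_type", "sha256")
    distinct = {tuple(r[k] for k in keys) for r in results.values()}
    results["cloaked"] = len(distinct) > 1
    return results

# Constructed stand-in for the malicious server so the example runs offline:
# a Mac UA is redirected to a .dmg, anything else to a Windows .exe.
def fake_fetch(url, user_agent):
    if "Mac OS X" in user_agent:
        return (url + "/QuickTimeUpdate.dmg", "application/x-apple-diskimage",
                b"koly-dmg-payload")
    return (url + "/codec_setup.exe", "application/x-msdownload",
            b"MZ-exe-payload")

def summarise(url, fetch=http_fetch):
    """Human-readable report for one URL."""
    r = compare_by_user_agent(url, fetch)
    lines = []
    for name in PROFILES:
        v = r[name]
        lines.append(f"{name:8s} -> {v['final_url']}  {v['content_type']}  "
                     f"{v['size']}B  {v['sha256'][:16]}")
    lines.append("verdict: " + ("DIFFERENT payloads per browser" if r["cloaked"]
                                else "same payload for every browser"))
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(summarise(sys.argv[1]))                         # live fetch
    else:
        print(summarise("http://example.invalid", fake_fetch))  # offline demo
```

Run live only from a disposable analysis VM and egress you do not mind burning: the User-Agent is just one of the signals such servers key on (source IP, geolocation, Referer, and serve-once-per-IP counters are common), so two identical responses do not prove the site serves a single payload, while two different ones do confirm cloaking.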

From fake ActiveX objects at adult sites like the "Macintosh Porn Tube" to bogus codecs and players, these tactics have dominated the Windows threatscape for years and will continue to do so, simply because they work. However, one of the key advantages a cybercriminal coding or generating malware for Apple's Mac OS X has is the widespread perception that the platform is invincible to malware, a false sense of security shared by a huge number of people.

Meanwhile, Apple Inc. is already offering security advice stating that "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection."

Just like previous campaigns, the latest OSX_JAHLAV.D one issues an offensive message if it detects that security researchers are attempting to assess it. The gang is clearly motivated.

What do you think - is Mac OS X malware gaining momentum, or are they just scratching the surface?

Topics: Apple, Hardware, Malware, Networking, Operating Systems, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

159 comments
  • I cannot be

    everyone knows that Macs are only being exploited in laboratories and only when users are asked to hand over their credentials!
    honeymonster
    • No, the apology has had to change with the recent iLife trojan botnet

      If a trojan is in a piece of pirated software or a piece of free software, then the user was obviously trying to get something for nothing and deserves to get infected. Therefore the malware doesn't count.

      There are still 0, zero, nada, zilch pieces of malware out there attacking OS X that "count"*.

      *and if one were to appear, the rules for what "counts" will simply change
      NonZealot
      • LOL

        You're funny.
        mrohwohlt@...
        • LOL, ditto

          ditto here
          deepee912
          • Dittio... HAHAHAHA

            Ditto that twice!
            electroman76
      • Heh heh. Thanks for quoting me, Zealot.

        It's nice to be quoted by people. It means you're being heard.

        I am rather intrigued with this one. Wonder if I'll ever see it myself?
        Vulpinemac
        • No problems vulpine :)

          I've always had a lot of admiration for the incredibly inventive Apple apologies that you guys are consistently able to come up with. Stating that everyone who gets hit with a trojan deserves it because they were trying to get something for nothing was yet another apology I could never have come up with myself.

          BTW, now that trojans don't count, viruses with a social engineering component don't count, and drive-bys don't count, it would be interesting to do a recount of Windows malware that counts! You'd better hope no more rule changes are required or Windows too will have 0, zero, nada, zilch malware affecting it either! :)
          NonZealot
          • King of the straw men.

            "I've always had a lot of admiration for the incredibly inventive Apple
            apologies that you guys are consistently able to come up with."

            And I have always admired how you almost always fail to make any
            substantive argument, no matter what the topic, and, more
            impressive, how you always leave the conversation when I post factual
            responses to the factually devoid drivel you post.

            Now, you DO know what a straw man argument is, right? You should,
            seeing as how that is about the only argument you seem capable of
            making. Notice that NO ONE from the mac side even posted before
            you jumped in with your refutations. But I'll be more than happy to
            take you on, again. (BTW, you may want to do a search over your past
            posts for all the times I have called you a coward for running away
            when I make substantive refutations of your BS, even though you
            continue to post on other parts of the thread. It makes for amusing
            reading.)

            "BTW, now that trojans don't count,"

            Who is saying trojans don't count? I have not seen anyone here claim
            that. What they HAVE said, and what you appear to be too technically
            inept to understand, is that trojans do not usually count as OS
            exploits, are NOT the same things as viruses, that as long as you have
            a general purpose computational device, trojans will be possible, and
            that as such, their existence is not a particular issue for OSX. More to
            the point, without privilege escalation, they can't do much of anything
            on OSX, and that BSD makes privilege escalation difficult (please,
            please bring up pwn2own here, please.) The same could not be said
            about any version of Windows prior to Vista, where privilege escalation
            was not only trivial, it was unnecessary. Vista made it harder, but not
            impossible, and such exploits existed in the wild before Vista RC was
            even out. But there is no need to bring up Windows. The point here is
            that despite your assertions that you own a mac, you know NOTHING
            about macs, let alone OSX security.

            "viruses with a social engineering component don't count,"

            This alone shows you don't know what you are talking about. Viruses
            don't need a social engineering component. That is part of what
            distinguishes them as viruses. And social engineering exploits don't
            particularly upset people in the OSX world, because, again, they are
            possible in any general purpose device. So it is not a shocker, and is
            defeated by simple social inverse engineering, i.e. don't use admin
            accounts, and don't give unknown apps your password.
            Drivebys would count, if there were any in the wild, which there aren't.

            "You'd better hope no more rule changes are required or Windows too
            will have 0, zero, nada, zilch malware affecting it either!"

            Now, king of putting words in people's mouths, I dare you to show any
            place where I have "changed my definition." In fact, most mac people
            posting here have been very consistent, and have not changed a
            thing. Different people post different responses, and you are so
            obsessed with your ZEALOTRY that you attribute every pro mac
            comment to a single, mythical mac user.
            Some people are unconcerned about particular reports of mac
            malware because they don't download stuff off torrent sites, others
            because they don't employ tactics that leave them vulnerable to social
            engineering exploits. Others don't care because they run AV. But they
            are not necessarily the same people.
            For the record, I have never claimed trojans don't count as malware,
            and in fact, they disprove your silly market share argument. I am just
            not concerned with them. I DO claim that there are no OSX viruses,
            because there aren't; but I also don't make a big deal about it, nor am
            I complacent about it. Nor have I, or any of the hundreds of mac users
            I know, EVER had any OSX malware. I know for a fact that you can not
            say the same about Windows, as I have read your posts. You just
            blame it on stupid users. I'll leave the rest unsaid.
            SpiritusInMachina
          • Projection?

            While I don't agree with NZ very much, everything you listed is what YOU do.

            You fail to provide factual information, and have no answers when facts are presented.

            Do the *nix communities a favor and switch sides. You'd get more convertees that way.
            ShadowGIATL
          • Put up or...

            "While I don't agree with NZ very much, everything you listed is what
            YOU do."

            Oh really? Everything?
            Leaving alone the fact that that doesn't even make any sense, I
            challenge you to provide a SINGLE instance where what you claim is
            so. Good luck with that.

            But what do you mean, "what I do?" I didn't list things NZ did, so that
            makes no sense. Or do you mean this:

            "Different people post different responses, and you are so
            obsessed with your ZEALOTRY that you attribute every pro mac
            comment to a single, mythical mac user."

            Again, I challenge you to post a SINGLE instance of me doing this.

            In fact, it appears you are doing the exact same thing yourself,
            lumping my posts together with others and just attributing them to
            the opponent of the moment.

            "You fail to provide factual information, and have no answers when
            facts are presented."

            I consistently provide factual data, and even cites where necessary.
            Usually, however, my arguments are logical refutations, and as such,
            no cites are necessary, unless the premises are disputed, in which
            case I readily provide sources.

            As for failing to provide answers, you've got to be kidding. I have
            taken the rap here for being a tad bit verbose, arguing every minute
            point, so to claim that I don't answer when facts are presented is just
            ridiculous. If anything, my fault is that I fail to not have answers when
            "facts" are presented, often in the form of disputing the supposed
            facts with counterexamples.

            "Do the *nix communities a favor and switch sides. You'd get more
            convertees that way."

            Huh? Switch side to what?
            SpiritusInMachina
          • @DeusExMachina

            Your above post is proof enough.

            Just because you think you're right... doesn't make it so.

            You claim that others are spouting off nonsense, by doing the same.

            But hey, you're entitled to free speech. Go ahead and waste your time if you wish.
            ShadowGIATL
    • Just copy these rehashed comments

      and post them again when ever Mac and Malware
      are written about or instead listen to these mp3's
      for something slightly more interesting and to the point

      http://campaign.constantcontact.com/render?v=001eDD-TjGUnnCfo-vzO4Ebar4s_QJOVt7Mh0oYlJ_RSz6iGgMYb1j_gm4EA8ZseGRflwMxQc2mOrdAR1JaKlyVVlcZTWoxGUK2O07G8G6bHYE%3D
      gkrwc
  • It's just a matter of time

    As Apple computers become more popular, or as malware authors seek out new territory, the number of exploits will grow. The whole "it's a Mac, it doesn't have viruses" nonsense will not help users and will hurt Apple's image. As a new MacBook Pro owner I am pretty disappointed in the security apps available. No real firewall is available unless you want to dig into the command line. There is one dominant outbound connection blocker that allows traffic to be passed without the user's knowledge and costs $30 (Little Snitch). The AV apps are pretty scarce too. My university has a recent version of McAfee which is as useless as McAfee's support forums. ClamAV is what I use currently. It's okay, but the background service fails to load at startup and I haven't had time to troubleshoot that. That old "it just works" Mac adage is flawed to the core. I still prefer OSX to Windows though. I am hopeful that this is just a small valley and not the top of a steep slope in product quality/security.
    snafu_77
    • Well, good luck

      with your new machine. All operating systems have quirks, although some more than others. Today the most vulnerable part of any PC or Mac is located 16 inches from the screen. The vast majority of malware infections are not caused by vulnerabilities in the OS or software, but rather by gullible users.

      Thankfully you don't appear to belong to that category, judging from what you wrote.

      Let's just hope more OSX users start using some common sense instead of acting on information they received from Apple ads.
      honeymonster
    • A Checkbox Supreme

      I haven't checked, so this is speculative, but it is my impression that
      the downloads section of apple.com have a lot of free gui wrappers
      around command-line configuration apps. I do recall firewall
      applications available there a few years back.

      Configuring a firewall is a matter of changing a plain text
      configuration file, so any editor would work, as long as it is saved
      back in plain text. Remember to work with a copy and rename, do not
      replace, the one that came with install. The arcana of the
      configuration and the research as to what in-to-out network traffic
      should be allowed seems a lot more time-consuming than the
      command line work, but mileage does vary. (I've done a couple for
      FreeBSD and it is no fun.)

      The Mom and Pop way to firewalling references the "Sharing" settings
      in System Preferences. The general consumer will spend more time
      pondering what Remote Login (ssh) means than how to enable it. I
      found the technique for opening the firewall to inbound traffic for
      tomcat (port 8080) was as easy as I would hope. You seem to be
      concerned with connections out, so I don't know how useful that was
      for you.

      Today's fun adventure for me was configuring a Linux Desktop/Server
      running Kubuntu Jackalope for a static IP. I mean, trying. Apparently
      you can't get there from here with KDE's network-manager. While
      Google gave me some friendly advice, it wasn't particularly effective.
      So, back to DHCP for that guy. Meanwhile, it's pretty easy on OS X.

      "Just works" about the Mac says to me that, on the whole, there's a
      better ratio of "that was simple" tasks to "that should have been a lot
      easier" tasks for the ordinary person's needs. Coming back to firewalls
      - a poster boy for unintended consequences - it is hard to imagine
      something robust and bullet-proof and customized could be done
      with a couple of check boxes and an okay.



      DannyO_0x98
      • In my recent browsing

        of apple.com and Google searching I have found a few wrappers. The best-looking one seems not to be actively updated. I have no problem with configuring iptables, or ipfw in the Mac's case. I just would have thought there would be more robust apps out there for a prominent operating system. Out of the box Ubuntu offers much more at the drop of an apt-get.

        I agree that the "it just works" is referring to much more than the limited scope of security apps I personally prefer, but as rootkits, malware and viruses become more prevalent and those simple tasks get sidetracked... then it works not so much. I guess that is part of my point too: a few checkboxes and an okay doesn't make a secure system, not in this case at least. And unfortunately many ill-informed users believe they are running OpenBSD locked down with an Apple lit up on the screen.

        On Jackalope: try Ubuntu Forums if you haven't already. There are often bugs in the network management apps. Wi-Fi pissed me off to no end. I was forced to write custom scripts and reconfigure kernels to get support for my wireless device and higher security protocols (WPA2 etc.). It's free software, but that does not take into account the price you may have to pay in time configuring and troubleshooting.

        Also don't get me wrong, I don't feel exposed on this OSX box, although I am to a certain degree, as we all are on 99.9% of internet connected devices.
        snafu_77
    • All your security needs in one package

      Obviously you are not looking very hard for security products. The one
      that stands out and has done so for a long time is the Intego product
      line. You can purchase firewall, anti virus, anti spyware, anti malware and
      a whole bundle of other goodies if you are interested. This has been out
      for years (ever since I've been using a Mac, at least; 6 years or so).
      shanee25
      • Thanks!

        Hadn't heard of their products at all. I've probably spent a few hours researching Apple's forums and other Apple user forums and they weren't mentioned in any threads I've read through. NetBarrier is all I need, if it proves worthwhile.

        On another note - Personal Backup X5 looks like a great solution to my NAS backup issues. I don't care for the Time Machine - SMB workarounds.

        Excellent info!
        snafu_77
    • Every Mac malware...

      out on the Internet until today and including this, has needed user
      interaction. No Mac has ever been infected at any time anywhere by
      simply surfing to a website and contracting a self spreading virus or other
      bad program. Macs are still safer, although not maybe more secure, but
      increasingly both on Windows and on Macs, attacks have concentrated on
      the computer's user rather than on the computer itself.
      arminw
      • Basic economics - Investment vs profit

        Malware that can infect a computer without a user's interaction takes a lot more effort to write than malware that convinces a user to open the door for it. Which is why it's still so focused on Windows, which is the one OS with enough of a market presence to warrant investing that much time and effort.
        brendan@...