Trojan spells new era for Apple Mac security

Summary: A new piece of malware, specifically designed to exploit Apple's OS X, has been found by Mac security software firm Intego, but Symantec says the firm is prone to "hype".


Intego -- a Mac security software company -- issued an alert on Wednesday, warning Mac users of the OSX.RSPlug.A malware, which it describes as a Trojan horse.

The malware is being distributed via a porn site that promotes itself as offering free content. Mac users are being lured to it via links distributed to a number of Mac community message boards.

When visitors attempt to launch the video, they are told that QuickTime cannot play it and that, to view the content, they must download a new version of the codec. For the Trojan to be installed, the user must open the .dmg (disk image) file, click the installer.pkg file, and enter the administrator's password, according to Intego.

If the user does install the Trojan, it changes the user's domain name system (DNS) settings and redirects them to phishing sites or to a number of porn Web sites. DNS settings determine which servers are used to look up the correspondence between domain names and IP addresses for Web sites.

Users on Mac OS X 10.4 operating system -- Tiger -- will be unable to see the changed DNS server in the operating system's graphical user interface (GUI). However, those using Mac OS X 10.5 -- Leopard -- are able to view the changed DNS through its Advanced Network preferences. The added DNS servers are dimmed in Leopard's GUI, reports Intego.

Intego claims the vulnerability is likely to exist in older versions of Apple's operating system as well, because all versions of OS X have what Intego calls the "scutil command", which allows the DNS server to be altered.

"The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this ensures that, in such a case, the malicious DNS server remains the active server," said Intego on its blog.
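The two behaviours described above, a rewritten resolver list and a root crontab entry firing every minute, are both visible to an administrator from a terminal. The script below is an added example, not code from Intego, Apple or this article: it parses the layout of `scutil --dns` and `crontab -l` output and reports nameservers that are not on an expected list and cron jobs scheduled for every minute. The expected-resolver addresses, the sample outputs and the cron job path are constructed stand-ins so the checks can be exercised offline; on a real Mac the `live_check` function runs the same logic against the system.

```shell
#!/bin/sh
# Added example (not Intego's or Apple's code): a defender-side check for the two
# indicators the article describes, an altered DNS resolver list and a root crontab
# entry that runs every minute. The sample texts below are constructed stand-ins.

# Resolvers the administrator expects (assumed values; adjust for the network).
EXPECTED_RESOLVERS="192.168.1.1
192.168.1.2"

# Constructed sample in the layout of `scutil --dns`; 203.0.113.7 plays the rogue server.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
'

# Constructed sample root crontab; the job path is a placeholder, not the Trojan's real path.
SAMPLE_CRON='# daily backup
15 2 * * * /usr/local/bin/backup.sh
* * * * * /path/to/placeholder-dns-keeper >/dev/null 2>&1
'

# Print every nameserver in scutil output that is not on the expected list.
# Usage: unexpected_resolvers "$scutil_text" "$expected_list"
unexpected_resolvers() {
    printf '%s\n' "$1" \
      | awk '/nameserver\[[0-9]+\]/ { print $3 }' \
      | sort -u \
      | while IFS= read -r ns; do
          printf '%s\n' "$2" | grep -qxF "$ns" || printf '%s\n' "$ns"
        done
}

# Print crontab lines scheduled every minute ("* * * * *"), which is unusual for
# legitimate jobs and is how the article says the Trojan re-asserts its DNS server.
# Usage: every_minute_jobs "$crontab_text"
every_minute_jobs() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | awk '$1=="*" && $2=="*" && $3=="*" && $4=="*" && $5=="*"'
}

# Exercise both checks against the constructed samples.
demo() {
    echo "Unexpected resolvers:"
    unexpected_resolvers "$SAMPLE_DNS" "$EXPECTED_RESOLVERS"
    echo "Every-minute cron jobs:"
    every_minute_jobs "$SAMPLE_CRON"
}

# Live check on macOS; root's crontab needs sudo. Skipped where scutil is absent.
live_check() {
    command -v scutil >/dev/null 2>&1 || { echo "scutil not found; not macOS"; return 0; }
    unexpected_resolvers "$(scutil --dns)" "$EXPECTED_RESOLVERS"
    every_minute_jobs "$(sudo crontab -l 2>/dev/null)"
}

demo
```

The resolver check deliberately compares against an allowlist rather than a blocklist: a DNS changer can point at any address, so the only stable signal is "a server the administrator did not configure". The cron check keys on the schedule rather than the job name for the same reason.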

For users who do fall for the scam, Intego claims its security software can remove the Trojan; Macworld's Rob Griffith has also provided instructions for removing it manually.

Dawn of a new era or just vendor hype?

Symantec claims that Intego tends to "overhype things"; however, Alex Eckelberry of security firm SunBelt disagrees on his blog, citing its resident Mac guru as being "genuinely surprised" by the Trojan discovery.

"I've been using Macs since 1989. This is the first time I've seen something like this," Eckelberry wrote, quoting his colleague.

"I'm not trying to overhype. Mac users, hungry for porn, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and iPhone, running OS X," he added.

Simon Claussen, director of security vendor PC Tools, agreed that the Trojan is a significant milestone for Mac users.

The use of crontabs -- files that tell the operating system to run commands on a schedule -- is rudimentary, but it's just a first attempt.

"It's the same thing that happened when Vista came out; people had to go through a few steps to get infected, but that was until people figured out a way to get around it."

"Really, the Mac is less about being a computer than it is about being an everyday device. That's why there's a huge potential for people to target that platform in general. Think how attractive it is to tap the iPhone market that is always on and owned by upper middle class," said Claussen.

"Anything that's targeted towards Macs is the beginning of Macs becoming a targeted platform. Macs are not impossible to get around. There are probably less known exploits, but they are only less known because fewer people are focusing on the platform," he added.

Topics: Security, Apple, Hardware, Malware, Operating Systems

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

1 comment
  • Sure, A trojan is a trojan

    Sure, A trojan is a trojan, but how does this *exploit Mac OS X*?
    The user is required to be a daft fool to allow the trojan to do its thing; it's hardly entering the operating system through the back door through exploits of the core system.
    Since when is a system exploit the user?