Porn Trojan may mark new era for Mac security

A new piece of malware, specifically designed to exploit Apple's OS X, has been found by Mac security software firm Intego, but Symantec has said the firm is prone to "hype".

Intego issued an alert on Wednesday, warning Mac users of the OSX.RSPlug.A malware, which it describes as a Trojan horse.

The malware is being distributed via a porn site that promotes itself as offering free content. Mac users are being lured to it via links distributed to a number of Mac community message boards.

When visitors attempt to launch the video, they are advised that QuickTime cannot be used and, to view the content, they must download a new version of codec. For the Trojan to be installed, it requires the user to open up the .dmg (disk image) file, click the installer.pkg file, and enter the administrator's password, according to Intego.

If the user does install the Trojan, it changes the user's domain name system (DNS) settings and redirects them to phishing or a number of porn websites. DNS settings are used to look up the correspondence between domain names and IP addresses for websites.

Users of the Mac OS X 10.4 operating system — Tiger — will be unable to see the changed DNS server in the operating system's graphical user interface (GUI). However, those using Mac OS X 10.5 — Leopard — are able to view the changed DNS through its advanced network preferences. The added DNS servers are dimmed in Leopard's GUI, reports Intego.

Intego claims the vulnerability is likely to exist in older versions of Apple's operating system because all versions of OS X have what Intego calls the "scutil command", which allows the DNS server to be altered.

"The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this ensures that, in such a case, the malicious DNS server remains the active server," said Intego on its blog.

For users that do fall for the scam, Intego claims its security software can remove the Trojan. However, Macworld's Rob Griffith has also provided instructions for users on how to manually remove it.

New era or just vendor hype?
Symantec claimed that Intego tends to "overhype things", but Alex Eckelberry, of security firm Sunbelt, disagreed on his blog, citing the firm's resident Mac guru as being "genuinely surprised" by the Trojan discovery.

"I've been using Macs since 1989. This is the first time I've seen something like this," Eckelberry wrote, quoting his colleague.

"I'm not trying to over-hype. Mac users hungry for pr0n really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and iPhone, running OS X," Eckelberry added.

Simon Clausen, director of security vendor PC Tools, agreed the Trojan is a significant milestone for Mac users.

The use of cron tabs — a file that tells the operating system to run commands — is rudimentary, but it's just a first attempt.

"It's the same thing that happened when Vista came out; people had to go through a few steps to get infected, but that was until people figured out a way to get around it. Really, the Mac is less about being a computer than it is about being an everyday device. That's why there's a huge potential for people to target that platform in general. Think how attractive it is to tap the iPhone market that is always on and owned by upper middle-class [users]," said Clausen.

"Anything that's targeted towards Macs is the beginning of Macs becoming a targeted platform. Macs are not impossible to get around. There are probably less known exploits, but they are only less known because fewer people are focusing on the platform," Clausen added.