Trojan spells new era for Apple Mac security

A new piece of malware, specifically designed to exploit Apple's OS X, has been found by Mac security software firm Intego, but Symantec says the firm is prone to "hype".
Written by Tom Krazit, Contributor

A new piece of malware, specifically designed to exploit Apple's OS X, has been found by Mac security software firm Intego, but Symantec says the firm is prone to "hype".

Intego -- a Mac security software company -- issued an alert on Wednesday , warning Mac users of the OSX.RSPlug.A malware, which it describes as a Trojan horse.

The malware is being distributed via a porn site that promotes itself as offering free content. Mac users are being lured to it via links distributed to a number of Mac community message boards.

When visitors attempt to launch the video, they are advised that Quicktime cannot be used and to view the content they must download a new version of codec. For the Trojan to be installed, it requires the user to open up the .dmg (disk image) file, click the installer.pkg file, and enter the administrator's password, according to Intego.

If the user does install the Trojan, it changes a user's domain name system (DNS) settings and redirects them to phishing or a number of porn Web sites. DNS settings are used to look up the correspondence between domain names and IP addresses for Web sites.

Users on Mac OS X 10.4 operating system -- Tiger -- will be unable to see the changed DNS server in the operating system's graphical user interface (GUI). However, those using Mac OS X 10.5 -- Leopard -- are able to view the changed DNS through its Advanced Network preferences. The added DNS servers are dimmed in Leopard's GUI, reports Intego.

Intego claims the vulnerability is likely to exist in older versions of Apple's operating system because all versions of OS X have what Intego calls the "scutil command", which allows the DNS server to be altered.

"The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this ensures that, in such a case, the malicious DNS server remains the active server," said Intego on its blog.

For users that do fall for the scam, Intego claims its security software can remove the Trojan, however Macworld's Rob Griffith has also provided instructions for users to manually remove it.

Dawn of a new era or just vendor hype?

Symantec claims that Intego tends to "overhype things", however, Alex Eckelberry of security firm, SunBelt disagrees on his blog, citing its resident Mac guru as being "genuinely surprised" by the Trojan discovery.

"I've been using Macs since 1989. This is the first time I've seen something like this," Eckelberry wrote, quoting his colleague.

"I'm not trying to over hype. Mac users, hungry for porn, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and iPhone, running OS X," he added.

Simon Claussen, director of security vendor, PC Tools, agreed the Trojan is a significant milestone for Mac users.

The use of cron tabs -- a file that tells the operating system to run commands -- is rudimentary, but it's just a first attempt.

"It's the same thing that happened when Vista came out; people had to go through a few steps to get infected, but that was until people figured out a way to get around it."

"Really, the Mac is less about being a computer than it is about being an everyday device. That's why there's a huge potential for people to target that platform in general. Think how attractive it is to tap the iPhone market that is always on and owned by upper middle class," said Claussen.

"Anything that's targeted towards Macs is the beginning of Mac's becoming a targeted platform. Macs are not impossible to get around. There are probably less known exploits, but they are only less known because fewer people are focusing on the platform," he added.

Editorial standards