By Jennifer LeClaire
November 1, 2007 8:34AM
The OSX/RSPlug.a Trojan is on a very short list of malware that's been specifically designed to target Mac OS X, according to Graham Cluley, senior technology consultant for Sophos. The motive of this particular Trojan could be for the purposes of phishing, identity theft, or simply to drive traffic to alternative Web sites, he said.
So much for Mac users avoiding bugs, worms, and other security nuisances. A Trojan targeting Macs is on the loose, and it's hanging out on porn sites, according to security researchers.
The incident was first reported by Intego, a Mac security software vendor. Sunbelt Software, the SANS Institute's Internet Storm Center (ISC), Sophos, and McAfee have confirmed the Trojan. Dubbed "OSX.RSPlug.a," the Trojan changes the Mac's Domain Name System (DNS) settings to redirect unsuspecting users to different sites.
"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said ISC analyst Bojan Zdrnja in a warning the center posted on Thursday. "The bad guys are taking Mac seriously now. This is a professional attempt at attacking Mac systems, and they could have been much more damaging."
Porn Opens the Door
The family of malware that is targeting Macs is called "Puper." It's been plaguing Windows users since 2005. One of the most notable Puper attacks involved exploits on infected MySpace pages.
In the Mac attack, people who are searching for porn on the Internet may find it. But they may also find a nasty payload when they encounter a popup window instructing them that QuickTime needs to install new software so they can view the videos. If the user tries to install the codec, a script then creates a scheduled task to change the Mac's DNS to point to a malicious server.
"In effect, instead of getting valid entries for Web sites like you would expect, you're now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you," Allysa Myers, part of the computer search research team at McAfee Avert Labs, wrote on the company's blog.
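A defender-side check for the DNS change described above, as an added example that is not from the original article: it parses the output of `scutil --dns` on a Mac and reports any nameserver that is not on an approved list. The sample output, the addresses (documentation ranges) and the `APPROVED` list are constructed assumptions.

```python
import re
import subprocess

# Constructed sample of `scutil --dns` output; addresses are documentation ranges.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 203.0.113.53
  nameserver[1] : 192.0.2.1

resolver #2
  domain   : local
  options  : mdns
"""

# Assumption: the resolvers this network legitimately hands out.
APPROVED = frozenset({"192.0.2.1", "192.0.2.2"})

def parse_resolvers(text):
    """Map each 'resolver #N' block to its list of nameserver addresses."""
    resolvers, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*resolver #(\d+)", line)
        if head:
            current = int(head.group(1))
            resolvers.setdefault(current, [])
            continue
        ns = re.match(r"\s*nameserver\[\d+\]\s*:\s*(\S+)", line)
        if ns and current is not None:
            resolvers[current].append(ns.group(1))
    return resolvers

def unexpected(text, approved=APPROVED):
    """Return (resolver number, address) pairs that are not approved."""
    found = []
    for num, addrs in sorted(parse_resolvers(text).items()):
        for addr in addrs:
            if addr not in approved and (num, addr) not in found:
                found.append((num, addr))
    return found

if __name__ == "__main__":
    try:  # live output on a Mac, constructed sample elsewhere
        out = subprocess.run(["scutil", "--dns"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for num, addr in unexpected(out):
        print(f"resolver #{num}: unapproved nameserver {addr}")
```

Because the article says the change is made by a scheduled task, a flagged resolver that returns after being corrected means the task that sets it is still installed.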