Phishing Trojan Targets OS X


Author: Dave Lewis

All good things must come to an end, it would appear. A touch melodramatic, but you’ll get the point. According to vnunet.com, there is a piece of malware making the rounds that targets Mac OS X. This particular beastie is a phishing trojan called OSX.RSPlug.A that is masked to look like a video codec.

From vnunet.com:

Users attempting to install the codec receive a piece of malware classified as a ‘DNS Changer’. The software changes the way OS X will handle the DNS requests that are used to link numerical IP addresses to web URLs. The tool allows the attackers to redirect web traffic. Users attempting to visit Paypal, Ebay or certain banking sites for instance will be directed to a phishing website instead.

If confirmed, the trojan would be the first piece of truly malicious software to be targeted at OS X. Researchers have previously developed OS X attacks and exploits, but those were largely proof-of-concept attacks that lacked a malicious payload.

At this point it has not been confirmed by any of the major AV houses. The vendor that claimed the find, Intego, has not been available for comment.

Article Link

UPDATE: Well damn. Just when I was starting to think that this was some company trying to drum up business, there is corroboration.

McAfee has confirmed the OSX.RSPlug.A trojan and reported that it is spreading through fake codec sites in addition to the porn website.
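
A defender-side check for the DNS-changing behaviour described above, as an added example that is not from the original post, vnunet.com, Intego or McAfee: it parses text in the layout that `scutil --dns` prints on macOS and flags nameservers outside an expected set. The sample output, the expected networks and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout that `scutil --dns` prints on macOS.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

# Assumption: the resolvers this machine should use (home router, one ISP resolver).
EXPECTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("198.51.100.10/32")]

RESOLVER_RE = re.compile(r"^resolver #(\d+)\s*$")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)\s*$")

def parse_resolvers(text):
    """Return {resolver number: [nameserver string, ...]}."""
    resolvers, current = {}, None
    for line in text.splitlines():
        if m := RESOLVER_RE.match(line):
            current = int(m.group(1))
            resolvers[current] = []
        elif (m := NAMESERVER_RE.match(line)) and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers

def unexpected_nameservers(text, expected=EXPECTED_NETWORKS):
    """Return (resolver number, nameserver) pairs outside the expected networks."""
    findings = []
    for number, servers in sorted(parse_resolvers(text).items()):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 scope id
                known = any(addr.version == net.version and addr in net for net in expected)
            except ValueError:
                known = False  # unparseable entries are reported, not skipped
            if not known:
                findings.append((number, server))
    return findings
```

Feeding the function the live output of `scutil --dns` instead of the sample turns it into a periodic check; a finding means the resolver list no longer matches what the machine was configured to use.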


Comments

3 Responses to “Phishing Trojan Targets OS X”
  1. Vitaliy says:

    “After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

    If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.”

    That is taken directly from the “advisory”; this is nothing more than a company trying to push their product.

  2. Dave Lewis says:

    @Vitaliy

    That’s it? Well, that’s pretty lame.

    Thanks for the info.
