DNS-changing trojan hits Apple Macs

Det Caraig, technical communications spokesperson at Trend Micro, claimed that this is the latest variant of OSX_JAHLAV.C, which was identified in June. It is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg, and as with earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains with the IP address 91.214.45.73.

Once infected, a victim's web traffic can then be diverted to the website of the attacker's choosing.

Caraig said: “The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user's activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.”

Trend Micro advanced threats researcher Feike Hacquebord claimed that the domain names have been set up such that when the main IP goes or is taken down, cybercriminals can easily move the back-end to another IP address without the need to change code or scripts.

The company warned Mac users to be wary of prompts to download software updates that do not come from Apple's legitimate website.

Writing on the ZDNet blog, independent security consultant and cyber threats analyst Dancho Danchev said: “Not only are cybercriminals beginning to acknowledge the ‘under-served' Mac OS X segment, but also, they're already borrowing tricks from the Microsoft Windows playbook such as OS-independent tactics like fake codecs and bogus video players.

“The irony? Both the Mac OS X and Windows malware are hosted on the same domains, with copies of each served on the basis on browser detection.”


See original article on scmagazineus.com