The trojan, a DNS changer that can be used to hijack search results and divert traffic to a website of the attacker's choosing, has been spotted on numerous pornography sites, according to Intego. Attackers have attempted to steer users to the malicious sites through comment spam posted to Mac forums. The trojan masquerades as a QuickTime plug-in.
Security experts said the discovery is proof that cybercriminals are beginning to consider the Mac a financially viable vector for attack. Alex Eckelberry, president of Sunbelt Software, said hackers likely were spurred on by the release of the iPhone and iPod Touch, which generated millions of new Mac OS X users.
"The economic motivation for the Mac has reached the tipping point," he told SCMagazineUS.com today. "The Mac is emerging as a more widespread platform in general. I think Mac users need to get off their complacency about Macs being safe."
According to Intego, the trojan is presented as a link to download a new version of a codec that claims to allow victims to view porn movies. If users try to download the codec, a page loads, and if they have checked "Open safe files after downloading" in Safari's general preferences, the "install" function will launch and the trojan can be downloaded.
Once running, the trojan will change the Mac's DNS server settings to allow attackers to hijack web requests and attempt to lead users to phishing sites for popular destinations such as eBay and PayPal, according to Intego.
None of the 31 anti-virus engines analyzed by VirusTotal detected the malware, Eckelberry said on his blog.
He told SCMagazineUS.com that similar threats are on the horizon.
"It is the start of something," Eckelberry said.
Last year a proof-of-concept virus appeared that spreads via the iChat instant messaging system.
An Apple spokeswoman did not return a call for comment.
See original article on SC Magazine US
Trojan targets Mac users
By Dan Kaplan on Nov 2, 2007 9:41AM