Australia's Leading Computer Emergency Response Team

Return of the Mac...Trojan
Date: 06 November 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8314


It indeed seems that no OS is truly safe from Trojan attacks, as malware producers turn their eyes to a less suspecting target – the Mac. The detection of the Mac DNS Trojan has proved that attackers will not discriminate based on operating system, and that all end users need to be cautious before accepting download requests from the web.

Here is a brief rundown on how the Trojan works:

- The Trojan disguises itself as a video codec: the user is prompted to install it under the belief that it is required to play the video.
- When the download is launched, the application asks for the administrator’s password (bells should be ringing here).
- Once the password is supplied, the Trojan changes the DNS settings of the victim’s computer, and also sets up a cron job that keeps reasserting both the DNS settings and the cron job itself, so that neither can be altered.
- A Perl script then collects information about the infected computer, encodes it, and sends it to the C&C server.
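
The two host-side traces described above, altered resolver settings and a cron job that keeps reapplying them, can be checked for with a short script. The following is an added example, not AusCERT's tooling or the Trojan's code; it assumes the resolver list comes from `networksetup -getdnsservers <service>` and the schedule from `crontab -l` on the affected account, and all sample data below is constructed.

```python
import re

# Commands a cron job would use to (re)write macOS resolver settings.
DNS_WRITERS = re.compile(
    r"networksetup\s+-set(dnsservers|searchdomains)|scutil|/etc/resolv\.conf"
)


def unexpected_dns_servers(getdnsservers_output, allowed):
    """Return resolver addresses from `networksetup -getdnsservers` output
    that are not in the allow-list of resolvers this host should be using."""
    found = []
    for line in getdnsservers_output.splitlines():
        line = line.strip()
        # networksetup prints a sentence, not an address, when none are set.
        if not line or not re.fullmatch(r"[0-9a-fA-F:.]+", line):
            continue
        if line not in allowed:
            found.append(line)
    return found


def suspicious_cron_entries(crontab_text):
    """Return non-comment crontab lines that run a resolver-modifying command."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DNS_WRITERS.search(stripped):
            hits.append(stripped)
    return hits


def assess(dns_output, crontab_text, allowed):
    """Combine both checks; any non-empty result means the host needs a look."""
    return {
        "unexpected_dns": unexpected_dns_servers(dns_output, allowed),
        "dns_cron_jobs": suspicious_cron_entries(crontab_text),
    }


# Constructed sample data standing in for command output on a suspect host
# (documentation-range addresses, not indicators from any real infection).
SAMPLE_DNS_OUTPUT = "192.0.2.10\n198.51.100.5\n"
SAMPLE_CRONTAB = """# root crontab (constructed)
0 3 * * * /usr/sbin/periodic daily
* * * * * /usr/sbin/networksetup -setdnsservers Ethernet 198.51.100.5 >/dev/null 2>&1
"""
EXPECTED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}

if __name__ == "__main__":
    print(assess(SAMPLE_DNS_OUTPUT, SAMPLE_CRONTAB, EXPECTED_RESOLVERS))
```

The allow-list of expected resolvers has to come from your own network configuration; the script only reports deviations from it.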

Once the DNS settings are altered, the user is highly susceptible to a multitude of other threats, the most malicious of which could capture valuable information such as username/password combinations or even banking details.

A little common sense is the best prevention against attacks such as these. Before handing over the keys to the kingdom, you may want to think about who is asking for them. As this Trojan is mainly hidden in the depths of pornography sites, it’s pretty safe to assume that any download that results from these sites most likely won’t be looking after your best interests.

Bleedingthreats have created a Snort signature that will detect whether your system has been infected. It is available at:

http://www.bleedingthreats.net/index.php/2007/11/01/sig-for-the-new-mac-trojan/

For more information about the Trojan, and details of removal techniques, please see:

http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php

Paul Fahey