The incident was first reported by Intego, a Mac security software vendor. Sunbelt Software, the SANS Institute’s Internet Storm Center (ISC), Sophos, and McAfee have confirmed the Trojan. Dubbed “OSX.RSPlug.a,” the Trojan changes the Mac’s Domain Name System (DNS) settings to redirect unsuspecting users to different sites.
“The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows,” said ISC analyst Bojan Zdrnja in a warning the center posted on Thursday. “The bad guys are taking Mac seriously now. This is a professional attempt at attacking Mac systems, and they could have been much more damaging.”
Porn Opens the Door
The family of malware that is targeting Macs is called “Puper.” It has been plaguing Windows users since 2005. One of the most notable Puper attacks involved infected MySpace pages.
In the Mac attack, people who are searching for porn on the Internet may find it. But they may also find a nasty payload when they encounter a popup window instructing them that QuickTime needs to install new software so they can view the videos. If the user tries to install the codec, a script then creates a scheduled task to change the Mac’s DNS to point to a malicious server.
“In effect, instead of getting valid entries for Web sites like you would expect, you’re now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you,” Allysa Myers, part of the computer search research team at McAfee Avert Labs, wrote on the company’s blog.
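The two passages above describe the mechanism: a scheduled task that rewrites the Mac's DNS servers, after which every lookup is answered by whatever the attacker's resolver chooses. The check below is an added example, not code from the article or from any of the vendors it quotes. It assumes the scheduled task is a cron entry captured with `crontab -l` and that the active resolvers are available as resolv.conf-style `nameserver` lines; the crontab lines, script path, IP addresses and the allowlist are all constructed for illustration, and the "runs every minute" heuristic is an added assumption about what a settings-reasserting job looks like, not a detail the article gives.

```python
"""Flag a DNS-changing scheduled task and untrusted resolvers on a Mac.

Added example: assumes cron-based scheduling and resolv.conf-style
resolver lines. All sample data below is constructed.
"""
import re
from typing import List, Tuple

# Real macOS tools that rewrite network/DNS settings; a cron job that
# invokes either one deserves review.
DNS_TOOLS = ("scutil", "networksetup")

# Constructed sample crontab, as `crontab -l` might print it. The hidden
# script path and the IP addresses are made up for this example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/.hidden/set_dns.sh >/dev/null 2>&1
30 2 * * 0 /usr/sbin/networksetup -setdnsservers Wi-Fi 198.51.100.9
"""

# Constructed resolver lines; 203.0.113.77 (a documentation-range
# address) stands in for an attacker-controlled server.
SAMPLE_RESOLVERS = [
    "nameserver 192.168.1.1",
    "nameserver 203.0.113.77",
]

# Resolvers the organisation expects to see (constructed allowlist).
TRUSTED_DNS = {"192.168.1.1", "1.1.1.1"}

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def suspicious_cron_entries(entries):
    """Flag jobs that call a DNS tool or run every minute (assumed
    pattern for a job that keeps re-applying a hijacked setting)."""
    flagged = []
    for schedule, command in entries:
        reasons = []
        if any(tool in command for tool in DNS_TOOLS):
            reasons.append("invokes DNS configuration tool")
        if schedule.split() == ["*"] * 5:
            reasons.append("runs every minute")
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged


def untrusted_resolvers(lines, trusted):
    """Return nameserver addresses that are not on the allowlist."""
    bad = []
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver" and parts[1] not in trusted:
            bad.append(parts[1])
    return bad


def assess(crontab_text, resolver_lines, trusted):
    """Combine both checks into one report for a host."""
    return {
        "cron": suspicious_cron_entries(parse_crontab(crontab_text)),
        "resolvers": untrusted_resolvers(resolver_lines, trusted),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CRONTAB, SAMPLE_RESOLVERS, TRUSTED_DNS)
    for schedule, command, reasons in report["cron"]:
        print(f"cron [{schedule}] {command}: {', '.join(reasons)}")
    for ip in report["resolvers"]:
        print(f"untrusted resolver: {ip}")
```

On the constructed input the report flags the every-minute hidden script, the job that calls `networksetup`, and the resolver outside the allowlist. The resolver check is the one that matters most in practice: a scheduled task can be hidden in several places, but a DNS server the organisation never configured is visible no matter how it got there.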
Mac Malware Short List
The OSX/RSPlug.a Trojan is on a very short list of malware that’s been specifically designed to target Mac OS X, according to Graham Cluley, senior technology consultant for Sophos. The motive of this particular Trojan could be for the purposes of phishing, identity theft, or simply to drive traffic to alternative Web sites, he said.
The good news is the Trojan doesn’t exploit a vulnerability in Leopard, Tiger, or any Apple code. It depends on the user taking actions that open the door to the nasty payload.
“This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins,” Cluley said. “The truth is that there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform.”
Keeping It in Perspective
In February 2006, in the wake of the discovery of the first Mac OS X worm, Sophos released research that showed 79 percent of computer users believed Macs would be targeted more in the future. However, over half of those polled said they did not believe the problem would be as great as for Windows. Still, Sophos experts are urging Macintosh users to keep the threat in perspective.
Cluley said the latest version of Mac malware is making headlines because it is so rare. A Trojan like this for Windows would be unlikely to generate as many column inches because such Trojans are encountered every day. Nevertheless, he said, it obviously makes sense for Mac users to ensure that they are protected.
“People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues,” McAfee Avert Labs’ Myers wrote. “This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows.”