Trend Micro finds a malware campaign that ropes in victims by offering free copies of Mac OS X 10.6, aka Snow Leopard. What users really get is a DNS-changer Trojan.
plans to release Mac OS X 10.6, aka Snow
Leopard, on Aug. 28, and cyber-criminals have taken notice.
A number of rogue sites have popped up offering
free copies of the latest version of Apple's operating system. Researchers at
are reporting that accessing these malicious sites lands users with
a DNS (Domain Name System)-changer Trojan detected as OSX.JAHLAV.K.
"Once executed, OSX_JAHLAV.K decrypts codes,
which include a script that downloads other malicious scripts," blogged
Trend Micro researcher Bernadette Irinco.
"The said script then alters
the DNS configuration and includes two additional IP addresses in its DNS
server. Users are thus possibly redirected to phishing sites and other
fraudulent sites. In fact, some of these bogus sites are reportedly hosting
FAKEAV (rogue anti-virus) variants and components."
This is far from the first time attackers have sought to exploit interest in
popular software upgrades. Similar tactics were used to take
advantage of interest in Microsoft Windows 7
earlier in 2009. By infecting
pirated copies of the operating system with a Trojan, attackers sought to build
a botnet of compromised computers.
According to security company Damballa, more than 27,000 copies of the
malicious Windows 7 Release Candidate had been installed on computers before the
company took down the botnet's command and control May 10.
In the case of the Mac Trojan, the malware is a MAC
OS X mountable .DMG (Disk Image file). The script creates a cron job that
enables the malware to execute every 5 minutes. It also features a chain of
other encrypted codes, including the Perl script that attempts to download and
execute another malicious script. Once installation is finished, files are
added into the system.
Apple has sought to enhance malware protection in Snow Leopard,
adding a new
warning if malware is detected in files downloaded via Safari, iChat and a
handful of other applications.
Trend Micro advises users to only get the Snow Leopard update directly from
the Apple Website.