Mac's First Trojan Begins to Breed

 
 
By Lisa Vaas  |  Posted 2007-11-07 Print this article Print
 
 
 
 
 
 
 

The gang behind a Mac Trojan has been churning out slightly modified versions to evade malware detection.

The Mac's first Trojan won't be its last: Security researchers at F-Secure have found that the gang behind the malware has been churning out slightly modified versions to evade anti-malware detection. That's nothing new—the fake codec the Trojan is masquerading as is a variant of Trojan.DNSChanger, malware that's been plaguing Windows users for some time. "This operation keeps modifying their … Trojans constantly: they have been doing this for their Windows malware for a long time; now they are also doing it for Mac," F-Secure's Mikko Hyppönen told eWEEK. F-Secure noted the new variants in a Nov. 7 posting.
It's not a challenge to antivirus companies, which can build detection so that these slight modifications don't matter much, he said.
There are typically multiple sites that distribute the DNS Changer Trojan. At any given time, there might be thousands of variants active. Adam Thomas, a Sunbelt security researcher, told eWEEK that as of five days ago, one site—procodec.net—was serving up 1,090 slightly different installers, each one built for a different "affiliate" site. The DNS Changer Trojan was being served on porn sites, purportedly as a codec that would enable visitors to view porno videos. Various porn sites would each get one installer, which the gang would then use for tracking purposes. The codecs are modified throughout the day to evade detection. "Welcome Mac anti-malware companies to our world," Hyppönen said. Many Mac enthusiasts have been skeptical about this Trojan, dismissing the hype as overreaction. Their arguments boil down to three tenets: There are far fewer threats to the Mac operating system than for Windows, users are at risk only if they surf porn, and a user must go to great length to get infected—i.e., download the fake codec, open it, run the installer, and enter in an administrative password. Craig Schmugar of McAfee Avert Labs rebutted these arguments noting that it only takes one threat to get infected, dozens of domains have been found that serve the malware and yet have nothing explicitly to do with porn, and a click-to-install requirement didn't keep Bagle from becoming one of the most successful pieces of Windows malware ever. "Many variants came as a password-protected ZIP archive attached to an e-mail message. The password was sent as an image attached to the message. Before getting infected, a user would have to open the suspicious e-mail message, open the suspicious ZIP attachment, manually enter the password provided in the other email attachment, and then run the virus. Result: many thousands of users getting infected," Schmugar said. Read more here about why the Mac has become more vulnerable to maleware. "Password-protected archives are an anomaly for most users, on Mac or Windows. I contend that the social engineering around installing a software package to watch a video is greater than that of having to enter a password provided in an email message simply to access what's supposed to be a photo," he said in a Nov. 2 posting. What truly sets the Mac version of the DNS Changer Trojan apart is that it's a dish cooked up by professional malware chefs, Schmugar said. "Unlike [early] Windows malware, this Mac Trojan is authored by professionals who likely pull in thousands of dollars a month through click fraud, hijacked affiliate sales, and other illegal activity," he said. Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel