Security researchers at Sophos and ParetoLogic uncover a new variant of a Trojan targeting Mac computers. The discovery follows buzz triggered by Apple once again publishing old advice suggesting its customers use anti-virus software for additional protection.
Security researchers have uncovered an updated version of malware
targeting Mac computers.
The discovery comes after some in the security industry called attention to Apple again repeating old advice on using anti-virus software
as an additional layer of protection in the Security Advice section of a page on Mac OS
aka Snow Leopard. While the amount of known malware affecting Mac
computers remains infinitesimal when compared with Microsoft Windows, there
have been signs that attackers
are starting to pay more attention to Mac users.
In this case, researchers have uncovered a new variant of the Jahlav
According to researchers at Sophos
on June 9 and 10,
Jahlav poses as an Active X video codec on a pornography Website. If users
download it, the Trojan attempts to download other malicious files from the
Though the malware does not seem to be downloading anything at the moment,
that could change in the future, said Graham Cluley, senior technology
consultant at Sophos.
"My suspicion would be that it will lead to a fake anti-virus [program],"
Cluley said. "The reason why I suspect that is if because if you go to the
Web page on a Windows computer then you get served Windows scareware. So, if
that's how the hacking gang is planning to make money from Windows users, it's
probably the same methodology for their Mac victims."
As a part of the installation, a malicious shell script file called AdobeFlash
is created in the /Library/Internet Plug-Ins folder and configured to run
periodically. Inside the script in an encoded format is another shell script,
which in turn contains a Perl script that communicates with a remote Website to
download more malware from the attacker.
Researchers at Sophos also received new code for the Tored
worm, which made headlines in May
when it was reported that the worm's
authors were attempting to build a Mac botnet. However, the worm is still too
buggy to be a major worry, Cluley said.
"The worm attempts to scoop up other e-mail addresses from your Mac and
forward itself to them; however, it does require user interaction," he
said. "The truth is that Tored is so poorly written that I suspect it is
unlikely to ever spread effectively in the world. It doesn't appear to have any
particular payload other than attempting to spread. Judging by the juvenile
messages embedded inside its code, I think this worm is being written more with
the intention of the author showing off to his friends than to make money."