Trend Micro Uncovers DNS-Changing Mac Trojan

By Brian Prince | Posted 2009-08-11
Researchers at Trend Micro have spotted a Domain Name System-changing Trojan targeting Mac computers.

The Trojan, which is disguised as a MacCinema installer and poses as an Apple QuickTime Player update with the file name QuickTimeUpdate.dmg, is detected by Trend Micro as OSX_JAHLAV.D and is considered an update to the OSX_JAHLAV.C malware identified in June. Users are prompted to download the malware when viewing certain videos on .com domains hosted at the IP address 91.214.45.73, including:

• allincorx
• bigdron
• cikaredo

Trend Micro has published a full list of the domains. If a computer is infected, an attacker can reroute the victim's Web traffic to rogue Websites, according to the TrendLabs Malware Blog.

"The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F," wrote Det Caraig, a researcher with Trend Micro. "The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user's activities. This may also cause the user to be redirected to phishing sites or sites [that] other malware may be downloaded from."

Trend Micro officials noted that the domain names have been set up so that if the main IP address is taken down, the criminals can move the back end to another address without changing any code or scripts. Mac users should stay away from the domains and IP addresses Trend Micro has listed and be wary of prompts to download software updates that do not come from Apple's legitimate Website.
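The two indicators Trend Micro describes, a payload written to /tmp under a three-digit random name and resolver settings redirected away from the ones the user configured, can be triaged on a Mac with a short script. The following is an added example written for this article, not code from Trend Micro or from the malware: it parses `scutil --dns` output for resolver addresses that are either the hosting address named above or absent from an operator-supplied allowlist, and it flags /tmp entries matching the three-digit drop pattern. The sample `scutil --dns` text is constructed for illustration, and the allowlist and the hostile-address set are assumptions the operator must set for their own network.

```python
#!/usr/bin/env python3
"""Added example (not Trend Micro's or the malware's code): triage checks for
the OSX_JAHLAV.D / UNIX_DNSCHAN.AA indicators described in the article.

  1. Resolver addresses from `scutil --dns` (macOS) that are known-bad or
     not on the operator's allowlist.
  2. Files in /tmp whose names are exactly three digits, the drop location
     quoted from the TrendLabs write-up.
"""
import os
import re
import subprocess

# Hosting address named in the article. Assumption: any resolver pointing at it
# is treated as hostile regardless of the allowlist.
KNOWN_BAD = {"91.214.45.73"}

# `scutil --dns` prints lines such as "  nameserver[0] : 192.168.1.1".
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)
THREE_DIGITS_RE = re.compile(r"^\d{3}$")


def parse_resolvers(scutil_text):
    """Ordered, de-duplicated list of nameserver addresses in scutil output."""
    seen = []
    for addr in NAMESERVER_RE.findall(scutil_text):
        if addr not in seen:
            seen.append(addr)
    return seen


def rogue_resolvers(scutil_text, allowed):
    """Resolvers that are known-bad or that the operator did not configure."""
    return [a for a in parse_resolvers(scutil_text)
            if a in KNOWN_BAD or a not in allowed]


def suspicious_tmp_files(names):
    """Entries matching the /tmp/{three random digits} drop pattern, sorted."""
    return sorted(n for n in names if THREE_DIGITS_RE.match(n))


def live_scan(allowed, tmp_dir="/tmp"):
    """Run both checks against the current machine (macOS only)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return {"resolvers": rogue_resolvers(out, allowed),
            "tmp_files": suspicious_tmp_files(os.listdir(tmp_dir))}


# Constructed sample of `scutil --dns` output: one resolver handed out by the
# local DHCP server and one injected entry the operator never configured.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records
"""

if __name__ == "__main__":
    allowed = {"192.168.1.1"}  # assumption: the resolver your network hands out
    print("rogue resolvers:", rogue_resolvers(SAMPLE_SCUTIL, allowed))
    print("suspicious /tmp names:",
          suspicious_tmp_files(["123", "foo", "4567", "001"]))
```

The allowlist check matters more than the hard-coded address: as the article notes, the operators can move the back end to a new IP without touching their scripts, so a resolver you did not configure is the durable signal, while a match on the published address is only a bonus. A three-digit name in /tmp is a weak indicator on its own and is worth a second look rather than an automatic verdict.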
