Mac's First Trojan Begins to Breed

The gang behind a Mac Trojan has been churning out slightly modified versions to evade malware detection.

The Mac's first Trojan won't be its last: Security researchers at F-Secure have found that the gang behind the malware has been churning out slightly modified versions to evade anti-malware detection.

That's nothing new—the fake codec the Trojan is masquerading as is a variant of Trojan.DNSChanger, malware that's been plaguing Windows users for some time.

"This operation keeps modifying their … Trojans constantly: they have been doing this for their Windows malware for a long time; now they are also doing it for Mac," F-Secure's Mikko Hyppönen told eWEEK. F-Secure noted the new variants in a Nov. 7 posting.

It's not a challenge to antivirus companies, which can build detection so that these slight modifications don't matter much, he said.

There are typically multiple sites that distribute the DNS Changer Trojan. At any given time, there might be thousands of variants active. Adam Thomas, a Sunbelt security researcher, told eWEEK that as of five days ago, one site——was serving up 1,090 slightly different installers, each one built for a different "affiliate" site.

The DNS Changer Trojan was being served on porn sites, purportedly as a codec that would enable visitors to view porno videos. Various porn sites would each get one installer, which the gang would then use for tracking purposes. The codecs are modified throughout the day to evade detection.

"Welcome Mac anti-malware companies to our world," Hyppönen said.

Many Mac enthusiasts have been skeptical about this Trojan, dismissing the hype as overreaction. Their arguments boil down to three tenets: There are far fewer threats to the Mac operating system than for Windows, users are at risk only if they surf porn, and a user must go to great length to get infected—i.e., download the fake codec, open it, run the installer, and enter in an administrative password.


Craig Schmugar of McAfee Avert Labs rebutted these arguments noting that it only takes one threat to get infected, dozens of domains have been found that serve the malware and yet have nothing explicitly to do with porn, and a click-to-install requirement didn't keep Bagle from becoming one of the most successful pieces of Windows malware ever.

"Many variants came as a password-protected ZIP archive attached to an e-mail message. The password was sent as an image attached to the message. Before getting infected, a user would have to open the suspicious e-mail message, open the suspicious ZIP attachment, manually enter the password provided in the other email attachment, and then run the virus. Result: many thousands of users getting infected," Schmugar said.


Read more here about why the Mac has become more vulnerable to maleware.

"Password-protected archives are an anomaly for most users, on Mac or Windows. I contend that the social engineering around installing a software package to watch a video is greater than that of having to enter a password provided in an email message simply to access what's supposed to be a photo," he said in a Nov. 2 posting.

What truly sets the Mac version of the DNS Changer Trojan apart is that it's a dish cooked up by professional malware chefs, Schmugar said.

"Unlike [early] Windows malware, this Mac Trojan is authored by professionals who likely pull in thousands of dollars a month through click fraud, hijacked affiliate sales, and other illegal activity," he said.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.