Trojan Targeting Mac Spreads as Attackers Eye Apple

Security researchers at Sophos and ParetoLogic uncover a new variant of a Trojan targeting Mac computers. The discovery follows buzz triggered by Apple once again publishing old advice suggesting its customers use anti-virus software for additional protection.

Security researchers have uncovered an updated version of malware targeting Mac computers.

The discovery comes after some in the security industry called attention to Apple again repeating old advice on using anti-virus software as an additional layer of protection in the Security Advice section of a page on Mac OS X 10.6, aka Snow Leopard. While the amount of known malware affecting Mac computers remains infinitesimal when compared with Microsoft Windows, there have been signs that attackers are starting to pay more attention to Mac users.

In this case, researchers have uncovered a new variant of the Jahlav Trojan. According to researchers at Sophos and ParetoLogic on June 9 and 10, Jahlav poses as an Active X video codec on a pornography Website. If users download it, the Trojan attempts to download other malicious files from the Internet.

Though the malware does not seem to be downloading anything at the moment, that could change in the future, said Graham Cluley, senior technology consultant at Sophos.

"My suspicion would be that it will lead to a fake anti-virus [program]," Cluley said. "The reason why I suspect that is if because if you go to the Web page on a Windows computer then you get served Windows scareware. So, if that's how the hacking gang is planning to make money from Windows users, it's probably the same methodology for their Mac victims."

As a part of the installation, a malicious shell script file called AdobeFlash is created in the /Library/Internet Plug-Ins folder and configured to run periodically. Inside the script in an encoded format is another shell script, which in turn contains a Perl script that communicates with a remote Website to download more malware from the attacker.

Researchers at Sophos also received new code for the Tored worm, which made headlines in May when it was reported that the worm's authors were attempting to build a Mac botnet. However, the worm is still too buggy to be a major worry, Cluley said.

"The worm attempts to scoop up other e-mail addresses from your Mac and forward itself to them; however, it does require user interaction," he said. "The truth is that Tored is so poorly written that I suspect it is unlikely to ever spread effectively in the world. It doesn't appear to have any particular payload other than attempting to spread. Judging by the juvenile messages embedded inside its code, I think this worm is being written more with the intention of the author showing off to his friends than to make money."