
The Double Attack: Windows Attack and now also Mac Attack 

Nov 01, 2007 03:00 AM

Many Internet surfers learned a lesson when their computers were infected by visiting questionable Web sites. These surfers began using Macs, as most malware targets the Windows operating system. Well, soon enough, it may not matter which OS you are using.

According to Intego's press release, a Trojan horse has been found on several pornography sites that claims to install a video codec required to view the content on Macs.

Symantec Security Response has also confirmed this, and added detection for the threat as OSX.RSPlug.A. It appears that the Mac is becoming popular enough that the "bad guys" think it is worth spending time and effort in developing malware for the Mac OS. If we see a rise in Mac malware, then we will have to assume that there are profits to be made in malware for Macs as well. Stay tuned.

As far as this particular attack goes, it is not only attacking Macs. These Web sites also supply a Windows version of the Trojan, thereby increasing the attack space by targeting two operating systems. When a visitor accesses the pornography sites, they are redirected to a malicious Web site where we can see the handiwork of our old friend WebAttacker. There is script here that checks the browser to determine what OS the visitor is using. If it is a Mac, then the site will send OSX.RSPlug.A, and if it is Windows then it will send Trojan.Flush.A. On a Mac, the visitor can simply click "Cancel" on the pop-up message to stop the download. However, the Windows version is a bit nastier, as canceling the download only causes the pop-up to reappear. Fortunately, Trojan.Flush.A was proactively detected as Bloodhound.Packed.7 at the time.

[Windows screenshot: win1.bmp]

[Mac screenshot: mac1.bmp]

Technically, the Mac version of the Trojan isn't really that complex. It is basically a variant of Trojan.Flush, which has been around for a couple of years. The threat requires visitors of a malicious Web site to fall for a social engineering trick, which in this case is the site(s) informing them that an installation of a video codec is necessary to view the content they are trying to access and asking them to download and install the software. The threat then modifies DNS settings on the compromised computer, just like similar malware that runs on Windows. However, as with any legitimate software for Macs, users will be prompted to enter their admin password during the installation, which may make them think twice about continuing with the installation. We're continuing to perform analysis on the threat, so watch this space for further information.
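Because the payload's effect on both platforms is a change to the resolver configuration, the practical defender check is to compare the resolvers a host is actually using against the ones it should be using. The script below is an added example written for this post, not Symantec's or Intego's code: it parses resolver entries from `scutil --dns` style output (macOS) or `/etc/resolv.conf` (Linux) and flags any server not on an allowlist. The allowlist addresses and the sample command output are constructed for the demonstration (203.0.113.10 and 198.51.100.7 are documentation-range addresses standing in for a rogue server); the `read_live_config` helper is a hypothetical convenience for running the same check on a real host.

```python
"""Audit DNS resolver settings for unexpected servers (macOS/Linux).

Added example, not from the original post: a DNS-changing Trojan such as
the one described leaves its footprint in the resolver configuration, so
a defender can periodically diff the configured resolvers against an
allowlist. The sample outputs below are constructed for the demo.
"""
import ipaddress
import re
import subprocess
from typing import Iterable

# Hypothetical allowlist: the resolvers this organisation expects to see.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample of `scutil --dns` output on a host whose primary
# resolver has been replaced (203.0.113.10 is a documentation address).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 10.0.0.53
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""

# Constructed sample of a Linux /etc/resolv.conf with one unexpected entry.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.1.53
nameserver 198.51.100.7
"""

# Matches both "nameserver[0] : 1.2.3.4" (scutil) and "nameserver 1.2.3.4".
_NS_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.MULTILINE)


def parse_resolvers(text: str) -> list:
    """Extract resolver IPs, in order of appearance, without duplicates."""
    found = []
    for match in _NS_RE.finditer(text):
        candidate = match.group(1)
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # skip anything that is not an IP literal
        if ip not in found:
            found.append(ip)
    return found


def unexpected_resolvers(text: str,
                         allowlist: Iterable[str] = EXPECTED_RESOLVERS) -> list:
    """Return configured resolvers that are not on the allowlist."""
    allowed = set(allowlist)
    return [ip for ip in parse_resolvers(text) if ip not in allowed]


def read_live_config() -> str:
    """Best-effort read of the host's real resolver configuration."""
    try:
        return subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        pass  # not macOS, or scutil unavailable: fall back to resolv.conf
    try:
        with open("/etc/resolv.conf") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    for label, sample in (("scutil", SAMPLE_SCUTIL_DNS),
                          ("resolv.conf", SAMPLE_RESOLV_CONF)):
        rogue = unexpected_resolvers(sample)
        status = "ALERT" if rogue else "ok"
        print(f"[{status}] {label}: configured={parse_resolvers(sample)} "
              f"unexpected={rogue}")
    live = read_live_config()
    if live:
        print("live host unexpected resolvers:", unexpected_resolvers(live))
```

Run as a scheduled job or from an endpoint agent, any non-empty result from `unexpected_resolvers` is worth an alert: a legitimate network change will show up as a known corporate or ISP resolver, while a hijack of the kind described here shows up as an address nobody provisioned.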

So for those of you who thought you could use Macs to surf any type of Web site on the Internet and not get infected, those days may be coming to an end sooner than you expected.

*Symantec Security Response would like to thank Intego for their assistance.
