A Domain Name System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as MacCinema Installer (detected by Trend Micro as OSX_JAHLAV.D). This is the latest variant of OSX_JAHLAV.C, which was identified in June.
The Trojan passes itself off as a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos on .com domains hosted at the IP address 91.214.45.73, such as:
- allincorx
- bigdron
- cikaredo
- civilizxx
- comeandtryx
- deribrowns
- draxxtermania
- givendream
- hitrowzone
- jumborad
- ltdkeeper
- operationelx
- oxxadox
- paxxtiger
- rednetx
- rstdeals
- simplexdoom
- sinisteer
- tdenuwas
- tniredrum
- ufapeace
If infected, a victim’s Web traffic can then be diverted to the website of the attacker’s choosing.
The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}; this file, detected as UNIX_DNSCHAN.AA, allows a malicious user to monitor the affected user’s activities. It may also cause the user to be redirected to phishing sites or to sites from which other malware is downloaded.
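As an added, defender-side example that is not part of the original post: a Python triage script that matches DNS or proxy log lines against the domains and IP address listed above, and checks a Mac’s resolver configuration and /tmp for the kind of change described in this paragraph. The log lines, the `scutil --dns`-style and resolv.conf-style resolver text, the expected-resolver list and the /tmp file names are constructed sample data, not captures from a real infection.

```python
"""Defender-side triage for the OSX_JAHLAV.D indicators described in the post.

Added example, not code from the original post or from Trend Micro.
  1. match DNS/proxy log lines against the listed .com domains and IP address;
  2. flag resolver addresses that are not on an administrator's expected list,
     which is the change a DNS-changing Trojan makes;
  3. flag /tmp entries whose name is exactly three digits, the drop location
     the post describes as /tmp/{random 3 numbers}.
All sample data below is constructed for the example.
"""
import ipaddress
import re

# Second-level labels taken from the post; each is used as a .com domain.
JAHLAV_LABELS = [
    "allincorx", "bigdron", "cikaredo", "civilizxx", "comeandtryx",
    "deribrowns", "draxxtermania", "givendream", "hitrowzone", "jumborad",
    "ltdkeeper", "operationelx", "oxxadox", "paxxtiger", "rednetx",
    "rstdeals", "simplexdoom", "sinisteer", "tdenuwas", "tniredrum", "ufapeace",
]
JAHLAV_DOMAINS = {label + ".com" for label in JAHLAV_LABELS}
JAHLAV_IPS = {"91.214.45.73"}  # hosting address named in the post

# Resolvers this (hypothetical) organisation expects to see on its Macs.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Anything that can be a hostname or dotted IPv4 address inside a log line.
HOST_TOKEN = re.compile(r"[a-z0-9.-]+")
# Accepts "nameserver 1.2.3.4" (resolv.conf) and "nameserver[0] : 1.2.3.4" (scutil --dns).
NAMESERVER = re.compile(r"nameserver(?:\[\d+\])?\s*:?\s*([0-9a-fA-F.:]+)")
TMP_DROP = re.compile(r"\d{3}")


def indicator_for(token):
    """Return the listed indicator a hostname/IP token matches, else None.
    Subdomains of a listed domain count; 'notallincorx.com' does not."""
    token = token.rstrip(".")  # DNS logs often write FQDNs with a trailing dot
    if token in JAHLAV_IPS:
        return token
    for domain in JAHLAV_DOMAINS:
        if token == domain or token.endswith("." + domain):
            return domain
    return None


def match_indicators(log_lines):
    """Return (line_number, indicator) for every line mentioning an indicator."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for token in HOST_TOKEN.findall(line.lower()):
            found = indicator_for(token)
            if found:
                hits.append((no, found))
                break  # one hit per line is enough for triage
    return hits


def rogue_resolvers(config_text, expected=EXPECTED_RESOLVERS):
    """Return resolver addresses in config_text that are not on the expected list."""
    found = set()
    for m in NAMESERVER.finditer(config_text):
        try:
            found.add(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # ignore anything that is not a valid address
    return sorted(found - set(expected))


def suspicious_tmp_names(filenames):
    """Return /tmp entry names that are exactly three digits."""
    return sorted(n for n in filenames if TMP_DROP.fullmatch(n))


# --- constructed sample data ------------------------------------------------
SAMPLE_LOG = [
    "2009-08-12 10:02:11 10.0.0.14 GET http://www.apple.com/quicktime/ 200",
    "2009-08-12 10:03:45 10.0.0.14 DNS A? video.hitrowzone.com.",
    "2009-08-12 10:03:46 10.0.0.14 GET http://91.214.45.73/QuickTimeUpdate.dmg 200",
    "2009-08-12 10:05:00 10.0.0.22 DNS A? www.example.org.",
]
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
"""
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 10.0.0.53\n"
SAMPLE_TMP = ["123", "com.apple.launchd.abc", "457", "1234", "x12"]

if __name__ == "__main__":
    for no, ind in match_indicators(SAMPLE_LOG):
        print(f"log line {no}: indicator {ind}")
    print("rogue resolvers:", rogue_resolvers(SAMPLE_SCUTIL))
    print("suspicious /tmp names:", suspicious_tmp_names(SAMPLE_TMP))
```

The resolver check is the one worth keeping after this particular campaign fades: the domain list and IP address will change, but a Mac whose nameservers point somewhere the administrator did not configure is a durable signal of a DNS changer. The 203.0.113.5 address in the sample is from a documentation range and stands in for an unknown resolver.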
Trend Micro Advanced Threats Researcher Feike Hacquebord notes that the domain names have been set up such that when the main IP goes down or is taken down, cybercriminals can easily move the backend to another IP address without needing to change code or scripts.
It would serve Mac users well to stay away from the above-mentioned domains and IP address, and to be wary of prompts to download software updates that do not come from Apple’s legitimate website.
Mac users are protected by the Smart Protection Network through Trend Micro Security for Mac and Smart Surfing for Mac.
August 12th, 2009 at 11:27 am
It’s a trojan, not a worm/virus. Trojans are malware that can only propagate with the user’s assistance. Use some common sense: every browser on the planet tells you where the download is coming from – if it’s supposedly a quicktime update and it’s not coming from quicktime servers, it’s a safe bet that it’s crapware.
September 2nd, 2009 at 12:31 am
It is clear that the threats are growing for MacOS X because the platform is gaining interest in the area of malware writers and distributors.
A lot of people think they are safe by using MacOS X alone and up to a certain level it is true but they don’t see the whole picture. Most malware can only be executed on Windows platforms but we have to be alert.
I think it is a matter of time before we see the first real malware distributions targeting MacOS X users. If that happens, I expect a high level of infected machines because most MacOS X users don’t have any security software installed, yet.