A Domain Name System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as a MacCinema installer (detected by Trend Micro as OSX_JAHLAV.D). This is the latest variant of OSX_JAHLAV.C, which was identified in June.


The Trojan poses as a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from a set of .com domains hosted at the same IP address.

Once a Mac is infected, the victim’s Web traffic can be diverted to a website of the attacker’s choosing.

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}; this file, detected as UNIX_DNSCHAN.AA, allows a malicious user to monitor the affected user’s activities. The victim may also be redirected to phishing sites or to sites from which other malware is downloaded.
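Two host-side checks that follow from the behaviour described above, as an added example that is not part of the original post or of any Trend Micro product: one flags resolver addresses in `scutil --dns` output that are not on an assumed allowlist (the symptom of a DNS changer), the other flags `/tmp` entries whose name is exactly three digits, matching the dropped-file pattern `/tmp/{random 3 numbers}`. The allowlist, the sample `scutil` output and the sample `/tmp` listing are constructed for illustration.

```python
"""Triage checks for the DNS-changer behaviour described in the post (added example)."""
import re
import subprocess
from pathlib import Path

# Resolvers this Mac is expected to use. Assumed allowlist; adapt to your network.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Matches a `scutil --dns` line such as "  nameserver[0] : 10.0.0.53".
_NS_LINE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

# Dropped-file naming pattern from the post: /tmp/{random 3 numbers}.
_DROP_NAME = re.compile(r"^\d{3}$")


def unexpected_resolvers(scutil_output, expected=EXPECTED_RESOLVERS):
    """Return resolver addresses in scutil --dns output that are not on the allowlist."""
    found = []
    for line in scutil_output.splitlines():
        m = _NS_LINE.match(line)
        if m and m.group(1) not in expected and m.group(1) not in found:
            found.append(m.group(1))
    return found


def suspicious_tmp_files(names):
    """Return directory entries whose name is exactly three digits, sorted."""
    return sorted(n for n in names if _DROP_NAME.match(n))


def live_check(tmp_dir="/tmp"):
    """Run both checks on the current Mac (needs scutil; not used by the offline sample)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=False).stdout
    names = [p.name for p in Path(tmp_dir).iterdir()]
    return unexpected_resolvers(out), suspicious_tmp_files(names)


# Constructed sample data, not captured from a real infected machine.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
"""
SAMPLE_TMP = ["com.apple.launchd.abc", "417", "042", "update.log"]

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_SCUTIL))
    print("suspicious /tmp entries:", suspicious_tmp_files(SAMPLE_TMP))
```

A hit from either check is a trigger for deeper inspection, not proof of infection on its own; three-digit `/tmp` names can be benign.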

Trend Micro Advanced Threats Researcher Feike Hacquebord notes that the domain names have been set up so that when the main IP address goes down or is taken down, the cybercriminals can easily move the backend to another IP address without changing any code or scripts.

Mac users would do well to stay away from the domains and IP address mentioned above, and to be wary of prompts to download software updates that do not come from Apple’s legitimate website.

    Mac users are protected by the Smart Protection Network through Trend Micro Security for Mac and Smart Surfing for Mac.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice