Mac Trojan Spreads in the Wild
Intego, the developer of security software for Mac, warned online on October 31, 2007 that the Trojan OSX.RSPlug.A was circulating in the wild.
According to Intego, users who respond to forum postings promising free porn unwittingly download the Trojan. When they click the links embedded in the messages, they are told that QuickTime can't play the file holding the movie and are offered an alternative link that claims to take them to a different codec. While downloading and installing the code, users are asked to provide an administrator password; the Trojan then alters the Domain Name System (DNS) settings on the Mac so that the user's computer uses a server operated by the sender of the Trojan.
Normally, a DNS server returns the Internet Protocol (IP) address that matches a domain name, but in this case the bogus server would send back false results, so that when users try to reach the online financial institution PayPal, they are directed to a phishing site where the miscreants hijack their accounts.
In traditional phishing, e-mails purporting to come from the institution entice the recipient to follow an included link to a phishing site, where the recipient is asked to verify a transaction or perform some other action that pretends to be official. This is why banks advise customers to type the URL into the browser's address bar instead of following any link. The OSX.RSPlug.A Trojan, however, works regardless of where the URL comes from, because the rogue DNS server redirects the user wherever the miscreants want.
Confirming Intego's report, McAfee also said that the Trojan compromises Macs via a DNS modification. With this DNS change, Web traffic is redirected from genuine sites to sites serving ads or phishing pages.
In a statement published by Vnunet on October 31, 2007, David Marcus, McAfee's Communications and Security Research Director, noted that although an unexpectedly large number of sites distribute the Trojan, the number of actual infections reported has been much lower.
OSX.RSPlug.A works on Mac OS X 10.5 and 10.4, and other versions could also be affected.
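Because the Trojan described above works by changing the Mac's DNS settings, a defender can compare the resolvers the system is actually using against the ones it is expected to use. The following is an added example, not code from Intego, McAfee or the original article; it assumes the output format of the macOS `scutil --dns` command, and the sample output, addresses and allowlist are constructed.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `scutil --dns` output (documentation-range addresses).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domains[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""

# Assumption: resolvers this site expects (the local router in this sample).
ALLOWED = ["192.168.1.0/24"]

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)\s*$", re.MULTILINE)


def configured_resolvers(scutil_output):
    """Return the distinct nameserver addresses, in order of appearance."""
    seen = []
    for raw in NAMESERVER_RE.findall(scutil_output):
        addr = raw.split("%", 1)[0]  # drop an IPv6 scope id such as %en0
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal; ignore the line
        if ip not in seen:  # scutil repeats resolvers in its scoped section
            seen.append(ip)
    return seen


def unexpected_resolvers(scutil_output, allowed_networks):
    """Return configured resolvers that fall outside every allowed network."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    return [str(ip) for ip in configured_resolvers(scutil_output)
            if not any(ip in net for net in allowed)]


if __name__ == "__main__":
    try:
        out = subprocess.run(["scutil", "--dns"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SCUTIL_DNS  # not on macOS: use the constructed sample
    for ip in unexpected_resolvers(out, ALLOWED):
        print("unexpected DNS resolver:", ip)
```

The allowlist is site-specific: it should hold only the resolvers handed out by your own router, ISP or administrator, so that any other address stands out for investigation.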
» SPAMfighter News - 20-11-2007