8 November 2007 12:20 GMT
Trojans for Mac
Earlier this month a new piece of malware targeting the Apple Mac was discovered, called OSX/RSPlug-A. Occasionally these things come along, make the news and then quickly disappear.
This one appears to be different, though. The actual functionality of the malware is fairly simple: it modifies the Mac’s network settings so that DNS requests go to a server under the attacker’s control. DNS (the Domain Name System) is the service that turns a human-readable web address into the numeric IP address of the machine that hosts the web pages.
So when you type “www.website.com” into your browser, a request is sent to the DNS server configured on your machine to turn that name into an IP address, “192.0.2.10” for example. By taking over your DNS configuration, the attacker decides which machine you actually connect to: the answer for “www.website.com” can be changed to a server they control, “198.51.100.20” say, while the address bar still shows the name you typed. That lets the attacker do a wide variety of things: serve up fake bank websites to steal credentials, display adverts and so on.
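The practical check that follows from this is to look at which resolvers your Mac is actually configured to use and compare them with the ones you expect. The Python script below is an added example, not code from the original post or from Sophos: it parses the text printed by `scutil --dns` on macOS and flags any nameserver that is not in an allow-list you maintain. The allow-list, the sample `scutil` output and every IP address in it are constructed for illustration (192.168.1.1 stands in for a home router, 192.0.2.53 for an ISP resolver and 198.51.100.20 for an attacker-controlled server; the last two come from the RFC 5737 documentation ranges).

```python
"""Flag DNS resolvers on a Mac that you did not configure.

Added example for the post above (not Sophos code). Parses `scutil --dns`
output and reports nameservers outside EXPECTED_RESOLVERS. All addresses and
the sample output are constructed for illustration.
"""
import re
import shutil
import subprocess

# Resolvers this machine is expected to use. Assumption: your router and your
# ISP's resolver; adjust to your own network before relying on the result.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.0.2.53"}

# Constructed sample in the layout scutil --dns prints. The first nameserver of
# resolver #1 is the kind of entry a DNS-changing trojan would leave behind,
# and because it is listed first it receives the queries.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 198.51.100.20
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 198.51.100.20
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
"""

# Matches lines such as "  nameserver[0] : 192.168.1.1" and captures the address.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_text):
    """Return the nameservers in scutil --dns output, in order, without duplicates."""
    seen = []
    for addr in NAMESERVER_RE.findall(scutil_text):
        if addr not in seen:
            seen.append(addr)
    return seen


def find_rogue_resolvers(nameservers, expected=EXPECTED_RESOLVERS):
    """Return the resolvers that are not in the allow-list, preserving order."""
    return [ns for ns in nameservers if ns not in expected]


def current_scutil_output():
    """Run scutil --dns if this is a Mac; otherwise return None."""
    if shutil.which("scutil") is None:
        return None
    result = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # On a Mac this inspects the live configuration; elsewhere it runs on the sample.
    text = current_scutil_output() or SAMPLE_SCUTIL_OUTPUT
    servers = parse_nameservers(text)
    rogue = find_rogue_resolvers(servers)
    print("configured resolvers:", ", ".join(servers))
    if rogue:
        print("UNEXPECTED resolvers (check for DNS hijacking):", ", ".join(rogue))
    else:
        print("all resolvers are in the expected set")
```

Two caveats. The check is only as good as the allow-list: if you do not know which resolvers your network should hand out, compare against what the router or your ISP documents rather than against whatever is there today. And order matters: a resolver the attacker adds at position zero answers every query, so an unexpected first entry deserves more attention than an unexpected last one.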
One thing we do know is that this malware is connected to a widespread family of malware called ‘Zlob’. The Zlob family all use the same lure: the visitor is offered pornographic video and told to install a new ‘codec’ in order to view it, and that ‘codec’ is the malware. In the Windows versions, the malware is used for a variety of purposes: displaying adverts, and often displaying fake ‘You are infected’ messages and then asking the user to purchase a full copy of a product to clean the machine.
Many of the sites currently serving up Zlob malware will serve up the Mac ‘version’ instead if the visiting browser identifies itself as Safari. As with a large proportion of malware these days, the only vulnerability being exploited in this case is the one between the chair and the keyboard (the user).
I’m not trying to scaremonger, but as a Mac user myself (at home) it is concerning that the Mac appears to have become the focus of at least one malware gang. We’ll be keeping a close eye on how this evolves over the coming days and weeks and be doing further analysis. Ultimately, the increase or otherwise of this malware family will be driven by how effective the attackers are at infecting people. They are in business to make money, so if they don’t see a return on their investment, they won’t invest more.
So my plea to other Mac users is to ensure you use anti-virus products, take care where you are browsing and don’t become a vulnerability that can be exploited.
Mark Harris, Director of SophosLabs
