
IT Developments
New Mac OS X DNS changer spreads through social engineering
- From: Brian Warkoczeski
- Date: Wed Aug 12 17:44:08 2009
New Mac OS X DNS changer spreads through social engineering
By Dancho Danchev
August 11th, 2009
www.zdnet.com
TrendMicro is reporting on a newly discovered 4th member of the
OSX_JAHLAV malware family.
The latest variant is once again relying on social engineering, this
time spreading under a QuickTime Player update (QuickTimeUpdate.dmg)
with a DNS changer component enabling the malware authors to redirect
and monitor the traffic of the victim.
The Trojan contains component files detected as UNIX_JAHLAV.D and
obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then
downloads a file from a malicious site and stores it as /tmp/{random 3
numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to
monitor the affected user’s activities. This may also cause the user to
be redirected to phishing sites or sites where other malware may be
downloaded from.
Not only are cybercriminals beginning to acknowledge the "under-served"
Mac OS X segment, but also, they're already borrowing tricks from the
Microsoft Windows playbook such as OS-independent tactics like fake
codecs and bogus video players. The irony? Both the Mac OS X and Windows
malware are hosted on the same domains, with copies of each served on
the basis of browser detection.
For the rest of the article, see:
http://blogs.zdnet.com/security/?p=4024&tag=nl.e550