According to a report by Mac security vendor Intego, a malicious Trojan horse has been found on several porn Web sites. It claims to install the video codec necessary to view free pornographic videos on Macs.
The Trojan, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac's DNS server and redirect requests to malicious DNS servers.
Once the malicious DNS server is active, users are directed to various phishing sites hiding behind well-known names like eBay, PayPal, etc. Taking these sites to be legitimate, users tend to get duped into disclosing their user names and passwords, and credit card or other account numbers.
The other possibility is for these to be attempts at generating ad revenues through illegitimate means. When users visit these malicious Web sites, they see still photos from reputed porn sites. So when they click, hoping to see the videos, the Trojan gets installed.
The Trojan also installs a root crontab which checks every minute to ensure that its DNS server is still active.
Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's GUI. Under Mac OS X 10.5, this can be seen in Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually.
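Since the GUI may not show the change, both the resolver list and the root crontab can be checked from Terminal. The script below is an added example, not code from Intego or the original article: it assumes a macOS release whose scutil supports `--dns`, the function names are hypothetical, and all sample output, addresses (documentation ranges) and the crontab path are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit helpers that read command output on stdin, so they can
# be exercised offline. All sample data below is constructed.

# Print each resolver address in `scutil --dns` output that is not in the
# space-separated allowlist passed as $1.
unexpected_resolvers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
            if (!($3 in ok) && !seen[$3]++) print $3
        }'
}

# Print crontab entries whose schedule fires every minute (five "*" fields,
# or "*/1" in the minute field), skipping comments and variable assignments.
every_minute_jobs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }
        ($1 == "*" || $1 == "*/1") && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" { print }'
}

# Constructed sample of `scutil --dns` output (documentation-range addresses).
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 203.0.113.54
  nameserver[2] : 192.0.2.1
  order   : 200000'

# Constructed sample of a root crontab listing; the path is a placeholder.
SAMPLE_CRON='# m h dom mon dow command
MAILTO=""
15 3 * * * /usr/sbin/periodic daily
* * * * * "/Library/EXAMPLE-PLACEHOLDER/helper" 1>/dev/null 2>&1'

# On a live Mac (assumed usage):
#   scutil --dns | unexpected_resolvers "192.0.2.1"
#   sudo crontab -l | every_minute_jobs
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DNS"  | unexpected_resolvers "192.0.2.1"
    printf '%s\n' "$SAMPLE_CRON" | every_minute_jobs
fi
```

The allowlist passed to `unexpected_resolvers` should hold the DNS servers your router or ISP is known to hand out; anything else it prints deserves a closer look.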
Apparently, the Trojan also comes in different versions, perhaps targeted according to the country in which the user is located, for country-specific spoofing.
In order to prevent exploitation, Mac users can run Intego VirusBarrier X4 with its virus definitions dated October 31, 2007. Intego claims that VirusBarrier X4 will eradicate malicious code, and prevent the Trojan from being installed.
Source: Techtree