Last Updated: 2007-11-02 02:36:39 UTC
by Bojan Zdrnja (Version: 2)
We received several reports of companies (http://www.intego.com/news/ism0705.asp) warning about a Mac DNS changer Trojan in the wild. As I happened to receive a sample of it, I decided to analyze it quickly.
The whole Trojan is relatively simple and works almost exactly the same as its Windows counterpart. When executed, the Trojan changes the DNS settings on the machine and reports back to the C&C server.
While the Trojan is relatively simple and not a big threat, two things came to my mind immediately. First, the bad guys are now taking the Mac seriously – this is a professional attempt at attacking Mac systems (and it could have been much more damaging). Second, as the folks at Sunbelt noticed (http://sunbeltblog.blogspot.com/2007/10 ... rojan.html), when they sent a sample to VirusTotal there were 0 (zero, nada, zilch) products that detected it.
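Since no AV product detected the sample, checking for the Trojan's effect rather than its binary is a useful complement: compare the resolvers the system is actually using against an approved list. The following is an added example, not code from this diary; the approved resolver addresses and the `scutil --dns` sample text are constructed placeholders.

```python
import re
import subprocess
import sys

# Resolvers the organisation expects to see (constructed values for this example;
# replace with the real internal or ISP resolver addresses).
APPROVED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample in the format printed by `scutil --dns` on macOS. The second
# resolver block stands in for the unexpected external servers a DNS changer
# leaves behind (addresses are documentation-range placeholders).
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)

def parse_nameservers(scutil_output: str) -> list:
    """Return every nameserver address in `scutil --dns` output, in order, deduplicated."""
    seen = []
    for addr in NAMESERVER_RE.findall(scutil_output):
        if addr not in seen:
            seen.append(addr)
    return seen

def unexpected_resolvers(scutil_output: str, approved=APPROVED_RESOLVERS) -> list:
    """Nameservers present in the configuration but absent from the approved set."""
    return [ns for ns in parse_nameservers(scutil_output) if ns not in approved]

def live_scutil_output() -> str:
    """Run `scutil --dns` on a Mac; on any other OS fall back to the constructed sample."""
    if sys.platform != "darwin":
        return SAMPLE_SCUTIL_OUTPUT
    return subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    bad = unexpected_resolvers(live_scutil_output())
    if bad:
        print("ALERT: unapproved DNS resolvers configured:", ", ".join(bad))
    else:
        print("OK: all configured resolvers are on the approved list")
```

Run it from a periodic job or an endpoint management tool; an alert on a resolver outside the approved set is a signal worth triaging regardless of what the AV scanner says.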
So, let’s see what really happens here. The “social engineering” part has been seen a million times: an unsuspecting user visits a web site with a movie on it, but needs to download a new codec in order to view it. On Windows, that new codec is typically a PE executable; for the Mac, the bad guys prepared a DMG archive (DMG files are like ISOs). The user is then prompted to install the package, and during this process he will have to supply the administrator credentials. Yep, it’s game over from this point on (and the attack is exactly the same as on Windows – keep in mind that these users *will* willingly supply these credentials).