Phishing trojan targets Mac OSX

Posted by   Virus Bulletin on   Nov 1, 2007

DNS hijack disguised as codec threatens Apple systems.

A new trojan affecting Apple's Mac OSX operating system - a relative rarity in the malware world - has been seen in the wild. The trojan, thought to belong to the highly prevalent Zlob (aka Puper) family, is being served by numerous fake codec sites, linked to from porn sites. Once installed, the trojan hijacks DNS settings to redirect visits to PayPal and some online banking sites to phishing sites.

The trojan, first reported by Mac security specialist Intego, uses typical social engineering tactics to persuade users to install it. Links to content on porn sites bring up a message saying a certain codec is required to play the media, redirecting users to the trojan download sites, which are apparently locale-aware and provide trojans set up to target local financial institutions.

Once the user has agreed to the install and granted it root access to the system, the trojan doctors DNS pointers to ensure any attempt to visit certain sites will be taken instead to phishing sites modelled on the real versions, which can then gather highly sensitive login information for theft and ID fraud purposes. Other web requests may be redirected to advertising or porn sites.

More details on the attack are at Intego here, at the SANS Internet Storm Center here, at Sunbelt here or at McAfee here.

Posted on 01 November 2007 by Virus Bulletin



Latest posts:

New additions complete the VB2020 localhost programme

The programme for VB2020 localhost - the first virtual, and entirely free to attend VB conference - is now complete, with new additions to both the live programme and the on-demand programme.

VB2020 localhost call for last minute papers: a unique opportunity

Why VB2020 localhost presents a unique opportunity for you to share your research with security experts around the globe.

VB2020 localhost call for last-minute papers now open!

The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

Announcing... VB2020 localhost

Announcing VB2020 localhost: the carbon neutral, budget neutral VB conference!

VB2019 paper: APT cases exploiting vulnerabilities in region-specific software

At VB2019, JPCERT/CC's Shusei Tomonaga and Tomoaki Tani presented a paper on attacks that exploit vulnerabilities in software used only in Japan, using malware that is unique to Japan. Today we publish both their paper and the recording of their…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.