Filed under: Security, Video, Macintosh
Mac trojan masquerading as codec
by Christina Warren Nov 6th 2007 at 4:30PM
Late last week, Intego Security released a press release detailing a new Trojan web variant, aimed at Mac users. A Trojan, known as OSX.RSPlug.A (or OSX/Puper), is installed on the system by the user, under the guise that it is a video codec, required for playing a free video file. The installer, under the clever name MacCodec, requires administrative access to install (meaning the user has to not only specifically agree to download the file, he/she has to enter in the admin password before it will install), and instead of installing a codec, it runs a script that creates a scheduled task that changes the DNS server, in an attempt to redirect users to malicious phishing sites. Unsurprisingly, this Trojan seems to be almost exclusively targeting porn sites that offer those always-hard-to-resist "Download Sample Now" or "Free movie clip" downloads.
Like clockwork, the pandering , the hysteria and the schadenfreude has already hit the web. Many of these articles fail to adequately underscore a few points that, we at Download Squad, think are pretty important for users to consider:
- This is not the first Trojan to affect the Mac, nor will it be the last.
- This is a fairly simple, some might even say standard Trojan. It works exactly the same as the pre-existing Windows version.
- The user has to agree to download the file AND enter in an administrative password. Granting admin rights to a "codec" you are downloading off of a porn site (and note, the video doesn't download - the DMG for the trojan downloads, the video does not exist) is not something we recommend, regardless of your OS.
- The company that released the first press release, assessing the risk as "critical" - is a company that is trying to parlay this as a way to sell more copies of their Mac Antivirus product. McAfee, Sunbelt and others failed to deem this as anything other than low risk.
As always, users should never grant admin access to a program from an unknown source (especially if it is for a porn site, come on!). We admit, masquerading as a codec is pretty clever, considering QuickTime's lack of compatibility out of the box, with some of the most popular video formats. Luckily, Perian, an open-source, free and SAFE utility exists that quickly and easily provides QuickTime compatibility with a host of formats. Other solutions like VLC and Windows Media Components for QuickTime are also available for free.
Panda Labs has more information about the types of sites this Trojan seems to be stemming from and the types of messages the installer displays.
With Halloween fast approaching, it's a great time to get in some practice defending your territory against zombies. In Graveyard Shift, you take aim at zombies and other creepy-crawlies, blasting them into splatters of cartoony green guts. It's a casual first-person shooter, and it's very easy to get the hang of - use the mouse to aim, click to fire. Graveyard Shift has at least 15 levels, and it might even have some secret stages I haven't unlocked yet.
They key to getting good at Graveyard Shift is learning to use ...
Reader Comments (Page 1 of 1)
kojo87 said 5:39PM on 11-06-2007
and so it begins. looks like that Mac guy is about to catch PC's cold. too bad he has no immune system.
Reply
james 42 said 5:45PM on 11-06-2007
kojo87, way not to read the post, troll.
Reply
michael said 9:06PM on 11-06-2007
No way! I thought Macs were immune to things like viruses and trojans.
I guess not.
Reply
Reader said 1:02AM on 11-07-2007
As the article says, this is a rather non-threat.
Still, I suppose that's hardly going to stop those bashing Apple and Mac fanboys now.
I'd protest... except IMHO Apple probably had it coming after the more arrogant of their ads. Still feel sorry for honest Mac users, though. Oh, well.
Reply
TempusFugit said 7:17AM on 11-07-2007
It should be noted, however, that most of the Windows threats these days all rely on the user too. They expect the user to download it, open it, confirm it, and then run it and let it keep running. Big threats which break in through exploits are getting much rarer unless you haven't updated for years.
The problem lies with people. Saying it's not a threat because it requires the user is significantly untrue these days. If someone wants to view something and thinks they need to install something to get it to work, they will do. I've even seen people downloading zipped viruses in emails, unzipping them, entering a password to extract the zip which was in the email, running the program, agreeing to let it run, permitting it through the firewall, and then wondering why their computer got infected.
Reply
nat said 9:33AM on 11-07-2007
Quote: " Like clockwork, the pandering , the hysteria and the schadenfreude has already hit the web. Many of these articles fail to adequately underscore a few points that ..."
This is the best article I've read in months. Not for the subject matter or content, but for the resistance to sensationalism so far as to mock other highly credited news sources. Classic.
Keep up the good work dls!
Reply
Colin said 10:55PM on 11-07-2007
@3/michael:
And now you know! Consider yourself properly educated.
The type of person to fall prey to this type of Trojan is going to muck up ANY system they're using:
The warning the Trojan displays looks nothing like an actual QuickTime error. QuickTime is improperly capitalized. QuickTime never displays "Click here to download an updated version of this codec." Though I haven't seen the Trojan in action, I highly doubt it shows the appropriate QuickTime loading screen.
If anything, this simply proves that OS X users should educate themselves in ways of avoiding malware. The Activity Viewer window in Safari is your friend: If a video is actually embedded in the page, it will show up in the Activity Viewer. If you're not using Safari, View Source should suffice.
You shouldn't have "Open files considered safe" turned on in Safari. To a lot of people, the fact that Safari triggers Disk Utility inspires a false sense of confidence.
And common sense never hurts: Ultracodec? Really? I've never heard of that one before.
"If in doubt, Google it to find out."
Reply