A Domain Name System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as MacCinema Installer (detected by Trend Micro as OSX_JAHLAV.D). It is the latest variant of OSX_JAHLAV.C, which was identified in June.
What is so bad about this Trojan? DNS servers are the white/yellow pages of the Internet. Imagine that one day you open your phone book and everything looks exactly the way it always has. You look up a very common company like "Superstore" or "Walmart" and turn to its phone number. Because you trust the phone book, you take its word that this is the correct number, so you dial it. What would happen if that number actually rang a competing store, or worse, a criminal waiting to steal your identity?
This Trojan works in much the same way, but the consequences are a lot worse, and worst of all, once you have been infected you can never trust Internet name resolution until you remove it.
Here is how it works once installed. Whenever you look up a domain like "google.com" or "apple.com", your computer asks a DNS server where to go. Here in Manitoba most of us use MTS or Shaw, and both companies run their own DNS servers. Your request for the IP address goes to their DNS servers; most of the time they already know the answer and send the number straight back to you, and your browser then connects to that IP address.
Here is the scary part. Once the Trojan has changed your DNS settings, your computer relies on the attacker's DNS server for directions instead of your Internet service provider's. To make things worse, the domain names have been set up so that when the main IP address goes down or is taken down, the cybercriminals can easily move the backend to another IP address without changing any code or scripts.
Here is a screenshot of what the Trojan's installer looks like. Doesn't it look very "Mac"-like?
The Trojan poses as a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains resolving to the IP address 91.214.45.73, such as:
- allincorx
- bigdron
- cikaredo
- civilizxx
- comeandtryx
- deribrowns
- draxxtermania
- givendream
- hitrowzone
- jumborad
- ltdkeeper
- operationelx
- oxxadox
- paxxtiger
- rednetx
- rstdeals
- simplexdoom
- sinisteer
- tdenuwas
- tniredrum
- ufapeace
If infected, a victim’s Web traffic can then be diverted to the website of the attacker’s choosing.
The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user's activities. It may also redirect the user to phishing sites or to sites from which other malware is downloaded.
Mac users would do well to stay away from the domains and IP address listed above, and to be wary of any prompt to download a software update that does not come from Apple's own site or from Software Update.
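Two things worth checking on a Mac after reading the above are the resolver list the machine is actually using (the "directions" the Trojan hijacks) and the /tmp/{three digits} drop file left by the Perl downloader. The script below is an added example, not code from the Trend Micro post. It assumes a hypothetical allowlist of expected resolvers (10.0.0.1 and 10.0.0.2 stand in for your ISP's; replace them with your own) and uses constructed `scutil --dns` output so it runs offline; on a live Mac you would pipe the real `scutil --dns` output into the same functions and point the file check at /tmp.

```shell
#!/bin/sh
# Added example (not from the Trend Micro write-up): two quick checks for the
# behaviour described above on a Mac. The allowlist of expected resolvers is a
# hypothetical one; replace it with your ISP's or your own resolver addresses.

# check_resolvers ALLOWLIST
#   Reads resolver IPs, one per line, from stdin and compares each against the
#   space-separated ALLOWLIST. Prints every resolver that is not on the list.
#   Returns 0 when all resolvers are expected, 1 when at least one is not.
check_resolvers() {
    allow="$1"
    bad=0
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        case " $allow " in
            *" $ip "*) ;;                                  # expected resolver
            *) echo "UNEXPECTED resolver: $ip"; bad=1 ;;   # not one of ours
        esac
    done
    return "$bad"
}

# find_dropped_tmp_files DIR
#   The Perl downloader stores its payload as /tmp/<three digits>. Lists any
#   regular file in DIR whose name is exactly three digits.
#   Returns 0 when none is present, 1 when at least one was found.
find_dropped_tmp_files() {
    dir="$1"
    found=0
    for f in "$dir"/[0-9][0-9][0-9]; do
        [ -f "$f" ] || continue     # an unmatched glob stays literal; skip it
        echo "SUSPICIOUS file: $f"
        found=1
    done
    return "$found"
}

# extract_resolvers
#   Pulls the IP out of the "nameserver[N] : a.b.c.d" lines that scutil --dns
#   prints, one per line, de-duplicated. On a live Mac:
#       scutil --dns | extract_resolvers | check_resolvers "10.0.0.1 10.0.0.2"
extract_resolvers() {
    awk '/nameserver\[/ { print $3 }' | sort -u
}

# Constructed sample of scutil --dns output: the hypothetical ISP resolvers
# 10.0.0.1 / 10.0.0.2 with one rogue resolver (203.0.113.7) added.
SAMPLE_SCUTIL='resolver #1
  nameserver[0] : 10.0.0.1
  nameserver[1] : 203.0.113.7
resolver #2
  nameserver[0] : 10.0.0.2'

if printf '%s\n' "$SAMPLE_SCUTIL" | extract_resolvers | check_resolvers "10.0.0.1 10.0.0.2"; then
    echo "resolvers look normal"
else
    echo "DNS settings have been changed; fix them in the Network preference pane and remove the Trojan"
fi

# On a real machine: find_dropped_tmp_files /tmp
```

`scutil --dns` shows the resolvers the system is really using, which is the right place to look because the Trojan changes the system's DNS settings rather than anything in the browser; if the resolver list contains an address that is not your ISP's (or the one you set yourself), assume the phone book has been swapped.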
Read more: http://blog.trendmicro.com/mac-os-x-dns-changing-trojan-in-the-wild/