
Aug 13, 2009 By Jared Heinrichs

MacCinema installer virus in the wild. (OSX JAHLAV.c)

A Domain Name System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as the MacCinema Installer (detected by Trend Micro as OSX_JAHLAV.D). This is the latest variant of OSX_JAHLAV.C, which was identified in June.

What is so bad about this Trojan? DNS servers are the white/yellow pages of the internet. Imagine one day you went into your phone book. Everything seemed to be the same way it always had been. You look up a very common company like “Superstore” or “Walmart” and go to the phone number section. Because you TRUST the phone book, you take its word that this is the correct number to call. So you call it. What would happen if that phone number actually went to a competing store, or even worse, to a criminal wanting to steal your identity?

This virus works very similarly, but the consequences are a lot worse, and worst of all, once you’ve been infected you can never trust internet name resolution until you remove the virus.

Here’s how the virus works once it is installed. Whenever you look up a domain like “Google.com” or “Apple.com”, your computer actually asks a server called a DNS server where to go. So in Manitoba we use MTS or Shaw. Both companies run their own DNS servers. When you make a request, the request for the IP address goes to their DNS servers. Most of the time they already know the IP address and send that number back to you. Your browser is then routed through the internet to that IP address.

Here’s the scary part! If you want to go somewhere, your computer is now relying on the virus for directions and not your Internet Service Provider. To make things even worse, the domain names have been set up such that when the main IP goes down or is taken down, cybercriminals can easily move the backend to another IP address without needing to change any code or scripts.

Here’s a screenshot of what the virus looks like. Doesn’t it look very “Mac” like?

[Screenshot: the fake MacCinema installer window]

The Trojan is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains hosted at the IP address 91.214.45.73 (the specific domain names are listed in the Trend Micro write-up linked below).


If infected, a victim’s Web traffic can then be diverted to the website of the attacker’s choosing.

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.
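The two things the write-up describes are a changed resolver and a dropped file in /tmp named with three random digits. The following is an added example, not from the original post or Trend Micro, of how a Mac user or admin could check for both: it parses a constructed sample of `scutil --dns` output (the command that prints the resolvers macOS is actually using) against an allowlist of expected ISP resolvers (hypothetical addresses), and flags /tmp entries whose name is exactly three digits.

```python
import re
from typing import List, Set

# Constructed sample of `scutil --dns` output (not captured from a real machine).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.5
  nameserver[1] : 203.0.113.6
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

# Hypothetical expected resolvers (stand-ins for your ISP's DNS servers).
EXPECTED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")
TMP_DROP_RE = re.compile(r"^\d{3}$")  # /tmp/{random 3 numbers}


def resolvers_from_scutil(output: str) -> List[str]:
    """Return the nameserver addresses in the order scutil --dns lists them."""
    return NAMESERVER_RE.findall(output)


def unexpected_resolvers(output: str, expected: Set[str]) -> List[str]:
    """Nameservers not on the allowlist; any hit means name resolution is not going where you think."""
    return [ns for ns in resolvers_from_scutil(output) if ns not in expected]


def suspicious_tmp_names(tmp_entries: List[str]) -> List[str]:
    """Entries in /tmp whose name is exactly three digits, matching the drop pattern described above."""
    return [name for name in tmp_entries if TMP_DROP_RE.match(name)]


if __name__ == "__main__":
    # On a live Mac: subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    for ns in unexpected_resolvers(SAMPLE_SCUTIL_DNS, EXPECTED_RESOLVERS):
        print(f"unexpected DNS resolver: {ns}")
    # Constructed /tmp listing; on a live Mac use os.listdir("/tmp")
    for name in suspicious_tmp_names(["com.apple.launchd.abc", "417", "notes.txt"]):
        print(f"suspicious /tmp entry: /tmp/{name}")
```

An unexpected resolver is only a lead, not proof of infection (VPNs and manual changes also alter it), but on a machine that should be using its ISP's servers it is exactly the symptom this Trojan produces.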

It would serve Mac users well to stay away from the above-mentioned domains and IP addresses or be wary of prompts to download software updates that do not come from Apple’s legitimate website.

Read more: http://blog.trendmicro.com/mac-os-x-dns-changing-trojan-in-the-wild/#ixzz0O4WVxlRp
