Nov 03

OSX Trojan

The fact is rare enough to be worth mentioning. A “trojan” for OSX (Leopard included) is in the wild. It works by asking the user to download a codec to watch a video (I let you guess what type of video it can be :) ). It looks something like this on the web page:

“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”

When the user clicks, a .dmg is downloaded and the user is asked for the administrator password (nobody uses the admin account as their everyday account, right? :) ). Instead of installing the promised codec, it changes the default DNS servers. So when you request a web site, the new DNS server redirects you to a fake one… Of course the user should notice that something is wrong because the admin password is requested, but I have a little doubt here… Of course the DNS server will not redirect every site to a fake one.

The advisory can be found here: Intego Security Memo

A good idea would be to block the fake DNS server in the firewall; however, I haven’t found its address. If anyone knows it, that would be useful. It would also be nice to check which sites are redirected.
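As an added example (written here, not part of the original post or of the Intego memo): a small Python script that looks up a list of sites through the DNS server currently set on the Mac and again through a resolver you trust, and lists the sites whose answers differ. It assumes you supply both server addresses yourself; on OS X the configured ones are shown by `scutil --dns`.

```python
import random, socket, struct

def build_query(name, txid):
    """Minimal DNS query for an A record, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Offset just past a DNS name; a compression pointer (0xC0..) ends it in 2 bytes."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_a_records(data, txid):
    """Set of IPv4 addresses in the answer section of a response to build_query()."""
    rid, _flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(name, server, timeout=2.0):
    """Ask one specific DNS server (not the system resolver) for A records."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)

def find_redirected(configured, trusted):
    """Names whose answers differ between the two resolvers, with both answer sets."""
    return {n: (configured[n], trusted[n]) for n in configured if configured[n] != trusted[n]}

def check_sites(names, configured_server, trusted_server):
    # configured_server / trusted_server are placeholders for the addresses you supply
    return find_redirected({n: resolve_a(n, configured_server) for n in names},
                           {n: resolve_a(n, trusted_server) for n in names})
```

Differences can also come from CDNs answering by location, so a mismatch is a lead to look into rather than proof; an unexpected resolver address in `scutil --dns` is the stronger sign.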
