"Intego's researchers discovered this threat after seeing an unusual amount of spam, attempting to lead users to porn sites, in Mac forums," Laurent Marteau, CEO of Intego, told AVN Online. "Following some of the links, we found that they were leading to pages that offered nothing more than an eventual download."
Upon arriving at the fraudulent sites, surfers are offered a codec to download in order to view popular adult videos. After clicking on the still galleries, users are redirected to a page that says the QuickTime player is unable to play the movie. Surfers then are prompted to download a new version of a Mac codec to view the material.
"This malware is different from others mainly in its criminal intent - it doesn't damage files or harm computers, but, as has been seen for some time on Windows computers, hijacks a user's browsing by changing their DNS server," Marteau said. "It is especially malicious because its techniques are sophisticated, and it even checks every minute to see if its changes are still effective."
Once the codec has been authorized, a Trojan horse is installed and receives full root privileges on the user's computer. No video codec is actually installed. The fraudsters then can redirect future browsing to fake websites, lift passwords and private information, and send spam ads for adult websites.
Apple spokeswoman Lynn Fox said the company knows about the threat and urges Mac users to be careful about what they download.
"Apple has a great track record for keeping Mac OS X users secure, and, as always, we encourage people to install software only from trusted sources," Fox said in a statement.
The retooled Trojan does not target a vulnerability in the Macintosh operating system; it requires a user to fall for a social-engineering ruse by approving the download and offering an administrator's password. Users who try to return to the website arrive at the same page and receive a new download.
"Education is important here; users shouldn't download files without thinking, and they should never install software they cannot trust," Marteau added. "However, in many cases, users do these things out of good faith. Only up-to-date antivirus software can ensure that their mistakes are not fatal."
Symantec Corp. researchers have reported that there also are Windows versions of the fraudulent sites.