Mac Porn Surfers Subject to QT Flaw

Attackers are going after Macintosh computer users who are visiting pornographic web sites, claiming to offer a plug-in that installs a video codec necessary to play the movie files within QuickTime.

On certain profiles, the links to the Trojan download appear as stills to a supposed porn clip. When a Mac user clicks on the link, they are taken to a page with the message "Quicktime Player is unable to play movie file. Please click here to download new version of codec." From there, the install would proceed like a normal program install.

Instead, the plug-in is actually a Trojan horse that hijacks the Mac's DNS settings, resetting them to a malicious one that will actually redirect popular websites such as eBay, Paypal, and some banks.

The supposed codec never installs, thus when the user returns to the page, they will still receive the same above message. Uninstalling the application won't take away the changed settings, according to Intego Security, which disclosed the flaw.

"Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually," the company said.

In addition to the DNS hijack, a root crontab is installed to ensure the malicious DNS server is always being used, even when the user changes locations, which can sometimes change the DNS server used.

Intego said in an advisory it had reason to believe there were several different versions of the Trojan, and country-specfic ones as well. The company said its anti-virus software for the Mac would protect against the exploit.

There was no immediate word whether Apple planned to take any action on the vulnerability through an update for QuickTime.

41 Responses to Mac Porn Surfers Subject to QT Flaw

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.