Thread-topic: Anyone seen this yet? The Mac Trojan in the wild.
Some links -
In general:
http://www.eweek.com/article2/0,1895,2171538,00.asp
http://blog.trendmicro.com/rogue-domain-name-system-servers-5breposted5d/
Specific Mac version:
http://peki.blogspot.com/2007/11/dnschanger-effects.html
http://isc.sans.org/diary.html?storyid=3595
Recent updates in ClamXav/Clamav and Norton AV will pick up the installer
package of the new Mac Trojan - but not the dmg of the installer. They pick
up some parts that get installed if those places (most notably the
'plugins.settings' file installed in the /Library/Internet Plugins folder.)
Thankfully on the Mac side an admin password is required to install it.
This is the first widespread Mac trojan and already has copycats and it's
been out less than a month.
If infected, here's a discussion of cleaning the trojan - but note people may
use cron jobs in 10.4 so it's not appropriate to dump cron jobs like the
article suggests (they do not come installed on 10.4 by default but they do
on 10.3 so 10.3 users shouldn't dump cron jobs anyway.) Instead use
something like Cronnix to review the cron jobs and remove inappropriate
ones. Note that getting rid of the DNS entries and the cron jobs is
insufficient to be "clean".
http://www.macosxhints.com/article.php?story=20071031114140862
Note you cannot proxy block these rogue DNSes - this isn't port 80 traffic.
This is port 53 traffic and would require a firewall rule but crafted to
allow all actual DNS servers to go ahead and keep running while blocking
everyone else - no easy task.
--
Steven Kolins
Alamance-Burlington Schools, NC USA
LanTech/Mac Systems Tech
336-516-4082
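The port-53 egress rule the post calls "no easy task", as an added example that is not part of the original post: a POSIX shell script that emits ipfw rules (the firewall on Mac OS X of that era) allowing DNS only to an allowlist of resolvers while logging and dropping every other outbound port-53 packet, plus a check of a resolv.conf file against the same allowlist so a host whose resolvers were changed stands out. The resolver addresses are constructed placeholders, not values from the post.

```shell
# Added example, not from the original post. Rules are printed, not loaded,
# so they can be reviewed before being applied with root privileges.

# Constructed sample addresses (RFC 5737 documentation range); replace with
# the resolvers your network actually uses.
APPROVED_RESOLVERS="192.0.2.10 192.0.2.11"

# gen_dns_rules <first rule number> <resolver IP>...
# Emits one allow rule per resolver for UDP and TCP 53, then a logged deny
# for any other port-53 egress. The log hits are the detection signal.
gen_dns_rules() {
    n="$1"; shift
    for ip in "$@"; do
        printf 'ipfw add %d allow udp from any to %s dst-port 53 out\n' "$n" "$ip"
        n=$((n + 1))
        # TCP 53 is needed for answers too large for UDP
        printf 'ipfw add %d allow tcp from any to %s dst-port 53 out\n' "$n" "$ip"
        n=$((n + 1))
    done
    printf 'ipfw add %d deny log udp from any to any dst-port 53 out\n' "$n"
    n=$((n + 1))
    printf 'ipfw add %d deny log tcp from any to any dst-port 53 out\n' "$n"
}

# check_resolv_conf <file> <approved IP>...
# Prints every nameserver in the file that is not on the allowlist and
# returns 1 if any were found, so it can be run from a script or cron job.
check_resolv_conf() {
    file="$1"; shift
    approved=" $* "
    rc=0
    for ns in $(awk '/^nameserver/ { print $2 }' "$file"); do
        case "$approved" in
            *" $ns "*) ;;                 # known-good resolver
            *) echo "$ns"; rc=1 ;;        # unexpected resolver: investigate
        esac
    done
    return $rc
}

# Example run: print the rule set for the approved resolvers.
gen_dns_rules 1000 $APPROVED_RESOLVERS
```

Run the check against /etc/resolv.conf on each Mac; any address it prints is one the machine has been told to trust that you did not configure.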
Macos-x-server mailing list (email@hidden)