9 Replies Latest reply: Aug 3, 2008 6:02 PM by Ronda Wilson
Klaus1 Level 8 (44,495 points)
Whilst no viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions, the appearance of Trojans that can infect a Mac seems to be growing.

SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

http://macscan.securemac.com/

The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X. One of the first of these was called DNSChanger Trojan and is also known as OSX.RSPlug. A Trojan Horse, the software attacks users attempting to play a fake video file.

Upon attempting to play the video, the victim received the following message:

“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”

Upon running the installer, the user's DNS records are modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's DNS records stay modified on a minute-by-minute basis.

SecureMac's DNSChanger Removal Tool allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

A white paper has recently been published on the subject of Trojans by SubRosaSoft, available here:

http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174

Also, beware of MacSweeper:

MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland-based computer security software company, on January 17, 2008.

http://en.wikipedia.org/wiki/MacSweeper

On June 23, 2008 this news reached Mac users:

http://www.theregister.co.uk/2008/06/23/mac_trojan/

More information on Mac security can be found here:

http://macscan.securemac.com/

More on Trojans on the Mac here:

http://www.technewsworld.com/story/63574.html?welcome=1214487119

The latest news on the subject, from July 25, 2008, is:

Attack code that exploits flaws in the net's addressing system is starting to circulate online, say security experts.

The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.

In light of the news, net firms are being urged to apply a fix for the loophole before attacks by hi-tech criminals become widespread.

Net security groups say there is anecdotal evidence that small scale attacks are already happening.
Further details here: http://news.bbc.co.uk/2/hi/technology/7525206.stm

There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future.

This User Tip will be updated from time to time as appropriate.

Note: AFAIK the foregoing is accurate and up to date, and this user tip is ready for publication, unless anyone has any objections or amendments?

20" 2.1GHz iSight iMac G5, 250GB HD, 1.5GB RAM, Mac OS X (10.4.11), iLife 6.0.3, Toast 7.1.3, iTunes 7.6.2, QTPro 7.5, Safari 3.1.2, iChat 3.1.9
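The DNSChanger behaviour the tip above describes (altered DNS servers plus a watchdog that re-applies them every minute) can be checked for with a short script. This is an added example, not part of the original post or of SecureMac's tool; it parses constructed samples in the shape of `scutil --dns` and `crontab -l` output on Mac OS X, and the resolver address 203.0.113.5, the allowlist and the `/path/to/watchdog` entry are assumptions, not indicators from the page.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `scutil --dns` output on Mac OS X.
# Not a real capture; 203.0.113.5 is a documentation address standing in
# for an attacker-controlled resolver.
SAMPLE_SCUTIL_DNS = """\
resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
"""

# Constructed crontab listing (shape of `crontab -l`). The first job is a
# hypothetical watchdog that re-applies settings every minute.
SAMPLE_CRONTAB = """\
* * * * * /path/to/watchdog >/dev/null 2>&1
0 3 * * * /usr/local/bin/nightly-backup.sh
"""

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_output: str) -> List[str]:
    """Extract every nameserver address from scutil-style output."""
    return NAMESERVER_RE.findall(scutil_output)


def unexpected_nameservers(scutil_output: str, allowlist: Set[str]) -> List[str]:
    """Return resolvers that are not in the administrator's known-good set."""
    return [ns for ns in parse_nameservers(scutil_output) if ns not in allowlist]


def minute_cron_jobs(crontab_text: str) -> List[str]:
    """Return commands scheduled every minute (the watchdog pattern)."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and fields[:5] == ["*"] * 5:
            jobs.append(fields[5])
    return jobs


def dns_hijack_report(scutil_output: str, crontab_text: str,
                      allowlist: Set[str]) -> Dict[str, List[str]]:
    """Both findings together match the tip's description; either alone merits a look."""
    return {
        "unexpected_nameservers": unexpected_nameservers(scutil_output, allowlist),
        "minute_cron_jobs": minute_cron_jobs(crontab_text),
    }
```

On a real machine, feed the script the live output of `scutil --dns` and `crontab -l` and set the allowlist to the resolvers your router or ISP actually hands out.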
  • 1. Re: Trojan Detection and Removal
    Ralph Johns (UK) Level 9 (67,505 points)
    Possibly some of the links could be made shorter.

    SubRosaSoft's MacForensicLab on Malware and more as a For Instance.

    I tend to add the Title as the first line.
    Easier for later adding update info to the line. See mine.

    Also, if there are no further comments and you think it is ready, the instructions above the topic list read:

    1. Create a new topic to post your tip. You may also suggest an edit to an existing tip, but please make sure to include a link to the existing tip. If you are not sure how to write a tip that you want to contribute, you may post your tip idea and request feedback and help from the community of contributors.
    2. Post a followup message to request feedback or announce that your tip is completed.
    3. If you receive feedback that you want to incorporate into your tip, create a new response with the edited tip and return to step #2.
    4. Approximately 5 days after you announce that your tip is completed (if there is no objection from another user), a Host will lock the thread and either move your completed tip to the User Tips Library or edit the existing tip. If your tip is moved, you will be credited as the author of the tip. If you request an edit to a tip that you did not write, you will receive credit in the byline ("This version of this User Tip submitted by: Mark W.").

    (I was sure it used to say that the title of the Follow up should be changed to Read User Tip Complete)

    8:09 PM Sunday; August 3, 2008
  • 2. Re: Trojan Detection and Removal
    Klaus1 Level 8 (44,495 points)
    Thanks Ralph.

    I have added that first line, repeating the thread title.

    As for shorter links, I never use them. Why? It has become my distinct impression that many (most?) inexperienced posters fail to realise that the blue words form a link. Instead they usually assume that a bit of colour was added for emphasis, as an alternative to bold.

    I'll give it a few days to see if anyone else wants to comment.

    As hardly a soul ever comes here, I will also post this suggested User Tip in the Lounge!
  • 3. Re: Trojan Detection and Removal
    BDAqua Level 10 (116,480 points)
    I've seen you post that once or twice, looks great!

    As for shorter links, I never use them. Why? It has become my distinct impression that many (most?) inexperienced posters fail to realise that the blue words form a link. Instead they usually assume that a bit of colour was added for emphasis, as an alternative to bold.

    Totally agree, but even people with experience like to get an idea of what they're in for and where. I only use tinyurl in cases where it's a ridiculous URL affecting readability of the Forums.
  • 4. Re: Trojan Detection and Removal
    Ralph Johns (UK) Level 9 (67,505 points)
    Fair enough.

    11:00 PM Sunday; August 3, 2008
  • 5. Re: Trojan Detection and Removal
    Klaus1 Level 8 (44,495 points)
    even people with experience like to get an idea of what they're in for and where

    Good point which I had forgotten.

    If I am going to be taken to clickheretogetyourmacfried.com I want to know in advance!
  • 6. Re: Trojan Detection and Removal
    Michael Conniff Level 7 (33,120 points)
    Only one comment, Klaus, again related to the external links. The BBC one will expire before too long, I don't know about the others.

    I'm not sure what the best solution is—obviously you can't copy the content, but maybe you could put a short summary in parentheses next to the link?
  • 7. Re: Trojan Detection and Removal
    Klaus1 Level 8 (44,495 points)
    I doubt whether that BBC link will expire in the foreseeable future.

    Look to the right under the column 'See Also'. I went back through several of those links until I stopped at this link from 2001:

    http://news.bbc.co.uk/2/hi/science/nature/1321176.stm

    Their old pages are usually obtainable 'for ever', but finding them using their search function is a different matter!

    (Why does that sound familiar?)
  • 8. Re: Trojan Detection and Removal
    Michael Conniff Level 7 (33,120 points)
    Klaus1 wrote:
    I doubt whether that BBC link will expire in the foreseeable future.

    OK, if you've looked into this that's great!

    Not really convinced the BBC article is that good actually, but it probably raises awareness without being too scare-mongering!
  • 9. Re: Trojan Detection and Removal
    Ronda Wilson Level 8 (40,695 points)
    +As for shorter links, I never use them. Why? It has become my distinct impression that many (most?) inexperienced posters fail to realise that the blue words form a link.+

    Yes, I came to that conclusion quite a while ago, too. I now underline hypertext links so that the text is both blue and underlined. That usually does the trick.