Trojan attacks Macs


Johannesburg, 09 Nov 2007

Receiving some attention this week was the OSX/RSPlug-A Trojan horse, the latest in a very short list of malware that has been designed to specifically target the Mac OS X operating system.

"The Trojan horse poses as a codec to help users view pornographic videos, but in fact changes DNS server entries to direct surfers unwittingly to other Web sites," explains Brett Myroff, CEO of master Sophos distributor, Netxactics.

"This could be for the purposes of phishing, identity theft or simply to drive traffic to alternative Web sites."

This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins, Myroff says.

"The truth is there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform."

Windows assault

Windows users remain the primary targets of a number of Trojans and worms making their appearance this week. Troj/Maran-BC, for example, affects the Windows OS, and its main side-effect is installing itself in the registry. It is also known as Trojan-PSW.Win32.Magania.bdd.

The file avp.exe is registered as a new system driver service named "VGADown", with a display name of "Audio Adapter" and a start-up type of automatic, so it is started automatically during system start-up.

The W32/Virut-S virus has also been noted and is currently spreading via infected files. The W32/SpyBot-OD worm, also on the radar, allows others to access the user's computer and installs itself in the registry.

"W32/SpyBot-OD runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels," says Myroff.

"It includes functionality to access the Internet and communicate with a remote server via HTTP."

The W32/SdBot-DIN worm also makes an appearance and, again, allows others to access the user's computer and installs itself in the registry. Its behaviour is similar to W32/SpyBot-OD, with functionality to access the Internet and communicate with a remote server, Myroff says.

When first run, W32/SdBot-DIN copies itself to <System>\dllcache\mravsc32.exe.

The file mravsc32.exe is registered as a new system driver service named "Distributed Allocated Memory Unit", with a start-up type of automatic, so it is also started automatically during system start-up.

The W32/Virut-R virus also spreads via infected files. It allows others to access the user's computer. "W32/Virut-R is an executable file virus for the Windows platform. It runs continuously in the background, infecting executable files and allowing a remote user to access the computer," says Myroff.

"It's interesting that the OSX/RSPlug-A Trojan horse generated as much column-centimetre attention as it did. A Trojan like this for Windows would hardly receive as much attention because they are encountered every day. Nevertheless, it obviously makes sense for Mac users to ensure they are protected."
