Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:21 PM
Connect Directly

Mac OS X Trojan Attack Changes DNS Settings

Researchers spot new variant of malware that prepares machines for botnet recruitment and other cybercrime uses

A new Trojan attack aimed at Mac OS X machines poses as a media player update but instead changes the Domain Name Service (DNS) settings on the victim's machine.

Researchers at Trend Micro recently spotted the Trojan, which poses as a QuickTime Player update and goes by the fake name "MacCinema Installer," in the wild. It's a new variant of an existing Trojan, but with a twist: "What's interesting is that it's a DNS-changing Trojan" for Mac OS X, says David Perry, global director of education for Trend Micro.

Perry says the malware, which Trend Micro has identified as OSX_JAHLAV.D, is basically a stage one infection, meaning that it's likely more a way for cybercrime brokers to set up infected machines for sale later. "The reason they get DNS control is so that later in the game you can sell these assets to a criminal enterprise," which can then change the DNSes and redirect the infected machines, he says.

"We don't know the ultimate use of the machine ... but it's being set up to sell later."

The good news is that the attack doesn't really do any major damage -- yet -- and it's fairly simple to clean it up. Trend suggests dragging and dropping "MacCinema" in the Mac trash box and then changing your machine's DNS settings to "auto."

"This version just changes your DNS. That's just stage one," says Jamz Yaneza, threat research manager for Trend Micro. But the machine is basically set to be automatically updated by the bad guys, although this version of the Trojan doesn't do so at this time, he says.

While the conventional wisdom is that Macs don't get viruses, this attack shows they aren't immune from attack, says. "That might be true [that Macs don't get viruses], but they get Trojans and everything else," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.