The trojan is found in pornographic sites masquerading as a video codec.
It isn’t a huge threat because to become infected you need to go through several steps:
When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:
Quicktime Player is unable to play movie file.
Please click here to download new version of codec.
After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
The trojan takes over the Mac’s DNS settings and from time to time redirects the Mac to phishing or pornographic websites.
According to Intego, the security company reporting this trojan:
The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31, 2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed.
Right – I can see why they are talking it up then! Still, if you do find your Mac bringing you to websites you didn’t ask for and you (or someone using your Mac – ahem!) have recently installed a video codec, maybe you should look into this further.
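One way to look into this on the Mac itself, as an added example that is not from the original post or from Intego: list the nameservers in `scutil --dns` output and print any that are not on a list you expect. The sample output, its addresses (documentation ranges) and the `EXPECTED_DNS` variable are constructed for illustration.

```shell
#!/bin/sh
# Audit the DNS resolvers a Mac is using against the ones you expect.
# EXPECTED_DNS: space-separated resolver IPs you trust (assumption: set per network).

# Constructed sample of `scutil --dns` output; addresses are documentation
# ranges (RFC 5737), not indicators from the Intego report.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.0.2.1
  nameserver[1] : 203.0.113.66
  if_index : 4 (en0)
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.0.2.1
  nameserver[1] : 203.0.113.66
  if_index : 4 (en0)
  flags    : Scoped, Request A records'

# Reads `scutil --dns` output on stdin; prints each distinct nameserver
# that is not in the allowlist given as $1 (space-separated).
unexpected_resolvers() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
      ip = $3
      if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

# On a Mac, audit the live configuration; elsewhere, fall back to the sample.
audit_dns() {
  if command -v scutil >/dev/null 2>&1; then
    scutil --dns | unexpected_resolvers "$1"
  else
    printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_resolvers "$1"
  fi
}

audit_dns "${EXPECTED_DNS:-192.0.2.1}"
```

Any address it prints is a resolver you did not list; compare it with what your router or ISP hands out before deciding whether it is legitimate.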
This is the first major malware reported which is specifically targeted at OS X since the operating system was released in 2001. I guess it is a sign of OS X’s increasing popularity.