If users thought the Mac-targeted Trojan discovered last week was a one-off, they'll need to think again — security firm F-Secure has discovered 32 variants of it, but claims about its powers have been wildly overstated, acccording to experts.
"Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the Trojan for the Mac too," writes Mikko Hypponen, chief research officer at F-Secure.
Last week, Mac security software vendor Intego discovered a Trojan designed for Mac OS X being distributed via porn sites.
The Trojan is being disguised as a codec — a device used to decode digital streams. If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice. The prime purpose appears to be to make money when people click on ads served on the sites.
The "payloads" of the 32 variants of the Trojan are the same as the original discovered by Intego. However, F-Secure technical manager Patrik Runald said the Trojan is also on a reconnaissance mission of sorts — it reports its findings back to an IP address in the Ukraine.
"It reports the name of the computer and the operating system version back to another IP address within the Ukraine to keep track of the installs they have," he told ZDNet Australia.
There is also a version for Windows platform users, said Runald, and it was this version which led him to the conclusion the group behind the DNS-changing Mac Trojan is the same group behind the malware released earlier this year known as "zlob".
Read this
Photos: Inside the cage at F-Secure
At its Helsinki headquarters, Finnish antivirus company F-Secure opened the door to give a glimpse inside its mobile-malware testing cage
"Zlob is also about click ads and showing ads on your PC and are also typically distributed through fake codecs," said Runald.
It shows that Macs are "starting to get interesting for the bad guys", he added.
"It's not an isolated incident because it's a professional gang behind it, not some teenagers trying to prove a point. They're actually making money out of it and because of this it's unlikely to end soon."
However Runald said the Trojan does not mean Mac platforms are facing a malware epidemic.
Security firm Sunbelt Software's Alex Eckelberry writes on his blog that users should not be alarmed by spurious claims of the Trojan's powers: "We've seen quite a bit of FUD out there about the Trojan DNSChanger — both Windows and Mac versions — hijacking your DNS settings and then redirecting you to malicious websites, stealing personal identities, killing your dog and even crank-calling your grandmother with naughty messages... This Trojan is all about generating affiliate commissions by redirecting search results."
