
Mac Trojan disguised as Flash Player initiates redirection attack


AlienForce1


There's a new Mac OS X Trojan in town, and it masquerades as a FlashPlayer.pkg installer, warns F-Secure.


"Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands," say the researchers.

The infected users are consequently faced with a fake Google Search page that looks very much like the legitimate one and is unlikely to raise suspicions as the URL in the address bar says google.com.tw or similar (but without the www).


When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.

Here's a search request on the real Google.com.tw site on a clean system:

[Screenshot]

And here's the same request on an infected system:

[Screenshot]

At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.

The other remote server returning fake search requests appears to be still active.

F-Secure detects this as Trojan:BASH/QHost.WB.

Source: F-Secure Weblog
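
The hosts-file change described in the post above can be checked for with a short script. This is an added example, not part of the original post or of F-Secure's write-up; the function names, the "google" name pattern and the sample hosts content are assumptions made for illustration, and only the IP address comes from the post.

```python
import ipaddress
import re

# Redirect target reported in the post.
REPORTED_IP = "91.224.160.26"
# Assumption: any hostname with a "google" label is worth watching.
WATCHED = re.compile(r"(^|\.)google\.", re.IGNORECASE)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def find_hijacks(text):
    """Return findings for names pinned to the reported or an unexpected IP."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are typical block-list sinks
        if str(ip) == REPORTED_IP:
            findings.append((line_no, name, str(ip), "reported-ip"))
        elif WATCHED.search(name):
            findings.append((line_no, name, str(ip), "watched-name-pinned"))
    return findings


# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
91.224.160.26   google.com.tw   # constructed entry
91.224.160.26   Google.com.tl
0.0.0.0         ads.example.net
203.0.113.7     www.google.com  # constructed, documentation range
"""

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a Mac, pass the contents of `/etc/hosts` to `find_hijacks` instead of the sample string.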

  • Administrator

Please link to the source/original article. ;)



AlienForce1

Please link to the source/original article. ;)

- there was already a link to orig. article

There's a new Mac OS X Trojan in town, and it masquerades as a FlashPlayer.pkg installer, warns F-Secure.

- but, I complied with the request



  • Administrator

Oh I see. I did see the "warns F-Secure" thing, but I thought this article was from a 3rd-party news site. Nice to see the link in the end anyway. :)



It was a link to the article, but it wasn't a credit to the source. We must give (visible) credits to the entities that created the stories, courtesy & politeness being among the reasons :) Just linking inside the article is not enough.

Thank you for adding the source :)
