According to Trend Micro, a new variant of the Mac OS X Trojan OSX_JAHLAV has been found in the wild. The new version, OSX_JAHLAV.D, follows the .C variant identified back in June of this year.
The malware presents itself as an updated video codec for the QuickTime player and is pushed by malicious websites as a required QuickTime update needed to view the site’s video content. It is downloaded as a Mac disk image (QuickTimeUpdate.dmg) containing an installer for “MacCinema”. Once run, the malware changes the DNS settings on the local machine, so that future web traffic can be redirected to sites of the attacker’s choosing. Because name resolution itself is hijacked rather than any single site, the user can be sent to a look-alike page for any domain they type, with no change visible in the address bar.
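The practical check that follows from this is simply to look at what resolvers the machine is actually using. The script below is an added example, not code from the original post or from Trend Micro: it parses the output of `scutil --dns` (the format assumed here is that of current macOS), flags any nameserver that is not on an allowlist you define, and can also run against the live system. The sample output, the allowlist and the 203.0.113.x addresses are constructed for illustration and are not indicators from Trend’s write-up.

```python
"""Flag DNS resolvers on a Mac that are not on an expected allowlist.

Added example, not code from the original post or from Trend Micro.
Assumes the `scutil --dns` output format of modern macOS; the sample
below is constructed for illustration and the addresses are not real
indicators of compromise.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `scutil --dns` output. Resolver #1 lists the local
# gateway plus a public resolver; resolver #2 has been pointed at addresses
# that are not on our allowlist (RFC 5737 documentation range, made up).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : 203.0.113.5
  nameserver[1] : 203.0.113.6
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
"""

# Resolvers this machine is expected to use: the local gateway and a public
# resolver. This is an assumed allowlist; adjust it for your own network.
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

_RESOLVER_RE = re.compile(r"^resolver #(\d+)")
_NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text):
    """Return {resolver_number: [nameserver, ...]} from `scutil --dns` output."""
    resolvers = {}
    current = None
    for line in text.splitlines():
        m = _RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers.setdefault(current, [])
            continue
        m = _NAMESERVER_RE.match(line)
        if m and current is not None:
            addr = m.group(1)
            # IPv6 link-local entries carry a zone id ("fe80::1%en0"); drop it.
            addr = addr.split("%", 1)[0]
            try:
                ipaddress.ip_address(addr)  # validate; skip anything that is not an IP
            except ValueError:
                continue
            resolvers[current].append(addr)
    return resolvers


def find_rogue_resolvers(resolvers, trusted=TRUSTED_RESOLVERS):
    """Return a sorted list of (resolver_number, nameserver) pairs not on the allowlist."""
    rogue = []
    for num, servers in resolvers.items():
        for ns in servers:
            if ns not in trusted:
                rogue.append((num, ns))
    return sorted(rogue)


def check_live_system(trusted=TRUSTED_RESOLVERS):
    """Run `scutil --dns` on a real Mac and return the rogue entries.

    Returns None when scutil cannot be run (for example on Linux).
    """
    try:
        out = subprocess.run(["scutil", "--dns"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return find_rogue_resolvers(parse_scutil_dns(out), trusted)


if __name__ == "__main__":
    for num, ns in find_rogue_resolvers(parse_scutil_dns(SAMPLE_SCUTIL_DNS)):
        print(f"sample: resolver #{num} uses unexpected nameserver {ns}")
    live = check_live_system()
    if live is None:
        print("scutil not available; only the constructed sample was checked")
    elif live:
        print("live system: unexpected resolvers:", live)
    else:
        print("live system: all resolvers are on the allowlist")
```

Run on a Mac, the script reports the constructed sample first and then the real configuration; anything it lists for the live system deserves a look at the network preferences (`networksetup -getdnsservers <service>` shows the per-interface setting) and at whatever put it there.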
Obviously, to be infected by this Trojan requires downloading the file, running the installer, and entering valid user credentials, and the overall impact of the Trojan is pretty mild. What I find interesting about this particular threat, however, is that it clearly tries to take advantage of the less savvy Mac user’s belief that they are safe from all bad things on the net. More importantly, I believe it reiterates that the bad guys will continually find new ways to make money: although a simple attack, if successful it provides an easy avenue for tricking naive Mac users into buying things from these fake websites simply because things are not working the way they expect. Given that, I believe we will continue to see more and more updates to this malware and others like it as the growing Mac community provides a new “green market” for malware.
More information on this Trojan, and specifically the IPs associated with the malware, can be found on Trend’s site.