Trojan Jahkav-C, more to come?
Tuesday, June 23, 2009 at 06:18PM Similar to the way in which users are enticedto install helper applications on the PC, Mac users who visit sites that deliver porn, such as PornTube(which should be on your black list), may get more then they bargain for. The downloaded Trojan hasnames such as HDTVPlayer3.5.dmg, VideoCodec.dmg, macTubePlayer.dmg. This is not self replicating, the user is the defense and it contacts the attacker. When installing applications from the Web users should make sure they trust the source, especially if they need to provide their admin(root) password. Checking the hash (MD5 and SHA) can go a long way as well in ensuring that the file recieved is the intended file.
The Trojan works by using a Perl script that communicates over http allowing the infected computer to exchange data with the attacker. Users may also find a malicious shell scriptsAdobeFlash in the /Library/Internet Plug-Ins. This is a variant of OSX.RSPlug, OSX/Puper and OSX/Jahlav.
drStrangeP0rk
Wow, that took less time then I though. Venture capitalist Guy Kawasaki got a surprise from an auto feed from Twitter. His followers saw post promoting a sexy video of Leighton Meester. When hitting the link OSX/Jahlav-C would be downloaded and then install. The original feed called NowPublic but lower profile accounts are spreading the Trojan via Twitter. Do not open links or install any software from un-trusted sites. You do not need any codec or ActiveX controller to watch videos. (Unless your living in 1996) If you like nude photos stick to legitimate sites and never follow links from email or social sites, most likely you will encounter malicious code.
Link to orignal article on attack
http://news.cnet.com/8301-1009_3-10272457-83.html?part=rss&subj=news&tag=2547-1_3-0-5
drStrangeP0rk
Dark Reading is reporting that Trend Micro has discovered a new variant called OSX_JAHLAV.D infecting computers, it still posesas as a media player. The current version is changing DNS entries and sending unsuspecting users to redirected domains. Currently various anti-virus and firewall products do detect it. Users can do a search, find it and remove it, reset their DNS in System>Preferences and flush the cache with the following command:
- dscacheutil -flushcache
There are other handy options, the man page is a must read.
It is suspected that it may have been tested for creating a Mac BotNet but in its current form it represents a manageable threat. However Mac users must make sure that they have taken steps to secure their systems. Many years ago some friends and I loved making simple client servers and aliasing commands to have fun with one another. The point is all Unix/Linux boxes have security available but it must be used and managed. The Mac as a Unix (BSD) box is no different.
drStrangeP0rk
One more time since the article is fresh.
http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/
Reader Comments