Newly discovered 4th member of the OSX_JAHLAV malware family.

[MeatPounder]

TrendMicro is reporting on a newly discovered 4th member of the OSX_JAHLAV malware family.

The latest variant is once again relying on social engineering, this time spreading under a QuickTime Player update (QuickTimeUpdate.dmg) with a DNS changer component enabling the malware authors to redirect and monitor the traffic of the victim.

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.

Not only are cybercriminals beginning to acknowledge the “under-served” Mac OS X segment, but also, they’re already borrowing tricks from the Microsoft Windows playbook such as OS-independent tactics like fake codecs and bogus video players. The irony? Both the Mac OS X and Windows malware are hosted on the same domains, with copies of each served on the basis on browser detection.

From fake ActiveX objects at adult sites like the “Macintosh Porn Tube”, to bogus codecs and players, these tactics have been dominating the Windows threatscape for years, and will continue to do so, simply because they work. However, among the key advantages a cybercriminal coding/generating malware targeting Apple’s Mac OS X has, is the overall perception of its invincibility to malware, a state of false feeling of security shared across a huge number of people.

Meanwhile, Apple Inc. is already offering security advice stating that “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”