Showing posts with label DNS changer.

Tuesday, November 25, 2008

OS X DNS Changers, part three

Excerpt

Well, it looks like on my first day on duty I have the pleasure of sharing the latest and greatest in OS X DNS hijacking scripts. For long-time readers of ISC this topic may sound somewhat familiar; that is because this subject has been covered twice before in some detail. Since this entry is on the long side of things, I will very quickly cover the important part for readers who DO NOT have the time to read all of this.


http://isc.sans.org/diary.html?storyid=5390

Thursday, May 01, 2008

DNS Changer Trojan Revisited

(Minor) evolution in Mac DNS changer malware

This article tracks the state of the trojan since it was first reported. More AV products now detect it than at its initial discovery, although its authors are attempting to evade detection by obfuscating the install script.

This is a nice, short, and sweet article.

Sunday, November 04, 2007

DNS changer Trojan for Mac (!) in the wild

http://isc.sans.org/diary.html?storyid=3595

This is rather shocking (and not so shocking...both at the same time).

This is NOT a failing of OS X. The trojan installs only through social engineering: the user has to be tricked into downloading and running the installer themselves. It is a human failure, not a software one.

[UPDATE:

I've added the following rule (highlighted at the above link) to two of my Snort sensors:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept-Language\: "; pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"; classtype:trojan-activity; sid:2007650; rev:1;)

]
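To see what the rule above actually keys on, here is an added example (mine, not from the original post or from the rule's authors) that reimplements its three payload conditions in plain Python and runs them over constructed HTTP requests. It does not model the flow/port preconditions (flow:established,to_server; $HTTP_PORTS); only the content and pcre matching. Note what the second content match requires: "Accept-Language" must be the very first header after the request line, which is why a browser request with Host first never fires, even if the language value looks odd. The sample requests and the 192.0.2.1 host are constructed, not captured traffic.

```python
import re

# The three payload conditions of the Snort rule on the page, reimplemented
# for offline testing. Added illustration; flow/port preconditions are not modelled.
CONTENT_GET = b"GET "                                  # content:"GET "; depth:4
CONTENT_HDR = b" HTTP/1.1\r\nAccept-Language: "         # content:" HTTP/1.1|0d 0a|Accept-Language\: "
PCRE = re.compile(rb"Accept-Language: [a-zA-Z0-9]{20}")  # pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"


def matches_mac_trojan_checkin(payload: bytes) -> bool:
    """Return True if a client-to-server HTTP payload would fire the rule."""
    # depth:4 means the first content must sit within the first 4 bytes.
    if payload[:4] != CONTENT_GET:
        return False
    # Second content has no relative modifier, so it may appear anywhere,
    # but in practice it forces Accept-Language to be the first header.
    if CONTENT_HDR not in payload:
        return False
    # pcre is evaluated over the whole payload.
    return PCRE.search(payload) is not None


# Constructed sample requests (not real captures).
SAMPLES = {
    # Normal browser: Host first, hyphen/comma in the language tag.
    "browser": (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Accept-Language: en-US,en;q=0.5\r\n\r\n"),
    # Accept-Language first, but a plausible two-letter value: no 20-char run.
    "odd_order_legit": (b"GET / HTTP/1.1\r\n"
                        b"Accept-Language: en\r\n"
                        b"Host: www.example.com\r\n\r\n"),
    # A 20-char alphanumeric token where the language tag should be,
    # but Host first, so the second content never matches.
    "token_not_first": (b"GET / HTTP/1.1\r\n"
                        b"Host: www.example.com\r\n"
                        b"Accept-Language: abcdefghijklmnopqrst\r\n\r\n"),
    # What the rule is written for: Accept-Language directly after the
    # request line carrying a 20-character alphanumeric value.
    "checkin": (b"GET /cgi-bin/x.cgi HTTP/1.1\r\n"
                b"Accept-Language: a1b2c3d4e5f6g7h8i9j0\r\n"
                b"Host: 192.0.2.1\r\n\r\n"),
    # Not a GET at all.
    "post": (b"POST /x HTTP/1.1\r\n"
             b"Accept-Language: a1b2c3d4e5f6g7h8i9j0\r\n\r\n"),
}


def scan(samples: dict) -> dict:
    """Evaluate every sample and return {name: fired}."""
    return {name: matches_mac_trojan_checkin(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, fired in scan(SAMPLES).items():
        print(f"{name:16s} {'ALERT' if fired else 'ok'}")
```

The token length and header ordering are the whole signature, so a checkin that moves Host ahead of Accept-Language, or pads the value to 19 or 21 characters, slips past it; this is the kind of rule you run alongside resolver-change monitoring, not instead of it.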