While things have been relatively quiet on the malware front for OS X since a raid on Russian payment processing firm ChronoPay appeared to have taken down MacDefender nearly two months ago, one new trojan horse did pop up earlier this month. As detailed by F-Secure, the trojan known as "OSX.QHost.WB.A" masquerades as a Flash Player installer but actually adds entries to a computer's hosts file to redirect users attempting to visit certain Google sites.
Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands.
The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
Search results on the fake Google pages actually lead to pop-up windows that load external content which was broken at the time of discovery but presumably consisted of advertisements of some sort. While the threat as implemented at the time of discovery was relatively mild, inexperienced users falling for the trojan could find themselves unaware of what had happened to their systems and how to fix the hijacked routing added by the malware.
Consequently, Apple earlier this week made its first significant addition to its "XProtect.plist" file since the spate of MacDefender variants surfaced in June. The XProtect.plist file contains malware definitions to enable users' systems to recognize and warn users of malicious downloads, a feature that debuted with Mac OS X Snow Leopard back in 2009.
The original anti-malware system required manual updates to account for new threats, and as such was updated only rarely by Apple as part of larger software updates. But with an Apple software update issued in response to the MacDefender threat earlier this year, Mac OS X systems are now able to make daily checks for updates to that file to ensure up-to-date protection against malware.
No, it's not a "virus". It's a trojan. You think it's good, but its bad. (heh... depending on if you think "flash" is "good").
A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benvolent use case for such an action, and that very related to what they did here: some anti-ad or anti-spyware utilities modify a host file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the host file should be given a warning like this:
The program _____ is trying to update a core Mac OS X system file that is used to provide network connectivity. While online advertisement blocking programs may require legitimate use of this file, most others applications may represent an attempt to install malicious software onto your computer. Are you sure you want to allow program _____ to modify this file?
Funny.... I updated Flash yesterday on my kids' Mac mini and I thought that writing a Trojan that masquerades as an update to Flash would be brilliant since Flash is updated so often and getting prompted that you need to update Flash to view a website is very common..... And then today, here it is.
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99.
The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
Wednesday February 3, 2021 3:09 pm PST by Juli Clover
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option.
A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
Apple has been involved in a long-running iPhone trademark dispute in Brazil, which was revived today by IGB Electronica, a Brazilian consumer electronics company that originally registered the "iPhone" name in 2000.
IGB Electronica fought a multi-year battle with Apple in an attempt to get exclusive rights to the "iPhone" trademark, but ultimately lost, and now the case has been brought to...
Wednesday August 25, 2021 3:55 am PDT by Tim Hardwick
Google has rolled out picture-in-picture support as an "experimental" feature for YouTube premium subscribers, allowing them to watch video in a small window when the app is closed.
If you're a premium YouTube subscriber looking to try out picture-in-picture, follow these steps: Launch a web browser and sign into your YouTube account at YouTube.com.
Navigate to www.youtube.com/new.
Scroll...
Apple has published a FAQ titled "Expanded Protections for Children" which aims to allay users' privacy concerns about the new CSAM detection in iCloud Photos and communication safety for Messages features that the company announced last week. "Since we announced these features, many stakeholders including privacy organizations and child safety organizations have expressed their support of...
Tuesday October 15, 2019 9:44 am PDT by Eric Slivka
Apple is currently engaged in a cat-and-mouse game with persistent kids looking to circumvent Screen Time restrictions, but the company has been receiving some criticism for not moving quickly enough to lock down some of the loopholes, reports The Washington Post.
A few of the loopholes and ways for parents to shut them down are documented on the site Protect Young Eyes, while these and...
Monday September 24, 2018 3:26 pm PDT by Juli Clover
Apple's new macOS Mojave update is not compatible with mid-2010 and mid-2012 Mac Pros with stock GPUs, but it is supported on 2010 and 2012 Mac Pro models that have been upgraded with graphics cards that support Metal.
Apple today shared a new support document that provides a list of graphics cards that are Metal-capable, which will be useful for 2010 and 2012 Mac Pro owners who want to...
Friday September 3, 2021 11:13 am PDT by Juli Clover
For this week's giveaway, we've teamed up with MAXOAK to offer MacRumors readers a chance to win a Bluetti portable power station and an accompanying solar panel. Bluetti makes a range of portable power station options that are useful for camping, emergencies, power outages, off-grid living, and similar situations.
The Bluetti EB70 is a solid middle of the road option that offers 716Wh and...
If you unwrapped an Apple product today it likely came with one of the company's first-party Lightning cables, but having an extra on hand is always a good idea, so you can place it in other rooms in your house, in your car, or in a bag when you travel.
For that reason, now's a good time to shop for third-party Lightning cables that are cheaper than Apple's own accessory, but still Made For...
Apple has stopped selling the second-generation 10.5-inch iPad Pro, originally released in June 2017, after launching a new 10.5-inch iPad Air today.
The 10.5-inch iPad Pro had remained available from $649 following the release of 11-inch and 12.9-inch iPad Pro models in October 2018, but it has been replaced by the 10.5-inch iPad Air with a cheaper starting price of $499.
The new iPad...
Top Rated Comments
And yes, this is not a virus. This is malware.
A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benvolent use case for such an action, and that very related to what they did here: some anti-ad or anti-spyware utilities modify a host file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the host file should be given a warning like this:
This has nothing to do with Flash.