While things have been relatively quiet on the malware front for OS X since a raid on Russian payment processing firm ChronoPay appeared to have taken down MacDefender nearly two months ago, one new trojan horse did pop up earlier this month. As detailed by F-Secure, the trojan known as "OSX.QHost.WB.A" masquerades as a Flash Player installer but actually adds entries to a computer's hosts file to redirect users attempting to visit certain Google sites.
Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands.
The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
Search results on the fake Google pages actually lead to pop-up windows that load external content which was broken at the time of discovery but presumably consisted of advertisements of some sort. While the threat as implemented at the time of discovery was relatively mild, inexperienced users falling for the trojan could find themselves unaware of what had happened to their systems and how to fix the hijacked routing added by the malware.
Consequently, Apple earlier this week made its first significant addition to its "XProtect.plist" file since the spate of MacDefender variants surfaced in June. The XProtect.plist file contains malware definitions to enable users' systems to recognize and warn users of malicious downloads, a feature that debuted with Mac OS X Snow Leopard back in 2009.
The original anti-malware system required manual updates to account for new threats, and as such was updated only rarely by Apple as part of larger software updates. But with an Apple software update issued in response to the MacDefender threat earlier this year, Mac OS X systems are now able to make daily checks for updates to that file to ensure up-to-date protection against malware.
No, it's not a "virus". It's a trojan. You think it's good, but its bad. (heh... depending on if you think "flash" is "good").
A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benvolent use case for such an action, and that very related to what they did here: some anti-ad or anti-spyware utilities modify a host file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the host file should be given a warning like this:
The program _____ is trying to update a core Mac OS X system file that is used to provide network connectivity. While online advertisement blocking programs may require legitimate use of this file, most others applications may represent an attempt to install malicious software onto your computer. Are you sure you want to allow program _____ to modify this file?
Funny.... I updated Flash yesterday on my kids' Mac mini and I thought that writing a Trojan that masquerades as an update to Flash would be brilliant since Flash is updated so often and getting prompted that you need to update Flash to view a website is very common..... And then today, here it is.
Following six weeks of beta testing, iOS 16.4 was released to the public this week. The software update includes a handful of new features and changes for the iPhone 8 and newer. To install an iOS update, open the Settings app on the iPhone, tap General → Software Update, and follow the on-screen instructions.
Below, we have recapped eight new features and changes added with iOS 16.4,...
General Motors (GM) will phase out Apple CarPlay and Android Auto in its vehicles starting this year, shifting to a built-in infotainment system co-developed with Google (via Reuters).
GM owns Buick, Cadillac, Chevrolet, and GMC in the United States. It will stop offering Apple CarPlay and Android Auto starting with the 2024 Chevrolet Blazer, which goes on sale this summer. The company plans ...
Thursday March 30, 2023 7:13 am PDT by Joe Rossignol
With the Apple Music Classical app and an Apple Pay Later early access program now available, the list of previously-announced iOS features that have yet to launch is beginning to shrink. However, there are still a few features we are waiting for. Below, we have recapped three more iOS features that are expected to launch in 2023, including an Apple Card savings account for Daily Cash,...
Apple this week announced the official dates for the 34th annual Worldwide Developers Conference, with the annual WWDC keynote event set to take place on Monday, June 5. The keynote is where Apple unveils new versions of iOS, macOS, watchOS, and tvOS, and sometimes, we get hardware announcements.
Rumors this year suggest there are at least three new devices that are set to be unveiled in the ...
Thursday March 30, 2023 11:36 pm PDT by Tim Hardwick
iPhone 15 Pro and iPhone 15 Pro Max users will be able to customize the sensitivity of the solid-state buttons on their device, thanks to a new sensitivity toggle in Settings. That's according to details provided by a hitherto reliable source that shared additional details on the MacRumors forums. Earlier this week, the same anonymous tipster revealed that the iPhone 15 Pro models will use...
Apple has again pushed back mass production of its mixed-reality headset and the device may not appear at this year's Worldwide Developers Conference (WWDC), Apple analyst Ming-Chi Kuo today said.
Apple headset concept by David Lewis and Marcus Kane In a tweet, Kuo explained that Apple "isn't very optimistic" about whether the headset will be able to create an "iPhone moment." As a result,...
Thursday March 30, 2023 1:18 am PDT by Tim Hardwick
The periscope camera lens that will be exclusive to the iPhone 15 Pro Max will be solely supplied by Largan, according to the 相機鏡頭中獲利-apple-camera-lens-suppliers-face-two-risks-high-53db8da990b2">latest no by Apple industry analyst Ming-Chi Kuo.
Rumors about the iPhone getting a periscope lens have been circulating since early 2020, when Kuo first mentioned the possibility. The analyst...
Apple on March 27 released iOS 16.4, delivering 21 new emoji characters, support for Safari web push notifications, the return of the page-turning animation in the Books app, updates for the Podcasts app, and more.
Top Rated Comments
And yes, this is not a virus. This is malware.
A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benvolent use case for such an action, and that very related to what they did here: some anti-ad or anti-spyware utilities modify a host file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the host file should be given a warning like this:
This has nothing to do with Flash.