Mac users, be wary!

Thursday, November 1st, 2007 11:21 am

You may have heard of a trojan known to install itself on Windows computers by exploiting security holes in MySpace pages. This type of malware belongs to a family called Puper, which has been affecting computer users since 2005.

Yesterday, McAfee Avert Labs announced that the authors of Puper have unleashed a similar piece of malware that affects Mac OS X. The trojan masquerades as a codec needed to play videos on a website. (As of October 31st, McAfee said that the trojan is only found on porn websites, but don’t expect this to last; like all viruses, the trojan will soon be planted on other types of websites as well.) If you visit a site carrying the Puper trojan, you will be prompted to install a DMG file that contains an installer for a program called “MacCodec.” Depending on your browser settings, your computer may download and open the file automatically.

What does the trojan do? According to the McAfee Avert Labs description,

In the background, a script is created which then creates a scheduled task to change the DNS to point to a malicious server. In effect, instead of getting valid entries for websites like you would expect, you’re now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you.

For more information on DNS changing trojans: Puper (Zlob): What Are the Attackers Targeting? [McAfee Avert Labs Blog]
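A way to check for the DNS change described above, as an added example that is not from the original post or from McAfee: it lists the resolvers in output of the form printed by `scutil --dns` and reports any that are not on a list you expect. The function names, the sample listing and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an expected list.
# Input is text in the form printed by `scutil --dns` on Mac OS X,
# e.g. "  nameserver[0] : 192.168.1.1".

# Print each distinct nameserver address found on stdin.
list_resolvers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | sort -u
}

# Usage: unexpected_resolvers ALLOWED... < resolver-listing
# Prints resolvers that are not in ALLOWED; exit status is 1 if any were found.
unexpected_resolvers() {
    found=0
    for ns in $(list_resolvers); do
        ok=0
        for allowed in "$@"; do
            if [ "$ns" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$ns"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample listing (documentation-range addresses, not real indicators).
SAMPLE='DNS configuration
resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.45
  if_index : 4 (en0)
'

# Demo on the sample, with 192.168.1.1 assumed to be the resolver you expect.
printf '%s' "$SAMPLE" | unexpected_resolvers 192.168.1.1 || true

# On a Mac, feed it the live configuration instead:
#   scutil --dns | unexpected_resolvers 192.168.1.1
```

Pass the resolver addresses handed out by your own router or ISP as the arguments; anything the function prints is a resolver you did not expect and should be investigated.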

So, what can you do to protect yourself? Practice safe browsing: lock down your browser (instructions below), download only from sites you trust, and install only programs that you downloaded intentionally. If you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site like MacUpdate.com or VersionTracker.com (not all legit programs are available on these sites, but they can serve as a good reality check).

To protect your computer and change your settings, follow these steps:

  • Firefox
    Go to the Firefox menu and choose “Preferences.”
    Click on the “Main” tab and check “always ask me where to save files.”
  • Safari
    Go to the “Safari” menu and choose “Preferences.”
    Click on the General tab and un-check “open ’safe’ files after downloading.”

Source: McAfee Avert Labs Blog, “Crimeware comes to OS X”

Edit: For more information (including instructions on detecting and removing the trojan), see the MacWorld article, Trojan Horse warning: What you need to know


One Response to “Mac users, be wary!”

  1. Peter Says:

    Nice! Thanks!
