Mac Trojan “In Wild” On Porno Site — Apocalypse Pending

Screenshot from Sophos' webpage detailing the OSX/Jahlav-C Trojan.

A new Mac Trojan has been spotted “in the wild” on a porno website, prompting a wave of misleading and inaccurate Mac malware stories.

A Trojan named OSX/Jahlav-C has been spotted on a porno website (xhottube.net), the British security group Sophos said on Friday.

In a blog post about the virus, Sophos also mentioned an update to an email worm called OSX/Tored-A, which has prompted news organizations to warn of renewed malware attacks against Macs.

But only the OSX/Jahlav-C is in the wild, and even Sophos described the OSX/Tored-A as “lame.”

The new OSX/Jahlav-C Trojan infects Macs when visitors to the “hardcore” porno website try to watch the site’s main video. They are prompted to download a “missing Video ActiveX Object” but are infected with the OSX/Jahlav-C Trojan instead, says Sophos.

The social engineering here isn’t very sophisticated — ActiveX is associated with Windows. In addition, it’s unclear what the OSX/Jahlav-C Trojan actually does. Sophos says “it will eventually run a Perl script that uses http to communicate with a remote website and download code supplied by the attacker.”

What that code does, Sophos doesn’t say. Apparently, it hasn’t executed the Perl script yet. Sophos rates the Trojan as low to medium risk.

“Although there is only a tiny amount of Mac malware compared to Windows viruses, that’s going to be little consolation if your gorgeous new MacBook gets infected,” said a sarcastic post on the company blog. “And sadly we know that many Mac users still believe they are somehow magically immune from attacks.”

The company made a condescending video demonstrating the attack (posted after the jump) — “Is it safe to surf for porn on an Apple Mac?”

UPDATE: ParetoLogic, a Canadian anti-virus company, is also warning about OSX/Jahlav-C. The Trojan is associated with PornTube, says MacNN.

UPDATE 2: Reader Scam Finder says the Trojan doesn’t exist on the xhottube site. Scam Finder tried to purposely infect his Mac but failed. See the comment below.

Is it safe to surf for porn on an Apple Mac? from Sophos Labs on Vimeo.

About the author

Leander Kahney

Leander Kahney is the editor of Cult of Mac, and author of three books about technology culture: Inside Steve’s Brain, the New York Times bestseller about Steve Jobs; Cult of Mac; and Cult of iPod. Leander has written for Wired, MacWeek, Scientific American, and The Guardian in London. Follow Leander on Twitter @lkahney and Facebook.

16 comments

    Trojan Horse. Still requires user to do something.

    In any case I think it’s a bit silly since it comes up with something about “ActiveX” and Macs can’t even USE ActiveX.

    The problem is that the trojan does not exist. This is the second Mac malware that Sophos has made up. As I was curious, because I’m wiping Leopard tomorrow anyway, I went to the website it is on (xhottube.net) and looked to see if the behavior happened. I followed the steps to the word, and this is what happened:
    1. “you need to install a codec to watch this movie”
    2. click ok
    3. page changes
    4. Safari alerts page contains malware.
    5. pressed continue.
    6. error 403 forbidden.

    Their previous one was supposedly hosted on (http://www.hdtvxvid.org/index-1.html)

    A Trojan on a porn website. I did hear the industry was aiming for a higher level of safety for its actors. What, no screen shots?

    Hmm…I’ll probably get bashed by other security pros for saying this but … I do not consider it a security issue when a user knowingly downloads and executes something on their computer. Same reason I don’t consider it a security issue when someone gives out their credit card number to someone calling from the “credit card” company.

    Oh no!!! A piece of malware for the Mac! Run for the hills! Hide your babies and women folk!!! Duck and cover! Oh, the humanity!!!!!!

    Yawn.

    10^2 pieces of malware for the Mac. 10^6 for Windows. That’s 4 orders of magnitude difference. That’s not “a tiny amount of Mac malware compared to Windows”, that’s “a tiny, tiny, tiny, tiny! amount of Mac malware compared to Windows”.

    One new piece in the wild in what, 3 months? That’s like a 1% increase in the volume of malware for the Mac. If Windows had an article written for every piece of malware that infects it, there’d be over 20,000 articles written every day! (ref: F-Secure quotes 25K+ per day) The publishing industry would buckle under the strain of keeping up!

    Compared to 1 per quarter.

    The Mac gets dumped on disproportionately because it’s News! when a Mac-specific piece of malware comes out (and the AV Co’s. want to sell something for the Mac). (Did anyone take note of the fact that the same site that hosted this Mac malware also hosted a Windows version? Hmm? Nope, didn’t think so…) BTW, the site that hosted the Mac threat, xhottube.net, no longer delivers it. So it’s no longer a threat.

    Yawn.

    I think that new Apple users might not be aware that Active-X was a PC thing, although it’s certainly a red flag for me.

    As for the “Is it safe to surf for porn on a Mac?” headline… about as safe as it is to surf for just about anything on any computer — there will always be those who take advantage of the unwary to try to install malware, and there really just isn’t a foolproof way to combat it. (My solution is never to download software updates from prompts on any untrusted site — which should include any site that allows the public to provide their own content — and always get them from the manufacturer instead, but most users wouldn’t know how to do that or wouldn’t have the patience to do so.)

    [...] A few weeks back, we heard that a Dyson vac would be in the Transformers movie, but we never saw a pic, just this (clever) Worth1000 mockup. Then, today, we read on CrunchGear—well, pretty much exactly what we already knew, illustrated by this (clever) Worth1000 mockup. This is not what you’ll see in the movie. But it’s clever. [CrunchGear and Worth1000] The floating bike concept is as old as, well, at least as old as bikes. And the idea of building a boat out of (empty) water jugs is pretty old too. That said, we applaud Li Wieguo for this masterful DIY plan for retrofitting said bike with said waterjugs. And I just love this picture, taken in Naishahu Park in the Chinese province of Hubei, for some reason. [Inhabitat] Dell buying Palm? At first it sounds less likely than that Microsoft-Yahoo deal that keeps not happening. Then it sounds plausible: Palm has no cash, Dell still has a bit to burn. But then we slap ourselves in the face and say, business speculation is typically not our thing. When there are some facts on the table, we’ll talk. [Reuters and NYT] It wouldn’t be Remainders without some trumped-up Apple story. This time, it’s a virus. A little one, that doesn’t do anything particular, that is allegedly transmitted to people who go to a porn site and watch the “main video.” Why are we not shrieking and standing on a chair? Well, because the security firm Sophos branded it low-to-medium risk, and the only person who tried to infect his Mac couldn’t seem to do it. Call us when there’s a real bug to worry about. [Cult of Mac] [...]

    What is amusing is that all the mentions of malware for the Mac recently have been tied to select groups — porn site surfers, software by torrent thieves etc.

    Where are the huge universal mega killer ones? Dang it. I want my Conficker and I want it now. I mean it’s not really THAT hard to program a Unix malware. It’s not brain surgery.

    I was actually able to download this file and did not get the 403 error. I was using Firefox. No warning of malware. The installer was there on my desktop and ready to go. Still curious as to what this thing does, but into the trash it goes. I do find it odd that the example site on Sophos is the actual site in question.

    So this was nothing more than a scare tactic by Sophos to sell more software? Shame on them.

    If I’m running as a standard user, can a download put itself somewhere where it can get permissions to execute, chmod a file, and run in the background all without user involvement?

    To raz:
    It is my understanding of the way that Unix does things, no. Any malware worth its salt is going to want to install into the system files, and only an admin can do that. So you would be prompted for the admin username and password. Even if you were logged in as an admin, it will still ask for the password.

    [...] Leighton Meester. However, the link pointed to the OSX/Jahlav-C Trojan, a rare Mac Trojan that has popped up recently on a couple of porno [...]

    This virus DOES exist. I went to that site, and it asked me to download that ActiveX Object, and stupidly I did, but tried exiting while it was “downloading”. My Norton was detecting a risk, and all of a sudden all these windows popped up with corrupted files, and my entire Windows program is corrupt and my computer is done. I need it to be completely reinstalled with Windows (at the very least). This virus does exist, it happened to me the night before last, and there was no way of removing it. It corrupts every file in Windows.

    Oh, and I don’t have a macbook, I just have an HP computer and now it’s totalled.

    Thank you looking for details. It helped me in my responsibility
