F-Secure has posted news about a new Trojan horse for Mac OS X. It is currently being called "BASH/QHost.WB". Using the standard malware naming system, the official name should be Trojan.OSX.BASH/QHost.WB.A. So far I am unaware of why it is being given a 3-part name. Most likely there will be the usual proliferation of other names across the anti-malware community before a final name is established.
F-Secure's report is well documented and worth reading here:
Trojan: BASH/QHost.WB
Why I'm laughing, heehee: Of all the software to fake for Mac OS X, it is HILARIOUS that these malware rats chose the Adobe FlashPlayer installer. Is there any more hated software for Mac OS X than Adobe Flash?! Oops. I don't see this Trojan becoming very proliferated. But there are always victims, so it is worth documenting what this thing does.
So far there is no documentation as to where the Trojan is found. As usual, double-check the source of ALL your software. NEVER install anything you've been sent or randomly picked up off the net without verifying it as legitimate. Obviously, the safest place to pick up the Adobe FlashPlayer software is directly from Adobe. Also keep in mind that Adobe FlashPlayer has historically been found to be profoundly insecure. Be absolutely certain you are installing the most recent version of FlashPlayer and check Adobe at least once a month for security updates.
When run, the fake FlashPlayer.pkg file presents Apple's standard installer interface, which fools you into thinking it is legitimate.
After installation, Trojan.OSX.BASH/QHost.WB.A takes over your 'hosts' file and modifies it so that your web browsers are redirected to a phishing site located in the Netherlands. The same technique can easily be used to alter the hosts file for further fake forwarding in the future. (Say that 10 times!) The Mac OS X hosts file is located here:
/private/etc/hosts
You can read about the purpose of the hosts file here:
Hosts (file) @ Wikipedia
The current version hijacks a series of Google web addresses. If you read F-Secure's notes you'll see that there are detectable differences between the real Google pages and the fake phishing pages.
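As an added example (not part of this post or F-Secure's report), here is a small shell check a defender can run against a hosts file to spot the kind of redirection described above: any hostname mapped to something other than a loopback or broadcast address is reported. The sample hosts content and the 203.0.113.10 address are constructed for the demonstration; the default path is the /private/etc/hosts location named above.

```shell
#!/bin/sh
# Added example: report hosts-file entries that send a hostname somewhere
# other than loopback/broadcast, the pattern a hosts hijack leaves behind.
# Usage: check_hosts_file [path]   (default: /private/etc/hosts)

# Constructed sample hosts file. 203.0.113.10 is from the documentation-only
# TEST-NET-3 range and stands in for a phishing server.
sample_hosts() {
  cat <<'EOF'
##
# Host Database
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# constructed entries of the kind a hosts hijack adds
203.0.113.10    google.com www.google.com
203.0.113.10    google.co.uk
EOF
}

# Print "<ip> <hostname>" for every hostname whose address is not a
# loopback or broadcast placeholder. Comments and blank lines are ignored.
suspicious_hosts_entries() {
  sed 's/#.*//' "$1" | awk '
    NF >= 2 {
      ip = $1
      # the legitimate default entries all resolve locally
      if (ip == "::1" || ip == "255.255.255.255" || ip ~ /^127\./) next
      for (i = 2; i <= NF; i++) print ip, $i
    }'
}

# Exit status 0 when the file is clean, 1 when redirections were found.
check_hosts_file() {
  hosts_path="${1:-/private/etc/hosts}"
  found=$(suspicious_hosts_entries "$hosts_path")
  if [ -n "$found" ]; then
    echo "Suspicious redirections in $hosts_path:"
    echo "$found"
    return 1
  fi
  echo "No suspicious entries in $hosts_path"
  return 0
}

# Demonstration on the constructed sample (status tolerated for the demo)
demo_file=$(mktemp)
sample_hosts > "$demo_file"
check_hosts_file "$demo_file" || :
rm -f "$demo_file"
```

Run it with no argument on a Mac to inspect the live /private/etc/hosts; a clean default file prints only localhost and broadcasthost mappings, so any extra line deserves a look.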
Using the phishing site results in bogus search results. Clicking on the result URLs only returns you back to the phishing site. Meanwhile, however, the bogus site nails your browser with a series of pop-up pages which it grabs from a nefarious remote server.
At this time, the pop-up remote server is not providing any information to the phishing site. Possibly, this is a prototype malware being used either for demonstration purposes or to prove a hacking method to the hacking community. No doubt we will know more about the situation in the near future.
Most likely, Apple will be integrating a signature for Trojan.OSX.BASH/QHost.WB.A into their XProtect anti-malware system in Mac OS X 10.6 and 10.7. At the moment of my posting this article, Apple has not yet updated their XProtect.plist file.
Share and Enjoy!
:-Derek
New: Trojan.OSX.BASH/QHost.WB.A, Posing as FlashPlayer.pkg Installer (heehee!)