1 November 2007 @ 1:11 | Proper Handling of Executable Files

Update: The GM release of Leopard handles these files differently than pre-release developer builds did.

[Screenshot: leopard_warn1.jpg]

This still won’t protect you from rogue installers though. That involves more social engineering and less design error.

by Jon | Tags: apple, exploits, mac, malware, security


31 October 2007 @ 19:05 | Caution: A Little Perspective

If you can get some unsuspecting user, on any operating system, to install your software, you can gain complete control of their computer.

There is a grey zone between trusting third-party developers and trusting any third party at all (to the point of installing a trojan).

Everyone should exercise caution when it comes to installing anything, especially something that asks for administrator authentication. You should ask yourself, “Why does this installer need an administrator password?”

In many cases, the tools needed to check the installer you just downloaded are right there in your Utilities folder. Right-click the package and choose “Show Package Contents”, navigate to “Contents/Resources/”, and open the preflight and postflight files in a text editor. Look for anything suspicious. If you are not sure what it all means, there are plenty of forums and communities on the internet that can help you understand. Alternatively, drag the package onto Installer.app and choose “Show Files” from the menu bar; this lists every file the Installer will install and where it will put it. Again, if it doesn’t make sense, just ask someone.
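A scripted version of that first check, added here as an example and not part of the original post: it lists the install scripts of a bundle-style package and prints any line that touches cron, DNS or startup items, areas a codec installer has no reason to go near. The pattern list, the package layout it expects (Contents/Resources/preflight and friends) and the sample package it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the manual
# check above. Lists the install scripts of a bundle-style .pkg and prints
# any line that touches cron, DNS or startup items, which a codec installer
# has no reason to do. The patterns and the sample package are constructed.

FLAG_PATTERN='crontab|scutil|networksetup|resolv\.conf|/etc/hosts|LaunchDaemons|StartupItems'

# Install scripts present under Contents/Resources, one path per line.
pkg_scripts() {
    for name in preflight preinstall postflight postinstall; do
        [ -f "$1/Contents/Resources/$name" ] && echo "$1/Contents/Resources/$name"
    done
    return 0
}

# Print "script:line:text" for every flagged line across the package's scripts.
audit_pkg() {
    pkg_scripts "$1" | while read -r script; do
        grep -n -E "$FLAG_PATTERN" "$script" | sed "s|^|$script:|"
    done
}

# Build a constructed package in a temp dir and print its path. Its postflight
# only reads the crontab and resolv.conf, but that is enough to be flagged.
make_sample_pkg() {
    res=$(mktemp -d)/Codec.pkg/Contents/Resources
    mkdir -p "$res"
    printf '#!/bin/sh\necho "checking disk space"\n' > "$res/preflight"
    printf '#!/bin/sh\n%s\n%s\n' 'crontab -l > /tmp/old.cron' \
        'grep nameserver /etc/resolv.conf' > "$res/postflight"
    echo "${res%/Contents/Resources}"
}

audit_pkg "$(make_sample_pkg)"
```

Flagged lines are only a prompt to read the script carefully (or ask someone), not proof of malice.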

by Jon | Tags: apple, exploits, hack, mac, malware, security

31 October 2007 @ 16:20 | OSX.RSPlug.A Trojan Horse for Mac OS X

Intego is reporting that there is a Mac OS X trojan on some porn sites, masquerading as a video codec installer for QuickTime.

OSX.RSPlug.A (also known as OSX_DNSCHAN.A) is distributed as a DMG containing an installer package. Once the installer is run with administrator privileges, the computer’s DNS settings are altered to point at rogue DNS servers that direct lookups to phishing sites. This means the unsuspecting victim can type the URL of a legitimate site, such as eBay or PayPal, into the browser’s address bar and, instead of reaching that site, be sent by the rogue DNS server to a malicious one, all while the legitimate URL still shows in the address bar.

This is particularly bad, in my opinion, as most casual users will never know that anything has changed their network settings. On the other hand, this trojan requires a good bit of user interaction for it to cause any harm. What must the user do in order to become a victim?

  1. Visit an unsavory website.
  2. Agree to download something from an untrusted site.
  3. Double-click the installer package.
  4. Enter their administrator name and password.

This is not a simple drive-by infection, but a malicious site that uses social engineering to get users to install malicious software.
My advice once again is to NEVER install or open any files from untrusted sources or questionable web sites.

To check for and remove hijacked DNS settings, first navigate to “/Library/Internet Plug-Ins/” and delete plugins.settings if it exists.

Then check your root crontab by typing the following command in the Terminal and pressing Return, followed by your administrator password. It saves a copy of the root crontab to rootcrontab.txt in your Home folder and then displays it:

sudo crontab -l > ~/rootcrontab.txt; sudo crontab -l

If you see something like this (or anything that you know shouldn’t be there):

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

You can remove the entire root crontab by typing the following command in the Terminal and pressing return followed by your administrator password (if asked):

sudo crontab -r

Alternatively, you may open the rootcrontab.txt in your Home folder, remove the offending line while leaving the legitimate lines, save the file, and type the following command in the Terminal and press Return, followed by your administrator password (if asked):*

sudo crontab ~/rootcrontab.txt

Now check that your Network Settings and scutil agree: type scutil in the Terminal, press Return, and at the scutil prompt enter:

show State:/Network/Global/DNS

Now open the DNS settings in the Network Preference Pane and look for addresses in the scutil list that are not in the Network Preference Pane. If any appear, delete all of the addresses in the DNS settings in the Network Preference Pane and re-enter only the ones that you know are legitimate. Type exit in the Terminal to leave scutil.

Now you should reboot and check the above items again — be sure that there is nothing in your root crontab and be sure that scutil corresponds with the DNS settings in the Network Preference Pane.

*If you are more comfortable using sudo crontab -e, please do so; for the non-geeky, the vi editor can be confusing at first.
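The crontab and scutil checks above, turned into an added example script that is not part of the original post. sudo crontab and scutil only exist on a Mac, so each function reads their output from stdin, and the sample crontab and scutil dump at the bottom are constructed (203.0.113.5 is a documentation address standing in for a rogue server, not the trojan's real one).

```shell
#!/bin/sh
# Added example, not from the original post: offline versions of the two
# checks described above. Both functions read command output from stdin so
# they can be exercised with the constructed samples at the bottom.

# Crontab lines (comments skipped) that execute anything under
# /Library/Internet Plug-Ins/, where no legitimate cron job should live.
suspicious_cron_lines() {
    grep -v '^#' | grep -F '/Library/Internet Plug-Ins/'
}

# Pull the ServerAddresses out of "show State:/Network/Global/DNS" output;
# scutil prints them as "    0 : 192.168.1.1" inside an <array> block.
scutil_dns_servers() {
    awk '/ServerAddresses/ { inarr = 1; next }
         inarr && /}/      { inarr = 0 }
         inarr && /:/      { print $NF }'
}

# Servers reported by scutil (stdin) that are missing from the space-separated
# list of servers you entered yourself in the Network preference pane ($1).
unexpected_dns_servers() {
    known="$1"
    scutil_dns_servers | while read -r addr; do
        case " $known " in
            *" $addr "*) ;;
            *) echo "$addr" ;;
        esac
    done
}

# Constructed sample data: a root crontab holding one legitimate job plus the
# rogue entry quoted in the post, and a scutil dump with one extra server
# (203.0.113.5 is a documentation address standing in for the hijacker's).
SAMPLE_CRONTAB='# nightly backup
0 3 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'
SAMPLE_SCUTIL='<dictionary> {
  DomainName : home.lan
  ServerAddresses : <array> {
    0 : 192.168.1.1
    1 : 203.0.113.5
  }
}'

# On a Mac the same functions take the live output, e.g.
#   sudo crontab -l | suspicious_cron_lines
#   echo "show State:/Network/Global/DNS" | scutil | unexpected_dns_servers "192.168.1.1"
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_dns_servers "192.168.1.1"
```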

by Jon | Tags: exploits, mac, malware, security

24 October 2007 @ 15:46 | Storm Worm Strikes Back

There is an interesting read over at Network World concerning some recent discoveries pertaining to the Storm Worm botnet.

The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Korman, host-protection architect for IBM/ISS, who led a session on network threats.

by Jon | Tags: exploits, malware, security, worm

17 October 2007 @ 17:47 | Does Installing Leopard Put You At Risk?

I had a chance to play with a developer’s install of Leopard recently. I like some of the new features, but there are others such as Time Machine that I won’t be able to fully review until my copy of Leopard arrives on October 26.

If you read my previous article about malicious files masquerading as completely innocent JPEGs, Excel files, etc., you may have thought to yourself, “I would never fall for that!”, or “I take precautions like browsing the filesystem in Column Mode.” Unfortunately, it turns out that Leopard appears to be taking a step backward in revealing to users the true nature of their files.


by Jon | Tags: apple, exploits, mac, malware, security, shell script

4 October 2007 @ 16:13 | Spy Photos of the iPhone v2

If you are looking for the actual iPhone v2 (iPhone 3G), check out the WWDC08 coverage.

I’m making available some Leopard screenshots, spy photos of the second revision of the iPhone, and the proposed pricing schedule for new models.


Download here.



by Jon | 3 comments | Tags: apple, exploits, iphone, mac, malware, security
