Apple has updated XProtect, the native malware protection component in Mac OS X, to detect a new click fraud trojan that hijacks Google searches.The trojan was discovered at the beginning of August by security researchers from Finnish antivirus vendor F-Secure and it is distributed as a fake Flash Player update.
Once executed on the system, the trojan adds rogue entries to the hosts file with the purpose for hijacking the DNS of google.* domain names.
This results in users being directed to a fake Google Search site hosted on servers controlled by the attackers.
Editing the hosts file is a simple and straight-forward method of overriding DNS answers provided by the ISP, but regular users might not be aware of it.
Such was the case of a Mac OS X user who reported the issue on Apple's support forums on Sunday. "A few days ago, Safari started giving me the error message that it can't load http://www.google.com because the server www.google.com could not be found," he wrote.
The user's computer was probably infected for many days, but he only realized that something is wrong when the server used by attackers got shut down. This is proof of how surreptitious such threats can be.
The intention of most trojan creators is not to cause damage, but to keep infected computers under their control for as long as possible. Infected computers can be used to generate income from illegal activities like spamming, DDoSing, search results hijacking (click fraud), and others.
According to ZDNet, Apple updated its XProtect signatures to detect the new trojan as OSX.QHost.WB.A, this being the first malware definition update released by the company since the June Mac Defender attacks.
Security researchers warn that the number of threats targeting Mac users will only increase in the future, and will require more proactive defense mechanisms than the rudimentary one provided by XProtect.