Re: @cronos
"To state the bleedin' obvious to anyone who's actually read the article, the software does not AUTO-Install via the browser, QuickTime redirects to a site with an alleged codec and "The Trojan requires victims to enter the administrative password for their machine"."
One word: COBBLERS. The browser (not bloody Quicktime, it's a bogus message the browser is fooled into displaying), even when redirecting to another site and asking for root privs, is not telling the user exactly what he or she is installing. It is, in effect, saying "you need this bit of binary blob to view your smut and I approve wholeheartedly of the use of it", which is somewhat different to your scenario of the user saying "whoa, a root password prompt! WTF?" They're probably so used to MacOS asking for root privs at this point that it hardly registers any more. Yes, Ubuntu et al also do the same thing. It's still wrong no matter who does it and it is my opinion that MS have inherited this idea of UAC *from* the OSS world. In fact, MS's implementation is a little better; at least it warns the user of the possible consequences of supplying the administrative credentials, irrespective of the fact that most Vista boxen have null Administrator passwords.
OK, so the trojan poses as a Quicktime codec. The user should simply think "WTF? Quicktime's already installed" and suspect the worst? Nope, because they're trained by a lax security model to be guided by the machine making assumptions instead of the correct method of ensuring their machine does as it is told and no more. And that, my friend, is the whole point: They've got it wrong. Again.
This is endemic in the software world. Firefox, the OSS poster child of security, does a similar thing on multiple platforms with its plugin finder, although this uses a central point of known values, as opposed to the site "requiring" the binary, to locate the appropriate software. A bit better, but only by a small margin. To quote the infamous spam solution reply form: "why should we trust you or your servers?" Konqueror, from which WebKit evolved, doesn't do any of this at all. Most amusing.
Another little heads-up for the Mac users affected by this: Open a console and type "man resolv.conf" to learn how to remove the bogus DNS entries manually. It doesn't matter that the DNS textboxes are greyed out on the advanced networking applet. If you remove the bogus servers from /var/run/resolv.conf (yes, /etc/resolv.conf is a symlink) after blitzing the DNS check from crontab (removing whatever executable is referenced by that entry with "rm" would also be a good idea), you'll be cured and you'll also understand the underlying system a little better.
That's not to say I don't expect the vast majority to just dig out their installation DVD and start holding down C, another thing Microsoft has given us which will haunt us for decades to come. Be thankful this is a simple trojan and not a rootkit. For the same effect and much more fun removing the infection, just think of the hilarity that would ensue if the malicious site replaced dhclient with a modified version that rewrites resolv.conf with these bogus servers every time the lease renews. "chflags schg /sbin/dhclient" (assuming a UFS filesystem, I have no idea whether this works on HFS+) is a 99% sure prevention of this attack vector, but what are the chances of people listening? Even then, adding "prepend domain-name-servers ns.example.invalid ns2.example.invalid;" to dhclient.conf will achieve the same results but be a little easier to get rid of. This is all off the top of my head, of course. There are 101 ways to attack the securest of boxen; it just takes fooling the operator to effect 100 of them. Vendors supplying more and more ways to fool said operator is just plain short-sighted so, although I seem to have digressed, this whole rant brings us back to the point I tried to make earlier: The OS vendors are actively contributing to the ease of socially engineering root credentials from their users.
Oh, and it's Chronos. With an "h" and a capital "C". Not that you didn't already know, of course. The quality of trolling in these comments seems to be at an all-time low, amanfrommars excepted of course.
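Added example, not part of Chronos's comment and not any vendor's tooling: a POSIX shell audit of the three places the comment names (resolv.conf, the crontab, dhclient.conf) for the indicators it describes. Everything it reads is constructed sample data so it runs offline: the nameserver addresses are documentation ranges, the cron job path /var/tmp/.dnscheck is hypothetical, and the allowlist of expected resolvers is whatever your own router or DHCP lease hands out. One detail worth knowing before you edit dhclient.conf by hand: the prepend directive separates list entries with commas, and the parser below accepts either the comma form or the space-separated form quoted in the comment.

```sh
#!/bin/sh
# Added example, not from the original comment. Audits the three places the
# comment names for the indicators it describes. All inputs are constructed
# sample data: the addresses are documentation ranges and the cron job path
# is hypothetical.

# Constructed resolv.conf. Only 192.168.1.1 is the expected router/resolver;
# the other two stand in for the trojan's "bogus" servers.
SAMPLE_RESOLV='domain example.test
nameserver 192.168.1.1
nameserver 198.51.100.10
nameserver 203.0.113.20'

# Constructed "crontab -l" output. The second line is a hypothetical once-a-
# minute "DNS check" job running a hidden file from a scratch directory.
SAMPLE_CRONTAB='0 3 * * * /usr/sbin/periodic daily
* * * * * /var/tmp/.dnscheck >/dev/null 2>&1'

# Constructed dhclient.conf using the prepend directive the comment quotes
# (real dhclient.conf separates list items with commas; both forms parse).
SAMPLE_DHCLIENT='send host-name "mac";
prepend domain-name-servers ns.example.invalid, ns2.example.invalid;
request subnet-mask, routers;'

# Print each nameserver in $1 (resolv.conf text) that is not in the
# space-separated allowlist $2, one per line. Empty output means clean.
unknown_nameservers() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Emit $1 with every nameserver line not in allowlist $2 dropped: the edit
# the comment tells you to make by hand, in a form you can diff first.
clean_resolv() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { next }
        { print }'
}

# Print crontab lines whose command is a hidden file or lives under a
# scratch directory. A heuristic, not a signature: review hits by hand.
suspicious_cron_lines() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^@/ { cmd = $2 }                      # @reboot/@daily form
        !/^@/ { cmd = $6 }                     # five time fields, then command
        (cmd ~ "^/(tmp|var/tmp|private/tmp)/") || (index(cmd, "/.") > 0) { print }'
}

# Print the servers a "prepend domain-name-servers ...;" line in $1 would
# push to the front of resolv.conf on every lease renewal.
dhclient_prepend_servers() {
    printf '%s\n' "$1" | awk '
        $1 == "prepend" && $2 == "domain-name-servers" {
            sub(/;.*$/, ""); gsub(/,/, " ")
            for (i = 3; i <= NF; i++) print $i
        }'
}

# Run the audit over the samples. On a live machine feed it the real files,
# e.g. "$(cat /etc/resolv.conf)", "$(crontab -l; sudo crontab -l)" and the
# dhclient.conf the system actually uses (path varies by system).
echo "Nameservers not in the allowlist:"
unknown_nameservers "$SAMPLE_RESOLV" "192.168.1.1"
echo "Suspicious crontab entries:"
suspicious_cron_lines "$SAMPLE_CRONTAB"
echo "Servers prepended by dhclient.conf:"
dhclient_prepend_servers "$SAMPLE_DHCLIENT"
```

On a real box the output of clean_resolv is what you would write back to resolv.conf once the cron job (and whatever it runs) is gone; running the audit again after a lease renewal tells you whether something else, such as the dhclient.conf prepend or a replaced dhclient, is putting the servers back.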