Security firm F-Secure has discovered 32 variants of it, but claims about its powers have been wildly overstated, according to experts.
"Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the Trojan for the Mac too," Mikko Hypponen, chief research officer at F-Secure, wrote in his blog this week.
Last week, Mac security software vendor Intego
The Trojan is being disguised as a codec, a device used to decode digital streams. If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice. The prime purpose appears to be to make money when people click on ads served on the sites.
The "payloads" of the 32 variants of the Trojan are the same as the original discovered by Intego. However, F-Secure technical manager Patrik Runald said the Trojan is also on a reconnaissance mission of sorts: it reports its findings back to an IP address in the Ukraine.
"It reports the name of the computer and the operating system version back to another IP address within the Ukraine to keep track of the installs they have," he told ZDNet Australia.
There is also a version for Windows platform users, said Runald, and it was this version that led him to the conclusion the group behind the DNS-changing Mac Trojan is the same group behind the malware released earlier this year known as "zlob."
"Zlob is also about click ads and showing ads on your PC and are also typically distributed through fake codecs," Runald said.
It shows that Macs are "starting to get interesting for the bad guys," he added.
"It's not an isolated incident because it's a professional gang behind it, not some teenagers trying to prove a point," Runald said. "They're actually making money out of it and because of this it's unlikely to end soon."
However, Runald said, the Trojan does not mean Mac platforms are facing a malware epidemic.
Liam Tung of ZDNet Australia reported from Sydney.