We've come across a fake FlashPlayer.pkg installer (MD5: 1fc90b8f532028805d167b2b0ac9ce11) for Mac:
Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 220.127.116.11, which is located in Netherlands.
The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
As an example, this is what Google.com.tw looks like on a normal, uninfected system:
In contrast, this is what Google.com.tw looks like on an infected system:
When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.
Here's a search request on the real Google.com.tw site on a clean system:
And here's the same request on an infected system:
Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server:
At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.
The other remote server returning fake search requests appears to be still active.
We detect this trojan as Trojan:BASH/QHost.WB.
Analysis by — Brod
Corrected on August 9th: The MD5 for the installer is as above; the previous MD5 cited (2ee750f19f2cb43968af78b0dd0be541) is for the BASH file in the PKG.