Baidu poisoned search results for iTerm2 led to OSX/ZuRu malware.

Rather than the top result being the legitimate iTerm2, the first link actually led to a malware site designed to look virtually indistinguishable from the legitimate software's homepage. The real iTerm2 site is hosted at a different domain, which appeared as the second result in the Baidu search. The malicious site that linked to the Trojan disk image used a very similar domain: iterm2net.

This technique of introducing malicious results into search queries is known as search engine poisoning. Attempting to download iTerm2 from the lookalike site would instead download a disk image infected with an OSX/ZuRu Trojan horse.

Baidu has reportedly removed the fraudulent link from its search results.

Researchers later found several other disk images infected with OSX/ZuRu, disguised as other Mac software including Microsoft Remote Desktop, Navicat, SecureCRT, and also reportedly SnailSVN.

What does OSX/ZuRu do to an infected Mac?

If a user is tricked into running the Trojan horse, OSX/ZuRu downloads and runs a Python script that collects various information from an infected Mac, including but not limited to:
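As an added example for the search engine poisoning section above (this is not code from the original article), the following Python function flags a download URL whose hostname merely resembles a known vendor domain, the way iterm2net resembled the real iTerm2 site. The allowlist is constructed for the demo: it assumes iterm2.com is the legitimate iTerm2 domain (the article's link is not preserved in this copy) and adds one hypothetical placeholder entry; the `.example` suffix on the lookalike host is also constructed, since the article truncates the domain.

```python
"""Flag download hostnames that look like, but are not, a known vendor domain."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist for this example. iterm2.com is assumed to be the real
# iTerm2 domain; the second entry is a hypothetical placeholder, not a real site.
KNOWN_VENDOR_DOMAINS = (
    "iterm2.com",
    "remotedesktop.example",
)


def registrable_label(host: str) -> str:
    """Return the label just left of the TLD, e.g. 'iterm2net' for
    'www.iterm2net.example'. Simplified: the last DNS label is treated as the
    suffix; a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    return labels[-2]


def classify_download_host(url: str, allowlist=KNOWN_VENDOR_DOMAINS,
                           threshold: float = 0.8) -> str:
    """Classify the host of a download URL as 'trusted', 'lookalike:<vendor>'
    or 'unknown'. A lookalike is a host whose registrable label either embeds
    the vendor's label with extra characters (iterm2 -> iterm2net) or is
    within a small edit distance of it (similarity ratio >= threshold)."""
    host = (urlparse(url).hostname or "").lower()

    # Exact vendor domain, or a subdomain of one: trusted.
    for legit in allowlist:
        if host == legit or host.endswith("." + legit):
            return "trusted"

    candidate = registrable_label(host)
    for legit in allowlist:
        brand = registrable_label(legit)
        # 'iterm2' embedded in 'iterm2net' with extra characters appended.
        if brand and brand in candidate and candidate != brand:
            return f"lookalike:{legit}"
        # Typo-squat style variants (swapped or dropped characters).
        if SequenceMatcher(None, candidate, brand).ratio() >= threshold:
            return f"lookalike:{legit}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; the lookalike host's TLD is not from the article.
    for sample in (
        "https://www.iterm2.com/downloads.html",
        "https://iterm2net.example/iTerm2.dmg",
        "https://python.org/downloads/",
    ):
        print(sample, "->", classify_download_host(sample))
```

This is a pre-download check for a software-provisioning tool or proxy, not a replacement for verifying the disk image's code signature after download; it only catches the naming trick the article describes, not a compromised legitimate site.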