Much like the iWork '09 and Adobe CS4 infected install packages we reported on in the spring, these Snow Leopard download sites are enticing users to get a free copy of the popular software, only to add a malicious version of a DNS Changer Trojan to their Mac.
TrendMicro has reported the threat on their blog:
Once executed, OSX_JAHLAV.K decrypts codes, which include a script that downloads other malicious scripts. The said script then alters the DNS configuration and includes two additional IP addresses in its DNS server. Users are thus possibly redirected to phishing sites and other fraudulent sites. In fact, some of these bogus sites are reportedly hosting FAKEAV (rogue antivirus) variants and components.Users are advised to only obtain copies of Mac OS X 10.6 Snow Leopard from Apple directly, or other trusted retailers.