DealsOnTheWeb Daily Deal: It's Friday, time for the Amazon Friday Sale!
OSX.RSPlug.A: New Mac Trojan Horse
by , 8:05 AM EDT, November 1st, 2007
The computer security company Intego has discovered a trojan horse application dubbed OSX.RSPlug.A that targets Mac OS X. The trojan horse has been appearing on some pornography Web sites as a new QuickTime codec.
A trojan horse is an application that appears to be legit, but performs some form of malicious act when run.
In this case, victims find the application by clicking on what appears to be a thumbnail image of a movie. Next, they see a dialog that offers to download a new QuickTime codec. If users download and double-click the installer disk image icon, then enter their administrator name and password, their Internet DNS settings are changed to redirect them to phishing sites and other pornography sites.
The trojan horse also adds a chrontab entry that checks and resets the DNS entries every minute in case someone tries to manually change the numbers.
OSX.RSPlug.A is not like a virus that can move from computer to computer. Instead, it requires users to intentionally install it. The application can, however, automatically launch and ask for the user's administrator name and password when downloaded with Safari thanks to the browser's "Open safe files" feature.
Disabling Safari's "Open safe files" feature will not only prevent this trojan horse from automatically running, it is also a good all around safety move. This excerpt from a 2006 TMO Quick Tip shows how:
One of Safari's features can automatically uncompress and open files and applications you download from the Internet. Unfortunately, that feature could potentially be abused by someone that wants to install an application on your Mac without your knowledge, so it's best to turn it off. Here's how:
- Launch Safari.
- Choose Safari > Preferences from the menu bar.
- Click the General button.
- Uncheck Open "safe" files after downloading.
 Disabling "Open Safe Files" prevents applications from installing without your knowledge. |
|---|
For now, this exploit appears to be limited to the subset of Web surfers that visit pornography Web sites, but that doesn't mean it won't be adapted for other sites as well. OSX.RSPlug.A takes advantage of the trusting nature many Web surfers have, and could just as easily appear on sites that offer what would otherwise seem to be legit TV show and movie downloads, or even family home videos.
Additional information about OSX.RSPlug.A is available at the Intego Web site.
Observer Comments
Thu Nov 01, 2007 2:53 pm Subject: Open "safe" files
I agree, the "open 'safe' files after downloading" feature should be disabled. While it doesn't play much of a role in this (obviously if a user is willing to agree to install it, they'd open the disk image themselves anyway), it has been compromised more than once in the past with proof-of-concept exploits. It's only a matter of time before someone finds another way to trick it, and next time it might actually be used for malware.
If it were really safe, Apple wouldn't feel the need to put "safe" in quotes. :p
As for this trojan, the moral of the story is: Be careful what you install, and be EXTRA careful what you give administrator privileges to.
Recent Headlines - Updated Saturday, November 29th, 2008
- Sat., 9:00 PM
- Podcast - Apple Weekly Report #135: Apple Lawsuits, Banned iPhone Ad, Green MacBook Ad
- Fri., 12:45 PM
- Podcast - Mac Geek Gab #178: Batch Permission Changes, Encrypting Follow-up, Re-Enabling AirPort, and GigE speeds
- Thu., 1:30 PM
- iPO Review - Scosche kickBACK iPhone case
- 7:00 AM
- Happy Thanksgiving from TMO!
- Wed., 6:00 PM
- TMO Appearances - Nancy Gravley Joins MacJury Gift Guide
- 5:15 PM
- TMO Visits The Bay, a Premium Apple Reseller in New Zealand
- 3:25 PM
- iPO Oh the Games You'll Play - iPhone: The Wii of Handheld Gaming Devices?
- 2:15 PM
- Sonnet Releases Simply Fast FireWire 800 to 400 Adapter
- 1:10 PM
- Mac Gaming News - Disney Plans 1st Annual PotC Online Thanksgiving Event
- 12:05 PM
- iPodObserver - UK Shuts Down iPhone 3G Ad
- 11:15 AM
- TMO Appearances - Jeff Gamet on MacJury Gift Guide
- 10:30 AM
- TMO Contest - TMO Announces Macworld Expo Pass Winners
- 9:50 AM
- PhotoCopy 1.1 Adds iPhoto Event Support
- 9:15 AM
- Acclivity Buys MYOB US
- 8:30 AM
- Review - Bento 2 Holiday Pack
- 7:50 AM
- Microsoft Offers Black Friday Office Discount
- 7:30 AM
- iPO Quick Tip - iPhone: Google Street View
The Mac Observer Reader Specials
- Download Typestyler, still the Ultimate Styling Tool for Internet, Print and Video Graphics. Works great in Classic with a Native OS X Version on the way. Free Tryout: www.typestyler.com
Seagate 1TB 7200.11 7200RPM/32MB Cache SATA Drive $112 Hitachi 320GB 7200RPM/16MB Cache 2.5" SATA Drive $96. Samsung 500GB 5400RPM/8MB Cache 2.5" SATA Drive $138. ATA-SATA Internal External Firewire Drives & More. Click to Maximize your Macs...
Mac observers can now play Party Poker for Mac as well as Mac casino games by going to MacPokerOnline.com.
RamJet Memory: Mac Pro FB-DIMMs: 2Gig kit $95, 4Gig Kit $179, 8Gig Kit $355! MacBook 2Gig Kit $78, 4Gig Kit $149! Click hereFor the latest Apple products use Ciao a comparison website to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate cell phones.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
Marshmallow Popper Gun Shooter: $9.99 Delivered - Make the Yam Side Dish a Sporting Event 
OnSale's ThanksGiving Day/Black Friday Combo Sale - Turkey, Deals, and LeftOvers - The Holiday Trifecta! 
Fall Knuckle Deep into Dell Small Business's Black Friday Sale - Going on Now!!!!! 
File Your Nails Now - Overstock's Black Friday Sale is Coming! Get Great Gifts at Great Prices 
