OSX.RSPlug.A: New Mac Trojan Horse || The Mac Observer

OSX.RSPlug.A: New Mac Trojan Horse

by , 8:05 AM EDT, November 1st, 2007

The computer security company Intego has discovered a trojan horse application dubbed OSX.RSPlug.A that targets Mac OS X. The trojan horse has been appearing on some pornography Web sites as a new QuickTime codec.

A trojan horse is an application that appears to be legit, but performs some form of malicious act when run.

In this case, victims find the application by clicking on what appears to be a thumbnail image of a movie. Next, they see a dialog that offers to download a new QuickTime codec. If users download and double-click the installer disk image icon, then enter their administrator name and password, their Internet DNS settings are changed to redirect them to phishing sites and other pornography sites.

The trojan horse also adds a chrontab entry that checks and resets the DNS entries every minute in case someone tries to manually change the numbers.

OSX.RSPlug.A is not like a virus that can move from computer to computer. Instead, it requires users to intentionally install it. The application can, however, automatically launch and ask for the user's administrator name and password when downloaded with Safari thanks to the browser's "Open safe files" feature.

Disabling Safari's "Open safe files" feature will not only prevent this trojan horse from automatically running, it is also a good all around safety move. This excerpt from a 2006 TMO Quick Tip shows how:

One of Safari's features can automatically uncompress and open files and applications you download from the Internet. Unfortunately, that feature could potentially be abused by someone that wants to install an application on your Mac without your knowledge, so it's best to turn it off. Here's how:

Launch Safari.
Choose Safari > Preferences from the menu bar.
Click the General button.
Uncheck Open "safe" files after downloading.

Disabling "Open Safe Files" prevents applications from installing without your knowledge.

For now, this exploit appears to be limited to the subset of Web surfers that visit pornography Web sites, but that doesn't mean it won't be adapted for other sites as well. OSX.RSPlug.A takes advantage of the trusting nature many Web surfers have, and could just as easily appear on sites that offer what would otherwise seem to be legit TV show and movie downloads, or even family home videos.

Additional information about OSX.RSPlug.A is available at the Intego Web site.

Observer Comments

Show: Subjects Only | Full Comments

Close Name:Guest
Thu Nov 01, 2007 12:34 pm Subject:

Limited "subset"?

Are you kidding? Even my catholic, chest beating friends have looked at porn online.

Reply | Quote

Close Name:Guest
Thu Nov 01, 2007 1:58 pm Subject: The articles

Quote
Guest wrote:
Limited "subset"?

Are you kidding? Even my catholic, chest beating friends have looked at porn online.

I only go to porn sites to read the articles

Seriously, I guess it depends on your definition of what is porn.

Reply | Quote

Close Name:Mikuro Posts: 457 Joined: 15 Jun 2002
Thu Nov 01, 2007 2:53 pm Subject: Open "safe" files

I agree, the "open 'safe' files after downloading" feature should be disabled. While it doesn't play much of a role in this (obviously if a user is willing to agree to install it, they'd open the disk image themselves anyway), it has been compromised more than once in the past with proof-of-concept exploits. It's only a matter of time before someone finds another way to trick it, and next time it might actually be used for malware.

If it were really safe, Apple wouldn't feel the need to put "safe" in quotes. :p

As for this trojan, the moral of the story is: Be careful what you install, and be EXTRA careful what you give administrator privileges to.

Reply | Quote

Comment on this Article

Guest Posts Visible. Hide Them.
Back to top Page 1 of 1

You cannot edit your comments. You cannot delete your comments.

Comments are currently closed. Please email the author instead.

Recent Headlines - Updated November 8th

Sat, 7:58 PM: News - Apple TV 3.0.1 Update Fixes Missing Content Bug
Fri, 7:45 PM: Rumor - Taiwan Leak Shows Verizon UTMS/CDMA iPhone for Q3 2010
6:40 PM: News - iPhone Moves Into RadioShack
6:30 PM: News - Apple to Open Stunning Paris Apple Store in Le Louvre on Saturday
5:43 PM: Free on iTunes - Dictionary, Dictionary, Dictionary, And More
4:09 PM: John Martellaro's Blog - Particle Debris (week ending 11/6) Failure IS an Option
3:32 PM: Games - The Latest App Store Games: Gravity Sling, RocketBird, Ground Effect, Checkers!
2:25 PM: Games - Star Soccer 2010 for Mac Puts Gamers in Role of Up-and-Coming Player
2:15 PM: How-To - The Mysteries of Rosetta Housekeeping
1:33 PM: News - iPhone Game Developer Sued for Collecting User’s Cell Numbers
1:17 PM: Games - Warhammer Online Expands Trial Play Option
11:19 AM: Rumor - Apple May Be Bringing RFID to the iPhone

The Mac Observer Reader Specials

TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
RamJet Memory: Mac Pro 8-core 8GB Kit $199.99, 4GB Kits $109.99! Sale on MacBook and MacBook Pro 8GB kits $549.99! New MacBook DDR3 2GB for $49.99. iMac and Mac mini 4GB Kits for $79.99! 1TB SATA Hard Drives for $109.99! Click here
OWC: Get the Right Memory for Your Mac Top Quality, Competitive Price, Lifetime Backed Free Expert Support + Installation Videos too! MacBook & mini 8GB, iMac 16GB, Mac Pro up to 32GB. Click here
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!
For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.