The Mac Observer

Skip navigational links

Choose text size: Select small text. Select medium text. Select large text.

OSX.RSPlug.A: New Mac Trojan Horse

by , 8:05 AM EDT, November 1st, 2007

The computer security company Intego has discovered a trojan horse application dubbed OSX.RSPlug.A that targets Mac OS X. The trojan horse has been appearing on some pornography Web sites as a new QuickTime codec.

A trojan horse is an application that appears to be legit, but performs some form of malicious act when run.

In this case, victims find the application by clicking on what appears to be a thumbnail image of a movie. Next, they see a dialog that offers to download a new QuickTime codec. If users download and double-click the installer disk image icon, then enter their administrator name and password, their Internet DNS settings are changed to redirect them to phishing sites and other pornography sites.

The trojan horse also adds a chrontab entry that checks and resets the DNS entries every minute in case someone tries to manually change the numbers.

OSX.RSPlug.A is not like a virus that can move from computer to computer. Instead, it requires users to intentionally install it. The application can, however, automatically launch and ask for the user's administrator name and password when downloaded with Safari thanks to the browser's "Open safe files" feature.

Disabling Safari's "Open safe files" feature will not only prevent this trojan horse from automatically running, it is also a good all around safety move. This excerpt from a 2006 TMO Quick Tip shows how:

One of Safari's features can automatically uncompress and open files and applications you download from the Internet. Unfortunately, that feature could potentially be abused by someone that wants to install an application on your Mac without your knowledge, so it's best to turn it off. Here's how:

  • Launch Safari.
  • Choose Safari > Preferences from the menu bar.
  • Click the General button.
  • Uncheck Open "safe" files after downloading.

Disabling "Open Safe Files" prevents applications from installing without your knowledge.

For now, this exploit appears to be limited to the subset of Web surfers that visit pornography Web sites, but that doesn't mean it won't be adapted for other sites as well. OSX.RSPlug.A takes advantage of the trusting nature many Web surfers have, and could just as easily appear on sites that offer what would otherwise seem to be legit TV show and movie downloads, or even family home videos.

Additional information about OSX.RSPlug.A is available at the Intego Web site.

Observer Comments

Show: Subjects Only | Full Comments
Close Name:Guest
Thu Nov 01, 2007 12:34 pm Subject:

Limited "subset"?

Are you kidding? Even my catholic, chest beating friends have looked at porn online.


 Reply | Quote
Close Name:Guest
Thu Nov 01, 2007 1:58 pm Subject: The articles

Quote
Guest wrote:
Limited "subset"?

Are you kidding? Even my catholic, chest beating friends have looked at porn online.


I only go to porn sites to read the articles

Seriously, I guess it depends on your definition of what is porn.


 Reply | Quote
Close Name:Mikuro Posts: 457 Joined: 15 Jun 2002
Thu Nov 01, 2007 2:53 pm Subject: Open "safe" files

I agree, the "open 'safe' files after downloading" feature should be disabled. While it doesn't play much of a role in this (obviously if a user is willing to agree to install it, they'd open the disk image themselves anyway), it has been compromised more than once in the past with proof-of-concept exploits. It's only a matter of time before someone finds another way to trick it, and next time it might actually be used for malware.

If it were really safe, Apple wouldn't feel the need to put "safe" in quotes. :p

As for this trojan, the moral of the story is: Be careful what you install, and be EXTRA careful what you give administrator privileges to.


 Reply | Quote
Comment on this Article


Guest Posts Visible. Hide Them.
Back to top  Page 1 of 1    

You cannot edit your comments.   You cannot delete your comments.

Comments are currently closed. Please email the author instead.


Recent Headlines - Updated February 12th

Sat, 4:11 PM
MacOS KenDensed - MacOS KenDensed: iPad 3 Frenzy, Big-time Apple & Steve Jobs, G-Man
Fri, 8:10 PM
News - Apple Sues Motorola Mobility in California Over German Case
7:54 PM
Free on iTunes - OnLive Desktop: Windows & Office on Your iPad
7:43 PM
Product News - Apple Rolls Out MacBook Air Configurations for Education
6:35 PM
Just a Peek - Battle Pocket Bulge With The Hint for iPhone
6:01 PM
Rumor - Apple Reportedly Bringing MacBook Air Styling to Pro Line
4:50 PM
Particle Debris - The Hidden Gotchas of Browser Security
3:56 PM
Apple Stock Watch - Analyst: Paying a Dividend Makes Sense for Apple
2:58 PM
Deal Brothers - iMac 27-inch 2.93GHz Intel Quad-Core i7 processor:  $1,999
2:45 PM
In-Depth Review - Theodolite App for iOS is Breathtaking
12:52 PM
Apple Stock Watch - Mizuho Securities Starts Apple Coverage with $635 Target
11:35 AM
Hot Forum Topic - Forum Poll: Are You Planning on Buying a New iPad?

The Mac Observer Reader Specials

  • TypeStyler 11 is now in the Mac App Store!! -- Special Introductory Price of $59.95!! -- To Buy From The Mac App Store Click Here Now!! Or buy direct from Strider Software.
  • Mac RAM Upgrades: MacBook Pro 16GB kits $475, 8GB Kits for $119.99! iMac 16GB RAM Kits (4x 4GB) for $229.99! Mac Pro Memory 32GB Kit for $399.99, 64GB Kit for $889.99! Mac Hard Drives 2TB Seagate SATA II for $249.99! Click Here!
  • Poker Mac If you're using a Mac, then you've gotta check out Online Poker Mac. This mac poker and online casino mac site actually does the unthinkable, it actually rewards!
  • __________
  • Buy Stuff, Support TMO!
  • Podcast: Mac Geek Gab
  • Podcast: Apple Weekly Report
  • TMO on Twitter!