The Mac Observer

Skip navigational links

OSX.RSPlug.A: New Mac Trojan Horse

by , 8:05 AM EDT, November 1st, 2007

The computer security company Intego has discovered a trojan horse application dubbed OSX.RSPlug.A that targets Mac OS X. The trojan horse has been appearing on some pornography Web sites as a new QuickTime codec.

A trojan horse is an application that appears to be legit, but performs some form of malicious act when run.

In this case, victims find the application by clicking on what appears to be a thumbnail image of a movie. Next, they see a dialog that offers to download a new QuickTime codec. If users download and double-click the installer disk image icon, then enter their administrator name and password, their Internet DNS settings are changed to redirect them to phishing sites and other pornography sites.

The trojan horse also adds a chrontab entry that checks and resets the DNS entries every minute in case someone tries to manually change the numbers.

OSX.RSPlug.A is not like a virus that can move from computer to computer. Instead, it requires users to intentionally install it. The application can, however, automatically launch and ask for the user's administrator name and password when downloaded with Safari thanks to the browser's "Open safe files" feature.

Disabling Safari's "Open safe files" feature will not only prevent this trojan horse from automatically running, it is also a good all around safety move. This excerpt from a 2006 TMO Quick Tip shows how:

One of Safari's features can automatically uncompress and open files and applications you download from the Internet. Unfortunately, that feature could potentially be abused by someone that wants to install an application on your Mac without your knowledge, so it's best to turn it off. Here's how:

  • Launch Safari.
  • Choose Safari > Preferences from the menu bar.
  • Click the General button.
  • Uncheck Open "safe" files after downloading.

Disabling "Open Safe Files" prevents applications from installing without your knowledge.

For now, this exploit appears to be limited to the subset of Web surfers that visit pornography Web sites, but that doesn't mean it won't be adapted for other sites as well. OSX.RSPlug.A takes advantage of the trusting nature many Web surfers have, and could just as easily appear on sites that offer what would otherwise seem to be legit TV show and movie downloads, or even family home videos.

Additional information about OSX.RSPlug.A is available at the Intego Web site.

Recent TMO Headlines - Updated November 20th

Wed, 8:18 AM
‘Settlers of Catan’ Could be Niantic’s Next AR Game
Wed, 6:36 AM
Tim Cook Talks Steve Jobs, Environment and Privacy at Salesforce Dreamforce
Tue, 5:48 PM
Apple TV+ Review: 'The Elephant Queen' - Beautifully Presented, Poignant
Tue, 3:55 PM
WT:Social is a New Social Network From WikiTribune
Tue, 3:20 PM
BONDIC Pocket 3D Liquid Plastic Welding Kit: $14.99
Tue, 2:28 PM
Dr Mac and the New Logitech Mouse – TMO Daily Observations 2019-11-19
Tue, 2:24 PM
Apple Partners With 100cameras for iPhoneography
Tue, 2:03 PM
Need the Tor Browser on iOS? Try Onion Browser
Tue, 11:20 AM
Apple's Very Parental App Store Decisions
Tue, 10:59 AM
The EU's Battle With Big Tech is Only Just Beginning
Tue, 10:57 AM
Did Apple Maps Forget Michigan’s Upper Peninsula?
Tue, 10:22 AM
Thousands of Disney+ Accounts Hacked and Being Sold Online
  • __________
  • Buy Stuff, Support TMO!
  • Podcast: Mac Geek Gab
  • Podcast: Apple Weekly Report
  • TMO on Twitter!