Intego reporting new OS X trojan horse in the wild
Ah, Halloween, when all the nasties come out. Just when you thought it was safe to go surfing again, Mac AV vendor Intego is reporting an OS X-specific Trojan horse showing up on some sites and forums. The bit of nasty, which Intego is calling OSX.RSPlug.A and other sources refer to as DNSChanger or Ultracodec/Zlob (the Windows version), is delivered on the pretense of installing a QuickTime codec necessary to view adult videos. Once the .dmg is downloaded and the installer is run (with administrative permissions), rather than a new video codec you've got rogue DNS server settings plus a cron job that continually sets your DNS back to the bogus entries. Making matters worse, on Tiger the fake DNS settings are invisible in the Network system preference pane.
These fake DNS entries might mislead your machine to spyware sites (unlikely to affect your Mac), pay-per-click search engines (annoying but not dangerous), more pornography (potentially troublesome), or -- and this is really the problem -- Potemkin versions of financially sensitive sites like PayPal, eBay or banks, which would presumably capture your login credentials before handing you off to the genuine article.
While at least one unfortunate poster at Apple's support forum has been bitten by this malware, some simple precautions -- turning off "Open Safe Files" in Safari and, hmm, I dunno, not installing software downloaded from pornography sites -- will go a long way toward preventing the spread of this malware. Remember, a Trojan does not self-distribute; this code depends on user behavior as the vector of infection, so behave.
Update: Rob Griffiths at Macworld has posted helpful detection and removal instructions for the Trojan.
via MacTech
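The post names two symptoms a defender can check for without relying on the Network preference pane (which, as noted above, hides the entries on Tiger): resolver settings that no longer match what you expect, and a cron job that keeps putting them back. The script below is an added example written for this page, not code from TUAW, Intego or Macworld. It parses the text of `scutil --dns` (or `/etc/resolv.conf`) and of a root crontab, compares the configured resolvers against a trusted set (the LAN router and OpenDNS addresses here are assumptions), and flags every-minute cron jobs that either reference DNS-setting tools or run a program from outside the usual system paths. All sample text, IP addresses and file paths are constructed placeholders.

```python
"""Audit resolver settings and the root crontab for the two symptoms the post
describes: rogue DNS servers and a cron job that keeps resetting them.

Added example for this page; not from TUAW, Intego or Macworld.  On a live Mac
you would feed it the output of `scutil --dns` (or /etc/resolv.conf) and of
`sudo crontab -l`.  Everything embedded below is constructed sample data.
"""
import re
from dataclasses import dataclass

# Assumed trusted resolvers: a LAN router plus the two OpenDNS anycast addresses.
TRUSTED_RESOLVERS = {"192.168.1.1", "208.67.222.222", "208.67.220.220"}

# Constructed `scutil --dns` excerpt; the resolver IPs are TEST-NET placeholders.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 198.51.100.20
  order   : 200000

resolver #2
  domain  : local
  options : mdns
"""

# Constructed /etc/resolv.conf with one trusted and one unexpected server.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.10
"""

# Constructed root crontab: one normal maintenance job, one every-minute job
# running a script from a placeholder path outside the system directories.
SAMPLE_ROOT_CRONTAB = """\
# constructed sample root crontab
0 3 * * * /usr/sbin/periodic daily
* * * * * /Library/ExampleDropped/reset-dns.sh >/dev/null 2>&1
"""

# Matches both "nameserver[0] : 1.2.3.4" (scutil) and "nameserver 1.2.3.4" (resolv.conf).
_NAMESERVER_RE = re.compile(
    r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.MULTILINE)
# Tools and files a DNS-resetting job would have to touch.
_DNS_TOOL_RE = re.compile(r"\b(scutil|networksetup|resolv\.conf)\b", re.IGNORECASE)
# Executables under these prefixes are treated as part of the OS.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/etc/")


def parse_nameservers(text: str) -> list[str]:
    """Return the configured IPv4 resolvers, in order, without duplicates."""
    found: list[str] = []
    for ip in _NAMESERVER_RE.findall(text):
        if ip not in found:
            found.append(ip)
    return found


def untrusted_resolvers(nameservers, trusted=TRUSTED_RESOLVERS) -> set[str]:
    """Resolvers that are configured but not on the trusted list."""
    return set(nameservers) - set(trusted)


@dataclass
class CronJob:
    schedule: str
    command: str


def parse_crontab(text: str) -> list[CronJob]:
    """Split crontab lines into (schedule, command); skips comments, blanks and
    VAR=value lines.  @reboot-style shortcuts are ignored by this heuristic."""
    jobs: list[CronJob] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        jobs.append(CronJob(" ".join(parts[:5]), parts[5]))
    return jobs


def suspicious_cron_jobs(jobs) -> list[CronJob]:
    """Flag every-minute jobs that mention DNS tooling or run a non-system binary."""
    flagged = []
    for job in jobs:
        every_minute = job.schedule.split() == ["*"] * 5
        touches_dns = bool(_DNS_TOOL_RE.search(job.command))
        exe = job.command.split()[0]
        outside_system = exe.startswith("/") and not exe.startswith(SYSTEM_PREFIXES)
        if every_minute and (touches_dns or outside_system):
            flagged.append(job)
    return flagged


def audit(dns_text: str, crontab_text: str, trusted=TRUSTED_RESOLVERS) -> dict:
    """Combine both checks into one report; 'clean' is True only if nothing fired."""
    servers = parse_nameservers(dns_text)
    rogue = untrusted_resolvers(servers, trusted)
    jobs = suspicious_cron_jobs(parse_crontab(crontab_text))
    return {
        "resolvers": servers,
        "untrusted": sorted(rogue),
        "suspicious_cron": [f"{j.schedule} {j.command}" for j in jobs],
        "clean": not rogue and not jobs,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SCUTIL_DNS, SAMPLE_ROOT_CRONTAB).items():
        print(f"{key}: {value}")
```

The resolver check is the one that matters: a Mac whose resolvers are not the router's or a provider you chose is the condition the post warns about, regardless of what the cron heuristic says. The cron check is deliberately conservative (every-minute schedule plus a DNS tool or a non-system executable) so that routine maintenance jobs such as `periodic` are not flagged; treat a hit as something to inspect, not as proof of infection.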
Relatively harmless? Maybe I'm a more cautious Mac user than most, but if I recall correctly, a Trojan on any OS is a bad, dangerous thing.
November 01 2007 at 12:27 PM

I use my VMWare Fusion Vista session to view PR0N on my Mac. This way, if I get a virus or something there, all I do is zap that instance. Problem solved.
November 01 2007 at 6:59 AM

Huh, less than a week after Leopard drops as well, go figure. I still figure that anyone who engages in this type of internet behavior deserves it, but it's brutal nonetheless.
October 31 2007 at 10:35 PM

CL: Even if your router is set for OpenDNS, this will change your resolver settings on the affected machine and it will not respect the router settings. Now, if you have your router set to block UDP port 53, that would effectively prevent your machine from contacting the bogus DNS servers... perhaps worth considering.
October 31 2007 at 9:23 PM

#9 - It looks more like a generic virion rendering, especially the area where the gp120 proteins would be, which is not congruent with HIV.
Here's HIV...
http://www.lib.uiowa.edu/hardin/md/pictures22/cdc/948_AIDS02bbb_lores.jpg
Anyhoo...
Just got me thinking: what will happen if I have OpenDNS set up on my router and get this bug on my computer? Which DNS will it end up using?
October 31 2007 at 6:01 PM

Would having Little Snitch help prevent this... i.e., when something wants to make a TCP/UDP connection?
October 31 2007 at 5:34 PM

Why do people still pay for or go out of their way for porn? Do Usenet, BitTorrent, LimeWire, PornoTube, and YouPorn not have enough? Geez.
October 31 2007 at 3:11 PM

As always, the weakest link in the chain lies between the chair and the keyboard.
All the security measures in the world won't help ignorance and stupidity at the end of the day, assuming you still want to be able to do the things you can do now.
Thankfully, the culture of most Mac software is to not need admin rights to be installed, unlike what has historically been the case on Windows.
And hopefully this should be a lesson to folks to not trust pretty much anything that needs your admin password to install.
It would be nice if there was some way to know why a program needs admin rights, but as a rule I generally avoid any program (save updates from Apple) that needs admin rights.
For example, I think Google Earth wants it for some unknown reason, but as soon as it asked I canceled and deleted the download, basically for fear that Google was going to "also" install some Google Desktop or toolbar or some other horror on my machine.
The thing is, in the Windows world, I feel like every time I install a piece of software, I'm smoking a cigarette. Every new software install shortens the lifespan of the computer until I eventually have to reinstall the machine. Each software package is another nail in the coffin.
I don't get that feeling on the Mac, since I can simply (most of the time) delete the application from where it was installed, assuming I even installed it off of the disk image rather than just running it in place.
So, I'm always leery of any software that wants admin on my Mac, and I don't give it out freely.