Intego reporting new OS X trojan horse in the wild
Ah, Halloween, when all the nasties come out. Just when you thought it was safe to go surfing again, Mac AV vendor Intego is reporting an OS X-specific Trojan horse showing up on some sites and forums. The bit of nasty, which Intego is calling OSX.RSPlug.A and other sources refer to as DNSchanger or Ultracodec/Zlob (Windows version), is delivered on the pretense of installing a QuickTime codec necessary to view adult videos. Once the .dmg is downloaded and the installer is run (with administrative permissions), rather than a new video codec you've got rogue DNS server settings plus a cron job that continually sets your DNS back to the bogus entries. Making matters worse, on Tiger the fake DNS settings are invisible in the Network system preference pane.

These fake DNS entries might mislead your machine to spyware sites (unlikely to affect your Mac), pay-per-click search engines (annoying but not dangerous), more pornography (potentially troublesome), or -- and this is really the problem -- Potemkin versions of financially sensitive sites like PayPal, eBay or banks, which would presumably capture your login credentials before handing you off to the genuine article.
While at least one unfortunate poster at Apple's support forum has been bitten by this malware, some simple precautions -- turning off "Open Safe Files" in Safari and, hmm, I dunno, not installing software downloaded from pornography sites -- will go a long way toward preventing the spread of this malware. Remember, a Trojan does not self-distribute; this code depends on user behavior as the vector of infection, so behave.
Update: Rob Griffiths at Macworld has posted helpful detection and removal instructions for the Trojan.
via MacTech
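The post describes two footprints this Trojan leaves on a machine: resolver entries pointing at servers you never configured, and a cron job that keeps putting them back. The following is an added example, not code from the post, from Intego, or from Macworld's removal instructions: a small audit script that parses resolver output in the shape `scutil --dns` prints on a Mac and a root crontab, and flags both footprints. All sample input is constructed; the resolver addresses use TEST-NET documentation ranges, the trusted-resolver list and the cron script path are placeholders, and the OpenDNS addresses are included only because commenters bring OpenDNS up.

```python
# Added example (not from the TUAW post or from Intego): audit a Mac for the two
# footprints the post describes, rogue resolver entries and a cron job that keeps
# re-applying them. Every sample below is constructed for the example.
import re

# Constructed sample in the shape `scutil --dns` prints on macOS. The 203.0.113.x
# addresses are TEST-NET placeholders standing in for whatever a rogue installer
# would set; they are not taken from the post.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  order   : 200000

resolver #2
  domain  : local
  options : mdns
"""

# Constructed sample root crontab. The first entry stands in for the
# "set DNS back every minute" job the post mentions; the script path is a
# placeholder, not the Trojan's real file name.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * /tmp/placeholder/reset_dns.sh
30 2 * * * /usr/sbin/networksetup -setdnsservers Ethernet 203.0.113.10
0 3 * * * /usr/sbin/periodic daily
"""

# Resolvers you expect to see. 192.0.2.53 is a TEST-NET placeholder for a home
# router; the other two are the OpenDNS addresses commenters on the post mention.
TRUSTED_RESOLVERS = {"192.0.2.53", "208.67.222.222", "208.67.220.220"}

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")
# Five schedule fields, then the command.
CRON_LINE_RE = re.compile(r"^\s*((?:\S+\s+){4}\S+)\s+(.+)$")
# Tools and files a job would use to rewrite resolver settings on a Mac.
DNS_TOOLS = ("networksetup", "setdnsservers", "scutil", "resolv.conf")


def configured_nameservers(scutil_output):
    """Return every nameserver address listed in `scutil --dns` output, in order."""
    return NAMESERVER_RE.findall(scutil_output)


def rogue_nameservers(scutil_output, trusted=TRUSTED_RESOLVERS):
    """Nameservers in the live resolver config that are not on the trusted list."""
    return [ns for ns in configured_nameservers(scutil_output) if ns not in trusted]


def suspicious_cron_entries(crontab_text):
    """Flag cron jobs that run every minute or that invoke DNS-changing tools.

    Returns a list of (command, reasons) tuples, one per flagged entry.
    """
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = CRON_LINE_RE.match(line)
        if not match:
            continue
        schedule, command = match.groups()
        minute = schedule.split()[0]
        reasons = []
        if minute == "*" or minute.startswith("*/"):
            reasons.append("runs every minute or every few minutes")
        if any(tool in command for tool in DNS_TOOLS):
            reasons.append("command rewrites DNS settings")
        if reasons:
            findings.append((command, reasons))
    return findings


def audit(scutil_output, crontab_text, trusted=TRUSTED_RESOLVERS):
    """Combine both checks into one report dict; empty lists mean a clean box."""
    return {
        "rogue_nameservers": rogue_nameservers(scutil_output, trusted),
        "suspicious_cron": suspicious_cron_entries(crontab_text),
    }


if __name__ == "__main__":
    # On a real Mac you would feed in the output of `scutil --dns` and
    # `sudo crontab -l`; here the constructed samples are used instead.
    report = audit(SAMPLE_SCUTIL_DNS, SAMPLE_CRONTAB)
    for ns in report["rogue_nameservers"]:
        print(f"unexpected resolver: {ns}")
    for command, reasons in report["suspicious_cron"]:
        print(f"suspicious cron job: {command!r} ({'; '.join(reasons)})")
```

Checking the live resolver configuration rather than the Network preference pane matters on Tiger, where the post notes the injected settings do not show up in the pane at all; the crontab check is what tells you the settings will come back after you fix them by hand.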



Reader Comments (Page 1 of 1)
thethirdmoose said 1:51PM on 10-31-2007
This isn't really a security issue. If you have to ENTER YOUR PASSPORT to install a "virus", then it's not really a virus, it's just an id-ten-t error.
Michael Rose said 1:53PM on 10-31-2007
Moose: "password" not "passport." And it's not a virus, it's a Trojan horse.
Malware that you install yourself is just as malicious as malware that sneaks onto your machine. The real difference is how hard you smack yourself on the forehead.
mds said 1:54PM on 10-31-2007
Trojans are always a security issue. And yes, it's not a virus – read the headline again!
Luigi193 said 1:55PM on 10-31-2007
If you install it, it isn't a virus...right??
Luigi193 said 2:04PM on 10-31-2007
Oops...sorry I BLAME THE MOOSE!
Ian Klier said 2:22PM on 10-31-2007
The bigger security risk to this is that once you can get a computer to use a malicious DNS server, you can then create or proxy popular sites (such as amazon, etc.) and snag logins, passwords, and any information entered. Granted, for HTTPS sites you would have to use a fake certificate, which will cause most browsers to alert the user, but if the user clicks through the alert they can still use the site while the malicious user records everything.
More info: Google MITM or Man-in-the-middle.
Chris P. said 2:25PM on 10-31-2007
The Internet and Pornography go together like white on rice.
We would still be content with dial-up modem speeds until this day, had the likes of Tia Carrera not inspired us to....excel and improve our communication mediums. ;)
dagamer34 said 2:27PM on 10-31-2007
Considering that you have to enter your password to give it full permission to wreak havoc on your system, OS X has not and probably never will be fully protected against idiots. There's not much you can do if the user WANTS to be dumb!
fdm said 2:43PM on 10-31-2007
Ummm, am I the only one who noticed that this is a picture of the HIV virus? Pornography and the internet aside... kind of weird.
Will said 2:49PM on 10-31-2007
Thankfully, the culture of most Mac software is to not need Admin rights to be installed, unlike, historically, Windows has been.
And hopefully this should be a lesson to folks to not trust pretty much anything that needs your admin password to install.
It would be nice if there was some way to know why a program needs admin rights, but as a rule I generally avoid any program (save updates from Apple) that need admin rights.
For example, I think Google Earth wants it for some unknown reason, but as soon as it asked I canceled and deleted the download, basically for fear that Google was going to "also" install some Google desktop or toolbar or some other horror on my machine.
The thing is, in the Windows world, I feel like every time I install a piece of software, I'm smoking a cigarette. Every new software install shortens the lifespan of the computer until I eventually have to reinstall the machine. Each software package is another nail in the coffin.
I don't get that feeling on the Mac, since I can simply (most of the time) delete the application from where it was installed, assuming I even installed it off of the Disk Image rather than just run it in place.
So, I'm always leery of any software that wants admin on my Mac, and I don't give it out freely.
Mo said 3:00PM on 10-31-2007
As always, the weakest link in the chain lies between the chair and the keyboard.
All the security measures in the world won't help ignorance and stupidity at the end of the day, assuming you still want to be able to do the things you can do now.
Mark 2000 said 3:11PM on 10-31-2007
Why do people still pay for or go out of their way for porn? Does usenet, bittorrent, limewire, pornotube, and youporn not have enough? Geez.
black milk said 6:57PM on 11-01-2007
Would having Little Snitch help prevent this... i.e. when something wants to make a TCP/UDP connection?
CL said 6:01PM on 10-31-2007
Just got me thinking: what will happen if I have OpenDNS set up on my router and get this bug on my computer, which DNS will it end up using?
Will said 6:13PM on 10-31-2007
#9 - It looks more like a generic virion rendering, especially the area where the gp120 proteins would be, which is not congruent with HIV.
Here's HIV...
http://www.lib.uiowa.edu/hardin/md/pictures22/cdc/948_AIDS02bbb_lores.jpg
Anyhoo...
Michael Rose said 9:23PM on 10-31-2007
CL: Even if your router is set for OpenDNS, this will change your resolver settings on the affected machine and it will not respect the router settings. Now, if you have your router set to block UDP port 53, that would effectively prevent your machine from contacting the bogus DNS servers... perhaps worth considering.
(01) said 10:35PM on 10-31-2007
Huh, less than a week after Leopard drops as well, go figure. I still figure that anyone who engages in this type of internet behavior deserves it, but it's brutal nonetheless.
apeguero said 7:04AM on 11-01-2007
I use my VMWare Fusion Vista session to view PR0N on my Mac. This way if I get a virus or something there then all I do is Zap that instance. Problem solved.
Rob Clark said 1:30PM on 11-01-2007
Relatively harmless? Maybe I'm a more cautious Mac user than most but if I recall correctly, a Trojan on any OS is a bad, dangerous thing.