Filed under: Security
New variant of RSPlug trojan making the rounds

Our friends at Intego sent out an alert this morning, warning users about a new variant of the RSPlug trojan horse, found on several adult websites. The risk to users is classified as "medium."
RSPlug trojans, a form of DNSChanger, alter the Mac's local DNS settings so that requests for banking, PayPal and eBay sites are redirected to phishing pages. All of these trojans have to be downloaded deliberately by the user, and an administrator password must be supplied before they can install.
When visiting certain sites, the user is alerted that there is a "Video ActiveX Object Error" and is told that their "Browser cannot play this video file." The alert instructs the user to download the "missing Video ActiveX Object." If the user clicks OK, a disk image called "cleanlive.dmg" downloads (which may change in the future). Depending on the user's browser settings, this disk image may mount and installation may automatically start.
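As an added example (not from the article or from Intego), here is a small defender's check in the spirit of the DNS tampering described above: it parses the `nameserver[n]` lines from `scutil --dns` output and flags any resolver that is not on an allowlist of the resolvers you actually configured. The allowlist addresses and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or Intego): flag DNS resolvers that
# differ from the ones you configured. DNSChanger-style trojans such as
# RSPlug work by rewriting local DNS settings, so an unexpected resolver
# is a cheap, high-signal indicator of that tampering.

# Assumption: the Mac should only use its home router and one public resolver.
EXPECTED_RESOLVERS="192.168.1.1 1.1.1.1"

# Constructed sample of `scutil --dns` output. 203.0.113.7 is a TEST-NET-3
# documentation address standing in for a resolver nobody configured.
SAMPLE_SCUTIL_OUTPUT='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns'

# Reads scutil --dns text on stdin, prints each unexpected resolver once,
# and returns 1 if any was found (0 when every resolver is on the allowlist).
flag_unexpected_resolvers() {
    found=0
    # Extract the address from every "nameserver[n] : addr" line, deduplicated.
    for ns in $(sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' | sort -u); do
        case " $EXPECTED_RESOLVERS " in
            *" $ns "*) ;;                                  # allowlisted
            *) echo "unexpected resolver: $ns"; found=1 ;;
        esac
    done
    return $found
}

# Runs the check over the constructed sample and prints only the addresses.
unexpected_in_sample() {
    printf '%s\n' "$SAMPLE_SCUTIL_OUTPUT" | flag_unexpected_resolvers |
        sed 's/^unexpected resolver: //'
}

# On a real Mac: scutil --dns | flag_unexpected_resolvers
unexpected_in_sample
```

Running it on a live machine instead of the sample is just `scutil --dns | flag_unexpected_resolvers`; a non-zero exit means at least one resolver you did not configure is in use.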
Intego VirusBarrier X5 users are, as you might imagine, already protected. Updating your virus definitions today will improve detection.
And, as always, be careful where you put your mouse online.

Reader Comments (Page 1 of 2)
Flunky Carter said 12:35PM on 11-18-2008
If perian/vlc won't play it... chances are that it's a fake!
RazorD said 12:48PM on 11-18-2008
This brings up a good point though, I don't have any anti virus software on my mac, would you guys recommend Intego VirusBarrier X5?
Beanie said 12:50PM on 11-18-2008
No. I don't know anyone who uses any kind of virus protection for the Mac. Just keep in mind what you are downloading and don't put your password in for admin privileges if you aren't sure. As simple as that. Nothing can run without a password entered while running as admin in OS X.
sam said 1:12PM on 11-18-2008
I like to run a combo of security software. I have 3 firewall programs including the built in firewall, two virus scanners that run in the background, and two programs I use to scan files when I download them.
You just have to remember when you install software that has to use a specific port that you need to open up that port in all 3 firewalls and write a script that will open it up in the system firewall after every reboot (because the setting won't stick).
Beyond this, I don't leave my computer plugged into the net for more than a few minutes at a time for fear of getting pwned. I am behind 10 levels of NAT routers just for extra safety.
Nah, I'm just kidding - I don't use Windows anymore. Welcome to the 21st century!
Aman Patel said 10:11AM on 11-19-2008
I recommend ClamXav. It's free and works quite well.
http://www.clamxav.com/
Matthew Hillyer said 12:50PM on 11-18-2008
Why did they choose ActiveX tho for an error. I mean... why not say you are missing a safari/ff plugin, or a qt plugin...
If you are gonna try to trick me, then dammit put some effort into it.
2shae said 1:42PM on 11-18-2008
Probably because they try to reach the recent Windows switchers who might be used to seeing the word ActiveX.
Just_a_guy said 1:38PM on 11-18-2008
that's why I use "no script" on firefox :)
balls said 1:59PM on 11-18-2008
+1
autoy said 1:42PM on 11-18-2008
Yes, big WTF @ ActiveX. Laughable.
Simon Arch said 1:42PM on 11-18-2008
Intego? Let me know when someone reputable reports this.
Shunnabunich said 1:57PM on 11-18-2008
Here comes a fresh barrage of Stockholm Syndrome victims citing this as "evidence" that OS X is "just as insecure" as Windows. If my eyes were rolling any harder they'd pop out of their sockets.
balls said 1:59PM on 11-18-2008
Which version of OS X and which version of Windows?
Shunnabunich said 2:12PM on 11-18-2008
Exactly.
manny0 said 1:05PM on 11-30-2008
Wait.... you guys have anti virus for OSX?
Fannar said 3:30PM on 11-18-2008
Well, isn't Intego themselves just producing these "viruses" ? Or at least paying someone to make them so they can sell more of their products. Just a thought.
darwiniandude said 3:38PM on 11-18-2008
OK, so what's the URL? I want to know what happens if you click Annuler. :)
brian said 3:40PM on 11-18-2008
I'm happy with Apple's security overall but having "Open 'safe' files after downloading" checked by default in Safari is just dumb, dumb, dumb. They even put the word "safe" in quotes--they KNOW there's no such thing as an always-safe filetype!
Laurence said 4:12PM on 11-18-2008
darwinian, anuller is French for cancel, so I'm guessing the person who took the screenshot is French ;)
I work for an Apple reseller in Australia, and we sell Intego products. Almost nobody buys them (although the paranoid ones still do) after I explain to them how the admin password works: if your computer asks you for a password, it's modifying how the computer works. If you're not a) installing software, or b) unlocking a system preference pane, cancel immediately, cos something fishy is going on.
Laurence said 4:14PM on 11-18-2008
In other news, I can't spell annuler correctly.