OSX.RSPlug.A Trojan Horse out

**Giaguara** · #1 October 31st, 2007, 04:47 PM

Beware, a trojan for OS X is out. Link

Quote:

a new piece of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a virus—it can’t self-propagate from one machine to another. It is, however, definitely malicious, and it’s packaged in a well-designed trojan horse wrapper. [..]

It can get installed looking at videos (porn or other); you click a video to watch it, and see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer which asks for your admin password.

"Sorry, but you won’t be able to watch those videos, as no codec was installed."

Your DNS will be changed to point to malicious DNS machines. What this means is that even if you type www.apple.com in your browser’s URL area, you may be taken there, to a phishing “clone” of that site, or to another site completely—such as a porn site. Where you wind up depends solely on how the malicious DNS machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may be dire.
A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.

More and how to remove here.
Nothing to worry though as long as you don't install software from odd places - especially those that use an installer and ask for your admin password.

**fryke** · #2 October 31st, 2007, 05:28 PM

So basically, if you ain't stupid, you've got nothing to worry about.

**Giaguara** · #3 October 31st, 2007, 05:48 PM

Yep

nixgeek · #4 November 1st, 2007, 10:54 AM

Well, right now it's being used for some "racy" websites and yes, you have to be very foolish to have your system compromised by this. But I have to wonder with unpatched sites still having cross-site-scripting (XSS) issues if it's still possible to visit a legitimate site that had been compromised by a XSS vulnerability and then have something posing as a legitimate application being downloaded into your Mac. I'm sure by that time Apple would have patched it (or so I hope), but it's still something to be wary of.

Mikuro · #5 November 1st, 2007, 11:10 AM

That's what I'm worried about, too. If this got onto YouTube or something, it would make a real mess.

From what I know so far, though, it doesn't make me worry about OS X's security. Like I've always said, if you can write applications for an OS, you can write malware. That's the bottom line. Trojan horses will always be possible. So common sense must always be applied.

Having said that, how many of us have never entered our admin password for an installer we downloaded? I'm guessing zero. I think the biggest threat to OS X's security is the fact that people are conditioned to enter their admin password when asked. It's something that needs to be done fairly often, so people are not as wary about it as they should be. To make matters worse, it is rarely explained WHY admin privileges are needed.

I'm not sure if there's really anything Apple could do about this, but it's a problem.