OSX.RSPlug.A Trojan Horse out

Giaguara

Beware, a trojan for OS X is out. Link

a new piece of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a virus—it can’t self-propagate from one machine to another. It is, however, definitely malicious, and it’s packaged in a well-designed trojan horse wrapper. [..]

It can get installed looking at videos (porn or other); you click a video to watch it, and see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer which asks for your admin password.

"Sorry, but you won’t be able to watch those videos, as no codec was installed."

Your DNS will be changed to point to malicious DNS machines. What this means is that even if you type www.apple.com in your browser’s URL area, you may be taken there, to a phishing “clone” of that site, or to another site completely—such as a porn site. Where you wind up depends solely on how the malicious DNS machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may be dire.
A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.

More and how to remove here.
Nothing to worry though as long as you don't install software from odd places - especially those that use an installer and ask for your admin password.
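The two symptoms the post describes (resolvers pointed at unfamiliar servers, plus a cron job firing every minute to put them back) can be checked for mechanically. The script below is an added example, not part of the thread or of Intego's tooling; it works on constructed resolv.conf-style and crontab-style text, the allowlisted resolver addresses and the cron command path are placeholders, and on a live machine you would feed it your actual DNS configuration and the output of crontab -l.

```python
"""Added example: flag unexpected DNS resolvers and once-a-minute cron jobs."""
import re

# Constructed sample standing in for the resolver config of an affected machine.
SAMPLE_RESOLV_CONF = """\
# Generated automatically
nameserver 192.0.2.53
nameserver 192.0.2.54
search example.invalid
"""

# Constructed sample crontab; the last line mimics a per-minute job (placeholder path).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup --nightly
* * * * * /Library/Placeholder/dns-reset.sh >/dev/null 2>&1
"""

# Resolvers the administrator expects to see (placeholder values, assumption).
EXPECTED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}

def unexpected_resolvers(resolv_conf, expected=EXPECTED_RESOLVERS):
    """Return nameserver entries that are not on the allowlist."""
    found = []
    for line in resolv_conf.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m and m.group(1) not in expected:
            found.append(m.group(1))
    return found

def per_minute_jobs(crontab):
    """Return commands whose five schedule fields are all '*' (runs every minute)."""
    jobs = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and all(f == "*" for f in fields[:5]):
            jobs.append(fields[5])
    return jobs

def assess(resolv_conf, crontab):
    """Both findings together are the pattern the post describes."""
    bad_dns = unexpected_resolvers(resolv_conf)
    jobs = per_minute_jobs(crontab)
    return {"unexpected_resolvers": bad_dns, "per_minute_jobs": jobs,
            "matches_pattern": bool(bad_dns) and bool(jobs)}

if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV_CONF, SAMPLE_CRONTAB))
```

A per-minute job on its own is not proof of anything; the point is that a rogue resolver which keeps coming back after you correct it is what the cron entry explains.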
 
Well, right now it's being used for some "racy" websites and yes, you have to be very foolish to have your system compromised by this. But I have to wonder with unpatched sites still having cross-site-scripting (XSS) issues if it's still possible to visit a legitimate site that had been compromised by a XSS vulnerability and then have something posing as a legitimate application being downloaded into your Mac. I'm sure by that time Apple would have patched it (or so I hope), but it's still something to be wary of.
 
That's what I'm worried about, too. If this got onto YouTube or something, it would make a real mess.

From what I know so far, though, it doesn't make me worry about OS X's security. Like I've always said, if you can write applications for an OS, you can write malware. That's the bottom line. Trojan horses will always be possible. So common sense must always be applied.

Having said that, how many of us have never entered our admin password for an installer we downloaded? I'm guessing zero. I think the biggest threat to OS X's security is the fact that people are conditioned to enter their admin password when asked. It's something that needs to be done fairly often, so people are not as wary about it as they should be. To make matters worse, it is rarely explained WHY admin privileges are needed.

I'm not sure if there's really anything Apple could do about this, but it's a problem.
 
Luckily I haven't been searching for pictures of Britney Spears or anything else like that, so I guess I'm fine. And since it doesn't spread, I don't think there's really anything to worry about.
 
Spreading isn't exactly the only thing that can happen. I wonder if this virus has a back door/zombie component?
 
So basically, if you ain't stupid, you've got nothing to worry about. :)
We are all sensible Mac users are we not? Surely no-one is going to be fooled by such a scam?

How about coming back a bit squiffy from the 'pub/bar/opium den' at one in the morning, and instead of being sensible and going to bed, decide to do some eBay shopping or watching YouTube videos of Dubya making an ass of himself?

As Nixgeek & Mikuro stated, just because this virus seems to be associated with porn sites right now, doesn't mean that it will stay contained within that genre of web viewing.

My point is that users may not always make sensible decisions when it comes to Mac security.

Or am I just speaking for myself here?
 
Yeah, but really. If youtube suddenly asked you to install a "codec", would you? I'm not sure.
 
Yeah, but really. If youtube suddenly asked you to install a "codec", would you? I'm not sure.
Not now I wouldn't, thanks to personal experience and this forum's educational input over two years. But if I was a relatively new user? Well I'm not sure.
 
Would I? Probably not. But would other reasonable people? Yes, I think so.

To me, it would seem a little fishy, so I would investigate. But most exploits, on all platforms, target people who are NOT experts, who do NOT know what's "normal". Let's not confuse inexperience with stupidity.

Reasonable people sometimes get conned in the real world, too.

Now, trusting something from some random porn site...well, that is a bit stupid. :p

Actually, I thought of something Apple could do to alleviate this problem a bit: always provide a complete list of items any .pkg file will install. It should not be up to the pkg author to decide what details the user has access to. It wouldn't be a complete solution (since you can't expect users to understand what a file does just by its name, location, and geeky data like permissions), but it would help, anyway.

I occasionally use Pacifist to peek inside packages before installing, but I really shouldn't need to, and I certainly can't expect typical users to.
 
As you said: It wouldn't help. Think of it this way: A malicious developer of malware certainly wouldn't call the code he's trying to get installed "this.will.delete.all.your.files.app", but rather he'd talk about a codec and he'd _call_ it a codec. Maybe even with some humour. A DivXXX-codec for the porn-site, maybe. ;) But quite certainly, showing what a package installs wouldn't necessarily help. Even _if_ Apple would make package installation completely safe, the malicious developer then simply wouldn't _use_ Apple's package-installer. There's other ways to install stuff.
 