A trojan for your Mac? OSX.RSPlug.A

New for your Halloween enjoyment is the OSX.RSPlug.A Trojan Horse, in the wild for OSX.

So, let’s see what really happens here. The “social engineering” part has been seen a million times – an unsuspecting user visits a web site with a movie on it, however, he needs to download a new codec in order to view it. On Windows, that new codec is typically a PE executable, for Mac the bad guys prepared a DMG archive (DMG files are like ISOs). The user is then prompted to install the package and during this process he will have to supply the administrator credentials. Yep, it’s game over from this point in time (and the attack is exactly the same as on Windows – keep in mind that these users *will* willingly supply these credentials. … [1]

A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:
Quicktime Player is unable to play movie file.
Please click here to download new version of codec. … [2]

The old “tricked by a fake porn codec” routine.

Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)
The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server. [2]

The DNS servers the Trojan installs are currently [1]:
s1=85.255.116.71
s2=85.255.112.63
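The two mechanisms Intego describes, rewriting the resolver list with scutil and a root crontab that re-applies it every minute, are both visible from the command line, so a quick audit can flag them. The script below is an added example, not code from the original post, SANS or Intego; the two DNS addresses come from the post, while the allowlist argument, the function names and the sample inputs in comments are assumptions or constructed data.

```shell
#!/bin/sh
# Added example; not from the original post, SANS or Intego.
# Known-bad resolver addresses quoted in the post for OSX.RSPlug.A.
RSPLUG_DNS="85.255.116.71 85.255.112.63"

# Read `scutil --dns`-style output on stdin and print one line per resolver
# address that is either a known RSPlug server or absent from the
# space-separated allowlist passed as $1 (assumed caller-supplied).
# Duplicate addresses are reported once, in input order.
check_dns() {
  allowed="$1"
  awk -F': ' '/nameserver\[/ && !seen[$2]++ {print $2}' | while read -r ns; do
    case " $RSPLUG_DNS " in
      *" $ns "*) echo "KNOWN_BAD $ns"; continue ;;
    esac
    case " $allowed " in
      *" $ns "*) ;;
      *) echo "UNEXPECTED $ns" ;;
    esac
  done
}

# Read a crontab on stdin and print every entry scheduled each minute,
# the persistence pattern Intego describes for the root crontab.
check_cron() {
  awk '$1=="*" && $2=="*" && $3=="*" && $4=="*" && $5=="*"'
}

# Live audit of the local Mac (root needed to read root's crontab).
# Constructed input for a dry run:  printf '  nameserver[0] : 10.0.0.53\n' | check_dns "192.168.1.1"
audit_mac() {
  scutil --dns | check_dns "$1"
  crontab -u root -l 2>/dev/null | check_cron
}
```

A hit from check_dns that the GUI does not show (Intego notes 10.4 hides it and 10.5 only dims it) is exactly the case this trojan creates.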

The guys at SunbeltBLOG submitted a copy to VirusTotal for analysis; at that time none of the scanners detected the trojan.

[1] DNS changer Trojan for Mac (!) in the wild (2007-NOV-01) [SANS]
[2] OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers (2007-OCT-30) [INTEGO]
[3] Trojan Horse warning: What you need to know (2007-OCT-31) [MacWorld]
[4] Mac trojan in the wild (2007-OCT-31) [BoingBoing]
