New Trojan Horse targets Mac users
New Trojan Horse targets Mac users
By Jim Dalrymple
Security research company Intego on Monday issued a security alert about a new Trojan Horse called OSX.RSPlug.A that specifically targets Mac users. The Trojan is a form of DNSChanger that changes the Mac’s Domain Name Server (DNS) address.
According to Intego, the Trojan has been found on several pornographic Web sites. When trying to view a movie, the user is told that “Quicktime Player is unable to play movie file. Please click here to download new version of codec.” Read more...
[Via Macworld]
_______________________________________________________________
Trojan Horse warning: What you need to know
How to detect—and remove—the OSX.RSPlug.A Trojan Horse
By Rob Griffiths
As you may have read, a new piece of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a virus—it can’t self-propagate from one machine to another. It is, however, definitely malicious, and it’s packaged in a well-designed trojan horse wrapper.
Your machine could be infected if you’ve recently gone looking for some, um, less-than-flattering pictures of Britney Spears. Thinking you’ve found what you’re looking for, you click a video to watch it, only to see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer which asks for your admin password.
Rule #1: Do
not install software from untrusted sources, especially if that software comes as an installer package and requests your administrator’s password! However, if you do proceed to run the installer, here’s what will happen:
- Sorry, but you won’t be able to watch those videos, as no codec was installed.
- Your DNS will be changed to point to malicious DNS machines. What this means is that even if you type www.apple.com in your browser’s URL area, you may be taken there, to a phishing “clone” of that site, or to another site completely—such as a porn site. Where you wind up depends solely on how the malicious DNS machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may be dire.
- A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.
This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show commercials from the upcoming Super Bowl. Because this thing may spread to other such sites, we spent some time investigating the trojan—no, not its source sites!—to determine the best way to tell if you’ve been infected, as well as how to remove the software if you do find it on your machine. Read more...
[Via Macworld]
