31 October 2007 @ 19:05
Caution: A Little Perspective

If you can get some unsuspecting user, on any operating system, to install your software, you can gain complete control of their computer.

There is a grey zone between trusting third-party developers and trusting any third party at all (to the point of installing a trojan).

Everyone should exercise caution when it comes to installing anything, especially something that asks for administrator authentication. You should ask yourself, “Why does this installer need an administrator password?”

In many cases, the tools necessary to check the installer you just downloaded are right there in your Utilities folder. You can right-click the package and choose “Show Package Contents”. Then navigate to “Contents/Resources/” and open the preflight and postflight files in a text editor. Look for anything suspicious, in particular commands that have nothing to do with what the installer claims to do. If you are not sure what it all means, there are plenty of forums and communities on the internet that can help you understand. The other thing you can do is drag the package onto Installer.app, then in the menu bar select “Show Files”. This will show you every file that the Installer is installing and where it is to be installed. Again, if it doesn’t make sense, just ask someone.
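The same check, scripted, as an added example that is not part of the original post: it reads the preflight/postflight scripts of an old-style bundle .pkg and reports any non-comment line that calls a command or touches a path a simple codec installer has no reason to use. The function name and the pattern list are assumptions, and the package it inspects is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). audit_pkg_scripts is a hypothetical
# helper; SUSPECT_RE is a constructed, deliberately conservative pattern list.
# Portable ERE (no \b) so it behaves the same with GNU and BSD grep.
SUSPECT_RE='(^|[^[:alnum:]_])(crontab|scutil|networksetup|launchctl|curl|wget)([^[:alnum:]_]|$)|/etc/resolv\.conf|/Library/Internet Plug-Ins'

# Usage: audit_pkg_scripts /path/to/Something.pkg
# Prints "script:line:text" for every non-comment line matching SUSPECT_RE.
# Returns 0 when nothing matched, 1 when at least one suspicious line was found.
audit_pkg_scripts() {
    pkg="$1"; found=0
    for name in preflight postflight preinstall postinstall; do
        f="$pkg/Contents/Resources/$name"
        [ -f "$f" ] || continue
        # Number the lines first, then drop comment lines, so reported numbers stay right.
        hits=$(grep -n '' "$f" | grep -vE '^[0-9]+:[[:space:]]*#' | grep -E "$SUSPECT_RE" || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|$name:|"
        fi
    done
    return $found
}

# Constructed sample package: a harmless preflight, and a postflight that drops a
# file into the plug-in folder and installs a root crontab (the scripts are only
# read here, never executed).
SAMPLE_PKG="$(mktemp -d)/FakeCodec.pkg"
mkdir -p "$SAMPLE_PKG/Contents/Resources"
cat > "$SAMPLE_PKG/Contents/Resources/preflight" <<'EOF'
#!/bin/sh
# make sure there is free space before installing
df -k / >/dev/null
EOF
cat > "$SAMPLE_PKG/Contents/Resources/postflight" <<'EOF'
#!/bin/sh
# the word crontab in this comment must not be reported
cp "$1/Contents/Resources/plugins.settings" "/Library/Internet Plug-Ins/"
crontab "$1/Contents/Resources/root.cron"
EOF

# Expected for the sample: postflight:3:... and postflight:4:..., nothing from preflight.
audit_pkg_scripts "$SAMPLE_PKG" || echo "suspicious install script lines found, do not install"
```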

by Jon | Tags: apple, exploits, hack, mac, malware, security


31 October 2007 @ 16:20
OSX.RSPlug.A Trojan Horse for Mac OS X

Intego is reporting that there is a Mac OS X trojan on some porn sites that is masquerading as a video codec installer for QuickTime.

OSX.RSPlug.A (also known as OSX_DNSCHAN.A) is being distributed as a DMG which contains an installer package. Once the installer is run with administrator privileges, the computer’s DNS settings are altered to point at a rogue DNS server that directs victims to phishing sites. What this means is that the unsuspecting victim can type the URL of a legitimate site, such as eBay or PayPal, into their browser’s address bar, but instead of reaching that site, the rogue DNS server sends them to a malicious one, all while the legitimate URL is still shown in the browser bar.

This is particularly bad, in my opinion, as most casual users will never know that anything has changed their network settings. On the other hand, this trojan requires a good bit of user interaction for it to cause any harm. What must the user do in order to become a victim?

  1. Visit an unsavory website.
  2. Agree to download something from an untrusted site.
  3. Double-click the installer package.
  4. Enter their administrator name and password.

This is not a simple drive-by infection, but a malicious site that uses social engineering to get users to install malicious software.
My advice once again is to NEVER install or open any files from untrusted sources or questionable web sites.

To check for and remove hijacked DNS settings, first navigate to “/Library/Internet Plug-Ins/” and delete plugins.settings if it exists.

Then check your root crontab by typing the following command in the Terminal and pressing return followed by your administrator password (the first half of the command saves a copy of the root crontab to rootcrontab.txt in your Home folder, which you will need if you choose the second removal option below):

sudo crontab -l > ~/rootcrontab.txt; sudo crontab -l

If you see something like this (or anything that you know shouldn’t be there):

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

You can remove the entire root crontab by typing the following command in the Terminal and pressing return followed by your administrator password (if asked):

sudo crontab -r

Alternatively, you may open the rootcrontab.txt that is in your Home folder, remove the offending line and leave the legitimate lines, save the file, and type the following command in the Terminal and press return followed by your administrator password (if asked):*

sudo crontab ~/rootcrontab.txt

Now you should check that the DNS servers the system is actually using (as reported by scutil) match the ones in your Network settings. Type scutil in the Terminal and press Return, then at the scutil prompt type:

show State:/Network/Global/DNS

Now go to the DNS settings in the Network Preference Pane and see if there are additional addresses in the scutil list that are not in your DNS settings in the Network Preference Pane. If so, delete all of the addresses in the DNS settings in the Network Preference Pane and re-enter only the ones that you know are legitimate. Type exit at the scutil prompt to leave scutil.

Now you should reboot and check the above items again — be sure that there is nothing in your root crontab and be sure that scutil corresponds with the DNS settings in the Network Preference Pane.

* If you are more comfortable using sudo crontab -e, please do so, but for the non-geeky, the vi editor can be confusing at first.
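The two checks from the clean-up steps above (root crontab entries pointing into /Library/Internet Plug-Ins, and resolvers reported by scutil that are not in the Network preference pane), as an added example that is not part of the original post. The function names are assumptions, and both inputs are constructed samples so it runs offline; on a real Mac you would feed it the output of sudo crontab -l and of scutil instead.

```shell
#!/bin/sh
# Added example (not from the original post); find_cron_hijack and dns_not_in_prefs
# are hypothetical helpers. Live inputs on a Mac (assumption, untested here):
#   sudo crontab -l                                  -> root crontab
#   echo 'show State:/Network/Global/DNS' | scutil   -> resolvers in use
# plus the server list shown in the Network preference pane.

# Print non-comment root-crontab lines that run anything from /Library/Internet
# Plug-Ins or reference plugins.settings (the persistence line shown in the post).
find_cron_hijack() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*#' \
        | grep -E '/Library/Internet Plug-Ins|plugins\.settings' || true
}

# Arg 1: output of "show State:/Network/Global/DNS"; arg 2: space-separated
# servers configured in the Network pane. Prints each resolver actually in use
# that is not in the configured list (an empty result means they correspond).
dns_not_in_prefs() {
    state="$1"; prefs=" $2 "
    printf '%s\n' "$state" \
        | awk '/ServerAddresses/ {inarr=1; next}
               inarr && /}/ {inarr=0}
               inarr && $1 ~ /^[0-9]+$/ {print $3}' \
        | while read -r addr; do
            case "$prefs" in
                *" $addr "*) ;;              # configured by the user: fine
                *) printf '%s\n' "$addr" ;;  # injected resolver
            esac
          done
}

# Constructed samples: a root crontab with one legitimate entry plus the hijack
# line, and a scutil dictionary (format as printed by scutil) with one extra resolver.
SAMPLE_CRONTAB='# nightly maintenance
30 3 * * * /usr/sbin/periodic daily
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'
SAMPLE_SCUTIL='<dictionary> {
  DomainName : home.example
  ServerAddresses : <array> {
    0 : 192.168.1.1
    1 : 203.0.113.53
  }
}'

echo "Suspicious root crontab lines:"; find_cron_hijack "$SAMPLE_CRONTAB"
echo "Resolvers in use but not in Network settings:"; dns_not_in_prefs "$SAMPLE_SCUTIL" "192.168.1.1"
```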

by Jon | Tags: exploits, mac, malware, security

31 October 2007 @ 16:05
Wireless Uploading With Your Digital Camera

If you have a digital camera with an SD card slot, and have dreamed about wirelessly uploading your digital photos to a website, then dream no more. Eye-Fi is just that.

Whenever you are within an open Wi-Fi network, you can upload your photos to many photo sharing and printing sites including Fotki, Shutterfly, dotPhoto, webshots, phanfare, Picasa Web albums, flickr, TypePad, Wal-Mart, snapfish, VOX, smugmug, facebook, photobucket, Kodak Gallery, and Sharpcast.

I know someone already who would love this.

You can pick one up at Amazon.

by Jon | Tags: hardware, photography

30 October 2007 @ 9:22
Two Million Copies of Leopard Sold

In a press release today,

Apple® today announced that it sold (or delivered in the case of maintenance agreements) over two million copies of Mac OS® X Leopard since its release on Friday, far outpacing the first-weekend sales of Mac OS X Tiger, which was previously the most successful OS release in Apple’s history.

by Jon | Tags: apple, mac

30 October 2007 @ 8:32
Goodbye, Sherlock. We Won’t Miss You

Sherlock is no more in Leopard. Even if you perform an upgrade to Leopard, Sherlock will be removed.

I haven’t used Sherlock in years, so it will not be of any consequence to me. I did just now fire it up on a 10.4 machine to see what I may have been missing. The conclusion — nothing.

by Jon | Tags: apple, mac
