OSX.RSPlug.A Trojan Horse for Mac OS X
31 October 2007 @ 16:20

Intego is reporting that there is a Mac OS X trojan on some porn sites that is masquerading as a video codec installer for QuickTime.

OSX.RSPlug.A (also known as OSX_DNSCHAN.A) is being distributed as a DMG which contains an installer package. Once the installer is run with administrator privileges, the computer's DNS settings are altered to point it at a rogue DNS server that directs it to phishing sites. What this means is that the unsuspecting victim can find themselves typing URLs of legitimate sites, such as eBay or PayPal, into their browser's address bar, but instead of going to that site, the rogue DNS server will send them to a malicious site, all while the user still sees the legitimate URL in their browser bar.

This is particularly bad, in my opinion, as most casual users will never know that anything has changed their network settings. On the other hand, this trojan requires a good bit of user interaction for it to cause any harm. What must the user do in order to become a victim?

  1. Visit an unsavory website.
  2. Agree to download something from an untrusted site.
  3. Double-click the installer package.
  4. Enter their administrator name and password.

This is not a simple drive-by infection, but a malicious site that uses social engineering to get users to install malicious software.
My advice once again is to NEVER install or open any files from untrusted sources or questionable web sites.

To check for and remove hijacked DNS settings, first navigate to “/Library/Internet Plug-Ins/” and delete plugins.settings if it exists.

Then check your root crontab by typing the following command in the Terminal and pressing return followed by your administrator password:

sudo crontab -l > ~/rootcrontab.txt; sudo crontab -l

If you see something like this (or anything that you know shouldn’t be there):

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

You can remove the entire root crontab by typing the following command in the Terminal and pressing return followed by your administrator password (if asked):

sudo crontab -r

Alternatively, you may open the rootcrontab.txt that is in your Home folder, remove the offending line and leave the legitimate lines, save the file, and type the following command in the Terminal and press return followed by your administrator password (if asked):*

sudo crontab ~/rootcrontab.txt

Now check that your Network preferences and scutil agree: type scutil in the Terminal, press Return, and then enter:

show State:/Network/Global/DNS

Now go to the DNS settings in the Network Preference Pane and see if there are addresses in the scutil list that are not in your DNS settings in the Network Preference Pane. If so, delete all of the addresses in the DNS settings in the Network Preference Pane and re-enter only the ones that you know are legitimate. Type exit in the Terminal to leave scutil.

Now you should reboot and check the above items again — be sure that there is nothing in your root crontab and be sure that scutil corresponds with the DNS settings in the Network Preference Pane.

*If you are more comfortable using sudo crontab -e, please do so, but for the non-geeky, the vi editor can be confusing at first.
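As an added example (this is not code from the original post, and not Intego's or anyone else's published tool), the following POSIX shell script automates the two manual checks above: it flags and strips crontab lines that reference plugins.settings, and it parses the ServerAddresses list from scutil's DNS dictionary and reports any resolver that is not in a trusted list you supply. The crontab and scutil text it runs against are constructed samples embedded in the script, and the IP addresses in them are documentation-range placeholders rather than real indicators, so the script runs offline on any system.

```shell
#!/bin/sh
# Added example (not from the original post): detection and clean-up helpers
# for the root crontab and scutil DNS checks, run here against constructed
# sample data. On a real Mac, feed it the output of `sudo crontab -l` and
# `scutil` instead (see the usage note below).

# Constructed sample root crontab: one legitimate job plus the RSPlug-style
# entry quoted in the post.
SAMPLE_CRONTAB='# nightly backup (legitimate, constructed)
0 2 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'

# Constructed sample of `show State:/Network/Global/DNS` output. The
# addresses are documentation-range placeholders, not real indicators.
SAMPLE_SCUTIL='<dictionary> {
  ServerAddresses : <array> {
    0 : 192.0.2.1
    1 : 203.0.113.53
  }
  DomainName : example.test
}'

# Print crontab lines that reference the plugins.settings binary.
suspicious_cron_lines() {
  printf '%s\n' "$1" | grep -F 'plugins.settings'
}

# Print the crontab with those lines removed: the "keep the legitimate
# lines" alternative to wiping everything with `sudo crontab -r`.
clean_crontab() {
  printf '%s\n' "$1" | grep -v -F 'plugins.settings'
}

# Extract the ServerAddresses entries from scutil's DNS dictionary.
# Entries look like "    0 : 192.0.2.1", so the address is field 3.
extract_dns_servers() {
  printf '%s\n' "$1" | awk '
    /ServerAddresses/ { inlist = 1; next }
    inlist && /}/     { inlist = 0 }
    inlist            { print $3 }'
}

# Print any resolver in the scutil list that is not in the trusted list
# ($2, whitespace-separated) you expect to see in the Network pane.
unexpected_dns() {
  extract_dns_servers "$1" | while read -r server; do
    case " $2 " in
      *" $server "*) ;;                 # known-good resolver
      *) printf '%s\n' "$server" ;;     # not trusted: investigate
    esac
  done
}

# Stand-alone run against the constructed samples.
echo "Suspicious crontab entries:"
suspicious_cron_lines "$SAMPLE_CRONTAB"
echo "Cleaned crontab:"
clean_crontab "$SAMPLE_CRONTAB"
echo "Unexpected DNS servers (trusting 192.0.2.1):"
unexpected_dns "$SAMPLE_SCUTIL" "192.0.2.1"
```

To use it on a real machine, replace the two sample variables with live output, for example SAMPLE_CRONTAB="$(sudo crontab -l)" and SAMPLE_SCUTIL="$(echo 'show State:/Network/Global/DNS' | scutil)", and pass the resolvers you configured in the Network Preference Pane as the trusted list. Anything the last function prints is a resolver the system is actually using that you did not configure, which is exactly the discrepancy the manual scutil check above is looking for.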
