31 October 2007 @ 16:20OSX.RSPlug.A Trojan Horse for Mac OS X
Intego is reporting that there is a Mac OS X trojan on some porn sites that is masquerading as video codec installer for Quicktime.
OSX.RSPlug.A (also known as OSX_DNSCHAN.A) is being distributed as a DMG which contains an installer package. Once the installer is run with administrator privileges, the computers DNS settings are altered to direct them to phishing sites. What this means is that the unsuspecting victim can find themselves typing URLs to legitimate sites, such as eBay or PayPal, into their browser’s address bar, but instead of going to that site, the rogue DNS server will send them to a malicious site, all while the user still sees the legitimate URL in their browser bar.
This is particularly bad, in my opinion, as most casual users will never know that anything has changed their network settings. On the other hand, this trojan requires a good bit of user interaction for it to cause any harm. What must the user do in order to become a victim?
- Visit an unsavory website.
- Agree to download something from an untrusted site.
- Double-click the installer package.
- Enter their administrator name and password.
This is not a simple drive-by infection, but a malicious site that uses social engineering to get users to install malicious software.
My advice once again is to NEVER install or open any files from untrusted sources or questionable web sites.
To check for and remove hijacked DNS settings, first navigate to “/Library/Internet Plug-Ins/” and delete plugins.settings if it exists.
Then check your root crontab by typing the following command in the Terminal and pressing return followed by your administrator password:
sudo crontab -l > ~/rootcrontab.txt; sudo crontab -l
If you see something like this (or anything that you know shouldn’t be there):
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
You can remove the entire root crontab by typing the following command in the Terminal and pressing return followed by your administrator password (if asked):
sudo crontab -r
Alternatively, you may open the rootcrontab.txt that is in your Home folder, remove the offending line and leave the legitimate lines, save the file, and type the following command in the Terminal and press return followed by your administrator password (if asked):*
sudo crontab ~/rootcrontab.txt
Now you should check that your Network Settings and
scutil correspond by typing in the Terminal
scutil and Return followed by:
Now go to the DNS settings in the Network Preference Pane and see if there are additional addresses in the
scutil list that are not in your DNS settings in the Network Preference Pane. If so, delete all of the addresses in the DNS settings in the Network Preference Pane and re-enter only the ones that you know are legitimate. Type
exit in the Terminal.
Now you should reboot and check the above items again — be sure that there is nothing in your root crontab and be sure that
scutil corresponds with the DNS settings in the Network Preference Pane.
*if you are more comfortable using
sudo crontab -e , please do so, but for the non-geeky, the vi editor can be confusing at first.