OSX.RSPlug.A Trojan Info and Removal

To many Windows users, it sounds all too familiar. When they try to watch a video online, a prompt directs them to download a codec to enable viewing. However, the download is malware, and it infects their computer.


Now this popular and successful social engineering technique is being used to spread a Mac OSX trojan, OSX.RSPlug.A. At this time spam is being flooded onto Mac forums to lure users to the sites where it is employed. The pornography sites present a still image of a video. Clicking on the image to play the video returns the following message:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After that page loads, the malware is downloaded as a disk image (.dmg) and launches an installer. The installer requires the user to enter the admin password. If the password is entered, the infection is complete. This infection alters the DNS settings to redirect web pages and advertisements for porn sites. However, it could just as easily be used for phishing attacks or search redirects.

The easiest way to tell if you’ve been infected is to go to the top-level /Library -> Internet Plug-Ins folder and look for a file named plugins.settings. If you find one there, chances are you’re infected.

If you’re infected, here are removal instructions from MacWorld:

  1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.
  2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message crontab: no crontab for root.
  3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply.
  4. Reboot your Mac.
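As an added example (not code from the original post or from Macworld), the following shell script checks the three indicators described above: the plugins.settings file, the root crontab, and the DNS server list. It assumes that `sudo crontab -l` and `scutil --dns` on macOS supply the input for the second and third checks, and every address in the comments is a constructed sample.

```sh
#!/bin/sh
# Added check script (constructed for this article, not Macworld's or the
# original post's own code). Each function returns 0 when clean, 1 when the
# indicator is present, so it can be scripted or run by hand.

# Indicator 1: the DNS-changer tool dropped in the Internet Plug-Ins folder.
# The directory is a parameter so the check can be pointed at a test copy.
rsplug_check_plugin() {
    plugdir="${1:-/Library/Internet Plug-Ins}"
    if [ -e "$plugdir/plugins.settings" ]; then
        echo "INFECTED: found $plugdir/plugins.settings"
        return 1
    fi
    echo "clean: no plugins.settings in $plugdir"
    return 0
}

# Indicator 2: a root cron job that re-applies the rogue DNS settings.
# Reads the crontab text on stdin (pipe in `sudo crontab -l 2>/dev/null`);
# a clean Mac reports "no crontab for root", so any real job is suspicious.
rsplug_check_crontab() {
    if grep -v '^[[:space:]]*#' | grep -q '[^[:space:]]'; then
        echo "SUSPICIOUS: root crontab is not empty, review it with sudo crontab -l"
        return 1
    fi
    echo "clean: no root crontab entries"
    return 0
}

# Indicator 3: resolvers that are not the ones you configured.
# $1 is a space-separated list of your known DNS servers; the active list is
# read from stdin, one address per line (assumed source on macOS:
#   scutil --dns | awk '/nameserver\[/ {print $3}' | sort -u).
rsplug_check_dns() {
    expected="$1"
    status=0
    while read -r server; do
        [ -n "$server" ] || continue
        case " $expected " in
            *" $server "*) ;;
            *) echo "SUSPICIOUS: unexpected DNS server $server"; status=1 ;;
        esac
    done
    if [ "$status" -eq 0 ]; then
        echo "clean: all DNS servers are on the expected list"
    fi
    return "$status"
}
```

Run the three checks before and after the removal steps; after step 2, the crontab check should report clean, and after step 3, the DNS check should list only the servers you retyped.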

While this is newsworthy because OSX trojans are rare, it employs no ground-breaking code or new social engineering techniques. The goal of this trojan is to generate revenue. It could easily be replicated by any site displaying popular videos and quickly become widespread among Apple users. While Apple market share has been on the rise, at about 8% it’s still a low-priority target for money-seeking malware authors. However, this could change as Apple continues to gain market share. Is this the start of a new wave of malware aimed at Apple users?

  • danny

    When I installed Madden 08 I was not able to play it like before, because a message comes up saying it cannot find a compatible Direct3D device, or on my other game a Direct3D accelerator.

  • Gus

    It's all downhill from here. Now that Mac is growing from a puddle to a lake, more people are wanting to fish there.

  • MoNsTeReNeRgY22

    Not even Macs are perfect. =)

  • The Pale Scot

    You should point out that this is happening at porn sites; between Limewire and Bittorrent, why would anyone go there? And anyone that's not an Apple newbie knows that if you have Perian and DivX installed, there should be no need for any other codecs.

  • gols

    Mmm... I prefer to use Protemac NetMine

  • Mac OS is not perfect.