Mac OS X vulnerable? Trojan horse on the move

1 11 2007

Security software firm Intego is warning Mac OS X users today about a trojan horse that targets the Mac. OSX.RSPlug.A is showing up on pornography sites disguised as a movie. When someone clicks the link to watch the video clip, a Web page states that a new QuickTime codec must be installed. When the downloaded disk image is opened, the installer asks for an administrative password, which is the first serious sign of trouble. If the option to Open “Safe” Files After Downloading is enabled in Safari, the image opens automatically; you should disable that feature in Safari (see “Significant Safari Exploit Discovered,” 2007-09-07).

Once given root access, the trojan changes the computer’s DNS settings to point to phishing sites or ads for other pornography sites. Even if the DNS is reset manually, a background task added by the trojan changes the DNS again automatically.
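A way to check for the DNS change described above, as an added example that is not from Intego, Macworld, or the original article: it parses the text that `scutil --dns` prints and reports any resolver outside an allowlist. The allowlist, the sample output, and the addresses in it are constructed assumptions.

```python
import ipaddress
import re
import sys

# Assumption: networks this Mac's resolvers should sit in (constructed value).
ALLOWED_NETWORKS = ["192.168.1.0/24"]

# Constructed sample in `scutil --dns` layout; 203.0.113.53 is a documentation address.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def parse_nameservers(scutil_text):
    """Return resolver addresses in first-seen order, without duplicates."""
    matches = (NAMESERVER_RE.match(line) for line in scutil_text.splitlines())
    # split("%") drops an IPv6 scope id such as fe80::1%en0
    return list(dict.fromkeys(m.group(1).split("%")[0] for m in matches if m))

def unexpected_resolvers(scutil_text, allowed=ALLOWED_NETWORKS):
    """Return resolvers that fall outside every allowed network."""
    networks = [ipaddress.ip_network(n) for n in allowed]
    flagged = []
    for addr in parse_nameservers(scutil_text):
        try:
            ip = ipaddress.ip_address(addr)
            ok = any(ip.version == n.version and ip in n for n in networks)
        except ValueError:
            ok = False  # not an IP address at all: report it
        if not ok:
            flagged.append(addr)
    return flagged

if __name__ == "__main__":  # usage: scutil --dns | python3 this_file.py
    for addr in unexpected_resolvers(sys.stdin.read()):
        print("unexpected DNS resolver:", addr)
```

Because the trojan's background task re-applies its DNS settings after a manual reset, a check like this is more useful run on a schedule than once.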

Rob Griffiths at Macworld has written up instructions for removing OSX.RSPlug.A manually; Intego’s VirusBarrier X4 with updated virus definitions for 31-Oct-07 also identifies and removes the trojan. Griffiths writes: “This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show commercials from the upcoming Super Bowl.”

As always, the best defense against such attacks is to not install third-party software that you’re not familiar with, especially any that requires an administrator password. Although the Mac has proved remarkably resilient to the threat of viruses and other malware, it’s not immune.
