Security software firm Intego is warning Mac OS X users today about a trojan horse that targets the Mac. OSX.RSPlug.A is showing up on pornography sites disguised as a movie. When someone clicks the link to watch the video clip, a Web page states that a new QuickTime codec must be installed. Opening the disk image that downloads results in the installer asking for an administrative password (which is the first serious sign of trouble); if the option to Open “Safe” Files After Downloading is enabled in Safari, the image opens automatically (you should disable that feature in Safari; see “Significant Safari Exploit Discovered,” 2007-09-07).
Once given root access, the trojan changes the computer’s DNS settings to point to phishing sites or ads for other pornography sites. Even if the DNS is reset manually, a background task added by the trojan changes the DNS again automatically.
Rob Griffiths at Macworld has written up instructions for removing OSX.RSPlug.A manually; Intego’s VirusBarrier X4 with updated virus definitions for 31-Oct-07 also identifies and removes the trojan. Griffith writes: “This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show commercials from the upcoming Super Bowl.”
As always, the best defense against such attacks is to not install third-party software that you’re not familiar with, especially any that require an administrator password. Although the Mac has proved remarkably resilient to the threat of viruses and other malware, it’s not immune.