Security software firm Intego is warning Mac OS X users about a Trojan horse that targets the Mac. OSX.RSPlug.A is showing up on pornography sites disguised as a video plug-in. When someone clicks the link to watch certain video clips, a Web page states that a new QuickTime codec must be installed. Opening the disk image that downloads results in the installer asking for an administrator password (which is the first serious sign of trouble); if the option to Open “Safe” Files After Downloading is enabled in Safari, the disk image opens automatically (you should disable that feature in Safari; see “Significant Safari Exploit Discovered,” 2007-09-07).
Once given root access, the Trojan horse changes the computer’s DNS settings to point to phishing sites or ads for other pornography sites. Even if the DNS is reset manually, a background task added by the Trojan horse changes the DNS again automatically.
Rob Griffiths at Macworld has written up instructions for removing OSX.RSPlug.A manually; Intego’s VirusBarrier X4 with updated virus definitions for 31-Oct-07 also identifies and removes the Trojan horse. Griffith writes: “This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show commercials from the upcoming Super Bowl.”
As always, the best defense against such attacks is to avoid installing third-party software with which you’re unfamiliar, especially any that requires an administrator password. Although the Mac has proven remarkably resilient to the threat of viruses and other malware, it’s not immune.