Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:
Quicktime Player is unable to play movie file. Please click here to download new version of codec.
After the page loads, a disk image (.dmg) file automatically downloads to the user's Mac. If the user has checked Open "Safe" Files After Downloading in Safari's General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator's password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
Link for entire article: http://www.intego.com/news/ism0705.asp
How to detect and remove OSX.RSPlug.A
1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.
2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message crontab: no crontab for root.
3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply.
4. Reboot your Mac.
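The three indicators the steps above rely on (the plugins.settings file, a root cron job, and altered DNS server entries) can be checked from a script instead of by hand. This is an added example, not code from the original post or from Intego; the plug-in directory path and the expected resolver list are assumptions passed in as parameters, and the checks are plain functions so they can be run against constructed input.

```sh
#!/bin/sh
# Added example: defensive checks for the RSPlug.A indicators described in the
# removal steps. Paths and the expected resolver list are assumptions passed
# as arguments; nothing here is taken from the malware itself.

# check_plugin_file DIR  -> 0 if DIR/plugins.settings exists (suspicious)
check_plugin_file() {
    [ -e "$1/plugins.settings" ]
}

# crontab_has_jobs TEXT  -> 0 if the crontab listing TEXT contains any
# active (non-comment, non-blank) entry. A clean root crontab has none.
crontab_has_jobs() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q '[^[:space:]]'
}

# dns_differs EXPECTED ACTUAL  -> 0 if the two space-separated resolver
# lists differ as sets (order is ignored).
dns_differs() {
    [ "$(printf '%s\n' $1 | sort)" != "$(printf '%s\n' $2 | sort)" ]
}

# rsplug_report EXPECTED_DNS  -> runs all checks on a live Mac and prints one
# line per finding; exit status 0 means neither file nor cron job was seen.
rsplug_report() {
    expected_dns=$1
    found=0
    if check_plugin_file "/Library/Internet Plug-Ins"; then
        echo "FOUND: /Library/Internet Plug-Ins/plugins.settings"
        found=1
    fi
    if crontab_has_jobs "$(sudo crontab -l 2>/dev/null)"; then
        echo "FOUND: root crontab has active entries (see: sudo crontab -l)"
        found=1
    fi
    # Compare each network service's resolvers with the ones you expect.
    networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        actual=$(networksetup -getdnsservers "$svc" 2>/dev/null | grep -E '^[0-9.]+$')
        if dns_differs "$expected_dns" "$actual"; then
            echo "CHECK: $svc resolvers differ from expected: $(echo $actual)"
        fi
    done
    return $found
}

# Usage on a live system (resolver addresses are an example input):
#   rsplug_report "192.0.2.1 192.0.2.2"
```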
The only people who should be infected today are those who have broken the number one rule of internet computing: don't download and install programs (especially package installers that request your admin password) from untrusted sources.
Link for more info: http://www.macosxhints.com/article.php?sto...071031114140862
31 variants and counting: http://www.f-secure.com/weblog/archives/00001312.html
MacScan is charging its paying customers more money for the fix.
I use ClamXav and VirusBarrier.
But I'm paranoid.
Edited by 12x48y, 17 December 2007 - 08:31 PM.