Remove the OSX.RSPlug.A Trojan
Question any Mac user about what kind of anti-virus program they use and the majority of them will answer 'none'. A Mac under attack? That's almost blasphemous, is the expected reaction. Unfortunately all is not hunky dory in the Mac Kingdom, and our precious machines may just be under attack. A piece of malware, dubbed the OSX.RSPlug.A trojan horse, is doing the rounds and MacWorld gives some tips on how to disinfect your machine.
To check if your machine has been afflicted with the malware, open the top-level /Library -> Internet Plug-Ins folder and look for a file named plugins.settings. If it's there, then you've got a bad case of the OSX.RSPlug.A trojan horse.
In OS X 10.5, your DNS entries will be altered to point to a malicious server to handle further requests. This can be disastrous if you are using Paypal, your online bank controls, or any other heavily phished targets.
So how do you combat this problem, and free your Mac from this obnoxiously nasty malware? The easiest route (and the most expensive) is to install an anti-virus program like VirusBarrier. Sure boys, it may bruise your Mac ego but hey, it's either that or skipping surfing porn altogether.
If investing in an Anti-Virus Software is not in the cards, then OS X 10.5 and OS X 10.4 users need to:
- Navigate to /Library -> Internet Plug-Ins.
- Delete the plugins.settings file and empty the trash. This is the file that resets your DNS info.
- Type sudo crontab -r in the Terminal and provide your admin password when asked. This removes the cron job that re-runs the malware and changes your DNS info back if you tried to fix it.
- Now, proceed to the Network pane of System Preferences, copy the entries in the DNS Server box and retype those same values in the box. Once you're done, click Apply.
- The final step involves rebooting the system.
For more info on OSX.RSPlug.A check out Infinite Loop.
Your system should now be free from the little bugger, but just to be on the safe side, avoid installing software from untrusted sources. Yeah, we know we sound preachy, but hey, it's good advice.
What are you talking about, skipping porno? You have to manually install this virus from the porn site, there’s no ‘automated’ attack vector. Basically, the only people vulnerable are people who don’t read blogs, they just use a mac and install whatever software porn sites tell them to. A rare individual.
@Tom…Pretty sure it was a tongue in cheek comment aka sarcasm.
I recently came across this bug on a customer's machine… I guess we should all be thankful it's so easy to remove.
I can’t find the plugins.settings file. I surely looked in /Library/Internet Plug-ins instead of ~/Library/Internet Plug-ins. And the grayed-out DNS IP addresses are still there!
Posted this on the Macworld thread… I think it might be of some help to people here:
Phew…… showed my first trojan horse the door….. Thank you for the great how-to!
Glad I recently conquered my Terminal-shyness, otherwise this would really have been a sweaty-hands-affair.
One thing puzzles me though.
sudo crontab -l got this result:
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
Which is weird… I guess… it's got a different name, even more misleading, maybe this links to the other one? Deleted (copied of course) the QuickTime.xpt file also, just in case.
Can anyone shed some light on this one? I still have the file if you’re interested.
+Edit: I’ve now figured out that the two files are practically identical, bar some quotes here and there around the $0 (reason?) so if you have the file QuickTime.xpt, REMOVE IT!!!!+
+Cunning, because there also is a flashplayer.xpt file…. which is different, so genuine I guess.+
By the way: My trojan came in this disguise:
- codecmpg4291.dmg
- opens into disk named: 193 (and still I was not suspicious…. doofus)
- install.pkg inside
- Opens up into MacVideo installer (nope… although that's a lot of non-consistent names there, still I wasn't suspicious… Macs don't have Viruses and Trojans you know… yeah… right)
- Prompts for admin password (yep… I’m ignorant)
The DNS-servers showing up in Little-snitch (lookupd) and via scutil were:
0 : 85.255.113.134
1 : 85.255.112.140
Both from: UkrTeleGroup Ltd. Country : Ukraine (UA) (via cyberabuse)
My macbookpro normally gets its DNS servers through my Airport Base-station which is my router… so that can’t be right.
And I’m in Holland, not Ukraine….
I've not mailed the abuse to the Ukrainian ISP, of course.
+Edit: During the installation process the installer phones home: 64.28.184.6+
+The Malware distributor seems to be Cernel.net AKA Esthost,+
+See this Webserver forum entry: http://www.webservertalk.com/archive154-2005-12-1316937.html+
Ok…hope this slightly different naming might help others, maybe googling.
My macbookpro is getting its DNS from 10.0.1.1 again, so I think I'm ok.
and I swear I’ll never surf for porn again! (yeah right)
Thnx and Grtz
Dennis
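The article's removal steps and Dennis's findings above both rely on spotting the same three indicators: the plugins.settings (or, per his comment, QuickTime.xpt) file in /Library/Internet Plug-Ins, a root crontab line that re-runs that file every minute, and resolvers pointing at the 85.255.112.x / 85.255.113.x addresses he reports. The shell script below is an added example, not code from the article, MacWorld or any commenter: it is a read-only check that reports those indicators without deleting anything, so you can confirm the infection before following the steps. The sample crontab and resolver lines embedded in it are constructed to mirror the comment, not captured from a real machine, and treating the whole 85.255.112.0/23 range as suspect is an assumption based on the two addresses quoted.

```shell
#!/bin/sh
# Added example: read-only scan for the OSX.RSPlug.A indicators described on
# this page. Run `sudo sh rsplug_check.sh --scan` on a Mac to inspect the live
# system; with no argument it runs the functions over constructed sample input.

PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"

# check_crontab: reads a crontab listing on stdin (e.g. `sudo crontab -l`) and
# prints any "* * * * *" (every-minute) entry that runs something out of the
# Internet Plug-Ins folder, which is the persistence line a commenter quoted.
# Exit status is 0 when such a line is found, 1 otherwise (grep semantics).
check_crontab() {
    grep -E '^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*.*Internet Plug-Ins'
}

# check_resolvers: reads any text containing IPv4 addresses on stdin (the
# output of `scutil --dns`, or the lookupd lines from Little Snitch) and prints
# those in 85.255.112.0/23, the range the comment attributes to the trojan.
# Assumption: the two reported addresses are representative of that block.
check_resolvers() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -E '^85\.255\.11[23]\.'
}

# rsplug_scan: live, read-only scan of this machine. The root crontab is only
# visible when run with sudo. Returns 0 if no indicator was found.
rsplug_scan() {
    hits=0
    for f in plugins.settings QuickTime.xpt; do
        if [ -e "$PLUGIN_DIR/$f" ]; then
            echo "file present: $PLUGIN_DIR/$f"
            hits=$((hits + 1))
        fi
    done
    if crontab -l 2>/dev/null | check_crontab; then
        echo "crontab entry above re-runs the plug-in every minute"
        hits=$((hits + 1))
    fi
    if scutil --dns 2>/dev/null | check_resolvers; then
        echo "resolvers above are in the range reported in the comments"
        hits=$((hits + 1))
    fi
    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]
}

# Constructed sample input modelled on the comment above; not real captures.
SAMPLE_CRONTAB='* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1'
SAMPLE_DNS='nameserver[0] : 85.255.113.134
nameserver[1] : 85.255.112.140'
CLEAN_DNS='nameserver[0] : 10.0.1.1'

# demo: show what the two checks report for the constructed samples.
demo() {
    echo "--- crontab check on sample ---"
    printf '%s\n' "$SAMPLE_CRONTAB" | check_crontab && echo "=> suspicious cron entry"
    echo "--- resolver check on infected-looking sample ---"
    printf '%s\n' "$SAMPLE_DNS" | check_resolvers && echo "=> suspicious resolvers"
    echo "--- resolver check on clean sample (router at 10.0.1.1) ---"
    printf '%s\n' "$CLEAN_DNS" | check_resolvers || echo "=> nothing flagged"
    return 0
}

case "${1:-}" in
    --scan) rsplug_scan ;;
    *) demo ;;
esac
```

Note that the article's `sudo crontab -r` step wipes the entire root crontab, so run `sudo crontab -l` (as the scan does) first and confirm the malicious line is the only entry before removing it; on a machine that had legitimate root cron jobs, edit them out with `sudo crontab -e` instead.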