
Remove the OSX.RSPlug.A Trojan

Question any Mac user about what kind of anti-virus program they use and the majority of them will answer ‘none’. A Mac under attack? That’s almost blasphemous, is the expected reaction. Unfortunately all is not hunky-dory in the Mac kingdom, and our precious machines may just be under attack. A piece of malware, dubbed the OSX.RSPlug.A trojan horse, is doing the rounds, and MacWorld gives some tips on how to disinfect your machine.

To check whether your machine has been infected, open the top-level /Library -> Internet Plug-Ins folder and look for a file named plugins.settings. If it’s there, you have a bad case of the OSX.RSPlug.A trojan horse.

In OS X 10.5, your DNS entries will be altered to point at a malicious server that handles all further lookups. This can be disastrous if you use PayPal, your online bank, or any other heavily phished service.

So how do you combat this problem and free your Mac from this obnoxiously nasty malware? The easiest route (and the most expensive) is to install an anti-virus program like VirusBarrier. Sure boys, it may bruise your Mac ego, but hey, it’s either that or skipping surfing porn altogether.

If investing in anti-virus software is not in the cards, then OS X 10.5 and OS X 10.4 users need to:

  1. Navigate to /Library -> Internet Plug-Ins.
  2. Delete the plugins.settings file and empty the trash. This is the file that resets your DNS info.
  3. Type sudo crontab -r in the Terminal and provide your admin password when asked. This removes the root cron job that re-runs the malware and re-applies its DNS change whenever you try to fix it. (crontab -r wipes root’s entire crontab, so if you keep legitimate root cron jobs, run sudo crontab -l first and delete only the offending line.)
  4. Now, proceed to the Network System Preferences panel and copy the entries on the DNS Server box and retype those same values in the box. Once you’re done, click Apply.
  5. The final step involves rebooting the system.
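If you want to verify the cleanup rather than trust it, the following audit script (an added example, not code from the original post or from MacWorld) checks the three indicators this page describes: the dropped file in /Library/Internet Plug-Ins (plugins.settings, plus the QuickTime.xpt name a commenter below reports), a root cron job pointing into that folder, and resolvers that are not on your own allow-list. The script name, the EXPECTED_DNS variable and the 10.0.1.1 default are assumptions.

```sh
#!/bin/sh
# rsplug_check.sh: added example, not code from the original post. Audits a
# Mac for the three OSX.RSPlug.A indicators the post and its comments give:
# the dropped plug-in file, the root cron job that re-applies the DNS change,
# and resolvers you never configured. Each check takes its input as an
# argument so it also runs on constructed data; pass --live for a real audit.

# Indicator 1: the file names reported on the page, looked for inside $1.
# Prints each hit; exit status 0 means at least one was found.
rsplug_dropped_files() {
    dir="$1"; found=1
    for name in plugins.settings QuickTime.xpt; do
        if [ -e "$dir/$name" ]; then
            echo "dropped file: $dir/$name"
            found=0
        fi
    done
    return $found
}

# Indicator 2: count cron lines that run anything out of the plug-ins folder
# (the per-minute "* * * * *" job quoted in the comments). $1 is a crontab
# listing, e.g. "$(sudo crontab -l)".
rsplug_cron_entries() {
    printf '%s\n' "$1" | grep -c 'Internet Plug-Ins' || :
}

# Indicator 3: resolvers missing from your allow-list. $1 = whitespace-separated
# resolver IPs (e.g. from scutil --dns), $2 = the IPs you expect (router, ISP).
# Prints each unexpected resolver; exit status 0 means all were expected.
rsplug_unexpected_dns() {
    allowed=" $2 "; bad=0
    for ip in $1; do
        case "$allowed" in
            *" $ip "*) ;;
            *) echo "unexpected resolver: $ip"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Live audit. Checks the top-level /Library folder (not ~/Library), as the post
# says. EXPECTED_DNS is assumed: 10.0.1.1 is the router one commenter reports.
if [ "${1:-}" = "--live" ]; then
    rsplug_dropped_files "/Library/Internet Plug-Ins" || echo "no dropped files found"
    echo "cron entries under plug-ins: $(rsplug_cron_entries "$(sudo crontab -l 2>/dev/null)")"
    live_dns=$(scutil --dns | awk '/nameserver\[/ { print $3 }' | sort -u)
    rsplug_unexpected_dns "$live_dns" "${EXPECTED_DNS:-10.0.1.1}" || echo "review Network > DNS"
fi
```

Run it as `sudo sh rsplug_check.sh --live` after step 5; a clean machine prints no dropped files, zero cron entries, and no unexpected resolvers.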

For more info on OSX.RSPlug.A check out Infinite Loop.

Your system should now be free of the little bugger, but just to be on the safe side, avoid installing software from untrusted sources. Yeah, we know we sound preachy, but hey, it’s good advice.

4 Comment(s)

  • 1

    Tom said on

    November 10th, 2007 at 8:43 am

    What are you talking about, skipping porno? You have to manually install this virus from the porn site, there’s no ‘automated’ attack vector. Basically, the only people vulnerable are people who don’t read blogs, they just use a mac and install whatever software porn sites tell them to. A rare individual.

  • 2

    Brushy said on

    November 10th, 2007 at 9:08 am

    @Tom…Pretty sure it was a tongue-in-cheek comment, aka sarcasm.

    I recently came across this bug on a customer’s machine…I guess we should all be thankful it’s so easy to remove.

  • 3

    Tak said on

    December 6th, 2007 at 9:19 pm

    I can’t find the plugins.settings file. I surely looked in /Library/Internet Plug-ins instead of ~/Library/Internet Plug-ins. And the grayed-out DNS IP addresses are still there!

  • 4

    Dennis said on

    December 29th, 2007 at 5:16 pm

    Posted this on the Macworld thread…. think it might be of some help to people here:

    Phew…… showed my first trojan horse the door….. Thank you for the great how-to!
    Glad I recently conquered my Terminal-shyness, otherwise this would really have been a sweaty-hands-affair.

    One thing puzzles me though.
    sudo crontab -l got this result:
    * * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
    Which is weird… I guess… it’s got a different name, even more misleading, maybe this links to the other one? Deleted (copied of course) the QuickTime.xpt file also, just in case.
    Can anyone shed some light on this one? I still have the file if you’re interested.

    Edit: I’ve now figured out that the two files are practically identical, bar some quotes here and there around the $0 (reason?) so if you have the file QuickTime.xpt, REMOVE IT!!!!
    Cunning, because there also is a flashplayer.xpt file…. which is different, so genuine I guess.

    By the way: My trojan came in this disguise:
    - codecmpg4291.dmg
    - opens into disk named: 193 (and still I was not suspicious…. doofus)
    - install.pkg inside
    - Opens up into MacVideo installer (nope…. although that’s a lot of non-consistent names there, still I wasn’t suspicious…. Macs don’t have Viruses and Trojans you know…. yeah… right)
    - Prompts for admin password (yep… I’m ignorant)

    The DNS-servers showing up in Little-snitch (lookupd) and via scutil were:
    0 : 85.255.113.134
    1 : 85.255.112.140
    Both from: UkrTeleGroup Ltd. Country : Ukraine (UA) (via cyberabuse)
    My macbookpro normally gets its DNS servers through my Airport Base-station which is my router… so that can’t be right.
    And I’m in Holland, not Ukraine….
    I’ve now mailed the abuse to the Ukrainian ISP, of course.

    Edit: During the installation process the installer phones home: 64.28.184.6
    The Malware distributor seems to be Cernel.net AKA Esthost,
    See this Webserver forum entry: http://www.webservertalk.com/archive154-2005-12-1316937.html

    Ok…hope this slightly different naming might help others, maybe googling.

    My macbookpro is getting its DNS from 10.0.1.1 again, so I think I’m ok.
    and I swear I’ll never surf for porn again! (yeah right)

    Thnx and Grtz
    Dennis
