Mac OS X RSPlug Trojan horse: in pictures

Filed Under: Apple, Malware

The security headlines are full today with news of a new piece of malicious code for the Mac OS X platform. 

The OSX/RSPlug-A Trojan horse changes DNS server entries on Apple Macintosh computers to direct surfers unwittingly to other websites.  This could be for the purposes of phishing, identity theft or simply to drive traffic to alternative websites.

In testing, we've found that the DNS servers are changed to point to ones located in Belarus. So now, when you ask for www.example.com you are relying on these Belarus servers to direct your internet traffic.  In other words, you are "pwned"! ("owned" for those of us who don't speak dude-speak.)
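Because the Trojan's whole effect is a changed resolver list, the first thing a Mac user (or an admin looking after a fleet of them) will want is a quick way to see which DNS servers the system is actually using and whether they are the expected ones. The shell snippet below is an added example for this post, not code from Sophos or from the Trojan: it parses the `nameserver[N] : address` lines that Apple's `scutil --dns` prints and flags any resolver that is not on an allowlist. The allowlist addresses and the sample `scutil` output are constructed for the example (the 203.0.113.x addresses are from a documentation range and are not the real servers observed in testing).

```shell
#!/bin/sh
# Added example (not from the original post): flag DNS resolvers on a Mac that
# are outside an allowlist, by parsing the "nameserver[N] : a.b.c.d" lines
# that `scutil --dns` prints. Allowlist and sample output are constructed.

# Resolvers we expect to see. Assumption: edit this for your own network/ISP.
ALLOWED_DNS="192.168.1.1 8.8.8.8 8.8.4.4"

# Reads `scutil --dns` style output on stdin and prints every distinct
# nameserver that is not in ALLOWED_DNS, one per line.
# Returns 0 if all resolvers are allowed, 1 if any unexpected one was seen.
check_resolvers() {
    rc=0
    for ns in $(sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' | sort -u); do
        ok=0
        for a in $ALLOWED_DNS; do
            [ "$ns" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNEXPECTED resolver: $ns"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of what `scutil --dns` prints on a machine whose resolver
# list has been tampered with (203.0.113.x is a documentation range, chosen
# for the example; these are not the addresses seen in SophosLabs' testing).
SAMPLE_HIJACKED='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  nameserver[2] : 203.0.113.6
  if_index : 4 (en0)
'

# Constructed sample of a clean machine: only allowlisted resolvers.
SAMPLE_CLEAN='resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 8.8.8.8
'

# Stand-alone demo on the constructed sample. On a real Mac, pipe the live
# command in instead:  scutil --dns | check_resolvers
printf '%s' "$SAMPLE_HIJACKED" | check_resolvers || echo "resolver check FAILED (rc=$?)"
```

`scutil --dns` lists every resolver block, including per-interface scoped ones, so the check covers all of them rather than just the primary interface; `networksetup -getdnsservers "Wi-Fi"` is the per-service alternative. The check is only as good as the allowlist you give it: it tells you the configuration has changed, not who changed it, and it will not help if the attacker's server happens to be one you trust.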

Macintosh malware like RSPlug makes the headlines because it is so rare. A Trojan horse like this for Windows would never generate as many column inches because they are encountered every day. Nevertheless it obviously makes sense for Mac users to ensure that they are informed of the risks, and be sensible online so they do not become a victim.

So, how do you get infected?

Well, it is reported that Mac web forums have been spammed with messages promoting pornographic videos.  Visiting these links takes users to a website which tells you that you are not running the correct version of Quicktime, and that you will need to install a codec (called "Ultracodec") to view the hardcore material.

[Screenshot: rsplug05.png]

Computer users are encouraged to install a codec to allow them to watch a video on a website. On Macintoshes this is delivered as a DMG (Disk Image) file.  If you access the website from a Windows computer it will serve up a version of the Zlob Trojan horse in the form of an EXE (executable) file.

We've seen this done many times before on Windows computers with Zlob, so for the purposes of this blog entry we're going to focus on what happens on the Macintosh.

[Screenshot: rsplug09.png]

As part of its subterfuge the fake Codec program presents a license agreement, which the user has to agree to before installation.

[Screenshot: rsplug11.png]

If the user agrees to the license agreement, they next need to give permission for the program to install itself, by entering their username and password. This is a security feature of Mac OS X (Windows Vista has something similar called User Account Control), and without your permission the program will be unable to alter your DNS settings.

[Screenshot: rsplug12.png]

Once permission has been granted, the Trojan horse can install itself.  And while the Trojan is installing itself a Perl script is silently running in the background, making an HTTP request to another server based in Belarus telling the hackers your computer name, the OS version you are using and that you are a Mac victim.

Of course, Sophos has updated its customers with protection against this Trojan horse.

What's important to realise, however, is that this Trojan doesn't exploit a vulnerability in OS X, Leopard, Tiger, or any Apple code. This Trojan exploits the vulnerability within the person sitting in front of the keyboard. It's the Mac user who has given permission for the code to run and allowing their computer to be infected.

This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins. The truth is that there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform.

(Credit where credit's due: Thanks to the researchers at the Australian branch of SophosLabs for providing information which assisted with this article)


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.