Mac OS X RSPlug Trojan horse: in pictures


The security headlines are full today with news of a new piece of malicious code for the Mac OS X platform. 

The OSX/RSPlug-A Trojan horse changes DNS server entries on Apple Macintosh computers to direct surfers unwittingly to other websites.  This could be for the purposes of phishing, identity theft or simply to drive traffic to alternative websites.

In testing, we’ve found that DNS servers are changed to point to ones located in Belarus. So now, when you ask for a website, you are relying on these Belarus servers to direct your internet traffic.  In other words, you are “pwned”! (“owned” for those of us who don’t speak dude-speak.)
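A defender-side check that fits the DNS change described above, added here as an example and not part of the original post: it reads the resolver addresses a Mac reports (either in the `nameserver` form of `/etc/resolv.conf` or the bare address-per-line form printed by `networksetup -getdnsservers`) and flags any resolver that falls outside a list of addresses or ranges you expect. The sample inputs, the expected list, and the 192.0.2.0/24 addresses standing in for the rogue servers are all constructed; the real server addresses used by the Trojan are not given on this page.

```python
import ipaddress

# Constructed sample: the shape of /etc/resolv.conf on a Mac whose DNS settings
# have been rewritten. 192.0.2.0/24 is documentation address space standing in
# for the rogue resolvers; the Trojan's actual addresses are not reproduced here.
SAMPLE_RESOLV_CONF = """\
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution ...
#
nameserver 192.0.2.10
nameserver 192.0.2.11
"""

# Constructed sample in the style of `networksetup -getdnsservers <service>`:
# bare addresses, one per line. One legitimate router address, one rogue entry.
SAMPLE_NETWORKSETUP = "192.168.1.1\n192.0.2.10\n"


def parse_nameservers(text):
    """Return resolver addresses found in resolv.conf-style text ('nameserver X')
    or in bare address-per-line text. Comments, blank lines and any line that is
    not an address (e.g. "There aren't any DNS Servers set on Wi-Fi.") are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "nameserver" and len(parts) > 1:
            candidate = parts[1]
        else:
            candidate = parts[0]
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return found


def audit_nameservers(servers, expected):
    """Flag resolvers not covered by the expected list.

    `expected` may mix single addresses ("192.168.1.1") and CIDR ranges
    ("10.0.0.0/8"). Returns a list of (server, reason) findings; an empty
    resolver list is itself reported, since it also breaks name resolution."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    findings = []
    if not servers:
        findings.append((None, "no resolvers configured"))
    for server in servers:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in allowed):
            findings.append((server, "resolver outside expected set"))
    return findings


if __name__ == "__main__":
    # Constructed expectation: the home router plus a private corporate range.
    expected = ["192.168.1.1", "10.0.0.0/8"]
    for label, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                        ("networksetup", SAMPLE_NETWORKSETUP)):
        for server, reason in audit_nameservers(parse_nameservers(text), expected):
            print(f"{label}: {server}: {reason}")
```

On a real Mac you would feed it the output of `cat /etc/resolv.conf` or `networksetup -getdnsservers Wi-Fi` instead of the constructed samples. A resolver outside your ISP's or organisation's expected range is the symptom the post describes, and a prompt to investigate, not proof of this particular Trojan.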

Macintosh malware like RSPlug makes the headlines because it is so rare. A Trojan horse like this for Windows would never generate as many column inches, because they are encountered every day. Nevertheless, it obviously makes sense for Mac users to ensure that they are informed of the risks, and to be sensible online so they do not become a victim.

So, how do you get infected?

Well, it is reported that Mac web forums have been spammed with messages promoting pornographic videos.  Visiting these links takes users to a website which tells you that you are not running the correct version of Quicktime, and that you will need to install a codec (called “Ultracodec”) to view the hardcore material.


Computer users are encouraged to install a codec to allow them to watch a video on a website. On Macintoshes this is delivered as a DMG (Disk Image) file.  If you access the website from a Windows computer it will serve up a version of the Zlob Trojan horse in the form of an EXE (executable) file.

We’ve seen this done many times before on Windows computers with Zlob, so for the purposes of this blog entry we’re going to focus on what happens on the Macintosh.


As part of its subterfuge the fake Codec program presents a license agreement, which the user has to agree to before installation.


If the user agrees to the license agreement, they next need to give permission for the program to install itself, by entering their username and password. This is a security feature of Mac OS X (Windows Vista has something similar called User Access Control), and without your permission the program will be unable to alter your DNS settings.


Once permission has been granted, the Trojan horse can install itself.  And while the Trojan is installing itself a Perl script is silently running in the background, making an HTTP request to another server based in Belarus telling the hackers your computer name, the OS version you are using and that you are a Mac victim.

Of course, Sophos has updated its customers with protection against this Trojan horse.

What’s important to realise, however, is that this Trojan doesn’t exploit a vulnerability in OS X, Leopard, Tiger, or any Apple code. This Trojan exploits the vulnerability within the person sitting in front of the keyboard. It’s the Mac user who has given permission for the code to run and allowed their computer to be infected.

This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins. The truth is that there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform.

(Credit where credit’s due: Thanks to the researchers at the Australian branch of SophosLabs for providing information which assisted with this article)