AAPL Stock: 110.78 ( + 0.4 )

Printed from

Trojan horse targets Mac OS X

updated 01:25 pm EDT, Wed October 31, 2007

New trojan targets Macs

A new trojan horse designed specifically for Mac OS X systems has been discovered on several pornography websites that can hijack Web traffic, according to security firm Intego. Affected systems are used to hijack some Web requests that lead users to other phishing sites, or simply display ads for other pornographic websites to generate ad revenue. Phishing attacks may lead users to believe they are surfing to eBay, Paypal, or various banks when in fact they are accessing specially-crafted mockups designed to retrieve usernames and passwords for those sites. The trojan, titled OSX.RSPlug.A, is rated as a critical risk by Intego, and is known to affect Mac OS X 10.4 Tiger as well as Mac OS X 10.5 Leopard. Intego is testing prior versions of Mac OS X, but believes them to be vulnerable as well.

The trojan claims to install a video codec necessary for viewing free pornographic videos on Macs, but when users click on the still images to view the content they are directed to a Web page stating that they must download a new version of a codec to play the movie file with QuickTime. Safari users who have checked the "Open 'Safe' Files After Downloading" option in General Preferences will find that the disk image which is downloaded to their Mac automatically mounts, and the installer application will automatically launch.

Proceeding with the installation installs the trojan horse, and requires users to enter their administrator password which grants the malicious software full root privileges. No codec is installed and users who return to the website simply receive another download request.

The trojan itself is a form of DNSChanger, using the scutil command to change the Mac's DNS server -- a service that translates hostnames like to their numerical IP addresses. Using a poisoned DNS server, the Mac hijacks some Web requests for phishing or to generate revenue from pornographic advertisements.

What's more, under Mac OS X 10.4 Tiger there is no way to see the changed DNS server in the operating system's graphical user interface, although in Mac OS X 10.5 Leopard users can see the change in the Advanced Network preferences; the added DNS servers are dimmed and cannot be removed manually.

Intego says all versions of Mac OS X include the scutil command, suggesting that all versions are vulnerable to the new trojan.

by MacNN Staff





  1. sgirard

    Joined: Dec 1969



    From the Intego page:

    "Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31,2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites."

    What's in it for them? (You don't have to answer that).

  1. afaby

    Joined: Dec 1969



    Turn off the Safari option to automatically open "safe" files to avoid this instead of buying Intego's software. They have a history of exaggerating threats to sell software.

  1. MacZealot36

    Joined: Dec 1969


    Social Engineering

    This type of social engineering cant be fixed by any patch. If you give a person the keys to your house you shouldnt wonder what happened when they break in while your gone and steal all of your stuff.

    Sounds like it may have been created by this virus company. Funny how they seem to already have a fix available..

    More fud if you ask me.

  1. gudin

    Joined: Dec 1969


    or. . .

    or, don't continue with the installation.

    It'd be nice to know how one could remove the effects of this in the event it happens also. (I mean, other than buy their software)

  1. MacnTX

    Joined: Dec 1969



    What a joke. Seeing as how this won't install without user intervention, it's hardly a serious threat.

  1. davoud

    Joined: Dec 1969


    Show of Hands?

    Show of hands -- how many Mac users get their Apple software updates from p*** sites? I've been getting mine from Apple via the "Software Update" utility. Am I doing something wrong... :--)

  1. roblively

    Joined: Dec 1969


    Checking DNS on 10.4

    The statement from Intego that:

    "Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI."

    is not entirely true either. You can use Network Utility to do a lookup and the result will show the DNS used. You can at least verify that DNS is one your ISP supplies. Clearly this doesn't provide all the DNS entries but it does give you the one currently being used which invalidates the statement above.

  1. horvatic

    Joined: Dec 1969


    Trying to spin up busines

    There trying to spin up business again. They have done this several times already in the past. All of there supposed threats they have found have all been proven FALSE!

  1. rtbarry

    Joined: Dec 1969


    sheesh... it a bad thing that i've been getting my OS updates from

  1. JTh

    Joined: Dec 1969


    One good thing

    Good or bad intentions, this comes up at a good time, with the Mac market share growing quickly. Windows users need to know that while there's virtually no risk of just casual surfing, OS X won't stop you from doing stupid things either.

    I do have an issue with using the term "in the wild". A very limited set of websites, to me, is not the same as "in the wild".

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Polk Hinge Wireless headphones

Polk, a company well-established in the audio market, recently released a new set of headphones aimed at the lifestyle market. The Hin ...

Blue Yeti Studio

Despite being very familiar with Blue Microphones' lower-end products -- we've long recommended the company's Snowball line of mics ...

ZTE Spro 2 Smart Projector

Home theaters are becoming more and more accessible these days, but maybe you've been a bit wary about buying a home projector. And h ...


Most Commented