Thursday, November 1, 2007

New OS X malware...

Yes, it's true! There is a new malware for OS X. It's not a virus, because it can't self-propagate from one machine to another, but it sure is tricky.

This malware, named OSX.RSPlug.A Trojan Horse, is "hidden" in video files on the web (what are the most searched video files on the web about? ;) ) and when you try to open that file it will ask you to download a needed codec. You will see a disk image being downloaded and after you mount it and install it you'll be asked for the administrator password so that the codec is "correctly" installed on the system.

What will happen next? You won't see any video, because there is no video and no codec was installed. Your DNS will be changed to point to malicious machines, and as you type www.[your_home_banking_website].com, you will be redirected to a clone of the site, ready to get your username and password and send it to who knows... This is just an example; the possible scenarios are limited only by your imagination and by the malicious machine's configuration. But that's not all... a cron job (scheduled task) will also run every minute to restore those DNS settings, just in case you find and change them.

Now the most important part, how to detect this little bastard? Just take a look at your DNS settings, check to see if the entries are correct. Also go to /Library -> Internet Plug-Ins folder and check to see if there is any plugin.settings file. If it's there, you are probably infected. But beware, chances are that the file name may change. So if in doubt check also for the presence of a root cron job. Just open a terminal and type sudo crontab -l and if the output looks like this:

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>

You're infected. And finally one more (effective) way to detect this trojan is to run scutil in a terminal. After entering scutil just type show State:/Network/Global/DNS and it will output all the DNS entries OS X is currently using. If you find any unknown DNS IP in there, then once again... you're infected!
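The three checks above (a *.settings file in the Internet Plug-Ins folder, a root cron job pointing into that folder, and an unexpected resolver in the scutil output), written up as a small script. This is an added example, not code from the original post: the functions take their input explicitly so they can be exercised against constructed sample data, and run_live_checks is the only part that touches the real system.

```bash
#!/bin/bash
# Added example (not from the original post): the three manual checks as
# functions that take their input explicitly, so they can be tried against
# constructed sample data. run_live_checks is the only part that needs root.

# Check 1: any *.settings file directly inside the given Internet Plug-Ins
# folder. The post warns the file name may change, so match the suffix.
find_settings_files() {
  find "$1" -maxdepth 1 -name '*.settings' 2>/dev/null
}

# Check 2: a cron entry (read from stdin) that runs something out of the
# Internet Plug-Ins folder, which no legitimate root job should do.
crontab_has_plugin_job() {
  grep -q 'Internet Plug-Ins'
}

# Check 3: resolver IPs in scutil output (stdin) that are not in the
# space-separated allowlist given as $1; prints each unexpected address.
unexpected_dns_servers() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /ServerAddresses/ { inlist = 1; next }
    inlist && /\}/ { inlist = 0 }
    inlist && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
      ip = substr($0, RSTART, RLENGTH); if (!(ip in ok)) print ip
    }'
}

# Run the checks on the real system; $1 is the list of resolvers you expect.
# Returns 1 if at least one indicator was found, 0 if all three are clean.
run_live_checks() {
  local hit=0 expected="${1:?expected resolver IPs}"
  [ -n "$(find_settings_files '/Library/Internet Plug-Ins')" ] && hit=1
  sudo crontab -l 2>/dev/null | crontab_has_plugin_job && hit=1
  [ -n "$(echo 'show State:/Network/Global/DNS' | scutil | unexpected_dns_servers "$expected")" ] && hit=1
  return "$hit"
}

# Constructed sample data: the cron line as printed in the post, and scutil
# output with one home router resolver plus a made-up (203.0.113.7) one.
SAMPLE_CRON='* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>'
SAMPLE_SCUTIL='<dictionary> {
  ServerAddresses : <array> {
    0 : 192.168.1.1
    1 : 203.0.113.7
  }
}'
# Usage: run_live_checks "192.168.1.1" && echo clean || echo "indicators found"
```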

Now what? It's not like it's the end of the world... (unless you have used home banking, or paypal or other websites alike while infected).
To remove the trojan just delete the file plugin.settings (be sure to empty it from the Trash too :P), then do a sudo crontab -r to remove all the cron jobs for root, and finally retype the DNS servers you need in the Network pane of System Preferences. How simple is that?
OS X malware is lame, and it also takes lame users to insert the admin password to untrusted software install.
