Oct 31, 2007 12:00 am
First Look: Trojan Horse warning: What you need to know
How to detect, and remove, the OSX.RSPlug.A Trojan Horse
by Rob Griffiths, Macworld.com
As you may have read, a new piece of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a virus: it can't self-propagate from one machine to another. It is, however, definitely malicious, and it's packaged in a well-designed trojan horse wrapper.

Your machine could be infected if you've recently gone looking for some, um, less-than-flattering pictures of Britney Spears. Thinking you've found what you're looking for, you click a video to watch it, only to see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer which asks for your admin password.
Rule #1: Do not install software from untrusted sources, especially if that software comes as an installer package and requests your administrator's password! However, if you do proceed to run the installer, here's what will happen:
Sorry, but you won't be able to watch those videos, as no codec was installed.
Your DNS will be changed to point to malicious DNS machines. What this means is that even if you type www.apple.com in your browser's URL area, you may be taken there, to a phishing clone of that site, or to another site completely, such as a porn site. The address bar will still show the name you typed, because the redirection happens when the name is resolved, not in the browser. Where you wind up depends solely on how the malicious DNS machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may be dire.
A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.
This is really bad. Really. And even though it's targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show commercials from the upcoming Super Bowl. Because this thing may spread to other such sites, we spent some time investigating the trojan (no, not its source sites!) to determine the best way to tell if you've been infected, as well as how to remove the software if you do find it on your machine.

How to detect the trojan horse


What makes this trojan sneaky (for OS X 10.4 users, at least) is that there's no visible way to see that the DNS information has been changed. So how can you tell if you've been infected? If you're a VirusBarrier user and you have your definitions updated as of today, VirusBarrier will both find and remove the trojan horse.

If you're running OS X 10.5, open your Network System Preferences pane and select your active interface (AirPort, Ethernet), then click Advanced. On the Advanced screen, click on the DNS tab. The leftmost box contains your DNS servers, and all the entries should be in black. If the trojan has been installed on your machine, you'll see the phantom DNS in gray, listed above your normal DNS information, as seen in the image at right: the first two entries are the evil DNS, the last is the normal DNS.
Note: There are other situations where the DNS info may be gray. It appears that if your DNS is provided by another machine (via DHCP from a home router or an office network, for instance), then your legitimate DNS information will also be in gray, not black. So while this may be an indicator, keep reading for the best way to be certain if your machine is infected.
The easiest way to tell if you've been infected is to go to the top-level /Library -> Internet Plug-Ins folder (the Library at the root of your startup disk, not the one in your home folder), and look for a file named plugins.settings. If you find one there, chances are you're infected. However, since the names used by the malware authors may change, it's best to check a couple of other spots as well.
The other thing to check is for the presence of the root cron job. To do this, open Terminal (in /Applications -> Utilities) and type this command:
sudo crontab -l

Enter your admin password when asked, and Terminal will then display any cron tasks for root. Typically there are none, and you'll see the message crontab: no crontab for root. If you see this line in the output, though, it means you've got the malware:
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

The five asterisks mean "every minute", and the quoted path is the tool that re-applies the rogue DNS settings each time it runs.

If you really want to be sure, you can run scutil in Terminal (it's an interface to configd, the OS X system configuration daemon). Type scutil and press Return, then type this command at the prompt, followed by another Return: show State:/Network/Global/DNS . The output will look something like this:
<dictionary> {
ServerAddresses : <array> {
0 : 123.12.34.56
1 : 234.65.43.21
}
}

Those are all the DNS servers your machine is actually using, whatever the GUI shows. (You can type exit to get out of scutil and back to Terminal.) Look at that list and compare it to what you see in the Network preferences panel; make sure you click into the two-line DNS Servers box there and use your down arrow key, just in case there are more servers listed than you can see. The two lists should be the same. If you see servers in the output from scutil that you don't see in the GUI, then the trojan has probably been installed.

How to remove the trojan horse


If you're infected, what's the easiest way to get rid of the trojan horse? As noted above, VirusBarrier will do the job, using today's virus definitions. However, you can do it yourself, if you wish, though it will require a tiny bit of Terminal work. Here's what you need to do, and yes, I infected my own machine and tested this (on OS X 10.5, but OS X 10.4 should be identical) to make sure it works.
In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings.
Empty the trash. This deletes the tool that sets the rogue DNS Server information.
In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. Note that crontab -r removes every entry in root's crontab, not just the malicious one; if you have legitimate root cron jobs of your own, run sudo crontab -e instead and delete only the plugins.settings line. You can prove it worked by typing sudo crontab -l; you should see the message crontab: no crontab for root (or, if you edited instead, a listing without the malicious line).
Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can
see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box,
then click Apply.
Reboot your Mac.
After you reboot, you can confirm you're free of the trojan horse (in OS X 10.5) by opening the Advanced pane of the Network System Preferences panel and looking at the DNS tab: you shouldn't see any gray entries (unless your DNS comes from another machine, as noted above). In Tiger, to really prove that you're free of the infestation, use the scutil command detailed above, as that's the only way to see all the DNS servers your machine knows about.
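As an added example (not part of the original article, and not Intego's or Apple's code), the following shell script packages the three detection checks above (the indicator file, the root cron job, and the scutil server list compared against the servers you expect) and a surgical version of the cron cleanup as functions. The text-processing functions take the command output as an argument, so they can be exercised with constructed sample output; the live_check and live_clean_cron wrappers call sudo crontab -l, scutil and crontab - and are meant to be run on the Mac itself. Only the indicator path and the shape of the cron line come from the article; the function names, the convention of passing your expected servers as arguments, and the assumption that the BSD crontab on OS X accepts "-" for stdin are mine.

```shell
#!/bin/sh
# Added example: helper functions for the checks and the cleanup described above.
# Only the indicator path and the shape of the cron line come from the article; the
# function names, the expected-server convention and the live_* wrappers are mine.

INDICATOR_FILE="/Library/Internet Plug-Ins/plugins.settings"
DNS_STATE_KEY="State:/Network/Global/DNS"
# Nothing legitimate is scheduled out of the plug-ins folder, so any root cron line
# that points into it is treated as the trojan, whatever the file is called today.
CRON_PATTERN='/Library/Internet Plug-Ins/'

# $1 = text of root's crontab. True (exit 0) if a line points into Internet Plug-Ins.
crontab_has_rsplug() {
    printf '%s\n' "$1" | grep -Fq "$CRON_PATTERN"
}

# $1 = text of root's crontab. Prints the crontab with only the trojan line(s) removed,
# so any legitimate root jobs survive (sudo crontab -r would wipe them all).
strip_rsplug_cron() {
    printf '%s\n' "$1" | grep -Fv "$CRON_PATTERN" || true
}

# $1 = output of scutil's "show State:/Network/Global/DNS". Prints the entries of the
# ServerAddresses array, one per line, ignoring other arrays such as SearchDomains.
scutil_dns_servers() {
    printf '%s\n' "$1" | awk '
        /ServerAddresses[[:space:]]*:[[:space:]]*<array>/ { inside = 1; next }
        inside && /^[[:space:]]*}/                        { inside = 0 }
        inside && $1 ~ /^[0-9]+$/ && $2 == ":"           { print $3 }
    '
}

# $1 = scutil output, $2 = space-separated servers you expect (what the Network pane
# shows). Prints every server the system is really using that is not in that list.
unexpected_dns_servers() {
    scutil_dns_servers "$1" | while IFS= read -r ip; do
        case " $2 " in
            *" $ip "*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Live check for the Mac itself: needs sudo, crontab and scutil, so it is not part of
# the tests. $@ = the DNS servers you configured. Returns non-zero if anything is found.
live_check() {
    found=0
    if [ -e "$INDICATOR_FILE" ]; then
        echo "FOUND: $INDICATOR_FILE"; found=1
    fi
    if crontab_has_rsplug "$(sudo crontab -l 2>/dev/null)"; then
        echo "FOUND: root cron job pointing into /Library/Internet Plug-Ins"; found=1
    fi
    extra=$(unexpected_dns_servers "$(echo "show $DNS_STATE_KEY" | scutil)" "$*")
    if [ -n "$extra" ]; then
        echo "FOUND: DNS servers in use that you did not configure:"
        echo "$extra"; found=1
    fi
    return $found
}

# Surgical version of the article's "sudo crontab -r": keeps other root jobs.
# Assumes crontab accepts "-" to read the new table from stdin (BSD crontab does).
live_clean_cron() {
    kept=$(strip_rsplug_cron "$(sudo crontab -l 2>/dev/null)")
    if [ -n "$kept" ]; then
        printf '%s\n' "$kept" | sudo crontab -
    else
        sudo crontab -r
    fi
}
```

On the Mac, live_check 192.168.1.1 (substitute the servers you actually configured) runs all three checks and prints anything it finds; if it reports a cron job, live_clean_cron removes only that line, which matters on machines that already have root cron jobs of their own. Deleting plugins.settings, re-applying your DNS settings and rebooting are still done by hand, as in the steps above.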
As always, the best way to avoid these things is to not install software from untrusted sources, especially if it comes as an installer package and requests your administrator's password! But if you do get infected, at least you'll know how to confirm you have an issue, and remove the troublesome software.
[ EDITOR'S NOTE: This article has been updated to reflect other causes of gray DNS entries, as well as a better method of detecting the presence of the malware. ]
[ Senior editor Rob Griffiths doles out how-to help at the Mac OS X Hints blog. ]
Comments
says:

Re: Trojan Horse warning: What you need to know


Ouch!
Prepare yourselves for the inevitable barrage of Mac security bashers.
Happily this is not a functioning Virus. Unfortunately that won't matter to most bashers.
Of course any form of Malware on the Mac is big news. This situation would have barely been a blip
among the tens of thousands of incidents on the Windows security radar.
Amazing.
Cheers!
---RASTER
Wed Oct 31 14:41:55 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
Thanks, Rob, for this good information. Won't it be nice when Apple makes GUI equivalents of the
UNIX/GNU shell utilities and sys-admin tools?
This is one area where Windows is truly way ahead.
Wed Oct 31 14:49:04 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
I would not call this a VIRUS since it does not self-propagate. Nor would I call it a Trojan since it is more along the lines of a MALICIOUS APPLICATION that has to be manually installed by the user and WITH the user's permission (OS prompts verification for installation).
The delivery is a social engineering SCAM.
I could do the same thing with a Malicious application if I could convince the user to INSTALL IT.
Rule #1: Do not install software from untrusted sources, especially if that software comes as an installer package and requests your administrator's password!
As for security, before people start some MAC vs PC war:
OSX prompts the user before installing and asks for verification (inputting system password).
XP can install transparently in the background WITHOUT the user's knowledge.
No OS can protect anyone 100% from social engineering.
Wed Oct 31 14:59:52 PDT 2007
says:
Re: Trojan Horse warning: What you need to know

I never called it a virus. In fact, I went out of my way to state that it is not a virus. It is a trojan horse,
however, because ... well, the very event that defines the phrase was nothing more than a huge social
engineering hack: a bunch of people convinced some other people to accept this large wooden horse as a
gift. But they didn't get a gift. They got a whole bunch of warriors.
This program is a trojan horse: it presents itself as one thing, gets you to accept it on those grounds, and
turns out to be something completely different.
-rob.
Wed Oct 31 15:04:40 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
It's classed as a trojan because it pretends to be an installer for a codec when it's not.
Wed Oct 31 15:05:25 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
I am confused by one thing. I followed your instructions (I have Leopard) and in my DNS area I only
have two DNS servers listed neither are black ... both are grey. I just bought this computer on Monday,
so I rather doubt I have a trojan horse, but thought I would touch base here to be positive. and no, I have
not gone to any site or downloaded anything weird. :-)
Trisha
Wed Oct 31 15:06:15 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
Quote:
    I never called it a virus. In fact, I went out of my way to state that it is not a virus. It is a trojan horse: it presents itself as one thing, gets you to accept it on those grounds, and turns out to be something completely different.
    -rob
Precisely.
Whether the payload is a virus or a worm, or some other type of destructive malware isn't germane.
Follow Rule #1.
Simple, eh?

burt
Wed Oct 31 15:10:02 PDT 2007
says:
Grey text is not uncommon
Running Leopard here...on a university campus network (Ethernet) where DHCP automatically assigns
everything, although we have to enter in a search domain as required for Entourage to work properly
with Exchange Server.
In my Network preference pane (advanced), the DNS info is all in grey...but legit...so that's not always a
sure-fire way to determine if the rogue application was running (I can't call it a Trojan Horse).
Wed Oct 31 15:12:02 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
Rob,
is there any other way the DNS could appear in grey?
I have ONE DNS and I used terminal (just in case) to check for that thing - no I actually haven't been
looking at porn lately and never since I installed 10.5 - and don't have it.
What's also weird is that I have a "Search Domain" too. SAVETIBET. Go figure... I have no idea
whatsoever what that is.
Tnx
Jon
Wed Oct 31 15:13:09 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
It appears there is another way, which I didn't catch here in my testing: if your DNS is being provided by another machine.
So, to update the article, the best way to tell if you have the malware would be to run the 'sudo crontab -l' command (and look in the Internet Plug-Ins folder). I'll work on an update to the article. Thanks for catching this.
-rob.
Wed Oct 31 15:16:57 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
The fact of the matter is that it still requires USER INPUT to deploy.
#1 Tip: Don't browse shady websites (porn, warez, etc.)
Wed Oct 31 15:18:33 PDT 2007


says:
Re: Grey text is not uncommon
I think the instructions are incorrect also.
I am at work, and all the DNS is greyed out. I will check it when I am at home. I doubt I have visited
anyplace that could have given me the trojan horse and I would have remembered allowing an install of
such nature.
Wed Oct 31 15:27:44 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
Great reporting, Rob!
And here I was thinking the other day that it'd be great if Macworld had a weekly/biweekly/monthly security feature...but this works just as well! Looks like a pretty low-level threat to many Mac users that practice basic smart computing, but education and continuing education are the best medicine/vaccine against stuff like malevolent "cron jobs" -- there's just something evil about that phrase. Maybe it's what "cron" sounds so close to that bothers me... ;-)
Wed Oct 31 15:37:36 PDT 2007
says:
Re: Trojan Horse warning: What you need to know
Quote:
    I never called it a virus. In fact, I went out of my way to state that it is not a virus. It is a trojan horse, however, because ... well, the very event that defines the phrase was nothing more than a huge social engineering hack: a bunch of people convinced some other people to accept this large wooden horse as a gift. But they didn't get a gift. They got a whole bunch of warriors.
    This program is a trojan horse: it presents itself as one thing, gets you to accept it on those grounds, and turns out to be something completely different.
    -rob.
I was loosely referring to the usage of "Trojan Horse" since it is a term people nowadays associate with Viruses and Worms. The payload for this is neither. It is in the end just a Malicious Application that only affects the computer it was run on. When you say Trojan people go into a mind-numbing panic and tend to think the sky is falling.
Aye, classic Trojan in the sense, but as far as social engineering goes this is more along the line of someone putting sugar water in a gasoline container and leaving it on the road.
If someone were to be smart enough to pour it in their tank without sniffing it first, it would only blow up their engine but would not affect anyone else on a network or other cars on the road.
If I were to write an application that trashed permissions on a computer and named it idiot, then posted a link on a website for download with a description that said "Running this application will make me smile."
Loosely it could be thought of as a Trojan. But in reality it is just a malicious application that some poor soul just had to manually install and had to give permission before installing it.
Ah no worries and no need to discuss semantics, in the end it was very good of you to inform the public and also give a method of fixing the issue if someone found that watching an unknown explicit video was worth installing an application from a porn site. :-O
I guess the lesson learned here is make sure you only seek out quality porn and only download adult video from iTunes :-D
Wed Oct 31 15:38:24 PDT 2007
There are 95 additional messages in this thread.

1994-2009 Mac Publishing, LLC. Site design by Jason Brightman.
