Mac OS Trojan OSX/RSPlug
Original issue date: November 05, 2007
It has been observed that a trojan named OSX/RSPlug affecting Mac OS is circulating in the wild. It arrives on the victim user's system by exploiting browser vulnerabilities or through social engineering.
The trojan targets Mac operating systems by posing as a MacCodec installer that supposedly helps the user view videos. Instead of installing a real codec, it creates a script that changes the system's DNS servers to attacker-controlled addresses, so that name resolution is redirected to malicious websites or a C&C server. The trojan then sends system information such as the hostname, CPU type and user identifier (UID) to remote IP addresses suspected of being C&C servers.
Aliases:
OSX/RSPlug-A [Sophos], OSX/Puper [McAfee], OSX.RSPlug.A [Symantec]
Upon execution, the Trojan:
- Copies itself to the following files:
/Library/Internet Plug-Ins/plugins.settings
/Library/Internet Plug-Ins/sendreq
- Creates the following clean (non-malicious) file:
/Library/Internet Plug-Ins/Mozillaplug.plugins
- Changes the host's DNS servers to one of the following pairs of IP addresses:
85.255.115.58, 85.255.112.159
85.255.115.21, 85.255.112.151
85.255.115.116, 85.255.112.222
85.255.113.106, 85.255.112.85
- Creates a new cron job that runs every minute. The cron job executes a file called plugins.settings (path below) to make sure that the DNS servers stay set to the addresses above and that the cron job itself is not removed:
/Library/Internet Plug-Ins/plugin.settings
- Sends the CPU type, the user identifier (UID) and the hostname to the C&C server at IP address 85.255.121.37.
In view of the rapid propagation of this malware, Mac OS users are advised to implement the following countermeasures:
- Delete executables/scripts with the above-mentioned names.
- Block DNS traffic between your network and the malicious IP addresses listed above.
- Exercise caution while installing any program from a website.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep the operating system up to date with patches and fixes.
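The following shell script is an added example and is not part of the CERT-In advisory. It turns the indicators listed above (the dropped files, the rogue DNS addresses, and the every-minute cron job) into checks an administrator can run before and after applying the countermeasures. The function names and the interface (a root prefix, resolver text and crontab text passed as arguments) are this example's own choices; on a live Mac the inputs would be /, the output of scutil --dns, and the output of crontab -l, while the test data used here is constructed.

```shell
#!/bin/sh
# Added example, not part of the CERT-In advisory: host-based check for the
# OSX/RSPlug indicators. Each function takes its input as an argument so it can
# run against the live system or against constructed sample data.

# Rogue DNS server addresses from the advisory, plus the C&C address that
# receives the CPU type, UID and hostname.
RSPLUG_DNS_IPS="85.255.115.58 85.255.112.159 85.255.115.21 85.255.112.151
85.255.115.116 85.255.112.222 85.255.113.106 85.255.112.85"
RSPLUG_CNC_IP="85.255.121.37"

# Files the trojan drops, relative to the root prefix. Both spellings of the
# cron-driven script are listed because the advisory uses both.
RSPLUG_FILES="Library/Internet Plug-Ins/plugins.settings
Library/Internet Plug-Ins/plugin.settings
Library/Internet Plug-Ins/sendreq
Library/Internet Plug-Ins/Mozillaplug.plugins"

# rsplug_check_files ROOT: print each indicator file that exists under ROOT
# ("/" for the live system). Exit status 0 if at least one was found.
rsplug_check_files() {
    root=${1%/}
    found=$(printf '%s\n' "$RSPLUG_FILES" | while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then printf '%s\n' "$root/$rel"; fi
    done)
    if [ -n "$found" ]; then
        printf 'indicator file(s) present:\n%s\n' "$found"
        return 0
    fi
    return 1
}

# rsplug_check_resolvers TEXT: scan resolver configuration text (for example the
# output of `scutil --dns` or the contents of /etc/resolv.conf) for the rogue
# DNS or C&C addresses. grep -w keeps 85.255.115.58 from matching inside
# 185.255.115.58 or 85.255.115.580. Exit status 0 if any address matched.
rsplug_check_resolvers() {
    hits=""
    for ip in $RSPLUG_DNS_IPS $RSPLUG_CNC_IP; do
        if printf '%s\n' "$1" | grep -qFw -- "$ip"; then
            hits="$hits $ip"
        fi
    done
    if [ -n "$hits" ]; then
        printf 'rogue address(es) present:%s\n' "$hits"
        return 0
    fi
    return 1
}

# rsplug_check_crontab TEXT: print crontab lines (for example from `crontab -l`)
# that run the persistence script. Exit status 0 if any line matched.
rsplug_check_crontab() {
    printf '%s\n' "$1" | grep -E 'Internet Plug-Ins/plugins?\.settings'
}

# rsplug_scan ROOT RESOLVER_TEXT CRONTAB_TEXT: run all three checks, print their
# findings, and end with a summary line giving how many checks found something.
rsplug_scan() {
    count=0
    if rsplug_check_files "$1"; then count=$((count + 1)); fi
    if rsplug_check_resolvers "$2"; then count=$((count + 1)); fi
    if rsplug_check_crontab "$3"; then count=$((count + 1)); fi
    printf 'indicators found: %s\n' "$count"
}

# Live-system usage (macOS): rsplug_scan / "$(scutil --dns)" "$(crontab -l 2>/dev/null)"
```

Because the cron job re-applies the DNS change every minute, removal has to cover the crontab entry, the dropped files and the resolver setting together; running the resolver check again a few minutes after cleanup confirms that nothing is re-adding the rogue addresses.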
References
http://www.symantec.com/security_response/writeup.jsp?docid=2007-110101-2320-99&tabid=2
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003