DNS malware roots Macs


Aug 2, 2007
Chris, sorry if I posted in the wrong place, But I figured this could possibly affect iPhone users too through sites like seeqpod and other quicktime sites.
A new Trojan horse malware called OSX.RSPlug.A specifically targets Mac users, according to security firm Intego.
The Trojan is a form of DNSChanger that changes the Mac's Domain Name Server (DNS) address. According to Intego, the Trojan has been found on several pornographic websites. When trying to view a movie, the user is told that "Quicktime Player is unable to play movie file. Please click here to download new version of codec."
When the user clicks the link a disk image (.dmg) is downloaded to the desktop. When the user installs the software, they are actually installing the Trojan, not a free video codec. The Trojan is installed with full root privileges, which means it has access to all files and commands on the system.
When the malicious DNS server is active, it hijacks some web requests, leading users to phishing sites (for sites such as eBay, PayPal and some banks) or to pages displaying ads for other pornographic sites, according to Intego.
The Trojan also installs a root crontab which checks every minute to ensure that its DNS server is still active, the company said. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.
Intego said that using Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's interface. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually.


New Member
Aug 6, 2007
Ouch, that's really an annoyance if you happen to catch this bug. Good thing its delivery method is limited, and so obvious.