As you may have read, a new bit of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a computer virus — it can't self-propagate from one machine to another. It is, however, definitely malicious, and it's packaged in a well-designed trojan horse wrapper.
Your machine could be infected if you've recently gone looking for some, um, less-than-flattering pictures of Britney Spears. Thinking you've found what you're looking for, you click a video to watch it, only to see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer which asks for your admin password.
Rule #1: Do not install software from untrusted sources, especially if that software comes as an installer package and requests your administrator's password! However, if you do proceed to run the installer, here's what will happen:
This is really bad. Really. And even though it's targeted at porn surfers today, the malware could easily be attached to anything else, like a new viral video site, or a web site that offers to show commercials from the upcoming Super Bowl. Because this thing may spread to other such sites, we spent some time investigating the trojan — no, not its source sites! — to determine the best way to tell if you've been infected, as well as how to remove the software if you do find it on your machine.
How to detect the trojan horse
What makes this trojan sneaky (for OS X 10.4 users, at least) is that there's no visible way to see that the DNS information has been changed. So how can you tell if you've been infected? If you're a VirusBarrier user and you have your definitions updated as of today, VirusBarrier will both find and remove the trojan horse.
If you're running OS X 10.5, open your Network System Preferences pane and select your active interface (AirPort, Ethernet), then click Advanced. On the Advanced screen, select the DNS tab. The leftmost box holds your DNS servers, and all the entries should be in black. If the trojan has been installed on your machine, you'll see the phantom DNS in gray, listed above your normal DNS information, as seen in the image at right — the first two entries are the evil DNS, the last is the normal DNS.
Note: There are other situations where the DNS info may be gray — it appears that if your DNS is provided by another machine, for instance, then your legitimate DNS information will be in gray, not black. So while this may be an indicator, keep reading for the best way to be sure if your machine is infected.
The easiest way to tell if you've been infected is to go to the top-level /Library -> Internet Plug-Ins folder, and look for a file named plugins.options. If you find one there, chances are, you're infected. However, since the names used by the malware creators may change, it's good to check a couple of other spots as well.
The other thing to check is for the presence of the root cron job. To do this, open Terminal (in /Applications -> Utilities) and type this command:
Enter your admin password when asked, and Terminal will then display any cron tasks for root. Typically this will be blank. If you see this output, though, it means you've got the malware:
If you really want to be sure, you can run scutil in Terminal (it's an interface to configd, an OS X system utility). Type scutil and press Return, then type this command at the prompt, followed by another Return: show State:/Network/Global/DNS. The output will look something like this:
Those are all the DNS servers your machine knows about. (You can type exit to get out of scutil and back to Terminal.) Look at that list and compare it to what you see in the Network preferences panel — make sure you click into the two-line DNS Servers box there and use your down arrow key, just in case there are more servers listed than you can see. The two lists should be the same. If you see servers in the output from scutil that you don't see in the GUI, then the trojan horse has probably been installed.
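Two of the checks above (the plugins.options file and the comparison of scutil's DNS list against what the Network pane shows) can be scripted; the following is an added example, not part of the original article, with constructed function names and a constructed scutil-style sample. On a real Mac you would feed it the live output of the scutil command described above instead of the sample.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the article): automates two of
# the detection checks. Works in plain POSIX sh.

# Check 1: look for plugins.options in the Internet Plug-Ins folder.
# $1 = path of the folder (parameterised so it can be tested elsewhere).
check_plugins_file() {
    if [ -e "$1/plugins.options" ]; then
        echo "SUSPICIOUS: $1/plugins.options exists"
        return 1
    fi
    return 0
}

# Check 2: pull the ServerAddresses entries out of scutil-style output and
# print every server that is NOT in the list shown by the Network pane.
# $1 = scutil output text, $2 = space-separated servers seen in the GUI.
# Returns 1 if any phantom server was printed, 0 otherwise.
unexpected_dns() {
    found=0
    for srv in $(printf '%s\n' "$1" | sed -n '/ServerAddresses/,/}/p' \
                 | sed -n 's/^ *[0-9][0-9]* : //p'); do
        case " $2 " in
            *" $srv "*) ;;               # known from the GUI, fine
            *) echo "$srv"; found=1 ;;   # phantom server
        esac
    done
    return $found
}

# Constructed sample shaped like the output of `show State:/Network/Global/DNS`
# in scutil. The two 192.0.2.x addresses are placeholders for phantom DNS;
# 10.0.1.1 stands for the server the Network pane actually shows.
SAMPLE_SCUTIL='<dictionary> {
  ServerAddresses : <array> {
    0 : 192.0.2.10
    1 : 192.0.2.11
    2 : 10.0.1.1
  }
  DomainName : example.lan
}'

# Stand-alone run against the constructed sample; on a real machine replace
# SAMPLE_SCUTIL with the live scutil output and the second argument with the
# servers listed in the DNS tab.
check_plugins_file "/Library/Internet Plug-Ins"
unexpected_dns "$SAMPLE_SCUTIL" "10.0.1.1" || echo "phantom DNS servers listed above"
```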
How to remove the trojan horse
If you're infected, what's the easiest way to get rid of the trojan horse? As noted above, VirusBarrier will do the job, using today's virus definitions. However, you can do it yourself, if you wish, though it will require a tiny bit of Terminal work. Here's what you need to do — and yes, I infected my own machine and tested this (on OS X 10.5, but OS X 10.4 should be identical) to make sure it works.
After you reboot, you can confirm you're free of the trojan horse (in OS X 10.5) by opening the Advanced pane of the Network System Preferences panel and looking at the DNS tab — you shouldn't see any gray entries. In Tiger, to really prove that you're free of the pest, use the scutil command detailed above, as that's the only way to see all the DNS servers your machine knows about.
As always, the best way to avoid these things is to not install software from untrusted sources — especially if it comes as an installer package and requests your administrator's password! But if you do get infected, at least you'll know how to confirm you have a problem, and remove the troublesome software.
[EDITOR'S NOTE: This article has been updated to reflect other causes of gray DNS entries, as well as a better method of detecting the presence of the malware.]
[Senior editor Rob Griffiths doles out how-to help at the Mac OS X Hints blog.]