New Mac Virus Discovered by Sophos

Date: Thursday, March 26th, 2009, 17:51
Category: News

Early this week, security firm Sophos discovered a new Trojan horse virus, which they are calling OSX/RSPlug-F. They even have a video of the virus in action! The virus’ method seems to be a variation of the malware DNSChanger, which was detected some time ago.
As indicated by the blog entry, the virus is activated by browsing to particular web sites and downloading an infected program. Once the user selects the download, the virus is downloaded via a remote download server and OSX/RSPlug-F will try to change your DNS server settings, which could lead to your Internet traffic being redirected through malicious servers.
Blogger Graham Cluley states, “One of the ways in which the OSX/RSPlug-F Mac Trojan horse is being distributed by hackers is in the form of a poisoned HDTV/DTV program called MacCinema.”
The biggest problem is that, because the Trojan is disguised as a useful piece of software, users are that much more likely to give the program authorization to do whatever it wants. Since many programs on OS X request an administrator’s password the first time they are run, users may simply be in the habit of entering their password and hitting OK without a second thought. Another interesting thing about this particular distribution is that it affects both Macs AND Windows. If you are using Windows, the web site will conveniently download a Windows executable file instead of the OS X program variant.
To keep up to date on the issue, you can follow the Sophos Analyses page or MacFixit.

