First Look: Trojan Horse warning: What you need to know

As you may have read, a new piece of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a virus—it can’t self-propagate from one machine to another. It is, however, definitely malicious, and it’s packaged in a well-designed trojan horse wrapper.

Your machine could be infected if you’ve recently gone looking for some, um, less-than-flattering pictures of Britney Spears. Thinking you’ve found what you’re looking for, you click a video to watch it, only to see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer which asks for your admin password.

Rule #1: Do not install software from untrusted sources, especially if that software comes as an installer package and requests your administrator’s password! However, if you do proceed to run the installer, here’s what will happen:

  • Sorry, but you won’t be able to watch those videos, as no codec was installed.
  • Your DNS server settings will be changed to point to malicious DNS machines. What this means is that even if you type www.apple.com in your browser’s URL area, you may be taken there, to a phishing “clone” of that site, or to another site completely—such as a porn site. Where you wind up depends solely on how the malicious DNS machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may be dire.
  • A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.
  • This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show commercials from the upcoming Super Bowl. Because this thing may spread to other such sites, we spent some time investigating the trojan—no, not its source sites!—to determine the best way to tell if you’ve been infected, as well as how to remove the software if you do find it on your machine.

How to detect the trojan horse

What makes this trojan sneaky (for OS X 10.4 users, at least) is that there’s no visible way to see that the DNS information has been changed. So how can you tell if you’ve been infected? If you’re a VirusBarrier user and your definitions are updated as of today, VirusBarrier will both find and remove the trojan horse.

If you’re running OS X 10.5, open the Network pane of System Preferences, select your active interface (AirPort, Ethernet), then click Advanced. On the Advanced screen, click the DNS tab. The leftmost box lists your DNS servers, and all the entries should be in black. If the trojan has been installed on your machine, you’ll see the phantom DNS servers in gray, listed above your normal DNS information, as seen in the image at right (the first two entries are the rogue DNS servers; the last is the normal one).

Note: There are other situations where the DNS info may be gray. It appears that if your DNS is provided by another machine, for instance, your legitimate DNS information will be shown in gray, not black. So while gray entries may be an indicator, keep reading for the best way to be certain whether your machine is infected.

The easiest way to tell if you’ve been infected is to go to the top-level /Library -> Internet Plug-Ins folder and look for a file named plugins.settings. If you find one there, chances are you’re infected. However, since the names used by the malware authors may change, it’s best to check a couple of other spots as well.

The other thing to check is for the presence of the root cron job. To do this, open Terminal (in /Applications -> Utilities) and type this command:

    sudo crontab -l

Enter your admin password when asked, and Terminal will then display any cron tasks for root. Typically this will be blank. If you see this output, though, it means you’ve got the malware:

    * * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

If you really want to be sure, you can run scutil in Terminal (it’s an interface to configd, an OS X system utility). Type scutil and press Return, then type this command at the prompt, followed by another Return:

    show State:/Network/Global/DNS

The output will look something like this:

    <dictionary> {
      ServerAddresses : <array> {
        0 : 123.12.34.56
        1 : 234.65.43.21
      }
    }

Those are all the DNS servers your machine knows about. (Type exit to get out of scutil and back to Terminal.) Compare that list to what you see in the Network preferences panel—click into the two-line DNS Servers box there and use your down arrow key, in case more servers are listed than you can see. The two lists should be the same. If you see servers in the scutil output that you don’t see in the GUI, then the trojan has probably been installed.
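The three checks above (the dropped file, the root cron entry, and the scutil server list compared against what the Network pane shows) as a small POSIX shell script. This is an added example, not part of the original article or of Intego’s tooling; the captured text it runs against is constructed, the two rogue addresses are the article’s own placeholder values, and 192.0.2.53 is an assumed legitimate resolver.

```shell
#!/bin/sh
# Added example (not from the article): the detection checks described above as
# functions that read captured text on stdin, so they can be tried on samples.
# On the Mac being checked, feed them the live output instead:
#   sudo crontab -l | check_root_crontab && echo "rogue cron job present"
#   echo 'show State:/Network/Global/DNS' | scutil | scutil_dns_servers
PLUGIN_PATH='/Library/Internet Plug-Ins/plugins.settings'   # file named in the article
# Check 1: the dropped file that rewrites the DNS settings. True (0) if present.
plugin_file_present() {
    [ -e "$PLUGIN_PATH" ]
}

# Check 2: root's crontab (stdin) carries the every-minute job shown above.
check_root_crontab() {
    grep -qF '* * * * * "/Library/Internet Plug-Ins/plugins.settings"'
}

# Check 3a: pull the ServerAddresses entries out of scutil's
# "show State:/Network/Global/DNS" output (stdin), one address per line.
scutil_dns_servers() {
    sed -n 's/^[[:space:]]*[0-9][0-9]* : \([0-9.][0-9.]*\).*/\1/p'
}

# Check 3b: $1 is the space-separated list copied from the Network pane, stdin
# the scutil list. Prints every server the GUI does not show: the "phantom DNS".
unexpected_dns() {
    gui="$1"
    while read -r server; do
        case " $gui " in
            *" $server "*) ;;                 # also in the GUI: expected
            *) printf '%s\n' "$server" ;;     # only in scutil: suspicious
        esac
    done
}
# Constructed sample captures (not real data): the cron line from the article and
# a scutil listing with the article's two placeholder rogue addresses followed by
# one assumed legitimate resolver (192.0.2.53, a documentation address).
SAMPLE_CRONTAB='* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'
SAMPLE_SCUTIL='<dictionary> {
  ServerAddresses : <array> {
    0 : 123.12.34.56
    1 : 234.65.43.21
    2 : 192.0.2.53
  }
}'
GUI_SERVERS='192.0.2.53'   # what the Network pane shows in black
# Stand-alone run against the samples: prints the two rogue addresses.
printf '%s\n' "$SAMPLE_CRONTAB" | check_root_crontab && echo "cron indicator found"
printf '%s\n' "$SAMPLE_SCUTIL" | scutil_dns_servers | unexpected_dns "$GUI_SERVERS"
```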

How to remove the trojan horse

If you’re infected, what’s the easiest way to get rid of the trojan horse? As noted above, VirusBarrier will do the job, using today’s virus definitions. However, you can do it yourself, if you wish, though it will require a tiny bit of Terminal work. Here’s what you need to do—and yes, I infected my own machine and tested this (on OS X 10.5, but OS X 10.4 should be identical) to make sure it works.

  • In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.
  • In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message “crontab: no crontab for root.”
  • Open the Network pane of System Preferences, go to the DNS Servers box, and copy the entries you can see to a Stickies note or TextEdit document (or memorize them). Now retype those same values in the box, then click Apply.
  • Reboot your Mac.
  • After you reboot, you can confirm you’re free of the trojan horse (in OS X 10.5) by opening the Advanced pane of the Network System Preferences panel and looking at the DNS tab—you shouldn’t see any gray entries. In Tiger, to really prove that you’re free of the infestation, use the scutil command detailed above, as that’s the only way to see all the DNS Servers your machine knows about.

As always, the best way to avoid these things is to not install software from untrusted sources—especially if it comes as an installer package and requests your administrator’s password! But if you do get infected, at least you’ll know how to confirm you have an issue, and remove the troublesome software.

[ EDITOR’S NOTE: This article has been updated to reflect other causes of gray DNS entries, as well as a better method of detecting the presence of the malware. ]

[ Senior editor Rob Griffiths doles out how-to help at the Mac OS X Hints blog. ]
