dns hijack, mac os x, malware, OSX.RSPlug.A, removal, trojan horse
On Friday I saw a Trojan Horse on an OS X (snow leopard) system in the wild. It was the first time I ever saw an infected Mac. Interesting, in the same way seeing a poisonous snake is interesting. Windows malware is common and is everywhere. This was different.
The infected Mac had a DNS hijack trojan. It changed the DNS server addresses to 18.104.22.168 and 22.214.171.124 A whois showed these to be shared hosts in the Ukraine. Going into the DNS settings (system preferences > networking > advanced > dns) and changing these to the desired dns servers did not “stick”, that is they would change back to the wrong ones by the trojan process. When web surfing, sometimes the Mac behaved normally and sometime it would go to seemingly random web sites.
A bit of google research turned up references to a trojan horse called OSX.RSPlug.A This cannot replicate itself, it was installed in error by the user who thought he was installing an updated codec. He was on a “questionable” site … ok he was trying to see a pornographic video and the site said he needed to install a codec update to see it. So here we have the crux of the matter, it was a user error that got this trojan on his mac. Self inflicted.
I found the removal solution at Macworld.com here: http://www.macworld.com/article/60823/2007/10/trojanhorse.html To prove the system has this trojan, use the terminal app and enter
sudo crontab -l
the last character is a lower case letter l, not the digit 1. cron is the unix/linux program that runs tasks or jobs at a specific time or interval. crontab is the program which lets you create, view, change, delete these scheduled tasks. If you see something like
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
you have this malware. This says cron will run the script named plugins.settings on a regular basis. To cancel this, in terminal enter
sudo crontab -r
then delete the plugins.settings file. I found it in ~/Library/Internet Plug-Ins directory, not in /Library/Internet Plug-Ins. Do a search to see where it is and delete them all.
This worked, the infected Mac was cured.