Dagny's Desk

Malware on Mac OS X

17 Saturday Jul 2010

Posted by Dagny Gromer in apple mac, Computers, Software

Tags

dns hijack, mac os x, malware, OSX.RSPlug.A, removal, trojan horse

On Friday I saw a Trojan horse on an OS X (Snow Leopard) system in the wild. It was the first time I ever saw an infected Mac. Interesting, in the same way that seeing a poisonous snake is interesting. Windows malware is common and is everywhere. This was different.

The infected Mac had a DNS-hijacking trojan. It changed the DNS server addresses to 85.255.116.150 and 85.255.112.148. A whois lookup showed these to be shared hosts in Ukraine. Going into the DNS settings (System Preferences > Network > Advanced > DNS) and changing these to the desired DNS servers did not "stick": the trojan process would change them back to the rogue ones. When web surfing, sometimes the Mac behaved normally and sometimes it would go to seemingly random web sites.

A bit of Google research turned up references to a Trojan horse called OSX.RSPlug.A. It cannot replicate itself; it was installed in error by the user, who thought he was installing an updated codec. He was on a "questionable" site ... OK, he was trying to see a pornographic video and the site said he needed to install a codec update to see it. So here we have the crux of the matter: it was a user error that got this trojan onto his Mac. Self-inflicted.

I found the removal solution at Macworld.com here: http://www.macworld.com/article/60823/2007/10/trojanhorse.html To confirm the system has this trojan, open the Terminal app and enter

sudo crontab -l

The last character is a lower-case letter l, not the digit 1. cron is the Unix/Linux program that runs tasks or jobs at a specific time or interval; crontab is the program that lets you create, view, change and delete these scheduled tasks. With sudo it shows root's crontab, which is where this trojan puts its entry. If you see something like

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

you have this malware. The five asterisks mean "every minute", so cron re-runs the plugins.settings script every minute, which is why the DNS settings never stick. To cancel this, in Terminal enter

sudo crontab -r

Note that crontab -r deletes root's entire crontab, not just that one line; if root has other jobs you want to keep, use sudo crontab -e instead and remove only the plugins.settings line. It is also worth running a plain crontab -l (no sudo) to check the user's own crontab. Then delete the plugins.settings file. I found it in the ~/Library/Internet Plug-Ins directory, not in /Library/Internet Plug-Ins as the cron entry suggests. Do a search to see where it is and delete every copy, then set the DNS servers back to the correct ones and confirm they stay put.

This worked; the infected Mac was cured.
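The check-and-clean-up steps above, gathered into one script as an added example (this is my own code, not the Macworld article's or the original post's). It looks for the three indicators the post describes: a root or user cron job running plugins.settings out of an "Internet Plug-Ins" folder, resolvers set to the two rogue addresses quoted above, and the plugins.settings file itself in either Plug-Ins folder. The function names and the sample crontab lines are my own constructions; the only macOS-specific commands (sudo crontab -l, networksetup) run when you pass --live on the affected Mac.

```shell
#!/bin/sh
# Added example: indicator check for the OSX.RSPlug.A symptoms described
# in the post above. Function names and sample inputs are constructed
# for this example; they are not from the post or from Macworld.

# The two rogue resolver addresses quoted in the post.
ROGUE_DNS="85.255.116.150 85.255.112.148"

# crontab_has_rsplug TEXT: 0 if any non-comment line of TEXT runs
# plugins.settings from an "Internet Plug-Ins" folder, else 1.
crontab_has_rsplug() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -q 'Internet Plug-Ins/plugins\.settings'
}

# dns_is_hijacked "A B C": 0 if any listed resolver is one of the
# rogue addresses, else 1. Servers are whitespace separated, so the
# multi-line output of "networksetup -getdnsservers" can be passed as-is.
dns_is_hijacked() {
    for server in $1; do
        for rogue in $ROGUE_DNS; do
            [ "$server" = "$rogue" ] && return 0
        done
    done
    return 1
}

# find_dropper_files DIR...: print each DIR/plugins.settings that exists;
# returns 0 if at least one was found, else 1.
find_dropper_files() {
    found=1
    for dir in "$@"; do
        if [ -f "$dir/plugins.settings" ]; then
            printf '%s\n' "$dir/plugins.settings"
            found=0
        fi
    done
    return $found
}

# Constructed sample crontabs: the entry as the post shows it, and a
# harmless one that must not match.
SAMPLE_INFECTED_CRON='* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'
SAMPLE_CLEAN_CRON='30 2 * * * /usr/sbin/periodic daily'

# Live check on the affected Mac only:  sh rsplug_check.sh --live
if [ "${1:-}" = "--live" ]; then
    for who in root user; do
        if [ "$who" = root ]; then
            cron="$(sudo crontab -l 2>/dev/null || true)"
        else
            cron="$(crontab -l 2>/dev/null || true)"
        fi
        if crontab_has_rsplug "$cron"; then
            echo "$who crontab contains the RSPlug job; remove that line with crontab -e"
            printf '%s\n' "$cron" | grep 'plugins\.settings'
        fi
    done
    # First line of -listallnetworkservices is a legend; a leading '*'
    # marks a disabled service. Names may contain spaces, hence read -r.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' \
    | while IFS= read -r svc; do
        servers="$(networksetup -getdnsservers "$svc")"
        dns_is_hijacked "$servers" && echo "resolvers hijacked on $svc: $servers"
    done
    if find_dropper_files "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"; then
        echo "delete the file(s) listed above, then re-check the DNS settings"
    fi
fi
```

Running it without --live only defines the functions, so it can be sourced and used against a saved copy of a crontab or a DNS listing from another machine.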
