Trojan Horse warning: What you need to know

Rob Griffiths
22 November, 2007
View more articles fromthe author
AAA
News

As mentioned in the lead news item, a new piece of OS X malware has been discovered. Intego has named this malware the OSX.RSPlug.A Trojan Horse. Note that this malware is not a virus — it can’t self-propagate from one machine to another. It is, however, definitely malicious, and it’s packaged in a well-designed trojan horse wrapper.

Your machine could be infected if you’ve recently gone looking for some, um, less-than-flattering pictures of Britney Spears. Thinking you’ve found what you’re looking for, you click a video to watch it, only to see a message stating that your machine lacks the necessary codec. A disk image will then start downloading, and (depending on the settings on your machine) may then mount and launch an installer, which asks for your admin password.

Rule #1: Do not install software from untrusted sources. Especially if that software comes as an installer package and requests your administrator’s password! However, if you do proceed to run the installer, here’s what will happen:

• Sorry, but you won’t be able to watch those videos, as no codec was installed.
• Your DNS will be changed to point to malicious DNS machines. What this means is that even if you type www.apple.com in your browser’s URL area, you may be taken there, to a phishing “clone” of that site, or to another site completely. Where you wind up depends solely on how the malicious DNS machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may be dire.

A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.

This is really bad. Really. And even though it’s targeted at porn surfers today, the malware could easily be associated with anything else, like a new viral video site, or a site that purports to show highlights from Australian Idol. Because this thing may spread to other such sites, we spent some time investigating the Trojan — no, not its source sites! — to determine the best way to tell if you’ve been infected, as well as how to remove the software if you do find it on your machine.

How to detect the trojan horse. What makes this trojan sneaky (for OS X 10.4 users, at least) is that there’s no visible way to see that the DNS information has been changed. So how can you tell if you’ve been infected? If you’re a VirusBarrier user and you have your definitions updated, VirusBarrier will both find and remove the trojan horse. Similarly, Sophos has issued a statement saying its Antivirus product detects and removes this Trojan horse.

If you’re running OS X 10.5, open your Network System Preferences pane and select your active interface (AirPort, Ethernet), then click Advanced. On the Advanced screen, click on the DNS tab. The leftmost box contains your DNS servers, and all the entries should be in black. If the trojan has been installed on your machine, you’ll see the phantom DNS in grey, listed above your normal DNS information.

Note: There are other situations where the DNS info may be grey — it appears that if your DNS is provided by another machine, for instance, then your legitimate DNS information will be in grey, not black. So while this may be an indicator, keep reading for the best way to be certain if your machine is infected.

The easiest way to tell if you’ve been infected is to go to the top-level /Library/Internet Plug-Ins folder, and look for a file named plugins.settings. If you find one there, chances are, you’re infected. However, since the names used by the malware authors may change, it’s best to check a couple of other spots as well.

The other thing to check is for the presence of the root cron job. To do this, open Terminal (in /Applications/Utilities) and type sudo crontab -l
Enter your admin password when asked, and Terminal will then display any cron tasks for root. Typically this will be blank. If you see this output, though, it means you’ve got the malware:

* * * * * “/Library/Internet Plug-Ins/plugins.settings”>/dev/null 2>&1

If you really want to be sure, you can run scutil in Terminal (it’s an interface to configd, an OS X system utility). Type scutil and press Return, then type show State:/Network/Global/DNS at the prompt, followed by another Return. The output will look something like this:

<dictionary> {
ServerAddresses : <array> {
0 : 123.12.34.56
1 : 234.65.43.21
}
}

Those are all the DNS servers your machine knows about. (You can type exit to get out of scutil and back to Terminal.) Look at that list and compare it to what you see in the Network preferences panel — make sure you click into the two-line DNS Servers box there and use your down arrow key, just in case there are more servers listed than you can see. The two lists should be the same. If you see servers in the output from scutil that you don’t see in the GUI, then the trojan has probably been installed.

How to remove the trojan horse. If you’re infected, what’s the easiest way to get rid of the trojan horse? As noted above, some antivirus software will do the job, using the latest virus definitions. However, you can do it yourself, if you wish, though it will require a tiny bit of Terminal work. Here’s what you need to do — and yes, I infected my own machine and tested this (on OS X 10.5, but OS X 10.4 should be identical) to make sure it works.

  1. In the Finder, navigate to /Library/Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.
  2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message “crontab: no crontab for root.”
  3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorise them. Retype those same values in the box, then click Apply.
  4. Reboot your Mac. After you reboot, you can confirm you’re free of the trojan horse (in OS X 10.5) by opening the Advanced pane of the Network System Preferences panel and looking at the DNS tab — you shouldn’t see any grey entries. In Tiger, to really prove that you’re free of the infestation, use the scutil command detailed above, as that’s the only way to see all the DNS Servers your machine knows about.

As always, the best way to avoid these things is to not install software from untrusted sources — especially if it comes as an installer package and requests your administrator’s password! But if you do get infected, at least you’ll know how to confirm you have an issue, and remove the troublesome software.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us