I originally posted this at http://www.318.com/TechJournal
Monday, October 29th, 2007 – Intego issued a security alert about a new Trojan Horse called OSX.RSPlug.A targeting the Mac. OSX.RSPlug.A changes the DNS (Domain Name Server) address that infected systems use to access web sites and installs a new task on infected systems to change the DNS server again if the end user changes it back to what it was before. This is similar to many attacks against the Windows Hosts files. However, if anyone is going to get this worm they have to authenticate as an administrative user for their system to get infected.
OSX.RSPlug.A has been found on some pornographic Web sites and when an user is trying to view a movie, they are told that “Quicktime Player is unable to play movie file. Please click here to download new version of codec.†If the user clicks the link a disk image (.dmg) is downloaded to the desktop. When the software is used, the user is actually installing the Trojan as root, giving it access to the full computer. When the malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites or to web pages displaying ads for other pornographic web sites, according to Intego.
For more information, see the original security alert from Intego at:
http://www.intego.com/news/ism0705.asp