OSX.RSPlug.A Trojan Horse on Porn Sites Eventually Cause Redirect to Malicious DNS Servers

OSX.RSPlug.A — a trojan horse on some porn sites — falsely claims to install a video codec necessary for viewing free pornographic videos on Macs, but when users click on the still images to view the content they are directed to a web page that falsely requires a new version of a codec to play the movie file with QuickTime. Safari users who have checked the “Open ‘Safe’ Files After Downloading” option in General Preferences will see a disk image which is downloaded to Mac automatically, and the installer application will automatically launch.

Proceeding with the installation, which includes entering the administrator password, installs the trojan horse and grants the malicious software full root privileges. No codec is actually installed and users who return to the website get another download request.

The OSX.RSPlug.A Trojan is a form of DNSChanger, using the scutil command to change the Mac’s DNS server — a service that translates hostnames like macnn.com to their numerical IP addresses. Using a malicious DNS server, the Mac hijacks some Web requests for phishing or to generate revenue from pornographic advertisements.

Under Mac OS X 10.4 Tiger there is no way to see the changed DNS server in the operating system’s graphical user interface, although in Mac OS X 10.5 Leopard users can see the change in the Advanced Network preferences; the added DNS servers are dimmed and cannot be removed manually.

Intego reports all versions of Mac OS X include the scutil command, suggesting that all versions are vulnerable to the new trojan.

Intego Security Memo (10/31/2007):
OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers