Late last week, Intego Security issued a press release detailing a new Trojan variant aimed at Mac users. The Trojan, known as OSX.RSPlug.A (or OSX/Puper), is installed on the system by the user, under the guise of a video codec supposedly required to play a free video file. The installer, under the clever name MacCodec, requires administrative access to install (meaning the user has to not only specifically agree to download the file, but also enter the admin password before it will install), and instead of installing a codec, it runs a script that creates a scheduled task that changes the system's DNS server, in an attempt to redirect users to malicious phishing sites. Unsurprisingly, this Trojan seems to be almost exclusively targeting porn sites that offer those always-hard-to-resist "Download Sample Now" or "Free movie clip" downloads.
Like clockwork, the pandering, the hysteria and the schadenfreude have already hit the web. Many of these articles fail to adequately underscore a few points that we at Download Squad think are pretty important for users to consider:
- This is not the first Trojan to affect the Mac, nor will it be the last.
- This is a fairly simple, some might even say standard, Trojan. It works exactly the same way as the pre-existing Windows version.
- The user has to agree to download the file AND enter an administrative password. Granting admin rights to a "codec" you are downloading off of a porn site (and note, the video doesn't download; the DMG for the Trojan downloads, and the video does not exist) is not something we recommend, regardless of your OS.
- The company that released the first press release, assessing the risk as "critical", is a company that is trying to parlay this into a way to sell more copies of its Mac antivirus product. McAfee, Sunbelt and others deemed this nothing more than low risk.
As always, users should never grant admin access to a program from an unknown source (especially if it comes from a porn site, come on!). We admit, masquerading as a codec is pretty clever, considering QuickTime's lack of out-of-the-box compatibility with some of the most popular video formats. Luckily, Perian, an open-source, free and SAFE utility, exists that quickly and easily provides QuickTime compatibility with a host of formats. Other solutions like VLC and Windows Media Components for QuickTime are also available for free.
Panda Labs has more information about the types of sites this Trojan seems to be stemming from and the types of messages the installer displays.
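For readers who want to check a Mac (or any Unix-style box) for the two things this Trojan actually does, a scheduled task plus a rewritten DNS server, here is a small defender-side script. It is an added example written for this post, not code from Intego, Panda or the article itself. It assumes you feed it the output of `crontab -l` and the list of resolvers the machine is currently using; the allowlist of expected resolvers, the sample crontab and the "every minute" heuristic are constructed for the example. `scutil` and `networksetup -setdnsservers` are real macOS tools; treating any cron entry that invokes them as suspect is this example's own assumption.

```python
"""Detect DNS-changer persistence of the kind described in the post.

Added example, not the article's or any vendor's code.  Two checks:
  1. unexpected_resolvers(): are the live DNS servers on our allowlist?
  2. suspicious_cron_entries(): do any crontab lines rewrite DNS settings,
     and are they re-applied every minute (the persistence trick)?
All sample inputs below are constructed.
"""
import re
from dataclasses import dataclass, field

# Resolvers we expect to see on a healthy machine (constructed, TEST-NET-1).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Command fragments that change DNS on macOS / Unix.  scutil and
# networksetup -setdnsservers exist on macOS; flagging them is an assumption.
DNS_CHANGE_PATTERNS = [
    re.compile(r"\bscutil\b"),
    re.compile(r"networksetup\s+-setdnsservers"),
    re.compile(r"/etc/resolv\.conf"),
]
# Five "*" fields: a job that runs every minute, which a DNS changer uses
# so that a user who fixes the setting gets it broken again immediately.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list = field(default_factory=list)


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return the live resolvers that are not on the allowlist, sorted."""
    return sorted(set(configured) - set(expected))


def suspicious_cron_entries(crontab_text):
    """Scan `crontab -l` output and return Findings for DNS-touching jobs."""
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue                      # blank line or comment
        reasons = []
        if any(p.search(s) for p in DNS_CHANGE_PATTERNS):
            reasons.append("modifies DNS settings")
            if EVERY_MINUTE.match(s):
                reasons.append("re-applied every minute (persistence)")
        if reasons:
            findings.append(Finding(n, s, reasons))
    return findings


# Constructed crontab: one benign job, then two jobs of the kind the post
# describes (hypothetical paths and resolver addresses, TEST-NET-3).
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
* * * * * /usr/sbin/networksetup -setdnsservers Ethernet 203.0.113.1 203.0.113.2
30 2 * * * /usr/sbin/scutil < /tmp/dns.cfg
"""

if __name__ == "__main__":
    # Constructed "live" resolver list: one expected, one that is not.
    live = ["192.0.2.53", "203.0.113.1"]
    print("unexpected resolvers:", unexpected_resolvers(live))
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print("   -", r)
```

On a real Mac you would replace `SAMPLE_CRONTAB` with the output of `crontab -l` (run as each user, since the Trojan runs with whatever rights the installer was granted) and `live` with the servers `scutil --dns` reports; a resolver you do not recognise plus a cron job that rewrites it every minute is exactly the pattern the post describes.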
Reader Comments (Page 1 of 1)
11-06-2007 @ 5:39PM
kojo87 said...
And so it begins. Looks like that Mac guy is about to catch PC's cold. Too bad he has no immune system.
11-06-2007 @ 5:45PM
james 42 said...
kojo87, way not to read the post, troll.
11-06-2007 @ 9:06PM
michael said...
No way! I thought Macs were immune to things like viruses and trojans.
I guess not.
11-07-2007 @ 1:02AM
Reader said...
As the article says, this is a rather non-threat.
Still, I suppose that's hardly going to stop those bashing Apple and Mac fanboys now.
I'd protest... except IMHO Apple probably had it coming after the more arrogant of their ads. Still feel sorry for honest Mac users, though. Oh, well.
11-07-2007 @ 7:17AM
TempusFugit said...
It should be noted, however, that most of the Windows threats these days all rely on the user too. They expect the user to download it, open it, confirm it, and then run it and let it keep running. Big threats which break in through exploits are getting much rarer unless you haven't updated for years.
The problem lies with people. Saying it's not a threat because it requires the user is significantly untrue these days. If someone wants to view something and thinks they need to install something to get it to work, they will do. I've even seen people downloading zipped viruses in emails, unzipping them, entering a password to extract the zip which was in the email, running the program, agreeing to let it run, permitting it through the firewall, and then wondering why their computer got infected.
11-07-2007 @ 9:33AM
nat said...
Quote: "Like clockwork, the pandering, the hysteria and the schadenfreude has already hit the web. Many of these articles fail to adequately underscore a few points that ..."
This is the best article I've read in months. Not for the subject matter or content, but for the resistance to sensationalism so far as to mock other highly credited news sources. Classic.
Keep up the good work dls!
11-07-2007 @ 10:55PM
Colin said...
@3/michael:
And now you know! Consider yourself properly educated.
The type of person to fall prey to this type of Trojan is going to muck up ANY system they're using:
The warning the Trojan displays looks nothing like an actual QuickTime error. QuickTime is improperly capitalized. QuickTime never displays "Click here to download an updated version of this codec." Though I haven't seen the Trojan in action, I highly doubt it shows the appropriate QuickTime loading screen.
If anything, this simply proves that OS X users should educate themselves in ways of avoiding malware. The Activity Viewer window in Safari is your friend: If a video is actually embedded in the page, it will show up in the Activity Viewer. If you're not using Safari, View Source should suffice.
You shouldn't have "Open files considered safe" turned on in Safari. To a lot of people, the fact that Safari triggers Disk Utility inspires a false sense of confidence.
And common sense never hurts: Ultracodec? Really? I've never heard of that one before.
"If in doubt, Google it to find out."