RSPlug

RSPlug
Common name	RSPlug
Technical name	OSX.RSPlug Trojan
Aliases	OSX.RSPlug (Intego); OSX/RSPlug (Sophos); OSX/DNSChanger (F-Secure); OSX/Puper (McAfee); OSX.RSPlug (Symantec); Trojan.OSX.RSPlug (PC Tools);
Family	DNSChanger
Type	Trojan Horse
Isolation	November 9, 2011

The RSPlug Trojan horse, a form of DNSChanger, is malware targeting the Mac OS X operating system. The first incarnation of the trojan, OSX.RSPlug.A, was discovered on October 30, 2007 by Mac security researchers at Intego.^[1]

Variants edit

Several variants of the RSPlug trojan were found primarily on pornographic sites disguised as video codecs, and some variants were spotted on sites offering game downloads. When OSX.RSPlug.A was installed, the system's DNS settings were changed to redirect web browsing to phishing web sites, or to web pages displaying ads for other pornographic web sites.^[2]

There is also a version of the OSX.RSPlug Trojan which targets the Windows platform, and it was this version that led a technical manager at F-Secure to suggest that the group behind the DNS-changing Mac Trojan is the same group behind the Zlob trojan.^[3] However, Intego noted that those behind the RSPlug Trojan horse stopped their activities before those controlling Windows malware, and that it is likely that these were not the same people.^[4]

Isolation edit

As part of Operation Ghost Click, in November 2009 the FBI brought down "a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry."^[4] The FBI estimated that more than four million computers in over 100 countries were infected by DNSChanger. One variant of DNSChanger was the RSPlug Trojan horse, which spawned a number of other variants^[quantify] and infected many^[quantify] Macs.^{[citation needed]}

References edit

^ "Mac OS malware targets porn surfers". CNET. Retrieved 2009-11-16.
^ INTEGO SECURITY ALERT - October 31, 2007, Intego, 2007-10-31, retrieved 2010-07-24
^ "Multiplying Mac Trojan not epidemic yet". CNET. Retrieved 2009-11-16.
^ ^a ^b FBI Shuts Down DNSChanger Ring, The Mac Security Blog, 2011-11-10, retrieved 2011-01-20

[CNetRsPlug-1] "Mac OS malware targets porn surfers". CNET. Retrieved 2009-11-16.

[2] INTEGO SECURITY ALERT - October 31, 2007, Intego, 2007-10-31, retrieved 2010-07-24

[CNetZlob-3] "Multiplying Mac Trojan not epidemic yet". CNET. Retrieved 2009-11-16.

[FBIshutdown-4] FBI Shuts Down DNSChanger Ring, The Mac Security Blog, 2011-11-10, retrieved 2011-01-20

[1]

[2]

[3]

[4]

RSPlug

Contents

Variants edit

Isolation edit

See also edit

References edit