All is not well for Apple, in a week when it should be flag waving the release of Mac OS X 10.5 'Leopard' the firm finds itself, and its users, under attack instead. The culprit being a new Trojan which, once installed, changes the Mac's domain name system server. This kind of DNSChanger Trojan is nearly always criminally motivated, and that would certainly seem to be so in this case, which of course means that the people behind it calculated the potential profit was valuable enough to develop the malware.

That has to be a worry for Mac users.

The OSX.RSPlug.A Trojan is distributed in a common fashion, being distributed exclusively as far as I can tell on pornography websites and forums which link to them. The rather familiar scam of 'view a free dirty video' is used to get the unsuspecting Mac user to click on an image to start the streaming video process. Instead it just displays a standard QuickTime cannot play this movie message and prompts the user to download a new version of the codec which will be able to bring on the porn. Or so the user thinks, what they actually get is an executable .dmg file. The user has to enter their admin password in order to proceed with the 'codec' installation and then, hey presto, the DNSChanger is installed and running with full user privileges.

Just as predictably, the DNS is changed to point towards porn and phishing sites. Leopard users have a slight advantage over that vast majority who will still be running Tiger in as far as they will at least be able to see the changes to the DNS server by using the advanced network preferences as Intego reports that the changed servers appear dimmed.

One of the things that Mac users pride themselves on is having a system which is inherently safer than Windows when it comes to this kind of malware attack. While that situation has not changed, this is like a needle in a thousand haystacks compared to the number of security problems that Windows users are potentially exposed to, it does represent something of security milestone for Apple, and for all the wrong reasons. Indeed, the Trojan itself is actually a variant of the Windows Trojan.DNSChanger.

Sure, at the moment you have to be pretty desperate for that porn video in order to get yourself infect. But that will change, the bad guys will figure out how to make the infection process much more straightforward. It has happened with Vista and it looks like it will certainly now happen with OS X.

Apple can no longer rest on its laurels and let Microsoft take the security flack, it has now become a legitimate platform for attack…

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

9 Years
Discussion Span
Last Post by John A

When you say "the DNS is changed to point towards porn and phishing sites", do you mean that (for example) the locally stored DNS entry for www.hsbc.co.uk could be repointed to a fake version of this site?


The concept of a Trojan horse is simple: fool the user into thinking that it is a legitimate program so that he or she will enter the administrator password. Once the software is running with administrator privileges, there is no security measure that can stop it from doing its magic. And Trojans affect ALL operating systems, not just Mac or Windows. The only failsafe protection against Trojans is to only download software from trusted sites. Oh yes, and stay away from porn.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.