All is not well for Apple. In a week when it should be flag-waving the release of Mac OS X 10.5 'Leopard', the firm finds itself, and its users, under attack instead. The culprit is a new Trojan which, once installed, changes the Mac's domain name system (DNS) server. This kind of DNSChanger Trojan is nearly always criminally motivated, and that would certainly seem to be so in this case, which of course means that the people behind it calculated that the potential profit was valuable enough to justify developing the malware.

That has to be a worry for Mac users.

The OSX.RSPlug.A Trojan is distributed in a common fashion: exclusively, as far as I can tell, on pornography websites and the forums which link to them. The rather familiar scam of 'view a free dirty video' is used to get the unsuspecting Mac user to click on an image to start the streaming video process. Instead, it just displays a standard 'QuickTime cannot play this movie' message and prompts the user to download a new version of the codec which will be able to bring on the porn. Or so the user thinks; what they actually get is an executable .dmg file. The user has to enter their admin password in order to proceed with the 'codec' installation and then, hey presto, the DNSChanger is installed and running with full user privileges.

Just as predictably, the DNS is changed to point towards porn and phishing sites. Leopard users have a slight advantage over the vast majority who will still be running Tiger, insofar as they will at least be able to see the changes to the DNS server by using the advanced network preferences; Intego reports that the changed servers appear dimmed.
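A defensive check for the DNS change described above, as an added example that is not part of the original article: the shell functions below read output in the format of macOS's `scutil --dns` and print any resolver that is not on a list you expect. The sample output, its addresses (documentation ranges) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an expected list.

# Constructed sample in the layout printed by `scutil --dns`.
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  flags    : Request A records

resolver #2
  domain   : local
  nameserver[0] : 192.0.2.53
  nameserver[1] : 203.0.113.10
EOF
}

# Read scutil-style text on stdin; print each nameserver address once.
extract_nameservers() {
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" { if (!seen[$3]++) print $3 }'
}

# unexpected_resolvers EXPECTED...
# Print every resolver found on stdin that is not among the arguments.
unexpected_resolvers() {
    extract_nameservers | while read -r ns; do
        ok=0
        for want in "$@"; do
            if [ "$ns" = "$want" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "$ns"; fi
    done
}

# Demo on the constructed sample; 192.0.2.53 stands in for the resolver
# your network is supposed to hand out.
# On a Mac: scutil --dns | unexpected_resolvers <your expected resolvers>
sample_scutil_output | unexpected_resolvers 192.0.2.53
```

Any address it prints is a resolver the machine is using that you did not expect, which is worth comparing against what your router or ISP actually assigns.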

One of the things that Mac users pride themselves on is having a system which is inherently safer than Windows when it comes to this kind of malware attack. While that situation has not changed (this is like a needle in a thousand haystacks compared to the number of security problems that Windows users are potentially exposed to), it does represent something of a security milestone for Apple, and for all the wrong reasons. Indeed, the Trojan itself is actually a variant of the Windows Trojan.DNSChanger.

Sure, at the moment you have to be pretty desperate for that porn video in order to get yourself infected. But that will change: the bad guys will figure out how to make the infection process much more straightforward. It has happened with Vista and it looks like it will certainly now happen with OS X.

Apple can no longer rest on its laurels and let Microsoft take the security flak; it has now become a legitimate platform for attack…

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

When you say "the DNS is changed to point towards porn and phishing sites", do you mean that (for example) the locally stored DNS entry for could be repointed to a fake version of this site?

John A 1,896

The concept of a Trojan horse is simple: fool the user into thinking that it is a legitimate program so that he or she will enter the administrator password. Once the software is running with administrator privileges, there is no security measure that can stop it from doing its magic. And Trojans affect ALL operating systems, not just Mac or Windows. The only failsafe protection against Trojans is to only download software from trusted sites. Oh yes, and stay away from porn.