Thursday, December 11, 2008

Trojan OSX.RSPlug DNS Confusion Solution

Earlier in the year I posted an article questioning whether Apple had patched Mac OS X Server versions 4 and 5 to prevent the actions of Trojan OSX.RSPlug.A, which hijacks a Mac's DNS server settings in order to divert users to Phishing sites. Misinformation galore was available on the Internet, and of course there was no one in the Mac community I could find with any kind of clear discussion of the issue. If there were such folks around I would send you to them for better information than I can provide.

Thankfully this past week, during my investigation of Clamav's effectiveness against Mac malware, Adam Engst was kind enough to get me in touch with Rich Mogull. Rich provided me with a very helpful answer, quoted below:
Hi Derek,

Yes- that family of trojans makes DNS changes on your system, but not because of any vulnerability or problems with the OS X implementation of DNS. The trojan only works if you manually install it and enter you administrative password. It then changes settings just as you can do yourself under normal circumstances. On occasion, these trojans (and others) may be able to take advantage of other vulnerabilities on the Mac to make changes without an administrative password, or install itself automatically due to a browser weakness, but there are currently no known open vulnerabilities like these being used by bad guys. Right now, you still need to install it and manually enter your admin password- there's not much Apple can do to prevent that.
As a result, I chopped out my early Trojan OSX.RSPlug.A article and corrected a related sentence in my recent article "Update: The State Of Trojan OSX.RSPlug..." in order to remove my own confusion.

The confusion on the Internet regarding Apple Security Update 005 came from the fact that it repaired a very old DNS technology vulnerability. The fact that DNS was involved in both this vulnerability and the RSPlug Trojan was coincidental. I have never covered the DNS technology vulnerability here, called DNS cache poisoning, as it has not been of serious consequence to Mac users. If you are interested, coverage of the problem at the SANS Institute is adequate and provides references.

No comments:

Post a Comment