Sophos protects against RSPlug Trojan horse for Mac OS X

Sophos Press Release

Malware tries to change DNS server settings on Apple Macintosh computers

Sophos customers are protected against a newly discovered Trojan horse that targets users of the Apple Mac OS X platform.

The OSX/RSPlug-A Trojan horse is the latest in a very short list of malware that has been designed to specifically target the Mac OS X operating system.

The Trojan horse poses as a codec to help users view pornographic videos, but in fact changes DNS server entries to direct surfers unwittingly to other websites. This could be for the purposes of phishing, identity theft or simply to drive traffic to alternative websites.

Mac users can infect themselves by downloading and running a fake codec.

"What's important to realise is that this Trojan doesn't exploit a vulnerability in OS X, Leopard, Tiger, or any Apple code. This Trojan exploits the vulnerability within the person sitting in front of the keyboard. It's the Mac user who is giving permission for the code to run and allowing their computer to be infected," said Graham Cluley, senior technology consultant for Sophos. "This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins. The truth is that there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform."

Sophos experts are urging Macintosh users to keep the threat in proportion.

"Mac malware like RSPlug makes the headlines because it is so rare," continued Cluley. "A Trojan horse like this for Windows would be unlikely to generate as many column inches because they are encountered every day. Nevertheless it obviously makes sense for Mac users to ensure that they are protected."

Sophos has been providing protection against the RSPlug Trojan horse since 01:12 GMT on 1 November 2007, and customers have been automatically updated.

In February 2006, in the wake of the discovery of the first Mac OS X worm, Sophos released research that showed 79% of computer users believed Apple Macintoshes would be targeted more in the future. However, over half of those polled said they did not believe the problem would be as great as for Microsoft Windows.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at