Monday, August 18, 2008

Dealt With a Real Life Mac Trojan Horse Tonight

We all know that Macs are more secure than Windows PCs by virtue of the design of the operating system. That said, the only computer that cannot be compromised is the one that's powered off, disconnected from any networks, and locked away in a box. Case in point: tonight I helped a colleague with a Mac that was infected with the OSX.RSPlug.A Trojan Horse.

A Trojan Horse is different from a virus. Unlike viruses, Trojans aren't self-replicating, and require some user intervention to install. They are frequently designed to trick an unsuspecting user into installing them, for example by prompting a visitor to a website to download a "video codec" before the site's content will play.

It started off with this email:

"My brother's DNS on his Mac keeps going to 85.225.113.131 for his DNS setting regardless of what his DHCP server is."

Googling that IP address didn't turn up anything. However, Googling for "mac dns trojan" came up with this gem, which described the symptoms perfectly. Doing a little more searching, this time for "remove mac dns trojan" led me to this.
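One way to check a Mac for the symptom in the email, as an added example that is not from the original post: the script below parses `scutil --dns`-style output and reports any resolver that is not in the list DHCP should have handed out. The sample input is constructed to mirror the reported symptom; the interface name `en0` and the expected resolver `192.168.1.1` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag DNS resolvers that differ
# from the ones DHCP is expected to hand out. On a live Mac you would pipe in
# `scutil --dns`; here the input is constructed to mirror the symptom described.

# find_rogue_resolvers EXPECTED  (reads `scutil --dns`-style text on stdin)
# Prints each nameserver that is not in the space-separated EXPECTED list.
find_rogue_resolvers() {
    expected=" $1 "
    # resolver lines look like "  nameserver[0] : 85.225.113.131"
    grep -E '^[[:space:]]*nameserver\[[0-9]+\][[:space:]]*:' |
        awk '{ print $NF }' |      # last field is the address (IPv4 or IPv6)
        sort -u |
        while read -r ns; do
            case "$expected" in
                *" $ns "*) ;;              # matches an expected server
                *) printf '%s\n' "$ns" ;;  # unexpected resolver: report it
            esac
        done
}

# Constructed sample output: DHCP is assumed to hand out 192.168.1.1, but the
# resolver list also points at 85.225.113.131 (the address from the email).
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  nameserver[0] : 85.225.113.131
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  reach    : 0x00000002 (Reachable)
'

# Runs the check against the constructed sample; prints the rogue resolver.
check_sample() {
    printf '%s' "$SAMPLE_SCUTIL_DNS" | find_rogue_resolvers "192.168.1.1"
}

# On a real Mac (assumed interface en0), compare the live resolver list with
# the DNS servers the DHCP lease actually supplied:
#   scutil --dns | find_rogue_resolvers "$(ipconfig getoption en0 domain_name_server)"
check_sample
```

A non-empty result means something other than DHCP is setting the resolver, which is exactly the situation the email describes.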

Lessons to be learned:

  1. Macs are generally very secure. That doesn't mean they are perfectly secure.
  2. Only install software from trusted sites. If you're surfing the web and a site prompts you to install something, take a moment to seriously consider whether you really need to do so, especially if it prompts you for your administrative password.
