
How to find and remove the OSX.RSPlug.A malware (System)
As reported in many places, including Macworld, there's a new OS X malware in the wild, first reported by Intego, who named it OSX.RSPlug.A (where do they get these names?).

I spent some time this morning looking at this malware, and wrote this article explaining how to find out if you've been infected, and how to remove the programs if you have. If you want all the details, you can read the article. If you just want to know how to remove the malware, here's the simple process:
  1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.
  2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message crontab: no crontab for root.
  3. Open the Network pane of System Preferences, go to the DNS Server box, and copy the entries you can see to a Stickies note or TextEdit document (or memorize them). Now retype those same values in the box, then click Apply.
  4. Reboot your Mac.
The only people who should be infected today are those who have broken the number one rule of internet computing: don't download and install programs (especially those that are (a) package installers that (b) request your admin password) from untrusted sources. However, because this particular trick could be used on any sort of potentially popular site, I thought I'd share the simple how-to, as well as the links above for more details.

As OS X grows in popularity, I expect that this type of thing will become more commonplace.

15 comments
How to find and remove the OSX.RSPlug.A malware
Authored by: macavenger on Oct 31, '07 12:32:25PM
type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings
...as well as any other, potentially legitimate, root cron jobs. Granted, most programs use other methods for scheduling (LaunchDaemons or the like), and the default OS X install has no root crontab, but this is still a potential issue that one should be aware of. For most people though, this command should be safe.

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD


How to find and remove the OSX.RSPlug.A malware
Authored by: variante9 on Oct 31, '07 12:54:00PM

Poor info. In the moment it looks like the firewall panic.

Note: if you are using a router the DNS servers are dimmed out, too.



How to find and remove the OSX.RSPlug.A malware
Authored by: robg on Oct 31, '07 12:58:47PM

We adjusted the article to clarify the gray DNS entries, as well as add a simpler method of detecting the malware.

As for root crontabs, I have yet to find a program that installs any on its own. Yes, experienced macosxhints readers may have them installed, but they will have put them there themselves.

For other "typical" OS X users, though, the root crontab is going to be empty. For the audience, I feel it's the best advice -- there really shouldn't be any root crontabs running on a system that the user didn't place there themselves.

If someone can provide a real-world example of a third-party app that installs its own root crontab, I would like to know about it -- and no, geeky Unix utilities and the like don't count. :)

-rob.



How to find and remove the OSX.RSPlug.A malware
Authored by: macavenger on Oct 31, '07 01:19:20PM

Yeah, agreed. And ruling out geeky unix type things, I can't say I know of anything that does use the crontab. I just thought it might be worth pointing out that you are actually deleting everything :)

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD



How to find and remove the OSX.RSPlug.A malware
Authored by: garythemacguy on Nov 01, '07 05:40:28AM

Intel iMac, Mac OS X 10.4.10 - McAfee VirusScan v8.5 (formerly known as Virex).

I have the "VirusScan Schedule Editor" component set to do a DAT eUpdate every working day (I work for a university). Your "sudo crontab -l" produces the following output:

# Virex Schedule Editor Task 09282007101331946
32 10 * * 1,2,3,4,5 /usr/local/vscanx/VShieldScheduleLauncher -i 09282007101331946 >/dev/null 2>&1

Although I'm actually in IT support, I hadn't specifically known that it used cron to achieve its results.



How to find and remove the OSX.RSPlug.A malware
Authored by: knujon on Nov 01, '07 10:29:13AM

Symantec Antivirus 10 (Corporate Edition) installs this root crontab:

#SqzS VERSION = 1.0.0
#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED
#PLEASE DO NOT EDIT.
# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=2
0 17 * * 5 "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 1 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf -liveupdatequiet YES -liveupdateautoquit YES"
#SqzS END SYMANTEC CRON ENTRIES



How to find and remove the OSX.RSPlug.A malware
Authored by: leono on Oct 31, '07 01:03:08PM
Removing the root crontab altogether (with no review) is a pretty bad idea. You can see what's in the crontab with sudo crontab -l. I have no idea what the malware's crontab entry looks like, but maybe someone can reply and post it here?

If the malware's entry is the only line listed, it is safe to remove the crontab with sudo crontab -r. You can also edit the root crontab in the default editor (vi in Tiger) with sudo crontab -e. If you needed to delete a single line (the malware's) from a multiline file, you would

  1. Use the arrow keys to navigate to the line in question
  2. Type dd to delete the line
  3. Type :wq and press Return to Write the file and Quit
Hope this saves someone's bacon. I'd imagine that most people who have entries in the root crontab know what they're doing enough to not delete it in one shot, but you never know...

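The hint's four steps and leono's point above (review root's crontab and prune only the offending line instead of wiping it with sudo crontab -r) can be combined into one review-first checklist script. This is an added example, not code from the hint or from any commenter. It assumes the plug-in path the hint gives, only reads the system (the single write, reinstalling a pruned crontab, is left to you after inspection), and uses a placeholder pattern for the malware's cron line, because that line is not shown anywhere on this page and must be identified from your own sudo crontab -l output.

```shell
#!/bin/sh
# Added example (not from the hint or its comments): review-first cleanup
# checklist for the indicators the hint lists. Everything here only reads;
# the one write (installing a pruned crontab) is left to you after review.

# Path from step 1 of the hint.
PLUGIN_FILE="/Library/Internet Plug-Ins/plugins.settings"

# Step 1 check: report whether the rogue plug-in file is present.
# Returns 0 when absent, 1 when found.
check_plugin() {
    if [ -e "$1" ]; then
        echo "FOUND: $1  (delete it and empty the Trash, per step 1)"
        return 1
    fi
    echo "clean: $1 not present"
    return 0
}

# Count real (non-blank, non-comment) entries in a crontab listing on stdin.
# A default OS X install has no root crontab, so any entry deserves a look.
count_cron_entries() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }'
}

# Filter a crontab listing on stdin: drop only lines matching the awk regex
# in $1 and keep everything else (comments, legitimate AV scheduler entries).
# This is the alternative to `sudo crontab -r`, which deletes every entry.
drop_cron_lines() {
    awk -v pat="$1" '$0 !~ pat'
}

# Step 3 helper: list the resolvers currently in effect so you can compare
# them with the ones you expect from your ISP or router.
show_dns() {
    scutil --dns | awk '/nameserver/ { print $NF }' | sort -u
}

# Interactive walk-through; only meaningful on OS X.
if [ "$(uname)" = "Darwin" ]; then
    check_plugin "$PLUGIN_FILE"

    listing=$(sudo crontab -l 2>/dev/null)
    echo "root crontab has $(printf '%s\n' "$listing" | count_cron_entries) entries:"
    printf '%s\n' "$listing"

    # PLACEHOLDER: replace with a pattern that matches only the malware's
    # line once you have identified it in the listing printed above.
    pruned=$(printf '%s\n' "$listing" | drop_cron_lines 'REPLACE_WITH_MALWARE_PATTERN')
    printf '%s\n' "$pruned" > /tmp/root-crontab.pruned
    echo "pruned copy written to /tmp/root-crontab.pruned;"
    echo "after review, install it with: sudo crontab /tmp/root-crontab.pruned"

    echo "current DNS servers:"
    show_dns
fi
```

Running it prints the plug-in check, the full root crontab with an entry count, and the resolvers in use; the pruned crontab is written to a file rather than installed, so a wrong pattern costs nothing until you run the final sudo crontab command yourself.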
How to find and remove the OSX.RSPlug.A malware
Authored by: robg on Oct 31, '07 01:43:12PM

Good advice, agreed ... though I still can't come up with a single app that installs a root crontab under 10.4 or 10.5.

-rob.



How to find and remove the OSX.RSPlug.A malware
Authored by: hdms on Oct 31, '07 03:03:19PM

I had a look at my cron jobs using CronniX and opened Crontab for System.

In it was the system-level Macworld hint on scheduling repairing permissions, and also entries for the System Prefpane 'Deja Vu' backup utility.

CronniX is perhaps the more user-friendly way to see and manage cron jobs.



How to find and remove the OSX.RSPlug.A malware
Authored by: mike3k on Oct 31, '07 02:21:00PM

Root's crontab may be present for some legitimate applications. A few anti-theft products use root's crontab in pre-10.4 systems since the preferred method using launchd isn't available.

The best thing to do is 'sudo crontab -l' to see what the crontab contains, and then 'sudo crontab -e' to edit it and remove any offending lines.



How to find and remove the OSX.RSPlug.A malware
Authored by: hdms on Oct 31, '07 03:06:24PM

CronniX provides a GUI to crontab that might be easier for those not confident with Terminal



How to find and remove the OSX.RSPlug.A malware
Authored by: jabberwocky on Nov 01, '07 11:10:06AM

Could someone clarify the 3rd step a little more, please? Will the items seen in the box when we copy them now be only the non-offending DNS servers, or will both be seen? Or are the ones we are supposed to enter the ones from the scutil commands?



How to find and remove the OSX.RSPlug.A malware
Authored by: fchanMSI on Feb 12, '08 11:19:17AM

On line 3, this may change depending on your ISP or network. At work I have my own DNS servers, but they don't work at home for security reasons. Each time you change ISP or network, your DNS may change. You can use OpenDNS for DNS if you are suspicious of unknown DNS servers; their DNS servers' IP addresses are here:
208.67.222.222 and 208.67.220.220

You can check opendns.com for more information about them.



How to find and remove the OSX.RSPlug.A malware
Authored by: codymae on May 02, '08 09:21:31PM

Having followed the instructions to the letter, I believe I have gotten rid of the trojan that was hiding in my iMac. (Please DON'T say anything about being stupid and downloading the thing in the first place - the person who did it has been BANNED from the computer for a month.)

However, I have had strange problems with my printer and my internet connection all day since doing it. Is this just coincidence, or could there be some connections?

thanks for any input...

Codymae


