The RSPlug Trojan horse, a form of DNSChanger, is malware targeting the Mac OS X operating system. The first incarnation of the trojan, OSX.RSPlug.A, was discovered on October 30, 2007 by the Mac security experts at Intego. Several variants of the RSPlug trojan were found primarily on pornographic sites disguised as video codecs, and some variants were spotted on sites offering game downloads. When OSX.RSPlug.A was installed, the system’s DNS settings were changed to redirect web browsing to phishing web sites, or to web pages displaying ads for other pornographic web sites.
There is also a version of the OSX.RSPlug Trojan which targets the Windows platform, and it was this version that led a technical manager at F-Secure to suggest that the group behind the DNS-changing Mac Trojan is the same group behind the Zlob trojan. However, Intego noted that those behind the RSPlug Trojan horse stopped their activities before those controlling Windows malware, and that it is likely that these were not the same people.
As part of Operation Ghost Click, in November 2009 the FBI brought down “a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry.” The FBI estimated that more than four million computers in over 100 countries were infected by DNSChanger. One variant of DNSChanger was the RSPlug Trojan horse, which spawned a number of other variants and infected many Macs.