Neville Hillyer wrote:
A few sites mentioned the possibility of it using standard login names (e.g. admin) and trying a range of passwords. This may be credible with Netgear routers, as many have been left with their default name/password, i.e. admin/password. I was unable to discover if HTTP was used for this.
Why could this not work on OS X if this works on Windows?
You've found a bit more than I have on this subject, but it all sounds like speculation. I tend to only check the A-V vendor blogs as they tend to give the technical details I need, based on a lab analysis of the malware itself. I have not been able to find any of that.
Although there were several versions of the Mac RSPlug installer, all the sample payloads I could locate were identical in terms of what they did, and none of them were that complex. They simply modified the appropriate file for resolving DNS preferences.
The only other possibility is that something in one of the variant's installer scripts attempted to infect the router, but I have not been able to examine any of the installers to see if that happened.
Your theory sounds credible, just haven't seen the evidence yet. Every time I think it might be a router problem, some other explanation ends up being the problem, with the one exception I mentioned.