INTEGO SECURITY MEMO - December 2, 2008

December 6, 2008 in Technology (F)

[] London, UK - Intego, the Macintosh security specialist, today released a Security Memo. A new variant of the RSPlug Trojan horse has been found on several pornographic web sites. (See Intego's Internet Security Memo of October 31, 2007 (1) for more on this Trojan horse.) This new variant is similar to the RSPlug.D Trojan horse (2), in that its installer is a downloader, which contacts a remote server to download the files it installs. This means that, in the future, the downloader may be able to install other payloads than the one it currently installs.

Exploit: OSX.RSPlug.E Trojan Horse
Discovered: December 2, 2008
Risk: Medium

This new variant, like the initial RSPlug.A Trojan horse, has been found on pornographic web sites. As with the RSPlug.D Trojan horse, when a user visits an infected site, and attempts to view a video, they are alerted that there is a "Video ActiveX Object Error" and is told that their "Browser cannot play this video file." The alert instructs the user to download the "missing Video ActiveX Object". If the user clicks OK, a disk image downloads. Depending on the user's browser settings, this disk image may mount and launch automatically commencing installation. If the user clicks Cancel when the Video ActiveX Object alert displays, however, they receive another alert saying, "Please install new version of Video ActiveX Object." This alert only allows the user to click OK, returning them to the first alert. The only way to get rid of these alerts is either to download the infected disk image, or quit the browser.

This new version, however, has some interesting differences with the previous versions. The samples Intego has seen, named FlashPlayer.v3.348.dmg and FlashPlayer.v..dmg, contain code that refers to Intego. The actual malware code is encoded (using a standard routine called uuencode), and when it is decoded, a line of code is present saying: "begin 666 intego". This tells the system to create a file with read and write permissions (the 666 is a shortcut for Unix permissions, not anything to do with the "number of the beast"), and to create a file, containing the malicious code, named "intego". Intego wants to point out that the company obviously has nothing to do with the creation of this malware, and that the choice of this file name is a provocation from the creator of this malware.

Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X5. VirusBarrier X5's virus definitions dated December 2, 2008 detect more specifically this downloader. Intego VirusBarrier X5 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites. Users should be especially careful if such alert loops appear and disk images are downloaded; users should delete any unknown disk image that they find in their Downloads folder. We invite any users who find suspicious disk images to send them to Intego's Virus Monitoring Center.

Intego develops and sells desktop Internet security and privacy software for Macintosh. Intego provides the widest range of software to protect users and their Macs from the dangers of the Internet. Intego's multilingual software and support repeatedly receives awards from Mac magazines, and protects more than one million users in over 60 countries. Intego has headquarters in the USA, France and Japan.


Print this page | PDF | TXT | Read other releases by this member.
Intego | Security | Alert | Trojan | Hacker | Memo