Mac malware authors still plugging away
Last week, SophosLabs received several reports of some new Mac malware (Intego and Threat Researcher). So I asked around for samples (sample exchange) and was able to write detection for OSX/RSPlug-F (and updated it for a minor variant).
Like the last few pieces of Mac malware (OSX/iWorkS-A and OSX/iWorkS-B) OSX/RSPlug-F arrives via hacked/cracked files purporting to be a legitimate application (in this case MacCinema).
When it is installed, however, users will see:
The authors of OSX/RSPlug-F have a bizarre set of influences (as mentioned by Intego and Threat Researcher): the file names of the dropped scripts name-check various things.
Snippets from the scripts:
niagasekirtsogetni 666 nigeb
yksrepsak 777 nigeb
enialbdivad 777 nigeb
Looks strange until you see the rest of the script and realize that this is uuencoding reversed.
Running the scripts through a simple perl script:
#!/usr/bin/perl
# Reverse every line of the dropped script so the uuencoded payload reads normally.
while (<>) {
    chomp(my $str = $_);           # drop the newline so it is not reversed as well
    my $rev_str = reverse($str);   # reverse the characters of the line
    print "$rev_str\n";
}
We would get:
begin 666 integostrikesagain
begin 777 kaspersky
begin 777 davidblaine
While anti-malware products often get mentioned in malware this is the first time I have seen an “illusionist”.
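As an added example (not code from the original post or from Sophos), the same un-reversal and uudecode step in Python, together with a simple check that flags uuencode "begin" headers that only read correctly backwards. The script payload and the file name "maccinema" below are constructed for the example, not taken from the malware.

```python
import binascii
import re

# Constructed sample payload: a harmless script, uuencoded and then written
# backwards line by line, as the page describes for OSX/RSPlug-F.
PLAIN = b"#!/bin/sh\necho hello\n"

def uuencode(data: bytes, name: str, mode: str = "777") -> str:
    """Plain uuencode: 'begin <mode> <name>', 45-byte data lines, '`' terminator, 'end'."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"

def reverse_lines(text: str) -> str:
    """The obfuscation seen in the dropped scripts: each line stored backwards."""
    return "".join(line[::-1] + "\n" for line in text.splitlines())

# 'begin 777 name' reversed becomes 'eman 777 nigeb'; a normal file never contains that.
REVERSED_HEADER = re.compile(r"^\S+ [0-7]{3,4} nigeb$")

def find_reversed_uu_headers(text: str) -> list:
    """Detection heuristic: return every line that is a backwards uuencode header."""
    return [line for line in text.splitlines() if REVERSED_HEADER.match(line)]

def decode_reversed_uu(text: str) -> tuple:
    """Undo the reversal (what the perl loop above does) and uudecode the payload.
    Returns (file name from the begin line, decoded bytes)."""
    name, body = None, bytearray()
    for line in reverse_lines(text).splitlines():
        if name is None:
            m = re.match(r"^begin [0-7]{3,4} (.+)$", line)
            if m:
                name = m.group(1)
            continue
        if line in ("`", "end"):   # '`' is the zero-length line that ends the data
            break
        body += binascii.a2b_uu(line)
    return name, bytes(body)

if __name__ == "__main__":
    obfuscated = reverse_lines(uuencode(PLAIN, "maccinema"))
    print(find_reversed_uu_headers(obfuscated))   # ['ameniccam 777 nigeb']
    print(decode_reversed_uu(obfuscated))         # ('maccinema', b'#!/bin/sh\necho hello\n')
```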
Update: This malware has also been seen on websites, posing as a legitimate download. You can read more about this over on Graham Cluley’s blog, or watch the video below:
Apple Mac malware: Caught on camera from Sophos Labs on Vimeo.