New spin on OSX/RSPlug Mac malware

Filed Under: Apple, Malware, SophosLabs

We will soon add detection for a new Mac Trojan, nicely described by Jose Nazario of Arbor Networks; it will be detected as OSX/Jahlav-A. The Trojan arrives as a key generator application, MacAccess, inside a standard DMG disk image file, usually downloaded from a malicious website closely resembling the websites that host variants of the OSX/RSPlug Trojans.


The difference is that this time the malware does not simply redirect the DNS settings to a rogue DNS server but connects to an IP address located in the Netherlands to download an additional piece of code and execute it.

Two identical files inside the DMG, preinstall and preupgrade, are standard Unix shell scripts that carry additional uuencoded payloads. When decoded, the first layer is another shell script that sets up a cron job to run the file AdobeFlash in the "/Library/Internet Plug-Ins" directory. This file is a copy of the initial preinstall/preupgrade scripts.


Initially, I thought that the downloading functionality could be used to recruit the infected Mac into a botnet, but the functionality of the downloaded code is identical to that of previous OSX/RSPlug variants. The additional piece of code is another uuencoded and slightly obfuscated shell script that eventually changes the local DNS settings to point to a couple of rogue DNS servers located in Ukraine, using the IP addresses 85.255.112.6 and 85.255.112.127.
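To illustrate the layered uuencode packaging described above, here is an added example (not the Trojan's code and not Sophos tooling): a small Python helper that peels nested uuencoded begin/end blocks out of a shell script and checks every decoded layer for the indicators named in this post. The nested sample script it works on is constructed here as a stand-in, not taken from the malware.

```python
import binascii
import re

# Indicators taken from the post: the plug-in path the cron job runs and the rogue DNS servers.
INDICATORS = {
    "plugin_path": "/Library/Internet Plug-Ins",
    "dns_6": "85.255.112.6",
    "dns_127": "85.255.112.127",
}
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$")

def uuencode(name, data):
    """Build a uuencoded begin/end block (used here only to construct the sample)."""
    lines = ["begin 644 %s" % name]
    for i in range(0, len(data), 45):  # uuencode carries at most 45 raw bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    return "\n".join(lines + ["`", "end"])

def uudecode_blocks(text):
    """Return the decoded bytes of every begin/end block embedded in a script."""
    blocks, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if not BEGIN_RE.match(lines[i]):
            i += 1
            continue
        data, i = bytearray(), i + 1
        while i < len(lines) and lines[i].strip() != "end":
            if lines[i].strip():               # blank lines carry no data
                data += binascii.a2b_uu(lines[i])
            i += 1
        blocks.append(bytes(data))
        i += 1                                 # skip the "end" line
    return blocks

def unwrap(script):
    """Peel uuencoded layers until a layer carries no further payload; returns all layers."""
    layers = [script]
    while True:
        blocks = uudecode_blocks(layers[-1])
        if not blocks:
            return layers
        layers.append(blocks[0].decode("utf-8", "replace"))

def find_indicators(layers):
    """Names of the post's indicators that appear in any decoded layer."""
    return sorted(k for k, v in INDICATORS.items() if any(v in layer for layer in layers))

# Constructed sample: a stand-in with the same three-layer nesting, not the real scripts.
INNER = "#!/bin/sh\n# stand-in for the DNS-changing layer\necho 85.255.112.6 85.255.112.127\n"
LAYER1 = ("#!/bin/sh\n# stand-in for the first layer, which schedules"
          " /Library/Internet Plug-Ins/AdobeFlash via cron\n" + uuencode("AdobeFlash", INNER.encode()) + "\n")
SAMPLE = "#!/bin/sh\n# stand-in for preinstall\n" + uuencode("payload", LAYER1.encode()) + "\n"

if __name__ == "__main__":
    found = unwrap(SAMPLE)
    print("%d layers; indicators: %s" % (len(found), find_indicators(found)))
```

Running the script against a real preinstall file (read into `unwrap`) prints how many layers it peeled and which of the post's indicators showed up in the decoded text.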

The new sample is one of several we have been seeing lately and shows that the Zlob gang is still very interested in infecting Macs.


About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.