Mac OS X & Windows – Tailor-made malware

Since the makers of Zlob branched out into the Mac market [1, 2, 3], we’ve been monitoring a large number of their websites, and today we saw a new wave of malware, variations on the same theme as before.

The links behave differently depending on how you browse to them: the site hosting the malware looks at the request made by your browser (or, more specifically, at the user-agent component of the request) and responds accordingly. So if you follow the link from an Apple Macintosh you’ll receive a file detected as OSX/RSPlug-Gen, which would be useless on a Windows platform … which is why following the link from Windows instead results in a file detected as Troj/Zlobar-Fam, which is more suited to that system.

This sort of approach means that the malware authors can target a much wider range of users with a single set of links – while the Trojans themselves aren’t cross-platform, the delivery mechanism is.
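
One way a defender can spot this user-agent-dependent delivery in web proxy logs, shown as an added example that is not part of the original post: group responses by URL and flag any URL where no single response body was served to every client platform. The log layout, the function names and the sample records (hosts and hashes included) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy records, tab-separated: URL, User-Agent, body hash.
# Hosts and hashes are placeholders, not real indicators.
SAMPLE_LOG = """\
http://video.example/codec\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) Safari/525.18\taaaa1111
http://video.example/codec\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\tbbbb2222
http://video.example/codec\tMozilla/5.0 (Windows; U; Windows NT 6.0; en-GB) Firefox/2.0\tbbbb2222
http://news.example/index.html\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) Safari/525.18\tcccc3333
http://news.example/index.html\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\tcccc3333
"""

# Coarse platform buckets derived from the User-Agent header (assumed mapping).
PLATFORM_PATTERNS = [
    ("mac", re.compile(r"Macintosh|Mac OS X", re.I)),
    ("windows", re.compile(r"Windows", re.I)),
    ("linux", re.compile(r"Linux|X11", re.I)),
]

def platform_of(user_agent):
    for name, pattern in PLATFORM_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "other"

def find_platform_dependent_urls(log_text):
    """Return {url: {platform: set(hashes)}} for URLs whose body differs by platform."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed records
        url, user_agent, body_hash = parts
        seen[url][platform_of(user_agent)].add(body_hash)
    flagged = {}
    for url, by_platform in seen.items():
        if len(by_platform) < 2:
            continue  # need at least two platforms to compare
        # Flag when no single body hash was served to every platform.
        if not set.intersection(*by_platform.values()):
            flagged[url] = {p: set(h) for p, h in by_platform.items()}
    return flagged

if __name__ == "__main__":
    for url, by_platform in find_platform_dependent_urls(SAMPLE_LOG).items():
        print(url, {p: sorted(h) for p, h in by_platform.items()})
```

Legitimate download pages also vary their response by user-agent, so treat a hit as a triage signal and narrow it to executable or disk-image downloads before escalating.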