We will soon add detection for a new Mac Trojan, nicely described by Jose Nazario of Arbor Networks. It will be detected as OSX/Jahlav-A. The Trojan comes as a key generator application MacAccess in a standard DMG disk image file, usually downloaded from a malicious website very similar to the websites hosting variants of OSX/RSPlug Trojans.
The difference is that this time the malware does not simply redirect the DNS settings to a rogue DNS server but connects to an IP address located in Netherlands to download additional piece of code and execute it.
Two identical files inside the DMG file, preinstall and preupgrade, are standard Unix shell scripts that contain additional uuencodede payloads. When decoded, the first layer is another shell script that sets up a cron job to run the file AdobeFlash in “/Library/Internet Plug-Ins” directory. This file is a copy of the initial preinstall/preupgrade scripts.
Initially, I thought that the downloading functionality can be used to recruit the infected Mac into a botnet, but the downloaded code functionality is identical to previous OSX/RSPlug variants. The additional piece of code is another uuencoded and slightly obfuscated shell script that eventually changes the local DNS settings to point to a couple of rogue DNS servers located in Ukraine, using IP addresses 220.127.116.11 and 18.104.22.168.
The new sample is one of several we have been seeing lately and shows that the Zlob gang is still very interested in infecting Macs.