Mac malware authors still plugging away

Last week, SophosLabs received several reports of some new Mac malware (Intego and Threat Researcher). So I asked around for samples (sample exchange) and was able to write detection for OSX/RSPlug-F (and update it for a minor variant).

Like the last few pieces of Mac malware (OSX/iWorkS-A and OSX/iWorkS-B), OSX/RSPlug-F arrives via hacked/cracked files purporting to be a legitimate application (in this case MacCinema).

When it is installed, however, users will see:

The authors of OSX/RSPlug-F have a bizarre set of influences (as mentioned by Intego and Threat Researcher): the file names of the dropped scripts name-check various things.

Snippets from the scripts:


niagasekirtsogetni 666 nigeb
yksrepsak 777 nigeb
enialbdivad 777 nigeb

Looks strange until you see the rest of the script and realize that this is uuencoding reversed.

Running the scripts through a simple perl script:


#!/usr/bin/perl
use strict;
use warnings;

# Read each line from stdin (or the files given on the command line),
# drop the newline, reverse the characters and print the line back out.
while (<>) {
    chomp(my $str = $_);
    my $rev_str = scalar reverse($str);
    print "$rev_str\n";
}

We would get:


begin 666 integostrikesagain
begin 777 kaspersky
begin 777 davidblaine
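As an added example (not the author's Perl script, and not code from the malware), the following Python undoes the line reversal and the uuencoding in one pass, so an analyst can recover the dropped payload from an obfuscated script of this kind. The payload, file name and mode used here are constructed for the example.

```python
import binascii
import re

# Constructed sample payload; it is made up for this example and is not
# taken from OSX/RSPlug-F.
SAMPLE_PAYLOAD = b"#!/bin/sh\necho constructed sample payload\n"

def uuencode(name: str, mode: int, data: bytes) -> str:
    """Plain uuencode: 45-byte chunks between a 'begin' header and 'end'."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"

def reverse_lines(text: str) -> str:
    """Apply the dropper's obfuscation: every line is written backwards."""
    return "".join(line[::-1] + "\n" for line in text.splitlines())

BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S+)$")

def decode_reversed_uu(obfuscated: str):
    """Reverse each line, then decode every uuencoded block found.

    Returns a list of (name, mode, payload) tuples. Lines outside a
    begin/end block are ignored, as uudecode itself would ignore them.
    """
    blocks = []
    current = None
    for raw in obfuscated.splitlines():
        line = raw[::-1]                      # undo the reversal
        m = BEGIN_RE.match(line)
        if m:
            current = (m.group(2), int(m.group(1), 8), bytearray())
            continue
        if current is None:
            continue
        if line == "end":
            blocks.append((current[0], current[1], bytes(current[2])))
            current = None
        elif line:                            # '`' alone decodes to b''
            current[2].extend(binascii.a2b_uu(line))
    return blocks

if __name__ == "__main__":
    obfuscated = reverse_lines(uuencode("constructed", 0o755, SAMPLE_PAYLOAD))
    print(obfuscated)                         # first line: "detcurtsnoc 557 nigeb"
    for name, mode, payload in decode_reversed_uu(obfuscated):
        print(f"{name} (mode {mode:o}): {payload!r}")
```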

While anti-malware products often get mentioned in malware, this is the first time I have seen an “illusionist”.

Update: This malware has also been seen on websites, posing as a legitimate download. You can read more about this over on Graham Cluley’s blog, or watch the video below: