No worms in an Apple ...

rh1944

... but there are Trojans. PCPlus had an article on viruses today. The following URL was a link to an article by Sophos.

http://SPAM/redirect.php?num=5zv85k
 
The URL worked for me on Windows. I typed http://www.SPAM/5zv85k which Firefox converted into the above URL.

The two figures did not come across but the text read:

"25 November 2008 17:20 GMT
New spin on OSX/RSPlug Mac malware

We will soon add detection for a new Mac Trojan, nicely described by Jose Nazario of Arbor Networks. It will be detected as OSX/Jahlav-A. The Trojan comes as a key generator application MacAccess in a standard DMG disk image file, usually downloaded from a malicious website very similar to the websites hosting variants of OSX/RSPlug Trojans.

picture-2.JPG

The difference is that this time the malware does not simply redirect the DNS settings to a rogue DNS server but connects to an IP address located in the Netherlands to download an additional piece of code and execute it.

Two identical files inside the DMG file, preinstall and preupgrade, are standard Unix shell scripts that contain additional uuencoded payloads. When decoded, the first layer is another shell script that sets up a cron job to run the file AdobeFlash in the “/Library/Internet Plug-Ins” directory. This file is a copy of the initial preinstall/preupgrade scripts.

picture-6.JPG

Initially, I thought that the downloading functionality can be used to recruit the infected Mac into a botnet, but the downloaded code functionality is identical to previous OSX/RSPlug variants. The additional piece of code is another uuencoded and slightly obfuscated shell script that eventually changes the local DNS settings to point to a couple of rogue DNS servers located in Ukraine, using IP addresses 85.255.112.6 and 85.255.112.127.

The new sample is one of several we have been seeing lately and shows that the Zlob gang is still very interested in infecting Macs.

Vanja Svajcer, SophosLabs, UK"
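
A check for the two traces the quoted article names (the AdobeFlash cron job under /Library/Internet Plug-Ins and the two rogue DNS addresses), as an added example that is not part of the original post or of Sophos's tooling. The function names and sample text are constructed, and `scutil --dns` and `crontab -l` are assumed as the sources of live input on a Mac.

```shell
#!/bin/sh
# Added example: look for the OSX/Jahlav-A traces named in the quoted article.
# Function names and the sample text are constructed for illustration.

# Rogue DNS server addresses given in the article.
ROGUE_DNS="85.255.112.6 85.255.112.127"

# Print each rogue resolver address present in the text on stdin.
# Addresses are compared as whole tokens, so 85.255.112.60 is not a hit.
rogue_dns_hits() {
    tr -c '0-9.\n' ' ' | awk -v bad="$ROGUE_DNS" '
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        { for (i = 1; i <= NF; i++) if (($i in want) && !seen[$i]++) print $i }'
}

# Print active crontab lines from stdin that run AdobeFlash from the
# "Internet Plug-Ins" directory. Comment lines are skipped, and a
# backslash-escaped space in the path is treated like a plain one.
cron_plugin_hits() {
    awk '
        /^[[:space:]]*#/ { next }
        { line = $0; gsub(/\\/, "", line) }
        index(line, "/Library/Internet Plug-Ins/AdobeFlash") { print }'
}

# Constructed sample input (not captured from a real machine).
SAMPLE_DNS='nameserver[0] : 85.255.112.6
nameserver[1] : 85.255.112.60
nameserver[2] : 192.0.2.53'
SAMPLE_CRON='# * * * * * "/Library/Internet Plug-Ins/AdobeFlash"
* */5 * * * /Library/Internet\ Plug-Ins/AdobeFlash >/dev/null 2>&1
0 3 * * * /usr/bin/true'

printf '%s\n' "$SAMPLE_DNS"  | rogue_dns_hits     # prints 85.255.112.6
printf '%s\n' "$SAMPLE_CRON" | cron_plugin_hits   # prints the second line only

# On a Mac, feed the live data instead (run as the user whose crontab to check):
#   scutil --dns | rogue_dns_hits
#   crontab -l   | cron_plugin_hits
```
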
 
First link doesn't work but your 2nd link works OK with Firefox.

Interesting to read about the mac attacks.
 