Thursday, June 25, 2009

From Porn and Warez to Game Sites

The Malware Research Team found a new variant of the Trojan.OSX.RSPlug threat masquerading as gaming software. Previous versions of this threat were mostly found on sleazy porn and warez sites. This time, the malware writers responsible for the threat took a different route, targeting unsuspecting gamers.

The new variant, which PC Tools iAntivirus detects as Trojan.OSX.RSPlug.k, was discovered on this website:


The threat is disguised as a DMG (Mac Disk Image) file of a game whose file name is as follows:


Clicking on the link pointing to the said malicious file downloads it onto the unsuspecting user's computer, where it is automatically executed.

Like most RSPlug variants, this one also displays the MacCinema installation window:


This threat pretends to install a legitimate program on the user's computer, but in the background it silently runs malicious BASH scripts that are packaged inside the DMG file. Moreover, these scripts are found to be UUencoded and are processed with the SED command.

Here's a screen capture of one of the said BASH scripts:


These scripts are encoded in three layers; fully decoding them reveals a PERL script that issues an HTTP GET request for another PERL script called generator.pl:


Like the previous variants, the PERL script retrieved via that HTTP GET request changes the user's DNS server using SCUTIL commands, resulting in the user being redirected to phishing or malicious sites.
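As an added defender-side example (not code from the original post or from PC Tools), the script below parses the output of `scutil --dns` and flags any resolver that is not on an allowlist, which is one quick way to spot the DNS change this variant makes. The sample output is constructed for the example, and the allowlist containing only the router address 192.168.1.1 is an assumption.

```python
import re
import subprocess

# Constructed sample in the format of `scutil --dns`; not captured from a real
# infected machine. 203.0.113.57 (documentation range) plays the rogue resolver.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.57
  if_index : 4 (en0)
  order    : 200000

resolver #2
  domain   : local
  nameserver[0] : 192.168.1.1
  order    : 300000
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_resolvers(scutil_output):
    """Return {resolver_number: [nameserver, ...]} from `scutil --dns` text."""
    resolvers = {}
    current = None
    for line in scutil_output.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers[current] = []
            continue
        m = NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def unexpected_nameservers(scutil_output, allowlist):
    """Nameservers (deduplicated, in the order seen) that are not on the allowlist."""
    flagged = []
    for servers in parse_resolvers(scutil_output).values():
        for server in servers:
            if server not in allowlist and server not in flagged:
                flagged.append(server)
    return flagged


def live_check(allowlist):
    """Run the real `scutil --dns` on a Mac and return the flagged servers."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return unexpected_nameservers(out, allowlist)


if __name__ == "__main__":
    # Assumed allowlist: only the home router should be handing out answers.
    print("unexpected resolvers:", unexpected_nameservers(SAMPLE_SCUTIL_DNS, {"192.168.1.1"}))
```

Replace the sample with `live_check({...})` on a Mac to inspect the real configuration; an unexpected entry is worth checking against the DHCP-supplied resolvers before treating it as a hijack.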

PC Tools iAntivirus recommends that its users run Smart Update to get our latest database for full protection against this threat.