Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Subscribe

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Security Vulnerability

Intego: OSX.RSPlug.D Trojan Horse – New Variant of RSPlug Trojan Horse

November 2008 by Intego Security Alert

Exploit: OSX.RSPlug.D Trojan Horse

Discovered: November 18, 2008

Risk: Medium

Description: A new variant of the RSPlug Trojan horse has been found on several
pornographic web sites. (See Intego’s Internet Security Memo of
October 31, 20071 for
more on this Trojan horse.) While this new variant currently performs the same actions
as the RSPlug.A Trojan horse, its installer is different: it is a downloader, and it contacts
a remote server to download the files it installs. This means that, in the future, the
downloader may be able to install other payloads than the one it currently installs.
This new variant, like the initial RSPlug.A Trojan horse, has been found on
pornographic web sites. When visiting such a site, a user is alerted that there is a “Video
ActiveX Object Error” and is told that their “Browser cannot play this video file.” The
alert instructs the user to download the “missing Video ActiveX Object”. If the user
clicks OK, a disk image called cleanlive.dmg downloads (this name may be different in
the future; with the first version of the RSPlug Trojan horse, a number of different
names were found). Depending on the user’s browser settings, this disk image may
mount and launch automatically commencing installation. If the user clicks Cancel
when the Video ActiveX Object alert displays, however, they receive another alert
saying, “Please install new version of Video ActiveX Object.” This alert only allows the
user to click OK, returning them to the first alert. The only way to get rid of these alerts
is either to download the infected disk image, or quit the browser.
Means of protection: The best way to protect against this exploit is to run Intego
VirusBarrier X5; the program’s behavioral analysis feature detects the activity of this
Trojan horse. VirusBarrier X5’s virus definitions dated November 18, 2008 detect more
specifically this downloader. Intego VirusBarrier X5 eradicates the malicious code and
prevents the Trojan horse from being installed. Intego recommends that users never
download and install software from untrusted sources or questionable web sites. Users
should be especially careful if such alert loops appear and disk images are downloaded;
users should delete any unknown disk image that they find in their Downloads folder.
We invite any users who find suspicious disk images to send them to Intego’s Virus
Monitoring Center at sample@virusbarrier.com


See previous articles

    

See next articles


Security Vulnerability

All our news in english

Alle unsere News auf deutsch

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts

 
News Files Cyber Security Security Vulnerability Malware Update Diary Guide & Podcast TRAINING Jobs CONTACTS Contact About Mentions légales identifier ADMIN

Global Security Mag Copyright 2011