The Year in Mac Security 2009 An Annual Report from Intego

January 2010 by Intego Security Alert

The year in malware began in January 2009, shortly after Apple announced new software at the Macworld Expo in San Francisco. The company’s iWork ’09 suite of productivity software was updated in January, and no sooner had it been released than malware writers took advantage of it. The iServices Trojan horse [1] was provided as an additional installation package inside an installer for iWork found on BitTorrent trackers and other sites containing links to pirated software.

This was all the more interesting as the iWork disk image was more than 450 MB; hardly something that one would download casually. Yet it was effective; in just a short time, Intego found that more than 20,000 people had downloaded the infected disk image. The iServices Trojan opened a backdoor on infected Macs, and it connected to remote servers to download new code. It was actively used as part of a botnet that was involved in distributed denial of service attacks and more.

Shortly thereafter, given the success of the first version of the iServices Trojan, the same cybercriminals planted the next version of their malware with copies of Adobe Photoshop CS4 for Mac found on BitTorrent trackers [2]. The actual Photoshop installer was clean, but the Trojan horse was found in a crack application used to serialize the software. Functioning in a similar manner to the first version, the iServices.B Trojan horse allowed remote users to perform actions on infected Macs.

The RSPlug Trojan horse, which Intego first discovered in October 2007, was as virulent as ever. Variants of RSPlug were found throughout the year, often masquerading as a video codec, including one in February [3], two in June [4][5], and two in July [6][7].

One of the new variants, in March [8] 2009, was written especially to taunt Intego. In December 2008, one variant had already done this, containing code which said “begin 666 intego.” This tells the system to create a file named “intego”, containing malicious code, with read and write permissions (the 666 is shorthand for Unix permissions, not anything to do with the “number of the beast”). The new version contained the following code:
niagasekirtsogetni 666 nigeb
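
The string “begin 666 intego” has the form of a uuencode header (the word begin, an octal mode, a file name), and the March 2009 string is such a header written backwards. The following added example (not code from Intego's report) scans text for these headers in either direction and decodes the mode; the function names and the sample script are constructed for illustration, with only the two header strings taken from the text above.

```python
import re
import stat

# uuencode header: "begin <octal mode> <filename>"
HEADER = re.compile(r"\bbegin ([0-7]{3,4}) (\S+)")


def symbolic(mode: int) -> str:
    """Render permission bits as `ls -l` does, e.g. 0o666 -> 'rw-rw-rw-'."""
    return stat.filemode(mode)[1:]  # drop the leading file-type character


def find_uu_headers(text: str):
    """Return (direction, mode, filename, permissions) for each header found.

    Each line is checked as written and character-reversed, because the
    March 2009 variant stored its header backwards.
    """
    hits = []
    for line in text.splitlines():
        for direction, candidate in (("forward", line), ("reversed", line[::-1])):
            match = HEADER.search(candidate)
            if match:
                mode = int(match.group(1), 8)  # the mode field is octal
                hits.append((direction, match.group(1), match.group(2),
                             symbolic(mode)))
    return hits


# Constructed sample: a harmless script skeleton around the two header
# strings quoted in the report. No encoded payload is included.
SAMPLE = """\
#!/bin/sh
echo installing codec
begin 666 intego
niagasekirtsogetni 666 nigeb
"""

if __name__ == "__main__":
    for direction, mode, name, perms in find_uu_headers(SAMPLE):
        print(f"{direction:8} mode={mode} ({perms}) file={name}")
```

Matching on reversed lines is a heuristic; a hit is a reason to inspect the surrounding script, not proof of an embedded payload.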
