Jun16
1:44 pm (UTC-7)   |    by Det Caraig (Technical Communications)

Two new malware families for Mac OS X were recently discovered. Even though there is indeed far less Mac malware than Windows malware, Mac users who still believe they are somehow magically immune from attacks run the risk of encountering either of these two.

One of the newest Mac OS X malware, a Trojan detected as OSX_RSPLUG.C, may be unknowingly downloaded by a user while visiting malicious websites. The sites encourage users to download software supposedly needed to play a promised hardcore pornographic video; that software is actually a Trojan that leaves the computer easy prey for attackers. It arrives as a .DMG file that contains a .PKG file. When executed, it displays the following GUI installation window:

OSX_RSPLUG installer GUI

While the application is being installed, it also executes, in the background, Bash scripts obfuscated with a sed command. These scripts drop files that set up a cron job to run a component file. It also executes a Perl script that lets the malware connect to servers to download and execute further scripts. The malware then modifies the computer's DNS server settings, so that users can be redirected to virtually any site of the cybercriminals' choice. Users find themselves led to phishing sites or to sites from which other malware can be downloaded.

As if one malware were not enough, another, OSX_RSPLUG.E, has also been detected. Just like the first, the software offered by the prompt is a Trojan that follows much the same routine and carries the same payload. The only difference is that, apart from the sed obfuscation, the malware's execution is also obfuscated with uuencode.

Trend Micro’s Smart Protection Network already detects OSX_RSPLUG.C and OSX_RSPLUG.E and provides solutions for their cleanup and removal.



Jun16
1:22 pm (UTC-7)   |    by Merianne Polintan (Anti-spam Research Engineer)

Father's Day is a tradition meant for us to show our appreciation for fathers. As technology changes quickly, however, people, and spammers especially, follow the trend and celebrate the occasion in their own way.


Clicking the link in the spam message displays a website that appears to belong to the mattress vendor Tempur-Pedic. It invites users to claim a free Night-Time Renewal kit with DVD.

To do so, however, the user must enter their first name, last name, and email address. Asking for such information would not be alarming if the site were the legitimate Tempur-Pedic website, but closer inspection reveals that it is not. The website is a spoofed version of the real one, whose URL is www.tempurpedic.com. The spam run is simply a ploy to harvest email addresses, either to sell them or to send more spam to them.

The spam message and spoof website are already blocked by the Smart Protection Network.



Jun15
8:52 pm (UTC-7)   |    by Ryan Flores (Advanced Threats Researcher)

A recent set of spam emails was seen abusing yet another Google search feature:


The URL in the spam email above uses the search operator q=site: so that a user clicking the link lands on a Google results page that lists the spam site:


What works to the spammers' advantage is that Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link, which leads to a site advertising penis enlargement.


It should be noted that spammers made heavy use of Google's "I'm feeling lucky" feature in their spam campaigns late last year. It remains to be seen whether this new feature abuse will reach the same level of notoriety as "I'm feeling lucky."

The spam emails are already blocked by the Smart Protection Network.
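One way a mail filter can recognise both abuses described above (the q=site: results page and the "I'm feeling lucky" redirect) from the link alone. This is an added example, not code from the original post or from Trend Micro; the sample body, the spam-site.example domain and the decision to consider only google.com hosts are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _is_google_host(netloc):
    # Assumption: only the google.com domain is checked; country TLDs are omitted for brevity.
    host = netloc.lower().split(":")[0]
    return host == "google.com" or host.endswith(".google.com")

def classify_google_search_url(url):
    """Return how a Google search URL would forward the user, or None if it is not one.

    Two patterns are recognised: a q=site:<domain> query, which yields a results page
    listing the spammer's site, and the btnI ("I'm feeling lucky") parameter, which
    sends the browser straight to the first result.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not _is_google_host(parts.netloc):
        return None
    if parts.path.rstrip("/") not in ("", "/search"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    query = params.get("q", [""])[0].strip()
    feeling_lucky = "btnI" in params
    if query.lower().startswith("site:"):
        rest = query[len("site:"):].split()
        target = rest[0] if rest else ""
        return {"technique": "site-operator", "target": target, "feeling_lucky": feeling_lucky}
    if feeling_lucky and query:
        return {"technique": "feeling-lucky", "target": query, "feeling_lucky": True}
    return None

def find_search_redirects(text):
    """Scan message text for http(s) URLs and return those that abuse Google search."""
    hits = []
    for url in URL_RE.findall(text):
        info = classify_google_search_url(url)
        if info:
            hits.append((url, info))
    return hits

# Constructed sample body (not a real spam capture).
SAMPLE_BODY = ("Great deal here http://www.google.com/search?hl=en&q=site:spam-site.example "
               "and an unrelated link http://benign.example/page")

if __name__ == "__main__":
    for url, info in find_search_redirects(SAMPLE_BODY):
        print(url, "->", info)
```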



Jun15
6:39 pm (UTC-7)   |    by Det Caraig (Technical Communications)

The World Health Organization (WHO) raised the H1N1 global pandemic alert level to phase 6 on June 11. More than 70 countries have now reported cases of human infection. Many of the cases reportedly had links to travel or were localized outbreaks. The WHO's phase 6 designation reflects the fact that there are now ongoing community-level outbreaks in multiple parts of the world. It should be noted, however, that the decision to raise the alert level to phase 6 reflects the spread of the virus and not the severity of the illness it causes.

As with any other tragic and much-publicized event, cybercriminals again took advantage of the situation by launching a spate of attacks targeting unwary, unknowing users.

Some of the most recent attacks include those we have already featured in the following blog posts:

Probably the most nefarious of these attacks were found to be hosted on the is-the-boss.com domain. Through SEO poisoning, searches for reports related to the virus yield links that, when opened, trigger multiple redirections to various sites, ultimately leading to the download of rogue antivirus software.


The following URLs were also found to start off similar infection chains:

  • hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-pandemic.html
  • hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-who.html
  • hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1.html
  • hxxp://news04.{BLOCKED}is-the-boss.com/a-h1n1-virus.html

As of this writing, the is-the-boss(dot)com domain is still being used for blackhat SEO campaigns to deliver fake antivirus solutions such as:

The malware TROJ_DLOADR.API and JS_DLOADR.APO attempt to connect to the following URLs, respectively, to download other possibly malicious files:

  • hxxp://thenewpic.{BLOCKED}com/item/2a2c{long string}c70a/e4f892d7456/titem.gif
  • hxxp://theimagesphoto{BLOCKED}.com/werber/744842b7155/217.gif
  • hxxp://super-antiviral-scan{BLOCKED}.com/?id=48275

Fortunately, Trend Micro's Smart Protection Network already stops this threat from affecting users: the malicious URLs are blocked and the files are detected.


Jun11
9:52 pm (UTC-7)   |    by Ryan Flores (Advanced Threats Researcher)

It seems that a new spam bot is currently being developed. A few days ago, a fellow researcher posted a pretty good analysis of a relatively simple spam bot, which Trend Micro detects as TROJ_PROXY.AIF.

This spam bot is quite straightforward. On execution, the Trojan (TROJ_PROXY.AIF) issues a DNS query for a single domain to obtain the IP address of its command-and-control (C&C) server and connects to it. The C&C traffic is in plain text, so one can easily identify how the C&C works (Figure 1).

We say TROJ_PROXY.AIF is simple because, unlike other spam bots such as WALEDAC, it has neither C&C command encryption nor a robust C&C infrastructure (take down the one domain and they are out of business).

One saving grace of this spam bot, however, is its use of certain techniques to avoid spam filters. Take a look at a sample spam mail generated by TROJ_PROXY.AIF (Figure 2).

At first glance it looks like a simple spam email, but a closer look reveals that the mail has five intended recipients. This is quite uncommon for spam, since most spam uses a one-message-per-target address format, and the technique might actually throw off some spam filters.

Another technique used by this spam bot is that the link in the email body points to a Google group, which acts as a middle-man for the actual spam site advertising penis enlargement pills.

The two techniques mentioned, combined with the usual mix of random-lettered words and normal words in the email subject and body, give the spam a better chance of passing through Bayesian filters and anti-spam signatures.

Also worth mentioning is that most of the target email addresses belong to Yahoo! or other webmail users, which again slightly increases the spam's chances of getting through: most of these webmail services are free and offer a somewhat lower level of spam protection than corporate networks with a stronger anti-spam product and stringent email policies.

In all, TROJ_PROXY.AIF may be relatively simple now, but it is possible that this spam bot is still in the early stages of development and may one day evolve into something more complex.
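The evasion traits discussed in this post (several recipients per message, a Google group used as a middle-man link, random-lettered filler words, and mostly webmail targets) can be pulled out of a raw message and surfaced to a filter. This is an added example, not code from the original post or from the researcher's analysis; the sample message, the webmail.example domain, the placeholder group path and the vowel-free heuristic for "random" words are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the TROJ_PROXY.AIF mail described above; not a real capture.
SAMPLE_SPAM = """\
From: sender@sender.example
To: one@webmail.example, two@webmail.example, three@webmail.example
Cc: four@webmail.example, five@webmail.example
Subject: qzxvt special offer
Content-Type: text/plain

gkpwt hello friend see http://groups.google.com/group/placeholder-group/web/offer
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: hosts the post describes as being used as a middle-man for the real spam site.
INTERMEDIARY_HOSTS = ("groups.google.com",)
# Assumption: free webmail domains; a real filter would take this list from its own configuration.
WEBMAIL_DOMAINS = ("webmail.example",)

def _random_looking(word):
    # Crude stand-in for the "random-lettered words" the post mentions: five or more letters, no vowel.
    return len(word) >= 5 and word.isalpha() and not any(c in "aeiouy" for c in word.lower())

def analyze_spam(raw):
    """Extract the evasion traits described in the post from one raw RFC 822 message."""
    msg = message_from_string(raw)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    urls = URL_RE.findall(body)
    # Strip URLs before looking for filler words so host names are not counted.
    text_only = URL_RE.sub(" ", body) + " " + (msg.get("Subject") or "")
    webmail = sum(a.split("@")[-1].lower() in WEBMAIL_DOMAINS for a in recipients)
    return {
        "recipient_count": len(recipients),
        "webmail_share": webmail / max(len(recipients), 1),
        "intermediary_urls": [u for u in urls if u.split("/")[2].lower() in INTERMEDIARY_HOSTS],
        "random_words": [w for w in re.findall(r"[A-Za-z]+", text_only) if _random_looking(w)],
    }

if __name__ == "__main__":
    print(analyze_spam(SAMPLE_SPAM))
```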



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice