Threat Encyclopedia

OSX_RSPLUG.B

Malware type: Trojan

Aliases: ARC:UDIF, ARC:[disk image (Apple_HFS : 2)]:HFS+, ARC:[disk image (Apple_HFS : 2)/Archive.pax.gz]:GZIP, ARC:[disk image (Apple_HFS : 2)/Archive.pax.gz/Archive.pax]:CPIO, ARC:[disk image (Apple_HFS : 2)/Archive.pax.gz/Archive.pax/. /Mozillaplug.plugin/Contents /MacOS/VerifiedDownloadPlugin]:Fat (Kaspersky), OSX.RSPlug.A (Symantec)

In the wild: Yes

Destructive: No

Language: English

Platform: Mac OSX

Encrypted: No

Damage potential: Low

Distribution potential: Low

Description: 

This malware may arrive on a system as a file downloaded unknowingly by a user who visits a malicious Web site. The site encourages users to download software supposedly needed to play the video hosted there.

It arrives as a .DMG file, which is a Mac OS X mountable disk image. The image contains a .PKG installer package, which in turn contains the component files.

Upon execution, it displays a MacVideo installation GUI and then asks for user credentials. Once the installer finishes, it adds files to the system.

While the installer is running, this malware executes two identical Bash scripts. These scripts are obfuscated with sed and contain uuencoded data, which is decoded to drop further components, including a file that executes an embedded Perl script.

When the Perl script is executed, it sends HTTP GET requests, including the infected machine's hostname, to several servers to download another script file.

The downloaded file contains more uuencoded data and sed commands. Upon execution, this script changes the system's DNS settings to point at several malicious DNS servers using scutil get and set commands.

As a result, users may be redirected to phishing sites or sites where other malware can be downloaded.


Description created: Mar. 25, 2009 5:14:38 AM GMT -0800


TECHNICAL DETAILS


File type: Other

Memory resident:  No

Size of malware: 23,092 Bytes

Initial samples received on: Mar 23, 2009

Payload 1: Downloads files

Payload 2: Drops files

Details:

This malware may arrive on a system as a file downloaded unknowingly by a user who visits a malicious Web site. The site encourages users to download software supposedly needed to play the video hosted there.

It arrives as a .DMG file, which is a Mac OS X mountable Disk Image file. It contains a .PKG file, which contains component files.

Among its component files are the following malicious files:

  • preinstall
  • preupgrade
  • Archive.pax.gz

Upon execution, it displays a MacVideo installation GUI.

It then asks for user credentials, which means the installer's scripts run with administrative privileges.

Once the installer finishes, the following files are added to the system:

  • /Library/Internet Plug-Ins/AdobeFlash
  • /Library/Internet Plug-Ins/Mozillaplug.plugin

In the background, while the installer is running, this malware executes the following Bash scripts, which are identical:

  • Install.pkg/Contents/resources/preinstall
  • Install.pkg/Contents/resources/preupgrade

These scripts are obfuscated with sed commands and contain uuencoded data.

The said scripts then drop the file i386 in the root directory. That file again contains uuencoded data and sed commands. Upon execution, it decodes itself and runs crontab to set up a cron job that executes the dropped file /Library/Internet Plug-Ins/AdobeFlash, then deletes itself. The AdobeFlash file contains almost the same data as the preinstall and preupgrade scripts and, when run, executes an embedded Perl script. Because the cron job re-runs AdobeFlash on a schedule, the Perl stage is re-executed even if the downloaded components are removed, so the cron entry itself is part of the infection.
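The sed/uuencode wrapping described above can be unpacked statically, stage by stage, without running any of the scripts. The following is an added example written for this page, not code from the malware or from Trend Micro. It models the layering in a constructed form: a Bash stub whose tail is a uuencoded payload, mangled with a `sed y/FROM/TO/` transliteration that the stub undoes at run time before piping the result into uudecode. The stub format, the transliteration alphabet and the stage names (i386, AdobeFlash, stage.pl) are assumptions; the real scripts' exact sed commands are not reproduced on the page.

```python
"""Static unpacker for sed/uuencode-wrapped dropper scripts (added example).

The unpacker reads the transliteration out of the stub, inverts it, decodes
the uuencoded payload and recurses if the payload is itself such a stub, so
every stage of a chain like preinstall -> i386 -> AdobeFlash -> Perl script
is recovered without executing anything.
"""
import binascii
import re

# Constructed transliteration (assumption). sed's y/// maps characters
# simultaneously, so the pair is invertible only when FROM and TO are
# permutations of one character set. Both are drawn from the uuencode
# alphabet (0x20-0x60) and avoid characters used on begin/end lines.
SED_FROM, SED_TO = "!#$%&*+,;", "#$%&*+,;!"
STUB_RE = re.compile(r"sed 'y/([^/]+)/([^/]+)/'")


def uuencode(name, mode, data):
    """Plain uuencode: begin line, 45-byte chunks per line, '`' and end."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode().rstrip("\n"))
    return lines + ["`", "end"]


def make_stub(name, mode, payload):
    """Constructed stub in the style the write-up describes: at run time it
    cuts its own uuencoded tail, applies sed y/SED_FROM/SED_TO/ to undo the
    mangling, pipes the result into uudecode and runs the dropped file."""
    body = uuencode(name, mode, payload)
    mangle = str.maketrans(SED_TO, SED_FROM)   # inverse of the run-time sed
    obf = [body[0]] + [l.translate(mangle) for l in body[1:-1]] + [body[-1]]
    header = (
        "#!/bin/bash\n"
        f"sed -n '/^begin /,/^end$/p' \"$0\" | sed 'y/{SED_FROM}/{SED_TO}/' | uudecode\n"
        f"chmod {mode} '{name}' && '{name}'\n"
        "exit 0\n"
    )
    return header + "\n".join(obf) + "\n"


def unpack(script):
    """Return [(name, mode, bytes)] for every payload reachable from `script`,
    applying the stub's own sed transliteration and recursing into payloads
    that are themselves stubs."""
    m = STUB_RE.search(script)
    unmangle = str.maketrans(m.group(1), m.group(2)) if m else None
    lines = script.split("\n")
    found, i = [], 0
    while i < len(lines):
        hdr = re.match(r"begin (\d+) (.+)$", lines[i])
        i += 1
        if not hdr:
            continue
        mode, name = hdr.groups()
        data = bytearray()
        while i < len(lines) and lines[i] != "end":
            line = lines[i].translate(unmangle) if unmangle else lines[i]
            if line and line != "`":
                data += binascii.a2b_uu(line)
            i += 1
        data = bytes(data)
        found.append((name, mode, data))
        # A decoded stage that is itself a stub carries the next layer.
        if data.startswith(b"#!") and b"\nbegin " in data:
            found.extend(unpack(data.decode("ascii", "replace")))
    return found


if __name__ == "__main__":
    # Constructed three-layer sample mirroring the chain on this page.
    perl = b"#!/usr/bin/perl\nprint \"stage3\\n\";\n"
    adobeflash = make_stub("stage.pl", "755", perl)
    i386 = make_stub("/Library/Internet Plug-Ins/AdobeFlash", "755", adobeflash.encode())
    preinstall = make_stub("i386", "755", i386.encode())
    for name, mode, data in unpack(preinstall):
        print(f"{name} (mode {mode}, {len(data)} bytes)")
```

Run against a real sample, replace the constructed `preinstall` with the script's text; if the stub uses a different sed idiom than `y///`, `STUB_RE` and `unmangle` are the two places to adapt, and the decoding loop stays the same.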

When the Perl script is executed, it connects to the following servers, sending HTTP GET requests that include the infected machine's hostname, to download another script file:

  • {BLOCKED}.{BLOCKED}.64.78
  • {BLOCKED}.{BLOCKED}.2.109

The downloaded script is then saved in the /tmp directory.

The downloaded file contains more uuencoded data and sed commands. Upon execution, this script changes the system's DNS settings to the following malicious DNS servers using scutil get and set commands:

  • {BLOCKED}.{BLOCKED}.112.220
  • {BLOCKED}.{BLOCKED}.112.195

As a result, users may be redirected to phishing sites or sites where other malware can be downloaded. Because the change is made to the system's DNS configuration rather than to the browser, every application on the machine that resolves host names is affected, and the redirection persists until the DNS settings are restored.
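The three observable traces of this chain on a host are the cron job that re-runs the AdobeFlash component, the dropped files, and resolvers that the machine did not get from its network. The following triage script is an added example written for this page, not a Trend Micro tool. It parses text in the format of `crontab -l` and `scutil --dns` so it can be run offline; the sample outputs below are constructed, and 192.0.2.0/24 (a documentation range) stands in for the blocked resolver addresses on the page. On a live Mac you would feed it the real command output and, since the page does not say whose crontab the job lands in, both the user's and root's (`sudo crontab -l`).

```python
"""Host triage for the cron persistence, dropped files and DNS change
described above (added example, not part of the original write-up)."""
import os
import re

PLUGIN_DIR = "/Library/Internet Plug-Ins/"

# Files the write-up says the installer and dropper leave behind.
DROPPED_FILES = [
    "/Library/Internet Plug-Ins/AdobeFlash",
    "/Library/Internet Plug-Ins/Mozillaplug.plugin",
    "/i386",
]

# Constructed `crontab -l` output: one benign job plus a job of the kind the
# dropper installs (a binary in the browser plug-in directory run by cron).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/periodic daily
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1
"""

# Constructed `scutil --dns` output with documentation-range resolvers
# standing in for the blocked addresses on the page.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.220
  nameserver[1] : 192.0.2.195
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)


def cron_jobs_in_plugin_dir(crontab_text):
    """Crontab entries that execute something from the plug-in directory.
    Nothing legitimate is scheduled from there, so any hit deserves a look."""
    return [line for line in crontab_text.splitlines()
            if not line.lstrip().startswith("#") and PLUGIN_DIR in line]


def configured_resolvers(scutil_dns_text):
    """Every nameserver address listed in `scutil --dns` output."""
    return sorted(set(NAMESERVER_RE.findall(scutil_dns_text)))


def unexpected_resolvers(scutil_dns_text, expected):
    """Resolvers in the scutil output that are not among the addresses your
    DHCP server or network administrator actually hands out."""
    allowed = set(expected)
    return [ip for ip in configured_resolvers(scutil_dns_text) if ip not in allowed]


def present_dropped_files(exists=os.path.exists):
    """Which of the known dropped paths exist; `exists` is injectable for tests."""
    return [p for p in DROPPED_FILES if exists(p)]


def triage(crontab_text, scutil_dns_text, expected_resolvers, exists=os.path.exists):
    """Combine the three checks. Any single finding is enough to call the
    host suspect: the cron job alone re-runs the downloader stage."""
    findings = {
        "cron": cron_jobs_in_plugin_dir(crontab_text),
        "resolvers": unexpected_resolvers(scutil_dns_text, expected_resolvers),
        "files": present_dropped_files(exists),
    }
    findings["infected"] = any(findings[k] for k in ("cron", "resolvers", "files"))
    return findings


if __name__ == "__main__":
    # Demo on the constructed samples; expected resolver is an assumed LAN router.
    result = triage(SAMPLE_CRONTAB, SAMPLE_SCUTIL_DNS, ["192.168.1.1"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Treat `unexpected_resolvers` as an allow-list check, not a block-list one: the page's resolver addresses are withheld and the attackers can change them, whereas the set of resolvers a given network legitimately assigns is small and known.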

This malware runs on Mac OS X.

Analysis By: Karl Dominguez

Updated By: Jasper Manuel


SOLUTION


Minimum scan engine version needed: 8.700


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine from Trend Micro.

Solution:


 Step 1: Search for and delete the files this malware adds, listed under Technical Details:

  • /Library/Internet Plug-Ins/AdobeFlash
  • /Library/Internet Plug-Ins/Mozillaplug.plugin
  • the dropped i386 file in the root directory and the downloaded script in /tmp, if still present

Also remove the cron job that runs /Library/Internet Plug-Ins/AdobeFlash (check with crontab -l, and with sudo crontab -l for root's crontab, since the installer ran with administrative credentials) and restore the DNS settings this malware rewrote via scutil to the servers your network or ISP provides. Until both are done, the Perl stage is re-run on schedule and name resolution remains redirected even after the files are deleted.

*Note: Some component files may be hidden. Make sure hidden files and folders are included when you search.

 Step 2: Scan your computer with your Trend Micro product to delete files detected as OSX_RSPLUG.B  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. See the Trend Micro Knowledge Base for more information.



