Threat Encyclopedia

OSX_RSPLUG.E

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Mac OS X

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Threat Diagram shown below.

OSX_RSPLUG.E Behavior Diagram

Malware Overview

This Trojan may be downloaded unknowingly by a user when visiting malicious websites. The said websites encourage users to download software needed to play the video on the said site.

It arrives as .DMG file, which is a MAC OS X mountable disk image file. It contains a .PKG file which contains component files.

When executed, it displays the following graphical user interface installation window:

OSX_RSPLUG.E GUI Screenshot

It then asks for user credentials.

While the said application is being installed in the background, it also executes scripts obfuscated by the SED command and UUEncode. The said script drops a file that sets up a cron job to run one of its component files. The script also executes a PERL script that allows this malware to connect to servers to download another script. Once the downloaded script is executed, settings of certain DNS servers are modified. As a result, users may be redirected to phishing sites or sites where other malware can be downloaded.

For additional information about this threat, see:

Description created: Jun. 15, 2009 12:08:40 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  No

Size of malware: 24,282 Bytes

Initial samples received on: Mar 23, 2009

Payload 1: Downloads files

Details:

This Trojan may be downloaded from the following remote site(s):

  • http://{BLOCKED}exoteak.com/download/4e4c554750513d3de68d8c9820090602/QuickTime.dmg

It may be downloaded unknowingly by a user when visiting malicious Web site(s).

It arrives as .DMG file, which is a MAC OS X mountable disk image file. It contains a .PKG file which contains component files that may have the following names:

  • Preinstall - also detected as OSX_RSPLUG.E
  • Preupgrade - also detected as OSX_RSPLUG.E

Once this installer is executed, it displays the following graphical user interface installation window:

OSX_RSPLUG.E GUI Screenshot

After installation, the following files can be found present on the affected system:

  • /cron.inst
  • /i386
  • /Library/Internet Plug-Ins/Mozillaplug.plugin
  • /Library/Internet Plug-Ins/AdobeFlash

Note that while the installation is in progress, in the background, this malware executes the following scripts:

  • Install.pkg\Contents\Resources\preinstall
  • Install.pkg\Contents\Resources\preupgrade

These scripts are found to be obfuscated by the SED command and UUEncoded. If decrypted, the code contains the following:

OSX_RSPLUG.E Script Code Screenshot 1

The said script copies itself into the /Library/Internet Plug-Ins/AdobeFlash folder and then creates a cron job that enables the malware to execute periodically every five minutes.

It also contains a chain of scripts that is embedded on itself. Below is a screenshot of this script:

OSX_RSPLUG.E Script Code Screenshot 2

Below is a screenshot of a PERL script that sends a HTTP GET request to download another PERL script.

OSX_RSPLUG.E Script Code Screenshot 3

The script is saved as the following:

  • \TMP\213.163.64.82/cgi-bin/generator.pl

Trend Micro already detects as OSX_DNSCHNGR.E.

This PERL script is also found to contain obfuscated data using UUEncode and SED. The following screenshot shows the codes when decrypted:

OSX_RSPLUG.E Script Code Screenshot 4

Once executed, this script connects to the following IP addresses as a DNS primary server using the SCUTIL GET and SET commands:

  • {BLOCKED}.{BLOCKED}.112.16
  • {BLOCKED}.{BLOCKED}.112.180

As a result, users may be redirected to phishing sites or sites where other malware can be downloaded. Note that the IP addresses may change depending on the downloaded script.

It runs on Max OS X.

Analysis By: Karl Dominguez

Revision History:

First pattern file version: 6.400.05
First pattern file release date: Aug 27, 2009

SOLUTION


Minimum scan engine version needed: 8.700

Pattern file needed: 6.528.03

Pattern release date: Oct 10, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

 Step 1: Search and delete these files

  • /cron.inst
  • /i386
  • /Library/Internet Plug-Ins/Mozillaplug.plugin
  • /Library/Internet Plug-Ins/AdobeFlash

Step 2: Retore default DNS server definitions [learn how]

 Step 3: Scan your computer with your Trend Micro product to delete files detected as OSX_RSPLUG.E

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Connect with us on