
Apple Trojan discovered


Johannesburg, 21 Nov 2008

A “new” Trojan horse for the Apple Mac OS X operating system has been the topic of discussion in the security community for the last few days.

The Trojan horse is closely related to the OSX/RSPlug Trojan horse for Mac OS X that has been distributed in the wild since November 2007, says Brett Myroff, CEO of regional Sophos distributor, Sophos South Africa.

As with RSPlug, this most recent Trojan horse is being spread in an unoriginal way. Users visit a Web site expecting to see a video of something pornographic, and are told they have to install a 'missing Video ActiveX object' before it can be viewed. “The downloaded software, however, is in reality a piece of Mac OS X malware,” says Myroff.

“Apple Mac malware is still relatively unusual compared to the thousands of new Windows-based samples we see every day - so, it's not a surprise to see people talking about this. But this is not exactly new malware.”

Sophos has been detecting this malware as Troj/RKOSX-A since 29 August 2008.

Stop spying

Also in the news this week, a Florida-based software company, CyberSpy Software, has been ordered by a US district court to stop selling its RemoteSpy keylogging spyware program.

According to the Federal Trade Commission (FTC), CyberSpy gave customers detailed instructions on “how to disguise their spying program as an innocuous file, such as a photo, attached to an e-mail”.

It is claimed that when innocent Internet users clicked on the disguised file, the spyware would install itself silently onto the victims' computers, monitoring every keystroke, e-mail and instant message, and making a record of every Web site visited.

Data gathered by RemoteSpy was uploaded to a server run by the CyberSpy company, and made available to customers via a password-protected Web site.

“CyberSpy is not the only company to work in this apparent 'grey' area between legitimate and illegitimate software. These products typically promote themselves as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft - but it's clear they can be used with a wide variety of motives,” Myroff says.

The FTC will try to prove that because the RemoteSpy software was installed onto computers without the informed consent of the PC's owner, and used to secretly steal personal data, it was in breach of the law. If the FTC is successful in its fight against CyberSpy, it could send a warning shot to other vendors selling “legitimate” spyware, he says.

Hospitals get infected

Three hospitals in London have also been infected by a variant of the Mytob worm.

According to the BBC, St Bartholomew's (also known as Barts) in the City, the Royal London Hospital, in Whitechapel and The London Chest Hospital, in Bethnal Green, have been forced to shut down their entire computer systems as a result of the infection.

A statement on the Barts Web site has attempted to reassure the public and patients that the attack is being dealt with and that no one is in any danger.

“The Mytob worm spreads via e-mail, planting a backdoor Trojan horse, which can be used by remote hackers to gain access and control over a victim's computer. The computer can then be spied on (to steal confidential information), or used to send spam or launch denial of service attacks,” explains Myroff.

This week's line-up of low to medium prevalence threats includes Mal/VidHtml-B, a malicious script that attempts to redirect to a malicious executable file. The script is often found in a page pretending to be YouTube or another video site. The malicious executable often pretends to be related to a video codec or a Flash update.

Mal/VidHtml-C, another malicious script demonstrating the same behaviour, has also been detected.
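The Mal/VidHtml behaviour described above (a page posing as a video site whose script or meta tag redirects the browser to an executable dressed up as a codec or Flash update) lends itself to a simple content-inspection check. The following is an added example for illustration; it is not Sophos's detection logic and not code from the original article. It assumes a heuristic of its own: extract redirect targets from meta-refresh tags and JavaScript `location` assignments, and flag any that point at an executable file, recording which "lure" words (codec, ActiveX, Flash, and so on) appear in the page or URL. The sample pages are constructed inline for the example.

```python
import re
from urllib.parse import urlparse

# File extensions we treat as "executable download" when they appear as a redirect target.
EXECUTABLE_EXT = (".exe", ".scr", ".msi", ".dmg", ".pkg")

# Social-engineering words typical of fake-codec / fake-player lures (assumed list).
LURE_WORDS = ("codec", "flash", "activex", "player", "update", "plugin")

# Patterns for the common ways a page redirects without user interaction.
REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0;url=http://...">
    re.compile(r'http-equiv\s*=\s*["\']refresh["\'][^>]*url\s*=\s*["\']?([^"\'>\s]+)', re.I),
    # window.location = "..."  /  location.href = '...'
    re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    # location.replace("...")
    re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I),
]


def extract_redirect_targets(html):
    """Return the distinct redirect URLs found in the page, in order of appearance."""
    seen = []
    for pat in REDIRECT_PATTERNS:
        for url in pat.findall(html):
            if url not in seen:
                seen.append(url)
    return seen


def classify_target(url, page_text):
    """Decide whether a redirect target is an executable and which lure words surround it."""
    path = urlparse(url).path.lower()
    is_executable = path.endswith(EXECUTABLE_EXT)
    haystack = url.lower() + " " + page_text.lower()
    lure = [w for w in LURE_WORDS if w in haystack]
    return is_executable, lure


def scan_page(html):
    """Flag every automatic redirect that lands on an executable file."""
    findings = []
    for url in extract_redirect_targets(html):
        is_executable, lure = classify_target(url, html)
        if is_executable:
            findings.append({"url": url, "lure_words": lure})
    return findings


# Constructed sample: a fake video page in the style described in the article
# (example.invalid is a reserved, non-resolving domain).
FAKE_VIDEO_PAGE = """
<html><head><title>Watch Video</title>
<meta http-equiv="refresh" content="0;url=http://example.invalid/codec/VideoCodec_Setup.exe">
<script>window.location.href = "http://example.invalid/codec/VideoCodec_Setup.exe";</script>
</head><body>
<p>Missing Video ActiveX object. Install it to view this video.</p>
</body></html>
"""

# Constructed sample: an ordinary "page moved" redirect, which must not be flagged.
BENIGN_PAGE = """
<html><head>
<meta http-equiv="refresh" content="5;url=https://example.invalid/news/index.html">
</head><body><p>This page has moved.</p></body></html>
"""

if __name__ == "__main__":
    for name, page in (("fake video page", FAKE_VIDEO_PAGE), ("benign page", BENIGN_PAGE)):
        print(name, "->", scan_page(page))
```

The check is deliberately narrow: it only reports redirects that land on an executable, and the lure words are context for an analyst rather than a condition, so a page that redirects straight to an `.exe` with no codec wording is still reported.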

Trojans affecting Windows users this week include Troj/Agent-IHM and Troj/Bdoor-AQS, a backdoor Trojan known to be delivered via an exploited Microsoft Excel file. It installs itself in the registry.

Troj/CryptBox-A has also been noted. When run, it decrypts and injects other components stored in its resource section and drops more malware.
