Trojan Horse Targets Anti-Virus Maker Intego

Another wrinkle in the spy-vs-spy Mac security game appeared Wednesday when a Mac Trojan Horse attempted to disguise itself by naming a file “intego,” a reference to Intego, the anti-virus company.

Intego said the OSX.RSPlug.E trojan horse carries a medium-level risk for Mac users, making it the fifth version of the malware first discovered in 2007. In November, the developers outlined RSPlug.D, a trojan horse which downloaded a malicious file.

Like the most recent version, OSX.RSPlug.E entices Mac users with pornographic sites that insist a “missing Video ActiveX Object” must be downloaded in order to view a video. The infected download then contacts a malicious remote server.

Unlike previous versions of the Trojan, two .dmg archives: FlashPlayer.v3.348.dmg or FlashPlayer.v.dmg, create an encoded file named “intego” with read and write permission.

In a statement, Intego said the reference “is a provocation from the creator of this malware.”

Intego has “certainly never heard of [such naming] on the Mac side,” spokesman Peter James told Cult of Mac.

James said Eastern European malware writers created the Trojan horse, judging by the Web site domains the malicious code contacts. Unlike in the U.S., former Iron Curtain countries don’t have the resources to track down the cyber criminals.

“They’re taunting us because we keep finding these variants. This could be a test” to determine how Intego’s security products identify suspected malware, James said.

The spokesman called Apple’s recent takedown of a tech note advising adoption of antivirus measures “irresponsible on Apple’s part.”

“A tech person wrote the note, and a marketing person quashed it,” James told Cult of Mac. “It’s a typical flip-flop.”

Comment »