Trojan Horse Targets Anti-Virus Maker Intego

By

post-2124-image-70ac9b7ab24587d7dbda51e10b152562-jpg

Another wrinkle in the spy-vs-spy Mac security game appeared Wednesday when a Mac Trojan Horse attempted to disguise itself by naming a file “intego,” a reference to company.

Intego said the OSX.RSPlug.E trojan horse carries a medium-level risk for Mac users, making it the fifth version of the malware first discovered in 2007. In November, the developers outlined RSPlug.D, a trojan horse which downloaded a malicious file.

Like the most recent version, OSX.RSPlug.E entices Mac users with pornographic sites that insist a “missing Video ActiveX Object” must be downloaded in order to view a video. The infected download then contacts a malicious remote server.

Unlike previous versions of the Trojan, two .dmg archives: FlashPlayer.v3.348.dmg or FlashPlayer.v.dmg, create an encoded file named “intego” with read and write permission.


In a statement, Intego said the reference “is a provocation from the creator of this malware.”

Intego has “certainly never heard of [such naming] on the Mac side,” spokesman Peter James told Cult of Mac.

James said Eastern European malware writers created the Trojan horse, judging by the Web site domains the malicious code contacts. Unlike in the U.S., former Iron Curtain countries don’t have the resources to track down the cyber criminals.

“They’re taunting us because we keep finding these variants. This could be a test” to determine how Intego’s security products identify suspected malware, James said.

The spokesman called Apple’s recent takedown of a tech note advising adoption of antivirus measures “irresponsible on Apple’s part.”

“A tech person wrote the note, and a marketing person quashed it,” James told Cult of Mac. “It’s a typical flip-flop.”

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.

8 responses to “Trojan Horse Targets Anti-Virus Maker Intego”

  1. JohnO says:

    No company has deserved it more.
    The chicken littles of the computer world.

  2. Chris says:

    Eh?

    > The spokesman [for Intego] called Apple’s recent takedown of a tech note
    > advising adoption of antivirus measures “irresponsible on Apple’s part.”

    and

    > Although Windows-based malware is more mature, Intego has “certainly
    > never heard of it on the Mac side,” spokesman Peter James told Cult of Mac.

    Some confusion there, maybe?

  3. Tom says:

    Umm, so what does the “intego” file try to do – how does the trojan work?
    So the user downloads, and then is tricked into installing the contents of the fake Flash images, and file called ‘intego’ is created which has read/write permission on it — then what? How does this then create a security hole?

  4. illhelpyou says:

    –>Tom, the trojan has scripts that allow it to communicate with remote servers from which it downloads more malware