Intego’s Virus Monitoring Center has found a new variant of the RSPlug Trojan horse, the first one in more than a month, which we are calling OSX/RSPLug.K. The differences between this and previous versions of the RSPlug Trojan are minor, but there’s a major new twist. This new variant has been spotted on sites offering game downloads.
Previous versions have mostly been found on porn and warez (pirated software) sites, leading some commentators to say that only users involved in illegal activities are likely to get infected. (We’ll skip the argument about whether or not pornography is illegal…) This time, however, users going to web sites that provide game downloads end up downloading an installer that gives them a serious Trojan horse. While some of these games are intended to be pirated copies of low-priced commercial games, others are often found on web sites for free for on-line play.
Clicking a link to go to a game takes the visitor to a page with a download link:
This leads to a download of a disk image whose name contains the name of the game downloaded:
Intego VirusBarrier X5, with the current virus definitions, spotted this variant right away; our proactive analysis allows us to spot a number of characteristics of this Trojan horse easily.
Note that Intego has also spotted this variant on some MP3 blogs, sites that provide pirated music for download; or at least claim to. They actually provide Trojan horses saying they are download utilities. We recommend that Mac users download software only from trusted sites. The spread of this Trojan horse is such that more and more sites will be providing it instead of real software, and it may become increasingly easy to get fooled.