New RSPlug Trojan Horse Variant: New Code, New Theater of Operations

Posted on March 17th, 2009

It seems like it was just yesterday that we wrote about a new variant of the RSPlug Trojan horse. And already there's another: RSPlug.G, which, unlike the last one, no longer calls out Intego, but rather one of our competitors.

What's different with the latest version, though, is the scope of attack. This Trojan horse is no longer limited to porn sites; it is now "available" from dozens of websites that claim to offer cracks and serial numbers for popular software.

Intego has spotted a slew of websites, most of which are linked to each other, that claim to offer downloads of keygens (used on Windows to create serial numbers), cracks (to allow applications to be used), and serial numbers. The disk images that Mac users download have names such as serial.Avid.Xpress.Pro.5.8.dmg. Some of these links also offer similar Trojan horses for Windows users.

When these disk images are mounted and opened, one finds an install.pkg, a package file, which, when double-clicked, opens Apple's Installer application. Installer shows that it is going to install MacCinema - which clearly has nothing to do with cracks or serial numbers.

As always, we advise Mac users to stay away from pirated software and from websites that claim to provide it. Intego VirusBarrier X5 spotted this variant right away using its behavioral analysis, and Intego has updated the program's virus definitions as well. So stay safe; don't look for pirated software and your chances of getting infected are much lower.
