Last December, we reported on a variant of the RSPlug Trojan horse that was taunting Intego through certain bits of code and the name of a file it created. Well, the hackers are at it again. A new variant of this Trojan horse – RSPlug.F – is running wild, with a large number of versions being found on web sites. This time, the “installer” is called MacCinema, and, like the December model, it is again taunting Intego. This time, it contains the following code:
niagasekirtsogetni 666 nigeb
If you look in a mirror, you can see that it says “begin 666 IntegoStrikesAgain”. This is the header line of a uuencoded block: it tells the system to create a file with read and write permissions (the 666 is a shortcut for Unix permissions, not anything to do with the “number of the beast”) and to write the malicious code into a file named “integostrikesagain”. The code is stored backwards in the Trojan horse, which simply reads it in reverse before executing it. It seems that the hackers must have thought that Intego’s researchers would be fooled by backwards code. Well, VirusBarrier X5’s behavioral analysis spotted it right away. Better luck next time, guys…
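To show how little the mirror trick actually hides, here is an added example (not Intego’s code and not taken from the Trojan) that reproduces the backwards-uuencode layout with a harmless constructed payload and then detects and decodes it the way an analysis tool would: reverse the text, look for a `begin <mode> <name>` header, read off the permission mode and file name, and decode the body. The payload, file name and helper names are assumptions made for the demonstration.

```python
import binascii
import re
import stat

# uuencode header: "begin <octal mode> <file name>", as quoted (mirrored) in the post.
UU_HEADER = re.compile(r"^begin (?P<mode>[0-7]{3,4}) (?P<name>\S+)$", re.MULTILINE)


def build_reversed_uu(payload: bytes, name: str, mode: str = "666") -> str:
    """Constructed helper: uuencode a payload and reverse the whole text,
    reproducing the backwards layout described in the post."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(payload), 45):  # uuencode lines carry at most 45 bytes
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")  # zero-length terminator line
    lines.append("end")
    return ("\n".join(lines) + "\n")[::-1]


def find_reversed_uu_headers(blob: str) -> list[tuple[str, str]]:
    """Detection check: mirror the text and report every uuencode header,
    returning (mode, file name) pairs. Works on the bare header from the post."""
    mirrored = blob[::-1]
    return [(m.group("mode"), m.group("name")) for m in UU_HEADER.finditer(mirrored)]


def mode_to_rwx(mode: str) -> str:
    """Render an octal mode such as '666' as 'rw-rw-rw-'."""
    return stat.filemode(stat.S_IFREG | int(mode, 8))[1:]


def decode_reversed_uu(blob: str) -> tuple[str, str, bytes]:
    """Mirror the blob, parse the header and decode the uuencoded body.
    Returns (mode, file name, decoded bytes) so an analyst can inspect the
    dropped file without ever executing it."""
    mirrored = blob[::-1]
    m = UU_HEADER.search(mirrored)
    if m is None:
        raise ValueError("no uuencode header found in mirrored text")
    body = []
    for line in mirrored[m.end():].splitlines():
        if line == "end":
            break
        if not line or line == "`":
            continue
        body.append(binascii.a2b_uu(line))
    return m.group("mode"), m.group("name"), b"".join(body)


if __name__ == "__main__":
    # The exact string quoted in the post.
    print(find_reversed_uu_headers("niagasekirtsogetni 666 nigeb"))
    # A constructed, harmless payload wrapped the same way.
    blob = build_reversed_uu(b"hello, world\n", "integostrikesagain")
    mode, name, data = decode_reversed_uu(blob)
    print(name, mode_to_rwx(mode), data)
```

Reversing the text changes nothing about its structure, so the same header regex that matches a plain uuencode block matches the mirrored one after a single `[::-1]`; scanning both orientations is a cheap way to catch this class of obfuscation.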