Just discovered a server being used to spread Mac malware from
*** WARNING *** WARNING *** WARNING *** This link is live as of the time of this writing. The payload, named get7003.dmg, contains a new version of the Mac DNSchanger, aka OSX.RSplug.A, OSX.RSplugin.A, or OSX/Zlob, computer malware.
The malicious server brakeplayer.net is brand new and is hosted in Latvia, on an ISP called "zlkon.lv".
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BRAKEPLAYER.NET
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.BRAKEPLAYER.NET
Name Server: NS2.BRAKEPLAYER.NET
Updated Date: 26-dec-2008
Creation Date: 15-dec-2008
Expiration Date: 15-dec-2009
Registrar: Regtime Ltd.
Creation date: 2008-12-15
Expiration date: 2009-12-15
Organization: Private person
Address: ul. kosmonavtov, 132-13
I've also noticed an uptick in the number of hacked Web sites hosted by iPower Web lately. As I've talked about extensively here, here, here, and here, iPower is basically a mess. For more than a year now, hackers have been walking all over their servers, planting virus redirectors in sites that are hosted by iPower or their subsidiaries.
For a while, the number of attacks against iPower dropped to next to nothing, and I thought that they'd fixed their security problem. Now, Im not so sure--now, I think that iPower is as compromised as it always has been, but the hackers toned down the attacks when they started getting attention. Can't prove it, but my hunch is there's a long-standing zero-day exploit in vDeck, iPower Web's home-grown Web control panel software.
I think we're going to be seeing more Mac malware in the near future.