
The Russians are at it again

Mac users, we had a three-month respite. The Russian Zlob gang, which last September lost the servers that were distributing the Mac DNSchanger malware when the corrupt hosting company EST Hosts went dark, is back after Macs again.

Just discovered a server being used to spread Mac malware from

*** WARNING *** WARNING *** WARNING *** This link is live as of the time of this writing. The payload, named get7003.dmg, contains a new version of the Mac DNSchanger, aka OSX.RSplug.A, OSX.RSplugin.A, or OSX/Zlob, computer malware.

The malicious server brakeplayer.net is brand new and is hosted in Latvia, on an ISP called "zlkon.lv".

whois brakeplayer.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Status: ok
Updated Date: 26-dec-2008
Creation Date: 15-dec-2008
Expiration Date: 15-dec-2009
Name servers:

Registrar: Regtime Ltd.
Creation date: 2008-12-15
Expiration date: 2009-12-15

Nikolaj Selivestrov
Email: paul.aspen111@gmail.com
Organization: Private person
Address: ul. kosmonavtov, 132-13
City: Moskva
State: Moskovskaya
ZIP: 129301
Country: RU
Phone: +7.4957854978

I've also noticed an uptick in the number of hacked Web sites hosted by iPower Web lately. As I've talked about extensively here, here, here, and here, iPower is basically a mess. For more than a year now, hackers have been walking all over their servers, planting virus redirectors in sites that are hosted by iPower or their subsidiaries.

For a while, the number of attacks against iPower dropped to next to nothing, and I thought that they'd fixed their security problem. Now I'm not so sure. Now I think that iPower is as compromised as it always has been, but the hackers toned down the attacks when they started getting attention. I can't prove it, but my hunch is that there's a long-standing zero-day exploit in vDeck, iPower Web's home-grown Web control panel software.

I think we're going to be seeing more Mac malware in the near future.
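For a Mac user who wants to check whether a DNS-changing trojan like this one has altered the system resolvers, here is an added example (not code from the original post): a POSIX shell function that compares the nameservers in scutil --dns style output against an allowlist of resolvers you expect. The sample output and the 192.168.1.1 / 203.0.113.45 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag resolver entries that a DNS-changing trojan might have
# planted, by comparing nameservers in scutil-style output with an allowlist.
#
# check_resolvers ALLOWED... < scutil_output
#   prints each unexpected nameserver; returns 1 if any were found, else 0.
check_resolvers() {
    allowed=" $* "
    found=0
    # scutil --dns prints lines such as "  nameserver[0] : 192.168.1.1"
    for ns in $(sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p'); do
        case "$allowed" in
            *" $ns "*) ;;                                  # expected resolver
            *) echo "unexpected resolver: $ns"; found=1 ;; # not on the allowlist
        esac
    done
    return $found
}

# Constructed sample of what a tampered machine's "scutil --dns" might show
# (203.0.113.45 is documentation address space, used here as a placeholder).
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.45
  if_index : 4 (en0)
'

# On a Mac, feed the live resolver list; elsewhere fall back to the sample.
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | check_resolvers 192.168.1.1 && echo "resolvers look as expected"
else
    printf '%s' "$SAMPLE_DNS" | check_resolvers 192.168.1.1 && echo "resolvers look as expected"
fi
```

Replace 192.168.1.1 in the allowlist with the resolver(s) your own router or ISP actually hands out.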


( 9 comments — Leave a comment )
Dec. 28th, 2008 01:59 am (UTC)
Those dickheads from brakeplayer.net added a malware DRM download to this torrent.

Dec. 28th, 2008 02:13 am (UTC)
Good to know -

Thank you for the heads up. Just to clarify, though, you'd have to install this, for the DNSChanger to activate, correct?

Dec. 28th, 2008 02:19 am (UTC)
Fortunately, yes. Unlike the Windows version of this malware, the Mac version requires that you run the installer and then enter your administration password.
Dec. 28th, 2008 02:21 am (UTC)
Mind if I copy/paste this on my Journal?
Dec. 28th, 2008 02:23 am (UTC)
Not at all! :)
(Deleted comment)
Dec. 28th, 2008 03:04 am (UTC)
Claims to be a video CODEC. Shows up on sites that display a fake movie player--sometimes porn, sometimes other stuff--that pops up a bogus error message and drops the .dmg file. Checks the browser user agent; drops an .exe if you're on a Windows machine and the .dmg if you're on a Mac.
Dec. 28th, 2008 04:36 am (UTC)
I'm relatively new to Macs, but I understand not installing dodgy software. Thanks for the info.

Is there anything else to watch out for in the OS-X world, given that we don't fiddle with anti-virus software that much?
Dec. 28th, 2008 04:50 am (UTC)
Right now, this particular bit of malware is the only OS X malware in circulation. Keep an eye out for this one and you're okay. :)
Dec. 28th, 2008 05:23 am (UTC)
I wonder if the timing has anything to do with the number of brand new computers going online in the last few days.
I have noticed the usual post xmas surge of spam.