New variant of the Mac Jahlav Trojan
I found a new Mac Trojan this morning being served from the following domains:
simplexdoom.com
paxxtiger.com
detailedus.com
At the time of submission, only 3 vendors on VirusTotal detect it: F-Secure, Kaspersky and Sophos.
I am part of the Mac_Exchange list so I will share this one with them as well as our regular partners.
Jerome Segura
Malware ID: f7c4e75ee56bdac710675daa5fd9ed0d.zip
UPDATE:
S!Ri commented on that post, and he makes some fair points:
This is not new. DNS.Changer is old.
On Windows systems, the creators are using a Nullsoft installer + stubs. It's just a shell used to bypass virus control. That is why all antivirus products are late: they have to find a new signature each time. Once they have one, it's too late; there is a new domain and the shell has changed again…
Try to unpack the Nullsoft packer to get the infection:
http://www.virustotal.com/analisis/1…cfd-1248123897
http://www.threatexpert.com/report.a…2720d8d387b723
The MacOS dropper is also using this kind of shell trick. Don't try to use a hash to identify the infection; some bits are modified on the server. You'll get a new hash. VirusTotal won't find the hash in the database and will submit it to its scanner test, making you think the file is new…
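The hash problem S!Ri describes can be shown in a few lines. The example below is added here and is not part of the original post, of S!Ri's comment, or of any real sample; the payload is an inert, constructed stand-in, and it is an assumption that the per-download modification sits in the zip's archive comment (plus, for the third download, a short tag inside the payload). It shows three views of the "same" dropper across downloads: the container MD5 changes every time, hashing the decompressed members survives container-only changes, and a crude byte n-gram Jaccard similarity (a stand-in for a fuzzy hash such as ssdeep) stays high when only a handful of payload bytes differ.

```python
import hashlib
import io
import zipfile

# Constructed, inert stand-in for the dropper's payload. It is NOT the real
# Jahlav script; it exists only so the archive has something to carry.
PAYLOAD_A = (
    b"#!/bin/sh\n"
    b"# constructed stand-in payload, does nothing\n"
    b"echo 'placeholder for the dropper script'\n"
    b"# build 0001\n"
)
# Second payload in which the server also touched a few bytes
# (assumption: only a short build tag differs between downloads).
PAYLOAD_B = PAYLOAD_A.replace(b"# build 0001", b"# build 0002")


def build_download(payload: bytes, mutable_tag: bytes) -> bytes:
    """Build one 'download' of the dropper zip.

    Assumption: the per-download modification lives in the archive comment,
    which changes the file hash without touching the member data. A fixed
    timestamp keeps everything else byte-identical between builds.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("install.sh", date_time=(2009, 7, 21, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
        zf.comment = mutable_tag
    return buf.getvalue()


def md5_hex(data: bytes) -> str:
    """The hash a VirusTotal lookup would be keyed on."""
    return hashlib.md5(data).hexdigest()


def member_sha256(archive: bytes) -> dict:
    """Hash each member's decompressed bytes instead of the container."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets: a crude fuzzy hash that stays
    high when only a handful of bytes differ and drops to 0 for unrelated data."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not grams_a and not grams_b:
        return 1.0
    return len(grams_a & grams_b) / len(grams_a | grams_b)


def compare_downloads() -> dict:
    """Compare the same infection as seen across three constructed downloads."""
    dl1 = build_download(PAYLOAD_A, b"dl-0001")
    dl2 = build_download(PAYLOAD_A, b"dl-0002")  # same payload, new container bits
    return {
        # Whole-file hash: differs although nothing but the comment changed.
        "container_md5_matches": md5_hex(dl1) == md5_hex(dl2),
        # Member hash: identical, so it still identifies the payload.
        "member_sha256_matches": member_sha256(dl1) == member_sha256(dl2),
        # Payload also tweaked: exact hashes break, similarity stays high.
        "payload_similarity": ngram_similarity(PAYLOAD_A, PAYLOAD_B),
        # Sanity check that similarity is not high for arbitrary data.
        "unrelated_similarity": ngram_similarity(PAYLOAD_A, b"\x00" * 64),
    }


if __name__ == "__main__":
    for key, value in compare_downloads().items():
        print(f"{key}: {value}")
```

In practice the equivalent check is to unpack the archive (or the installer shell S!Ri mentions) and hash or fuzzy-hash what is inside, then pivot on the contacted domains and the dropped script rather than on the hash of the download itself.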