As Numaan points out on the SophosLabs blog, a “new” Trojan horse for the Apple Mac OS X operating system has been discussed in the security community for the last few days.
For instance:
- Trend Micro: New Malware Threatens Mac Users
- Intego: Intego Issues Security Memo about New Variant of RSPlug Trojan Horse
- SecuriTeam: OS X malware family has a new member: OSX.Lamzev.A
The Trojan horse is closely related to the OSX/RSPlug Trojan horse for Mac OS X that we have seen being distributed in the wild since November 2007.
As with RSPlug, this most recent Trojan horse is being spread in an unoriginal way. Joe User visits a website expecting to see a video of something pornographic, but is told that they have to install a ‘missing Video ActiveX object’ before it can be viewed. The downloaded software, however, is in reality a piece of Mac OS X malware.
Of course, Apple Mac malware is still relatively unusual compared to the thousands of new Windows-based samples we see every day – so it’s not a surprise to see people talking about this. But what did surprise us in the labs was that this “new” piece of Apple Mac malware was... err... news.
Sophos has been detecting this malware for customers as Troj/RKOSX-A since 29 August 2008.
Following all the new interest, we’re going to have to go back to our analysis and add “Lamzev” as an alias in case our customers are searching for it. It’s a shame the other vendors didn’t scan the file with our Mac anti-virus product before deciding on their own name for this “new” piece of malware.
Correction: Read my correction to this story.