VRT: Fun with Shell Scripts and OS X
Recently, more malware targeting OS X has been released. This is exciting stuff, and one such sample is RSPlug. The overall premise of RSPlug’s operation isn’t very sexy, as in the end it’s just a malicious script that an unsuspecting user is tricked into running on their computer. There is no exploit or internal propagation. For the curious, the end result, for the version being analyzed in this post, is that DNS entries are overwritten with the presumed intent to perform redirects and/or man-in-the-middle attacks against victims. That said, what we are more interested in here is some of the fairly cool script fu that is used to obfuscate the scripts.