Archive for January, 2008

Pay-Per-Install A Malware Retail Business

Organized cyber-criminals have introduced a new retail business: Pay-Per-Install. The business primarily entices webmasters to join the gang and promises to pay $350 for every 1,000 installs.

Like any other business, there is always competition. Another pay-per-install retailer claims to be the best partner.

The deal works like this: you have to register or sign up for an account. They then reply with your login credentials and a link to your installer. The email looks like this:

Hey John,

Thank you for registering TheInstalls Affiliate program.
We are doing our best to help you make more money with us.
You can start right away, everything is ready!

Below your login details and URL for EXE:
URL to login:
Login: john
Password: w5yJY6fSgp
EXE (exe generation will take about 30-40 mins):

Remember we offer payments on request for webmasters making more than 10000 installs per day. No shave, no hold, no bullshits, just a lot of MONEY 🙂

Have a nice day, Dear Partner!
— TheInstalls team

**Please note that names and passwords were modified to prevent accidental installation of the malware.**

After logging in to the account, they introduce affiliate bundling promo tools that are meant to maximize your profit.

This business is a “one stop shop” of malware that includes backdoors, trojans, spyware and worms. The webmaster only needs to install this tool and they serve everything: sites, content and all other affiliated binaries. Scary!

From then on, the webmaster whose websites serve this pest just needs to log in to his account to check and monitor the count of installs and earnings.

Counting malware infection is now a $$ business!

These binaries are not yet detected by most security software. VirusTotal returned 20% detection out of 32 scanners, and searching for the keyword “pay-per-install” in Google gives you 20,000 results. There must be a serious business out there.

As of this writing, this business carries binaries that work only on the Windows platform. But remember, it is possible that this pest will also include a binary for Mac, just as the Zlob codec crossed over and produced Trojan DNSChanger.

Snoop, Sneak, Sniff

Mac users are more likely to be affected by tracking threats than by malware.

Why? Let’s start by defining what a tracking threat is.

Tracking threats are software or applications that snoop on a user’s activity, sneak passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and such tools are widely available over the internet.

This type of software is also classified as grayware. Grayware is not considered malware and is not even dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it definitely poses a threat to the user and to other people as well.

Let’s take a look at LogKext.

Downloaded file: (107,080 bytes)

LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.

LogKext.pkg is the installer that contains eight different packages. During installation, the user is required to enter the administrator or root password to authenticate.

Below are the packages and their descriptions.

logkextclient.pkg – This package contains logKextClient, a Mac universal binary. This is the interactive client of LogKext; it also manages the output logfile, encryption controls and daemon preferences.

logkextdaemon.pkg – This package contains logKextDaemon, a Mac universal binary. This daemon runs in the background and manages the keylogging activity.

logkextkeymap.pkg – This package contains the property list file logKextKeymap.plist. The list maps identifiable keys such as numbers, letters (upper and lower case) and other characters.

logkextkeygen.pkg – This package contains logKextKeyGen, a Mac universal binary. This binary is responsible for recording or logging typed keyboard input.

Logkext-1.pkg – This package contains another package named LogKext.kext, which contains the binary LogKext. LogKext is the main program responsible for intercepting keyboard events using the IOHIDSystem and IOHIKeyboard classes in the kernel.

logkextReadme.pkg – This package contains LogKext Readme.html, which includes the install and uninstall guide, release notes and frequently asked questions.

logkextuninstall.pkg – This package contains LogKextUninstall.command, a terminal shell script that stops logKext from running and removes its related files.

The packages were installed in this order:


The following files were created:

LogKext Readme.html
/Library/Application Support/logKext/logKextDaemon
/Library/Application Support/logKext/logKextKeyGen
/Library/Application Support/logKext/logKextKeymap.plist

This program can monitor and record the user’s keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.
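A host check for the LogKext indicators listed above, as an added example (not code from the page or from the LogKext project): it parses kextstat-style output and a list of existing paths. The sample kextstat output is constructed, and the logKext bundle identifier in it is an assumption, not something the page gives.

```python
import os
import re
import subprocess
from typing import Dict, Iterable, List

# Files the installer creates, taken from the list above.
LOGKEXT_FILES = [
    "/Library/Application Support/logKext/logKextDaemon",
    "/Library/Application Support/logKext/logKextKeyGen",
    "/Library/Application Support/logKext/logKextKeymap.plist",
]

# kextstat columns: Index Refs Address Size Wired Name (Version) <Linked Against>
KEXTSTAT_LINE = re.compile(r"^\s*\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\(([^)]*)\)")

def loaded_kexts_matching(kextstat_output: str, needle: str = "logkext") -> List[str]:
    """Return 'bundle-id (version)' for every loaded kext whose name contains needle."""
    hits = []
    for line in kextstat_output.splitlines():
        m = KEXTSTAT_LINE.match(line)
        if m and needle in m.group(1).lower():
            hits.append(f"{m.group(1)} ({m.group(2)})")
    return hits

def dropped_files_present(existing_paths: Iterable[str]) -> List[str]:
    """Return the LogKext support files that exist among existing_paths."""
    present = set(existing_paths)
    return [p for p in LOGKEXT_FILES if p in present]

def assess(kextstat_output: str, existing_paths: Iterable[str]) -> Dict:
    """Combine both signals: a loaded kext is worse than leftover files alone."""
    kexts = loaded_kexts_matching(kextstat_output)
    files = dropped_files_present(existing_paths)
    verdict = "kext loaded" if kexts else ("files present" if files else "clean")
    return {"verdict": verdict, "kexts": kexts, "files": files}

def assess_live_host() -> Dict:
    """Run the same checks on this machine (Mac OS X only)."""
    out = subprocess.run(["kextstat"], capture_output=True, text=True).stdout
    return assess(out, [p for p in LOGKEXT_FILES if os.path.exists(p)])

# Constructed sample kextstat output; the logKext bundle id is assumed.
SAMPLE_KEXTSTAT = """Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (9.2.0)
   97    0 0x5a6b7000 0x5000     0x4000     com.example.logKext (2.3) <6 5 4 2>
"""
```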

So, imagine if this piece of software went into the wrong hands?

It is even scarier when you think you have downloaded and installed a clean application, but undocumented, hidden or unexplainable features could be working in the background.

Let’s take a look at Keylogger X.

Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)

Inside this image are the following files:

Disclaimer.rtf – This document informs the user that “You are held responsible for your actions”. Check the full disclaimer here.

Keylogger X – This is the binary, in Preferred Executable Format (PEF); the file signature starts with “Joy!peffpwpc”.

Read Me.rtf – This document describes the program as follows: “Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called “User Preferences”.”

OK, let’s run and check this program. Oops, there’s nothing on your screen, and you cannot even find a “User Preferences” folder. Where is it? Nobody knows!

Is it running in the background?

Upon checking the code, this program imports 3 containers with over 900 imported symbols, including multimedia and networking. In the data section you will find more interesting strings.
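A PEF container parser, as an added example (not code from the page or from the Keylogger X author), covering both the “Joy!peff” signature check above and the import counts: it reads the 40-byte container header, the 28-byte section headers and the loader section header, whose importedLibraryCount and totalImportedSymbolCount fields are where the “3 containers / 900 symbols” figures come from. The sample container built by build_sample_pef is constructed for this example.

```python
import struct
from typing import Dict

# PEF (Preferred Executable Format) layouts, big-endian, per Apple's MRA spec.
CONTAINER_FMT = ">4s4s4sIIIIIHHI"   # 40-byte container header
SECTION_FMT = ">iIIIIIBBBB"         # 28-byte section header
LOADER_FMT = ">iIiIiIIIIIIIII"      # 56-byte loader section header
SECTION_KINDS = {0: "code", 1: "unpacked data", 2: "pattern data", 3: "constant",
                 4: "loader", 5: "debug", 6: "executable data", 7: "exception",
                 8: "traceback"}

def parse_pef(data: bytes) -> Dict:
    """Identify a PEF container and report architecture, sections and import counts."""
    if len(data) < 40 or data[:8] != b"Joy!peff":   # the signature quoted above
        raise ValueError("not a PEF container")
    hdr = struct.unpack_from(CONTAINER_FMT, data, 0)
    arch, fmt_ver, sec_count = hdr[2], hdr[3], hdr[8]
    info = {"architecture": arch.decode("ascii"), "format_version": fmt_ver,
            "sections": [], "imported_libraries": None, "imported_symbols": None}
    for i in range(sec_count):
        sh = struct.unpack_from(SECTION_FMT, data, 40 + 28 * i)
        kind, offset = sh[6], sh[5]
        info["sections"].append(SECTION_KINDS.get(kind, f"unknown({kind})"))
        if kind == 4:                     # loader section holds the import tables
            lh = struct.unpack_from(LOADER_FMT, data, offset)
            info["imported_libraries"] = lh[6]   # importedLibraryCount
            info["imported_symbols"] = lh[7]     # totalImportedSymbolCount
    return info

def build_sample_pef(libs: int = 3, symbols: int = 912) -> bytes:
    """Constructed minimal PowerPC PEF: one code section and one loader section."""
    n = 2
    loader_off = 40 + 28 * n          # loader header follows the section headers
    code_off = loader_off + 56        # code bytes follow the loader header
    container = struct.pack(CONTAINER_FMT, b"Joy!", b"peff", b"pwpc",
                            1, 0, 0, 0, 0, n, n, 0)
    sec_code = struct.pack(SECTION_FMT, -1, 0, 4, 4, 4, code_off, 0, 1, 4, 0)
    sec_loader = struct.pack(SECTION_FMT, -1, 0, 56, 56, 56, loader_off, 4, 4, 2, 0)
    loader_hdr = struct.pack(LOADER_FMT, 0, 0, -1, 0, -1, 0, libs, symbols,
                             0, 56, 56, 56, 0, 0)
    return container + sec_code + sec_loader + loader_hdr + b"\x60\x00\x00\x00"
```

Point parse_pef at the bytes of a real file to get the same report; a Mach-O or fat binary is rejected at the signature check.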

Congratulations! You just installed a “more efficient keylogger”.

The behavior of this program is not acceptable and is an absolutely real threat to users.

Let’s Go Retro with Macro

Macro viruses started in the late 1990s and have never stopped since. There are thousands of threats found in MS Office for Windows, living in documents from Word, Excel, PowerPoint, Access, Visio and Project. The impact of these threats varies from very destructive behaviour, like deleting files, to annoying scary jokes.
Although these threats are not as aggressive today as they were 10 years ago, they still exist. It is important to understand the possibility that one day this threat may affect Mac users as well.

What is a Macro?

It is a symbol, name or key that represents a list of commands, actions or keystrokes. It is used to automate repetitive tasks. It is commonly seen in documents like Word, Excel, PowerPoint and even Outlook.

How is a Macro created?

There are two ways:

(1) Macro Recorder

The macro recorder can create simple macros by recording the user’s actions or keystrokes and associating them with a shortcut key. The user can then easily play back the recorded macro as often as needed.

For example, I want to display the words “Useful Macro” in a Word document whenever I type the shortcut key Control+R. This can be done by simply recording it. Check the screenshot here.

By default this is stored in , which means the recorded macro works in every single document opened.

(2) Visual Basic Editor (VBE)

Advanced macros use Visual Basic for Applications programming.

For further reading, try your favorite search engine with the following keywords: VBA, Visual Basic for Applications programming, Macros with VBE.

What makes a Macro a threat?

Old macro viruses use commands such as AutoExec, AutoNew, AutoOpen, AutoClose and AutoExit. These are auto macros, which have the ability to execute automatically. However, recent malicious documents are not limited to these commands.
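A triage check for the auto macros named above, as an added example (not code from the page): given VBA source text, as shown in the Visual Basic Editor, it lists the procedures, flags the auto-executing names, and notes calls that deserve a second look next to them. The two VBA samples are constructed; the recorded one mirrors the “Useful Macro” example, the other uses a placeholder program name and does nothing when run here.

```python
import re
from typing import Dict

# Auto macros named above, plus the event-handler names later documents use.
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit",
               "document_open", "document_close", "workbook_open",
               "auto_open", "auto_close"}
# Calls worth a second look when they sit inside an auto macro.
SUSPICIOUS_CALLS = ["Shell", "Kill", "CreateObject", "MacScript", "Environ",
                    "FileCopy", "SendKeys"]
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)

def strip_comments(source: str) -> str:
    """Drop VBA line comments (') so commented-out names are not counted.
    Triage-grade: an apostrophe inside a string literal also truncates the line."""
    return "\n".join(line.split("'", 1)[0] for line in source.splitlines())

def triage_vba(source: str) -> Dict:
    """Report procedures, auto macros and suspicious calls with a one-line verdict."""
    code = strip_comments(source)
    procs = PROC_RE.findall(code)
    auto = [p for p in procs if p.lower() in AUTO_MACROS]
    calls = [c for c in SUSPICIOUS_CALLS
             if re.search(rf"\b{c}\b", code, re.IGNORECASE)]
    if auto and calls:
        verdict = "auto-executing with suspicious calls"
    elif auto:
        verdict = "auto-executing"
    else:
        verdict = "no auto macro"
    return {"procedures": procs, "auto_macros": auto,
            "suspicious_calls": calls, "verdict": verdict}

# Constructed sample: what the recorder produces for the "Useful Macro" example.
SAMPLE_RECORDED = '''Sub UsefulMacro()
' Macro recorded to insert the words "Useful Macro" (bound to Control+R)
    Selection.TypeText Text:="Useful Macro"
End Sub
'''
# Constructed sample in the old auto-macro style (placeholder names, inert here).
SAMPLE_AUTO = '''Private Sub AutoOpen()
    Shell "placeholder.exe", vbHide
    Kill "C:\\placeholder.doc"
End Sub
'''
```

To get the VBA source out of a document without opening it in Office, extract it first with a tool such as olevba from oletools and feed the text to triage_vba.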

How would you know if the document has macros?

MS Office displays the warning below if the document you are trying to open has macros.
You can simply “Disable Macros” and continue working with the document.

By default, the MS Office macro security setting is enabled. You can manually turn this setting on and off from the Application menu by clicking Preferences and then Security, or by pressing the shortcut key “Command+,”.

You can also view the macro code in the Visual Basic Editor by pressing “Alt+F11”.

Below are screenshots of real malicious macros in Word, Excel and PowerPoint.

Obviously, these malicious macros work on Windows, but imagine if those codes were meant to work on Mac.

In summary, malicious macros are cross-platform threats. They could work on and damage both Mac and Windows PCs. Awareness of these threats is very important in protecting our daily computing lives.

A Deeper Look On MacSweeper

Do you think MacSweeper is not a rogue application? OK, let’s take a deeper look and see what it does.

File sizes:

MacSweeperSetup.dmg – 1.5 MB (1,600,201 bytes)
(second file) – 2.6 MB (2,563,303 bytes)


Like other rogue applications, MacSweeper uses a deceptive sales and marketing technique to get onto users’ systems. It does not have the capability to propagate or spread by itself; instead it arrives as an ad that redirects users to this bogus webpage.

Behind this page is a SWF Flash file and JavaScript that records traffic and clicks.

After the fake scanning process, this bogus website displays an Alert box.

The buttons “Ignore” and “Remove” are useless, since it continues to display another message box, and this time the user has no option but to click “OK”. Check the screenshot here.

Clicking “OK” triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application –

MacSweeper does not require the root admin password to execute, and it remains in the Downloads folder unless the user manually drags it to another location.


Lookup information of A NS NS

The screenshot shows that , , and share the same name server IP address.

Cleanator is a rogue application that works on the Windows platform.

Behaviour & Analysis

Most of the files inside are image files (in PNG format). Let’s check the other files…

PkgInfo contains the string “APPL????”.

Database.plist contains 6,390 cookie entries that look like this:


TODO.txt contains a list of things to do, including its current limitations, bugs and features. The interesting entry in this text file is this:

“18. When update in process arert of new version can come, and fuck everithing”

You may check the complete list here.

Info.plist contains the following strings:

Identifier: com.KIVViSoftware.MacSweeper
Package Type: APPL
Executable: MacSweeper

The file MacSweeper inside the MacOS folder is a universal binary, which means it can run on both PPC and x86.

From the screenshot above, you would think that this application has scanned for unwanted files on your system. However, in the background MacSweeper executes the following shell commands:

find "%@" ! -empty -and -type f > /private/tmp/com.MacSweeper.found.tmp;
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;

lipo "%@" -thin %@ -output "%@.lipo" && mv -f "%@.lipo" "%@";

During the scanning process, it drops the following temporary files:


It then uses these files to display the scan result. This application does not scan for unwanted files; instead it gives you a list of legitimate files installed on your system.

And it does not end here: a few minutes after displaying the scan result, it displays a nagging screen as shown below:

What! A privacy violation with your own legitimate files? Absolutely not right.

From the code, this application unlocks more features and displays the message below once the user inputs a valid serial code.

Thank You! You made me a bit hapier 🙂

Definitely, this application is not just rogue but also junkware.

QuickTime 7.4 Fixes Multiple Vulnerabilities

Apple recently released QuickTime 7.4, which includes fixes for multiple vulnerabilities. This new version addresses four issues that affect Mac OS X 10.2.9 or later, Windows Vista and Windows XP SP2.

The vulnerabilities addressed include the following:

(1) Memory corruption in QuickTime’s handling of Sorenson 3 video files.

(2) Memory corruption in QuickTime’s handling of Macintosh Resource records in movie files.

(3) Memory corruption in QuickTime’s parsing of Image Descriptor (IDSC) atoms.

(4) Buffer overflow in processing a compressed PICT image.

However, the recently found buffer overflow in QuickTime’s RTSP response handling still remains unpatched.

Thus, QuickTime users are advised not to play streaming media that uses the RTSP protocol (rtsp://) until a fix is made available.


Zero Day Exploit: MS Excel Allows Remote Code Execution

There is a zero-day flaw in Microsoft Excel, and this vulnerability affects the following versions:

Microsoft Office Excel 2003 Service Pack 2
Microsoft Office Excel Viewer 2003
Microsoft Office Excel 2002
Microsoft Office Excel 2000
Microsoft Excel 2004 for Mac

What causes this threat?

When a user opens a specially crafted Excel file with malformed header information, the system encounters an unspecified error, which can be exploited by malicious users and could lead to the execution of arbitrary code.

According to Microsoft, there are active attacks currently exploiting this vulnerability. Thus, users are advised not to open untrusted Excel files.

MacSweeper: First Rogue Application on Mac

Beware! The first rogue application on the Mac is here.

This rogue application displays fake information, pretending that it is scanning the user’s system. It then displays a fake Alert showing that bad cookies and files were detected.

Once the user clicks “Remove”, it downloads MacSweeperSetup.dmg and installs – the rogue application.

There are two images or looks that link to this rogue application.

(1) The screenshot shown above is the image displayed when you visit this URL:

(2) The screenshot shown below is the image displayed when you are linked or redirected (e.g. you have been linked from Google) to this URL:

*** This links to a rogue site; use at your own risk! ***

As of this writing, no security scanner detects it.

MacSweeper does not need the root admin password to execute. In fact, it is just a portable application and no installation is required. Here’s the screenshot below: