Like any other business, there is always competition. Another pay-per-install retailer claims to be the best partner.
So the webmasters whose websites serve this pest only need to log in to their accounts to check and monitor the count of installs and earnings.
At the moment, this business carries binaries that work only on the Windows platform. But remember, it is possible that this pest will also include a binary for Mac, just as the Zlob codec crossed over and produced Trojan DNSChanger.
Mac users are more likely affected by tracking threats than malware.
Why? Let’s start by defining what a tracking threat is.
Tracking threats are software or applications that snoop on a user’s activity, steal passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and such tools are widely available over the internet.
This type of software is also classified as grayware. Grayware is not considered malware and is not even dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it definitely poses a threat to the user and to other people as well.
LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.
Below are the packages and their descriptions.
logkextdaemon.pkg – This package contains logKextDaemon, which is in Mac universal binary format. This binary is a daemon that runs in the background and manages the keylogging activity.
logkextkeymap.pkg – This package contains a property list file, logKextKeymap.plist. The list includes identifiable keys such as numbers, letters (upper and lower case) and characters.
Logkext-1.pkg – This package contains another package named LogKext.kext, which contains the binary file LogKext. LogKext is the main program responsible for intercepting keyboard events using the IOHIDSystem and IOHIKeyboard classes in the kernel.
logkextReadme.pkg – This package contains LogKext Readme.html, which includes an install and uninstall guide, release notes and frequently asked questions.
logkextuninstall.pkg – This package contains LogKextUninstall.command, which is a terminal shell script that stops logKext from running and removes its related files.
The packages were installed in this order:
The following files were created:
This program can monitor and record a user’s keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.
So, imagine if this piece of software went into the wrong hands?
It is even scarier when you think you have downloaded and installed a clean application, but, with undocumented details, there are more hidden or unexplained features that could be working in the background.
Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)
Inside this image are the following files:
Disclaimer.rtf – This document informs the user that “You are held responsible for your actions”. Check the full disclaimer here.
Keylogger X – This is the binary file in Preferred Executable Format (its signature starts with “Joy!peffpwpc”).
Read Me.rtf – This document describes the program as follows: “Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called “User Preferences”.”
OK, let’s run and check this program. Oops, there’s nothing on your screen, and you cannot even find the “User Preferences” folder. Where is it? Nobody knows!
Is it running in the background?
The behavior of this program is not acceptable and is an absolutely real threat to users.
What is a Macro?
How is a Macro created?
There are two ways:
For example, I want to display the words “Useful Macro” in a Word document whenever I type the shortcut key Control+R. This can be done simply by recording it. Check the screenshot here.
By default this is stored in Normal.dot, which means the recorded macro works in every document opened.
Advanced macros use Visual Basic for Applications programming.
For further discussion, you can check your favorite search engine with the following keywords: VBA, Visual Basic for Applications programming, Macros with VBE
What makes a Macro a threat?
How would you know if a document has macros?
Below are screenshots of real malicious macros in Word, Excel and PowerPoint.
In summary, malicious macros are cross-platform threats. They can work on and damage both Mac and Windows PCs. Awareness of these threats is very important in protecting our daily computing lives.
Do you think MacSweeper is not a rogue application? OK, let’s take a deeper look and see what it does.
MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes)
MacSweeper.app 2.6 MB (2,563,303 bytes)
Clicking “Ok” triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application, MacSweeper.app.
MacSweeper does not require the root/admin password to execute, and it remains in the Download folder unless the user manually drags it to another location.
Lookup information of http://www.macsweeper.com:
Cleanator is a rogue application that works on the Windows platform.
Behaviour & Analysis
Most of the files inside MacSweeper.app are image files (in PNG format). Let’s check the other files …
Database.plist contains 6390 cookie entries that look like this:
TODO.txt contains a list of things to do, including its current limitations, bugs and features. An interesting item from this text file is this:
“18. When update in process arert of new version can come, and fuck everithing”
You may check the complete list here.
Info.plist contains the following strings:
Package Type: APPL
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;
lipo "%@" -thin %@ -output "%@.lipo" && mv -f "%@.lipo" "%@";
During the scanning process, it drops the following temporary files:
It then uses these files to display the scan result. This application does not scan for unwanted files; instead it gives you a list of legitimate items installed on your system.
And it does not end here: a few minutes after displaying the scan result, it displays a nagging screen as shown below:
From the code, this application unlocks more features and displays the message below once the user inputs a valid serial code.
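To show what the “scan” in those strings actually reports, here is an added example (not MacSweeper’s code and not from the original post) that parses the fat Mach-O header that `file` labels “universal binary” and that `lipo -thin` reduces to a single slice; the header bytes and the small CPU type table are constructed for the demo.

```python
import struct

# Fat (universal) Mach-O header: big-endian magic and slice count, then one
# fat_arch record (cputype, cpusubtype, offset, size, align) per slice.
FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_NAMES = {7: "i386", 18: "ppc", 0x01000007: "x86_64", 0x0100000C: "arm64"}

def universal_archs(data: bytes):
    """Return the architecture names in a fat Mach-O header, or [] when the
    bytes are not a universal binary. This is the information `file` labels
    'Mach-O universal binary' and that `lipo -thin` reduces to one slice."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    # Java class files share the 0xCAFEBABE magic; there the second word is
    # minor/major version (e.g. 50 for Java 6), far above any real slice count.
    if magic != FAT_MAGIC or nfat == 0 or nfat > 32:
        return []
    archs = []
    for i in range(nfat):
        off = 8 + i * 20
        if off + 20 > len(data):
            return []  # truncated header: do not trust partial records
        cputype, _sub, offset, size, _align = struct.unpack(">IIIII", data[off:off + 20])
        if offset + size > len(data):
            return []  # slice would lie outside the file: malformed
        archs.append(CPU_TYPE_NAMES.get(cputype, hex(cputype)))
    return archs

def build_fat(cputypes):
    """Constructed fat binary with 4-byte dummy slices, for the demo only."""
    body_start = 8 + 20 * len(cputypes)
    records, body = b"", b""
    for cputype in cputypes:
        records += struct.pack(">IIIII", cputype, 0, body_start + len(body), 4, 0)
        body += b"\x00" * 4
    return struct.pack(">II", FAT_MAGIC, len(cputypes)) + records + body

# Constructed samples: a ppc+i386 universal binary typical of 2008-era Macs,
# and the first bytes of a Java 6 class file, which must not be mistaken for one.
SAMPLE_UNIVERSAL = build_fat([18, 7])
SAMPLE_JAVA_CLASS = struct.pack(">IHH", FAT_MAGIC, 0, 50) + b"\x00" * 8

if __name__ == "__main__":
    print(universal_archs(SAMPLE_UNIVERSAL))   # ['ppc', 'i386']
    print(universal_archs(SAMPLE_JAVA_CLASS))  # []
```

Run against a real application bundle, every hit is simply a legitimate universal binary, which is all the rogue’s “scan result” ever lists.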
Thank You! You made me a bit hapier 🙂
Definitely, this application is not just rogue but also junkware.
The vulnerabilities that were addressed include the following:
(1) Memory corruption in QuickTime’s handling of Sorenson 3 video files.
(2) Memory corruption in QuickTime’s handling of Macintosh Resource records in movie files.
(3) Memory corruption in QuickTime’s parsing of Image Descriptor (IDSC) atoms.
(4) Buffer overflow in processing a compressed PICT image.
Thus, QuickTime users are advised not to play streaming media that uses the RTSP protocol (rtsp://) until a fix is made available.
There is a zero-day flaw found in Microsoft Excel, and this vulnerability affects the following versions:
Microsoft Office Excel 2003 Service Pack 2
Microsoft Office Excel Viewer 2003
Microsoft Office Excel 2002
Microsoft Office Excel 2000
Microsoft Excel 2004 for Mac
What causes this threat?
When a user opens a specially crafted Excel file that has malformed header information, the system encounters an unspecified error, which can be exploited by malicious users and could lead to execution of arbitrary code.
According to Microsoft, there are active attacks currently exploiting this vulnerability. Thus, users are advised not to open untrusted Excel files.
Beware! The first rogue application on Mac is here.
There are two images or looks that link to this rogue application.
(1) The screenshot shown above is the image displayed when you visit this url: