Archive

Archive for July, 2011

‘Olyx’ connection to Fake Apple Stores?

An interesting observation from a colleague, check out the digital certificate information of ‘Wolyx’ the Windows backdoor packaged with ‘Olyx’  below:

Issued By:      WoSign Code Signing Authority
Issued To:      CN, Yunnan, Kunming, Kunming Wuhua District YanXing Technology Sales Department, WoSign Class 3 Code Signing, Kunming Wuhua District YanXing Technology Sales Department
Effective On:   11/03/2009 00:00 
Expired On:     11/02/2012 23:59

The place where the revoked digital certificate was issued to was Kunming, Yunnan China.

In the news, you’ll notice that this is the same city of the fake Apple stores.  

China officials find 5 fake Apple stores in 1 city

BEIJING

A Chinese city government website says local trade officials have found five fake Apple stores in a southwestern city.

The Kunming government website says authorities in the city in Yunnan province took action against two of the stores, which were found to be operating without a business license.

[Read http://www.businessweek.com/ap/financialnews/D9OME9280.htm]

Officials close 2 of 5 fake Apple stores

KUNMING – Officials looking into the illegal sale of Apple gadgets say they are waiting for the electronics company to respond before they decide whether to close three more possibly unlicensed stores. [Read http://www.chinadaily.com.cn/usa/us/2011-07/26/content_12980613.htm]
Coincidence?

Backdoor ‘Olyx’

In my last blog post, I’ve discussed the early features of RAT ‘Blackhole’. Although, it was then in its early stage, I find this type of offensive development interesting due to the fact that they emerge and distribute as a hacking tool, with functional backdoor client-server mechanism.

Last month, we have spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary and the traces of the working directory suggest that the Mac user name is ‘yxl’. So, this is where the name ‘Olyx’ came.

Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar”, where the content suggest that it was extracted from Wikipedia community portal current events 2009 July 5 page.  If you will visit the Wikipedia current events 2009 July 5 page, and compare the screenshot below, you’ll find it very similar.

However, the extracted page includes a folder which contains photos of the 2011 June 15th protest in Athens, Greece and alongside the two malicious binary executable:

There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.

Q: So, the question now is, what happened on ‘2009 July 5’ ?

The World Uyghur Congress website describes it,

On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.

Q: Ok, that was 2 years ago right?

Yes, and in a press released titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009″ describes the present,

On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.

So, there’s a call for an organized demonstration to remind the whole world of the 2009 event, and in support for Uyghur’s human rights and freedom.

Q: What’s the protest? This Facebook invitation page explains,

Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.

The activities surrounding this protest clearly took place in the cyberspace, resulting to attacks as described in press released titled  World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks,

Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.

So, how do you think Backdoor ‘Olyx’ fits in this picture?

The discovery of this threat should remind Mac users to carefully consider security and the real-life consequences of getting pwned. Remember, this type of threats are on the mission, and this is not cybercriminal that monetize infection nor steals money.