Archive

Archive for the ‘Emerging Threats’ Category

Backdoor ‘Olyx’

In my last blog post, I’ve discussed the early features of RAT ‘Blackhole’. Although, it was then in its early stage, I find this type of offensive development interesting due to the fact that they emerge and distribute as a hacking tool, with functional backdoor client-server mechanism.

Last month, we have spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary and the traces of the working directory suggest that the Mac user name is ‘yxl’. So, this is where the name ‘Olyx’ came.

Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar”, where the content suggest that it was extracted from Wikipedia community portal current events 2009 July 5 page.  If you will visit the Wikipedia current events 2009 July 5 page, and compare the screenshot below, you’ll find it very similar.

However, the extracted page includes a folder which contains photos of the 2011 June 15th protest in Athens, Greece and alongside the two malicious binary executable:

There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.

Q: So, the question now is, what happened on ‘2009 July 5’ ?

The World Uyghur Congress website describes it,

On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.

Q: Ok, that was 2 years ago right?

Yes, and in a press released titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009″ describes the present,

On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.

So, there’s a call for an organized demonstration to remind the whole world of the 2009 event, and in support for Uyghur’s human rights and freedom.

Q: What’s the protest? This Facebook invitation page explains,

Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.

The activities surrounding this protest clearly took place in the cyberspace, resulting to attacks as described in press released titled  World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks,

Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.

So, how do you think Backdoor ‘Olyx’ fits in this picture?

The discovery of this threat should remind Mac users to carefully consider security and the real-life consequences of getting pwned. Remember, this type of threats are on the mission, and this is not cybercriminal that monetize infection nor steals money.

RAT ‘BlackHole’

‘BlackHole’ is the latest remote administration tool (RAT) and is available both in Windows and Mac.

Hacktool such RAT employs client-server program that communicates to its victim’s machine through its trojan server. The server application is installed on the victim while the client application is on the managing side.

The version suggest that ‘BlackHole’ is currently in its early stage. However, the author seems to start showcasing the following functionalities:

  • Remote execution of shell commands.
  • Opens webpage using user’s default browser.
  • Sends a message which is displayed on the victims screen.
  • Creates a text file.
  • It is capable to perform shutdown, restart and sleep operation.
  • It is capable to request for admin privileges.

Also, it is also capable to block users screen with this message: please refer this image.

Be wary of possible backdoor infection. Report suspicious application, especially if it is communicating to unknown or unfamiliar remote server.

Note: While checking the client-server capability, I just thought that it would be useful to capture a video for reference. (recommended screen 720pHD)

How to Remove Starfield

1) Kill the running process.

Using spotlight, type-in Activity Monitor and filter by searching starfieldUpdate and click Quit Process. Then, search offSyncService and click Quit Process.

If using Terminal, you may run the following command:

 

killall -9 offSyncService
killall -9 starfieldUpdate


2) Delete Starfield internet plugins and components.

Using Terminal, you may run the following command:

 

rm -rf ~/Library/Internet\ Plug-Ins/WbeTools64_14.plugin
rm -rf ~/Library/Internet\ Plug-Ins/fileEditTool64_15.plugin
rm -rf ~/Library/Preferences/com.starfield.update.plist
rm -rf ~/Library/Application\ Support/Mozilla/Extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/wbepaste\@starfield
rm -rf ~/Library/Application\ Support/Mozilla/Extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/zoomext\@starfield
rm -rf ~/Library/Application\ Support/Starfield/

 

3) It will require root password to remove the following files.

Using terminal, type in sudo su and authenticate, then continue:

 

rm -rf /Library/LaunchDaemons/com.starfield.backupservice.plist
rm -rf /Library/offsync
rm -rf /Applications/WBE\ Desktop\ Notifier.App
rm -rf /Applications/DesktopTools.App
rm -rf /Applications/Starfield
rm -rf /install.sh

 

This instruction removes all the traces of Starfield.  Stay safe!

**Note: If you find Starfield application useful, you may keep the ‘WBE Desktop Notified.App’ and ‘DesktopTools.App’.

Drag and Drop

This is unfortunate for business, and a worrying attack vector. The Mac App store was easily bypassed and cracked by this simple drag and drop process. Evidently, you’ll find it ‘Installed’ when you open the app.

Please be reminded that ‘deceptive packaging’ takes advantage of legitimate software and application packaging to obscure the possible execution of malicious code;  and, this provides attacker a good opportunity.

iThreats ‘Home’

Welcome 2011!  I’m pleased to share iThreats ‘Home’.This is a library of sources, discussing the latest trends, publication, research work and analysis surrounding Apple security.

Let’s be reminded of the fundamental principle about digital security as introduced by Bruce Schneier that “Security is a process, not a product”. Lack of awareness and complacency can be dangerous. Thus, a greater discussion and awareness is better, it promotes understanding, identification and how response help protect our data, systems and digital life.

This website is made on Mac, so I recommend using Safari + QuickTime (Apple Download). For Mac, iPhone, and iPad users, the website theme provides smooth browsing experience.

Keep an eye for updates!

“PremierOpinion” Spyware Now in Mac OS X

From Intego security advisory today:

——————————————————————————————————–

Malware: OSX/OpinionSpy

Risk: High

Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdateVersionTracker and Softpedia.
——————————————————————————————————–

Who’s PremierOpinion?

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.

Website: http://www.premieropinion.com/Home.aspx

So, who’s the partner?

“PremierOpinion” Mac OS X Spyware are distributed by 7art-screensavers and published in this link: http://7art-screensavers.com/Mac_OS_X.shtml

Intego blog published detailed list of “PremierOpinion” Mac OS X Spyware.[here]

There are 48 screensaver Mac OS X apps in this source, and there are two different packages.

How to spot “PremierOpinion” Mac OS X Spyware?

1. It uses IzPack “Package once. Deploy everywhere.” software installer generator. You’ll notice from a package inspection (press control+click on the application and from the pop-up menu choose ‘Show Package Contents’), the icons are different7art while the other izpack.icns.

2. IzPack generated installers are in Java Archive (.JAR) file.

3. 7art screen savers installation do NOT require root password. While, PremierOpinion sponsored free software or application requires root password. Why? Because it installs spyware, which will track and monitor users’ browsing behaviour, scans and gather information from the disk and sends back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.

4. Spyware installs software without user’s consent or notification.   It is often bundled with other clean application to misleads users of its true purpose and gain access to users’ system. So, in this case, if you click “Cancel”, the IzPack installer will still continue by two pop-up screen: 1) PremierOpinion survey (screenshot) 2) 7art screen saver installation (screenshot).

“Package once. Deploy everywhere.”

This sneaky Mac OS X threat could be everywhere bundled and distributed in the internet.

Be cautious and stay safe!

——–> Threat Info FYI

File Name: poinstaller

File Type: Mach-O executable i386

File Size: 470,352 bytes

Threat Type: Backdoor, Downloader, Sniffer, Stealer,

Installation Requirement:  root

Remote Activity: Installation of other threats

Remote Download File: Rule14.xml

Remote Download: PermissionResearch.zip

Installation: RunPermissionResearch.sh

Package Name: PermissionResearch.app

File Name: PermissionResearch

File Type: Mach-O executable i386

File Size: 4.1 MB
Resource Package Name: InjectCode.app
File Name: InjectCode
File Type:
Mach-O executable i386
Mach-O 64-bit executable x86_64
File Size: 34,088 bytes
Resource Package Name: macmeterhk.bundle
File Name: macmeterhk
File Type:
Mach-O executable i386
Mach-O 64-bit executable x86_64
File Size:  894,836 bytes

Window Shortcut – LNK File Format

LNK Format

Figure 01 – LNK Top Level File Structure

A computer shortcut (shortcut) is a small file containing a target URI or the name of a target program file that the shortcut represents. [wiki]

Microsoft Windows uses .lnk as the filename extension for shortcuts to local files, and .URL for shortcuts to remote files, like web pages.

Thanks to Jesse Hager for creating the specification document. Please refer this link http://www.wotsit.org/list.asp?al=L and search ‘LNK’ download good reference.

As observed, LNK trojan downloaders takes advantage of Command line string to perform malicious activity.

**Update**

0day on malformed Windows Shell Link (.LNK) Binary referred as CVE-2010-2568 and Microsoft Security Advisory (2286198)

LNK binary file format reference:

LNK_The_Windows_Shortcut_File_Format

MS-SHLLINK