Archive

Archive for the ‘OS X’ Category

‘Olyx’ connection to Fake Apple Stores?

An interesting observation from a colleague, check out the digital certificate information of ‘Wolyx’ the Windows backdoor packaged with ‘Olyx’  below:

Issued By:      WoSign Code Signing Authority
Issued To:      CN, Yunnan, Kunming, Kunming Wuhua District YanXing Technology Sales Department, WoSign Class 3 Code Signing, Kunming Wuhua District YanXing Technology Sales Department
Effective On:   11/03/2009 00:00 
Expired On:     11/02/2012 23:59

The place where the revoked digital certificate was issued to was Kunming, Yunnan China.

In the news, you’ll notice that this is the same city of the fake Apple stores.  

China officials find 5 fake Apple stores in 1 city

BEIJING

A Chinese city government website says local trade officials have found five fake Apple stores in a southwestern city.

The Kunming government website says authorities in the city in Yunnan province took action against two of the stores, which were found to be operating without a business license.

[Read http://www.businessweek.com/ap/financialnews/D9OME9280.htm]

Officials close 2 of 5 fake Apple stores

KUNMING – Officials looking into the illegal sale of Apple gadgets say they are waiting for the electronics company to respond before they decide whether to close three more possibly unlicensed stores. [Read http://www.chinadaily.com.cn/usa/us/2011-07/26/content_12980613.htm]
Coincidence?

Backdoor ‘Olyx’

In my last blog post, I’ve discussed the early features of RAT ‘Blackhole’. Although, it was then in its early stage, I find this type of offensive development interesting due to the fact that they emerge and distribute as a hacking tool, with functional backdoor client-server mechanism.

Last month, we have spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary and the traces of the working directory suggest that the Mac user name is ‘yxl’. So, this is where the name ‘Olyx’ came.

Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar”, where the content suggest that it was extracted from Wikipedia community portal current events 2009 July 5 page.  If you will visit the Wikipedia current events 2009 July 5 page, and compare the screenshot below, you’ll find it very similar.

However, the extracted page includes a folder which contains photos of the 2011 June 15th protest in Athens, Greece and alongside the two malicious binary executable:

There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.

Q: So, the question now is, what happened on ‘2009 July 5’ ?

The World Uyghur Congress website describes it,

On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.

Q: Ok, that was 2 years ago right?

Yes, and in a press released titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009″ describes the present,

On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.

So, there’s a call for an organized demonstration to remind the whole world of the 2009 event, and in support for Uyghur’s human rights and freedom.

Q: What’s the protest? This Facebook invitation page explains,

Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.

The activities surrounding this protest clearly took place in the cyberspace, resulting to attacks as described in press released titled  World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks,

Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.

So, how do you think Backdoor ‘Olyx’ fits in this picture?

The discovery of this threat should remind Mac users to carefully consider security and the real-life consequences of getting pwned. Remember, this type of threats are on the mission, and this is not cybercriminal that monetize infection nor steals money.

RAT ‘BlackHole’

‘BlackHole’ is the latest remote administration tool (RAT) and is available both in Windows and Mac.

Hacktool such RAT employs client-server program that communicates to its victim’s machine through its trojan server. The server application is installed on the victim while the client application is on the managing side.

The version suggest that ‘BlackHole’ is currently in its early stage. However, the author seems to start showcasing the following functionalities:

  • Remote execution of shell commands.
  • Opens webpage using user’s default browser.
  • Sends a message which is displayed on the victims screen.
  • Creates a text file.
  • It is capable to perform shutdown, restart and sleep operation.
  • It is capable to request for admin privileges.

Also, it is also capable to block users screen with this message: please refer this image.

Be wary of possible backdoor infection. Report suspicious application, especially if it is communicating to unknown or unfamiliar remote server.

Note: While checking the client-server capability, I just thought that it would be useful to capture a video for reference. (recommended screen 720pHD)

EuroSoft 2011

The EuroSoft spamming is up and kicking through email and in any writable pages in the web.

Around this time last year, I’ve spotted this activity through Skype but the difference this year is that the spam trend uses shortened URL. Safari recognises some of the website and displays warning message “Suspected phishing site”, however not everything just like this site “http://best-mac-software.com/”.

So be careful and pay attention, you’ll never know you are already dealing with a typosquatted and fraudulent websites.

Annoying ads coming from an iPad/iPhone app

I’ve recently encountered lots of annoying Ads in my iPhone and iPad. My initial impression is what an ‘Ad serving app’!  But, this is the result when you allow or agree to receive push notifications as shown below.

Here are some useful tips on how to deal with it. This instruction should stop the problem, otherwise the app causing your trouble is absolutely suspicious and you should report it for investigation.

How do I stop annoying Ads coming from an iPad/iPhone app?

1) Tap ‘Settings’ and look for ‘Notification’
2) It will display all application with Notification ‘turned on’, then tap the application that is bugging you with Ads.
3) Turn “OFF” Alerts, Badges and Sounds.

If the problem persist, you may want to consider to delete it.

How to delete application in iPad/iPhone?

1) Tap the target app, hold and wait until it starts to wiggle.
2) You’ll notice “X” button in the top right corner, which means you may tap it to delete.

How to Remove Starfield

1) Kill the running process.

Using spotlight, type-in Activity Monitor and filter by searching starfieldUpdate and click Quit Process. Then, search offSyncService and click Quit Process.

If using Terminal, you may run the following command:

 

killall -9 offSyncService
killall -9 starfieldUpdate


2) Delete Starfield internet plugins and components.

Using Terminal, you may run the following command:

 

rm -rf ~/Library/Internet\ Plug-Ins/WbeTools64_14.plugin
rm -rf ~/Library/Internet\ Plug-Ins/fileEditTool64_15.plugin
rm -rf ~/Library/Preferences/com.starfield.update.plist
rm -rf ~/Library/Application\ Support/Mozilla/Extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/wbepaste\@starfield
rm -rf ~/Library/Application\ Support/Mozilla/Extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}/zoomext\@starfield
rm -rf ~/Library/Application\ Support/Starfield/

 

3) It will require root password to remove the following files.

Using terminal, type in sudo su and authenticate, then continue:

 

rm -rf /Library/LaunchDaemons/com.starfield.backupservice.plist
rm -rf /Library/offsync
rm -rf /Applications/WBE\ Desktop\ Notifier.App
rm -rf /Applications/DesktopTools.App
rm -rf /Applications/Starfield
rm -rf /install.sh

 

This instruction removes all the traces of Starfield.  Stay safe!

**Note: If you find Starfield application useful, you may keep the ‘WBE Desktop Notified.App’ and ‘DesktopTools.App’.

Analysis of OSX Starfield

When you download an application or installer from legitimate website, you establish a level of trust expecting not to be tricked or deceived.

Distribution:

The installer is distributed by Starfield a technology and research branch of Go Daddy Group. If you are Go Daddy user, when you logged-in, this tool is available in the tool section as:

1)  Desktop Notified Installer

2) It is also offered as “Web-Based Email Tools plugin” promising that this tool will enable image paste.

It’s possible that this installer will be distributed elsewhere.

When you download the installer, you’ll notice two things:

1) It is telling you “Double-click to Install”

2) It is not the installer itself, instead it is a shortcut link.

Why?

It is a social engineering trick. It attempts to trigger user’s immediate impulse to respond based from a command or instruction.

Let’s check ACL using terminal:

 

$ ls -al /Volumes/install

total 8

 

drwxr-xr-x  7 test  staff  306 23 Dec 03:50 .
drwxrwxrwt@ 6 root  admin  204 12 Jan 23:42 ..
drwxr-xr-x  2 test  staff   68 23 Dec 03:50 .Trashes
lrwxr-xr-x  1 test  staff   20 23 Dec 03:49 Double-click to Install -> StarfieldInstall.app
drwxr-xr-x@ 3 test  staff  102 23 Dec 03:49 StarfieldInstall.app

 

The application is basically hidden. Obviously, It discourages user to inspect the package. Back in the terminal, let’s run this command to unhide:

 

$ defaults write com.apple.finder AppleShowAllFiles TRUE
$ killall Finder

Installation: What happens when you ‘double click’ it?  You’ll notice that it requires root privilege.

In this stage, it is already too late because even if you decide to discard or cancel the authorization, the tricky ‘StarfieldInstall.app’ has already installed itself as follows:

1)  It creates a ‘Starfield’ folder in the Application directory.  In this folder, you’ll find a copy of itself and an update component.

/Application/Starfield/StarfieldInstall.app

/Application/Starfield/starfieldupdate.app

2) It is set to run at login by adding ‘starfieldupdate’ in the Login Items.

3) It is always running in the background.

 

$ lsof -c Starfield
COMMAND   PID USER   FD     TYPE     DEVICE  SIZE/OFF    NODE NAME
Starfield 221 test  cwd      DIR       14,2      1394       2 /
Starfield 221 test  txt      REG       14,2     93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test  txt      REG       14,2   1064960 2655251 /private/var/folders/ur/urE9xwfCE+a922ltbYjezk+++TU/-Caches-/com.apple.LaunchServices-025504.csstore
Starfield 221 test  txt      REG       14,2   1054960   25052 /usr/lib/dyld
Starfield 221 test  txt      REG       14,2 206983168 2609511 /private/var/db/dyld/dyld_shared_cache_i386
Starfield 221 test    0r     CHR        3,2       0t0     297 /dev/null
Starfield 221 test    1     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    2     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    3r     REG       14,2       163   42178 /private/etc/security/audit_control
Starfield 221 test    4u  KQUEUE                              count=1, state=0x2
Starfield 221 test    5r     REG       14,2     93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test   66r     REG       14,2       611   42177 /private/etc/security/audit_class

So, when you thought it’s gone, it’s not because ‘StarfieldInstall’ sleeps and activates again to request your password. It will continue to annoy you with repeated request until it gets authorized.

On a sidenote, ‘StarfieldUpdate.app’ gets the following information:
  • OS version and CPU Type
  • Local user
  • Previous installation
  • Starfield installation component versions

And performs the following:

  • Checks user privilege on the system by checking if user is admin or if the user can be elevated to admin.
  • StarfieldInstall launches ‘starfieldupdate.app’ which is kept in the background.
  • ‘starfieldupdate.app’ is responsible for initial installation (first run) and updates.
  • The initial installation path of Starfield would be:
/Applications/Starfield
/Library/Application Support/Starfield
/Library/Internet Plug-ins/
/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
  • Dumps data log of its activity especially the installation. Notice the name ‘starfield’ in the ~/Library/Logs/ folder.

 

Launch.cpp(18): Launching /Applications/Starfield/StarfieldUpdate.app runme
StarfieldInstall.cpp(862): Starting v1.0.4.9 with command: -psn_0_1011959
StarfieldInstall.cpp(879): OS Version 10.6 x86
StarfieldInstall.cpp(880): Local user test (test)
StarfieldInstall.cpp(881): User can become administrator.
StarfieldUpdate.cpp(90): Starting v1.0.3.3 with command: -psn_0_1007862
StarfieldUpdate.cpp(119): launchargs runme
StarfieldUpdate.cpp(144): Local user test
StarfieldUpdate.cpp(145): User can become administrator.
StarfieldUpdate.cpp(162): Launching /Applications/Starfield/StarfieldInstall.app
Launch.cpp(18): Launching /Applications/Starfield/StarfieldInstall.app

Payload:

The payload is mainly handled by ‘StarfieldInstall.app’. When the user inputs the password, the installation continues by sending a HTTP request to the server as follows:

GET /moduleinfo HTTP/1.1
User-Agent: StarfieldInstall/1.0
Host: na.secureserver.net
Accept: *.*

‘Moduleinfo’ is a JSON text which ‘StarfieldInstall.app’ parses and evaluating the content of a JSON string. For example, it reads and evaluate which package appropriate to the user: Windows or Mac.


{ "win" :

, "mac" :

It also evaluates the installation requirement, example:

 

, "mac" :
[ { "file" : "StarfieldInstall.App"
, "version" : 4
, "source" : "starfieldinstall.zip"
, "app" : "*"
, "type" : "util"
, "adminRequired" : false
, "osMin" : [10,4]
}

‘StarfieldInstall’ compares this requirement defined by JSON file ‘moduleinfo’ before it downloads, extracts and run the latest package resulting to installation of the following:

starfieldinstall.zip

starfieldupdate.zip

fileedittool64.plugin.zip

fileedittool.zip

WBETools14.plugin

wbetools64.zip

copypaste.xpi

zoomext.xpi

offdavhelper_mac4.zip

offdavhelper_mac.zip

offsettings.bundle.zip

wbesettings.bundle.zip

drivemapreconnect.zip

backupstatus.zip

offsync_mac.zip

desktoptools.zip

wbedesktopnotifier.zip

So far we have 17 files here and 4 of these files do not require root password. It is important to take note that  ‘StarfieldUpdate.app’ is always running in the background and launch ‘StarfieldInstall.app’ to perform the following:

– Evaluating JSON text ‘moduleinfo’ for update

– Download and installation of latest versions

– Discovery of products installed

– Running privileged shell command

It installs two Firefox extensions and plugins, which is persistent. It means that you can’t just click ‘uninstall’ to remove it . In Firefox, click Tools and Addons to view the installed Extensions and Plugins as shown below:

Another notable process created is ‘OffSyncService’ which is always running in the background .

In conclusion, this is a nasty and abusive application that performs remote activities and installation of unwanted plugins and application without user consent. It is a bloatware and a backdoor.