Archive for the ‘malware report’ Category

Analysis of OSX Starfield

When you download an application or installer from a legitimate website, you establish a level of trust, expecting not to be tricked or deceived.


The installer is distributed by Starfield, a technology and research branch of Go Daddy Group. If you are a Go Daddy user, this tool is available in the tool section when you are logged in, as:

1)  Desktop Notified Installer

2) It is also offered as “Web-Based Email Tools plugin” promising that this tool will enable image paste.

It’s possible that this installer will be distributed elsewhere.

When you download the installer, you’ll notice two things:

1) It is telling you “Double-click to Install”

2) It is not the installer itself, instead it is a shortcut link.


It is a social engineering trick: it tries to trigger the user’s impulse to respond immediately to a command or instruction.

Let’s check ACL using terminal:


$ ls -al /Volumes/install
total 8
drwxr-xr-x  7 test  staff  306 23 Dec 03:50 .
drwxrwxrwt@ 6 root  admin  204 12 Jan 23:42 ..
drwxr-xr-x  2 test  staff   68 23 Dec 03:50 .Trashes
lrwxr-xr-x  1 test  staff   20 23 Dec 03:49 Double-click to Install ->
drwxr-xr-x@ 3 test  staff  102 23 Dec 03:49


The application is basically hidden, which discourages the user from inspecting the package. Back in the terminal, let’s run this command to unhide it:


$ defaults write com.apple.finder AppleShowAllFiles TRUE
$ killall Finder

Installation: What happens when you ‘double click’ it?  You’ll notice that it requires root privilege.

At this stage it is already too late, because even if you decide to discard or cancel the authorization, the tricky ‘’ has already installed itself as follows:

1) It creates a ‘Starfield’ folder in the Applications directory. In this folder, you’ll find a copy of itself and an update component.



2) It is set to run at login by adding ‘starfieldupdate’ in the Login Items.

3) It is always running in the background.


$ lsof -c Starfield
Starfield 221 test  cwd      DIR       14,2      1394       2 /
Starfield 221 test  txt      REG       14,2     93668 1294527 /Applications/Starfield/
Starfield 221 test  txt      REG       14,2   1064960 2655251 /private/var/folders/ur/urE9xwfCE+a922ltbYjezk+++TU/-Caches-/
Starfield 221 test  txt      REG       14,2   1054960   25052 /usr/lib/dyld
Starfield 221 test  txt      REG       14,2 206983168 2609511 /private/var/db/dyld/dyld_shared_cache_i386
Starfield 221 test    0r     CHR        3,2       0t0     297 /dev/null
Starfield 221 test    1     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    2     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    3r     REG       14,2       163   42178 /private/etc/security/audit_control
Starfield 221 test    4u  KQUEUE                              count=1, state=0x2
Starfield 221 test    5r     REG       14,2     93668 1294527 /Applications/Starfield/
Starfield 221 test   66r     REG       14,2       611   42177 /private/etc/security/audit_class

So when you think it’s gone, it isn’t: ‘StarfieldInstall’ sleeps and then activates again to request your password. It will continue to annoy you with repeated requests until it gets authorized.

On a side note, ‘’ gathers the following information:
  • OS version and CPU Type
  • Local user
  • Previous installation
  • Starfield installation component versions

And performs the following:

  • Checks user privilege on the system by checking if user is admin or if the user can be elevated to admin.
  • StarfieldInstall launches ‘’ which is kept in the background.
  • ‘’ is responsible for initial installation (first run) and updates.
  • The initial installation path of Starfield would be:
/Library/Application Support/Starfield
/Library/Internet Plug-ins/
/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
  • Writes a log of its activity, especially the installation. Notice the name ‘starfield’ in the ~/Library/Logs/ folder.


Launch.cpp(18): Launching /Applications/Starfield/ runme
StarfieldInstall.cpp(862): Starting v1.0.4.9 with command: -psn_0_1011959
StarfieldInstall.cpp(879): OS Version 10.6 x86
StarfieldInstall.cpp(880): Local user test (test)
StarfieldInstall.cpp(881): User can become administrator.
StarfieldUpdate.cpp(90): Starting v1.0.3.3 with command: -psn_0_1007862
StarfieldUpdate.cpp(119): launchargs runme
StarfieldUpdate.cpp(144): Local user test
StarfieldUpdate.cpp(145): User can become administrator.
StarfieldUpdate.cpp(162): Launching /Applications/Starfield/
Launch.cpp(18): Launching /Applications/Starfield/


The payload is mainly handled by ‘’. When the user enters the password, the installation continues by sending an HTTP request to the server as follows:

GET /moduleinfo HTTP/1.1
User-Agent: StarfieldInstall/1.0
Accept: *.*

‘Moduleinfo’ is a JSON text which ‘’ parses and evaluates. For example, it reads it and determines which package is appropriate for the user: Windows or Mac.

{ "win" :

, "mac" :

It also evaluates the installation requirements, for example:


, "mac" :
[ { "file" : "StarfieldInstall.App"
, "version" : 4
, "source" : ""
, "app" : "*"
, "type" : "util"
, "adminRequired" : false
, "osMin" : [10,4]

‘StarfieldInstall’ checks the requirements defined by the JSON file ‘moduleinfo’ before it downloads, extracts and runs the latest package, resulting in the installation of the following:




So far we have 17 files here, and 4 of these files do not require the root password. It is important to note that ‘’ is always running in the background and launches ‘’ to perform the following:

– Evaluating JSON text ‘moduleinfo’ for update

– Download and installation of latest versions

– Discovery of products installed

– Running privileged shell command
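To see what a manifest like ‘moduleinfo’ lets the vendor push to a given machine, the sketch below (an added example, not code from the installer) classifies each module for a platform. The second and third sample entries are made up, and the version comparison and the treatment of a missing ‘adminRequired’ are assumptions about how the fields are used.

```python
import json

# Constructed sample shaped like the 'moduleinfo' excerpt above. Only the first
# entry's fields come from the post; the other two entries are made up.
SAMPLE_MODULEINFO = json.dumps({
    "win": [],
    "mac": [
        {"file": "StarfieldInstall.App", "version": 4, "source": "", "app": "*",
         "type": "util", "adminRequired": False, "osMin": [10, 4]},
        {"file": "ExamplePlugin.plugin", "version": 2, "source": "", "app": "*",
         "type": "plugin", "adminRequired": True, "osMin": [10, 5]},
        {"file": "ExampleHelper.App", "version": 7, "source": "", "app": "*",
         "type": "util", "adminRequired": False, "osMin": [10, 7]},
    ],
})


def audit_manifest(manifest_text, platform, os_version, installed=None):
    """Classify every module the manifest lists for `platform`.

    `installed` maps file name -> version already on disk (assumed semantics).
    Returns {file name: verdict}.
    """
    installed = installed or {}
    manifest = json.loads(manifest_text)
    verdicts = {}
    for module in manifest.get(platform, []):
        name = module["file"]
        # osMin is [major, minor]; tuple comparison orders versions correctly.
        if tuple(os_version) < tuple(module.get("osMin", [0, 0])):
            verdicts[name] = "skipped: os too old"
        elif installed.get(name, -1) >= module["version"]:
            verdicts[name] = "skipped: up to date"
        # A missing adminRequired is treated as True (assumption).
        elif module.get("adminRequired", True):
            verdicts[name] = "installs after admin prompt"
        else:
            verdicts[name] = "installs silently"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_manifest(SAMPLE_MODULEINFO, "mac", (10, 6)).items():
        print(f"{verdict:28} {name}")
```

The entries reported as “installs silently” are the ones that matter for the 4-of-17 observation above: they reach the disk without any password prompt.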

It installs two Firefox extensions and plugins, which are persistent: you can’t just click ‘uninstall’ to remove them. In Firefox, click Tools and Addons to view the installed Extensions and Plugins as shown below:

Another notable process created is ‘OffSyncService’, which is always running in the background.

In conclusion, this is a nasty and abusive application that performs remote activities and installs unwanted plugins and applications without user consent. It is bloatware and a backdoor.

Bandwagon effect allows you to check some popular searches or trends that threats might take advantage of as well.

However, you don’t often check it, and for events like “Station Fire”, which I just learned about from the news this morning (here in Melbourne), it’s good that there are concerned Mac users who send you a heads up!

As a result, I’ve published this post.

Latest Threat: MacCinema

MacCinema is the latest OS X threat. It’s not really new: it is an update of MacAccess, although this time it uses different strings and clever obfuscation, but overall the installation and behavior remain the same.


So, here’s the fixed one…

This will output the script below…

Notice the IP address “” - this is the backdoor IP, which is executed through a cron job. The backdoor is responsible for executing or installing “DNSChanger”, which will change or add malicious DNS entries :, es :

Notice “enialbdivad 777 nigeb”; obviously we have to fix it again…

To satisfy our curiosity, here’s the final deobfuscated script.


To remove this threat, just follow the MacAccess removal instructions.

World Map Infection Report

This is the global picture of “MacAccess” infection as reported by users through this blog. This is just a small amount of data, but from a mathematical perspective, considering the percentage of Mac users per continent, I believe the infection is not isolated but definitely in the wild. Perhaps the author could show more infection reports. Obviously, it’s giving them good numbers, to the extent that these threats remain online and evolving.


Wondering why attackers are interested in Mac? Here’s an interesting trend as published by NetApplications Market Share.


Malicious CHM

I was cleaning up my messy folders when I bumped into this file – chungtak.chm. I reckon it was the malicious CHM file spreading around early March of this year.

Is this another exploited file? Let’s take a look…

CHM Basic File Structure

Microsoft’s HTML Help CHM format starts with 38 bytes of header information, followed by header sections which contain information such as the total file size and directory list.

This header is followed by directory chunks which consist of index and listing chunks.

The content is self-explanatory, while the section data is actually part of the content which associates other related files. The section data could contain compressed or uncompressed data. The compressed section uses the LZX compression method, which is popularly used in Microsoft cabinet files.

[Read Matthew T. Russotto CHM file format]
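A quick structural check of a suspicious CHM, as an added example that is not from the original post: it reads the ITSF header and the two header sections described above, then compares the declared file size with the real one. Offsets follow the publicly documented ITSF layout, and the sample bytes are constructed (header only, no directory entries or content).

```python
import struct
import uuid


def parse_chm_header(data):
    """Parse the ITSF header and the header section table of a CHM file."""
    if data[:4] != b"ITSF":
        raise ValueError("missing ITSF signature")
    if len(data) < 0x58:
        raise ValueError("truncated header")
    version, header_len, _unknown, _timestamp, lang_id = struct.unpack_from("<5I", data, 4)
    # Two header sections, each described by a 64-bit offset and length.
    sections = [struct.unpack_from("<QQ", data, 0x38 + 16 * i) for i in range(2)]
    for offset, length in sections:
        if offset + length > len(data):
            raise ValueError("header section points outside the file")
    (size_off, _), (dir_off, _) = sections
    # Header section 0 stores the total file size at +8.
    declared_size = struct.unpack_from("<Q", data, size_off + 8)[0]
    return {
        "version": version,
        "header_len": header_len,
        "lang_id": lang_id,
        "guids": [str(uuid.UUID(bytes_le=data[o:o + 16])) for o in (0x18, 0x28)],
        "declared_size": declared_size,
        # A mismatch means truncation or data appended after the archive.
        "size_matches": declared_size == len(data),
        # Header section 1 is the directory and starts with 'ITSP'.
        "directory_ok": data[dir_off:dir_off + 4] == b"ITSP",
    }


def build_sample_chm_header():
    """Constructed 204-byte sample: ITSF header, section table, two sections."""
    guids = b"".join(uuid.UUID(g).bytes_le for g in (
        "7c01fd10-7baa-11d0-9e0c-00a0c922e6ec",
        "7c01fd11-7baa-11d0-9e0c-00a0c922e6ec"))
    itsf = b"ITSF" + struct.pack("<5I", 3, 0x60, 1, 0, 0x0409) + guids
    table = struct.pack("<QQQQQ", 0x60, 0x18, 0x78, 0x54, 0xCC)
    section0 = struct.pack("<IIQII", 0x01FE, 0, 0xCC, 0, 0)
    section1 = b"ITSP".ljust(0x54, b"\x00")
    return itsf + table + section0 + section1


if __name__ == "__main__":
    print(parse_chm_header(build_sample_chm_header()))
```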

With this basic information, let’s investigate the suspicious file – chungtak.chm.

1 – Chungtak.chm
2 – Using CHM decoder tool, these files were extracted.
3 – Chungtak.chm main page is Index.htm. Index.htm contains malicious code that allows music.exe to execute.
4 – music.exe is a Trojan Dropper. A good analysis was posted on the McAfee Avert Labs Blog last March 11.

So, what happened? The CHM file is not exploited; instead, the malicious user uses a legitimate feature that allows an external local file to execute by linking it to the CHM. [Read CHM Linking Tips]

Analysis of SWF Exploit

With the recent wave of websites carrying the SWF exploit, it’s impressive to see thorough analysis from fellow colleagues.

Zarestel’s SWF exploit analysis series:

SWF Exploit – CVE-2007-0071 Part 1
SWF Exploit – CVE-2007-0071 Part 2

AusCERT 2008: Telstra Distributed Infected USB

Telstra is red-faced after handing out malware-infected USB drives to tutorial attendees at the AusCERT security conference on the Gold Coast. [Read Patrick Gray @ SearchSecurity]
The folks at Australian mega-telco Telstra are wiping eggs from their faces after distributing malware-infected USB drives to attendees at this year’s AusCERT security conference. [Read Ryan Naraine @ ZDNet Blog]
What an embarrassing moment… The good thing is that most antivirus scanners already detect that piece of malicious program, and if you have a good AV scanner installed with the latest signatures and with aggressive features such as real-time detection or auto-scanning for all mounted drives, then there are definitely no worries of infection.

VirusTotal returned a 96.88% detection rate: 31 of 32 different antivirus scanners detect this malware. [VirusTotal Detection]

The culprit… As you can see in the screenshot below, autorun.inf contains instructions that allow the USB drive to auto-play once it is mounted on the computer and thereafter automatically execute sys.exe.
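A way to check a removable drive’s autorun.inf before trusting it, as an added example that is not part of the original post: it lists every entry in the [autorun] section that starts a program. The sample file is constructed; only the name sys.exe comes from the post.

```python
import re

# Keys in [autorun] that cause a program to run: open=, shellexecute=,
# and any shell\<verb>\command= entry.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample; the junk line and the second section test the parser.
SAMPLE_AUTORUN = r"""
; constructed sample
[AutoRun]
open=sys.exe
xkq3 padding line without an equals sign
shell\open\Command=sys.exe
shell\explore\Command=sys.exe
icon=drive.ico
label=USB DISK
[Other]
open=ignored.exe
"""


def autorun_launches(text):
    """Return (key, command) pairs from [autorun] that start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and padding lines are ignored
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found


if __name__ == "__main__":
    for key, command in autorun_launches(SAMPLE_AUTORUN):
        print(f"{key} -> {command}")
```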

McAfee detects this malware as W32/CEP.worm!33925d66 and has already published a malware report found here.

ThreatExpert Report here.