Posts Tagged ‘PornTube’

Porn Trojan Talks

Unusual Pop-up Ads

If you thought Trojan DNSChanger is dead, think twice ‘coz lately there has been series of reports from Mac OS X users experiencing unusual pop-up ads in their machines. Most of the infected users noticed that the unusual ads is coming from IP Address or as shown in the screen shot above.

This IP Address points to Intercage [AS27595] which is hosted by Atrivo in US, which apparently related to Russian Business Network(RBN). This domain host different names related to fake codec and rogue applications such as spysheriff, winspykiller, AntiVirGear and lot more. [Further Reading]

Unusual pop-up ads and internet browser results were amongst visible symptoms of this threat. Infected user should immediately change their DNS Settings and remove the following files in this folders:

~/Library/Internet Plug-Ins/plugins.settings
~/Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
~/Library/Internet Plug-Ins/QuickTime.xpt
~/Library/Internet Plug-Ins/Mozillaplug.plugin
Related Post:

Analysis of Trojan DNSChanger
Malware Retailer Includes Trojan for Mac
Fake YouTube Installs OS X Trojan DNSChange

New DNSChanger Hacks Router In Mac?

DNSChanger has two executables: EXE for Windows and DMG for Mac OS X. This threat has been around for quite sometime, but there’s nothing exceptional until last week a new variant captured our attention. [Read WashingtonPost blog]

A new EXE variant of DNSChanger is capable of changing users’ DNS settings by hacking the configuration page of the wireless router. Is this true ? Yes, it’s targeting a list of routers and performs dictionary attack.

Below are the extracted strings from EXEcutable file.

TrustedSource Blog published an analysis of this EXE variant.

Is there similar variant affecting Mac? Let’s check the latest downloadable DMG file, courtesy of several PornTube sites roaming around the net.

If you’ll notice, the installer package doesn’t contain anything new. As I mentioned in my previous post about OS X DNS Changer analysis, the malicious file here are preinstall and preupgrade (which contains exactly the same code).

The latest DNSChanger in Mac are obfuscated, which is a minor modification. Going further, the deobfuscated script clearly suggest that there’s nothing new except the variable IP address (s1 and s2).

So, the new behavior found in the latest DNSChanger in Windows doesn’t exist yet in Mac.