XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours




 Post subject: Virulent Trojan
PostPosted: Fri May 13, 2011 8:48 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
This has been all over Apple Discussions for almost the past two weeks. I'm seeing many people being suckered by this thing. Keeps changing and using different names. I'd imagine everyone here already knows, but here are two worthwhile links.

http://www.securelist.com/en/blog/6211/ ... _Mac_users

http://blog.unmaskparasites.com/2011/05 ... h-results/


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 11:11 am 
Joined: Thu May 15, 2008 8:20 pm
Posts: 1976
Location: by the beach
That detailed Unmask Parasites link was amazing. I sent it to my IT cohorts.

This is of extreme interest at my workplace. Our receptionist DLed it this week, supposedly surfing MSN.
Sophos picked it up on her iMac. We had a chance to take it apart a little bit.

Quote:
Scan items:
Path: /Users/[name removed]/Downloads/death/anti-malware.zip enabled: yes
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: No
Action on infected files: Report only

Scan started at 2011-05-10 15:32:53 -0700

2011-05-10 15:32:53 -0700 Threat: 'OSX/FakeAV-A' detected in /Users/nate/Downloads/death/anti-malware.zip/MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz/Archive.pax/./MacProtector.app/Contents/MacOS/MacProtector

Scan completed at 2011-05-10 15:32:53 -0700.
1 items scanned, 1 threats detected, 0 issues


Looking at the payload, it looks like it rootkits the OS:

/usr/lib/dyld
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Scary shit. People get pwned by this shit all the time on the PC side.


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 11:12 am 
Benevolent Dictator
Joined: Mon Apr 21, 2008 2:03 am
Posts: 10069
Thanks, great details in that 2nd link! :)


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 11:16 am 
Joined: Thu May 15, 2008 8:20 pm
Posts: 1976
Location: by the beach
Looks like my boss emailed these links to all of our users.

Thanks, WZZZ :ugeek:


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 12:41 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
mc68k: I posted the payload code you found, above, including your comment that it looks like a root kit and included a link to this topic, here. (Wish I could get everyone together on a conference call on this one, instead of relaying quotes, which is about all I feel competent doing right now.)

From AndyBall_UK on Apple Discussions.

https://discussions.apple.com/message/15194309#15194309
Quote:
Re: Mac Malware/poisoned images
May 13, 2011 4:19 PM (in response to WZZZ)

>>Looking at the payload, it looks like it root kits the OS:

snip...



Unless that's a very different variant from those I've seen, they're just strings from inside the application (e.g. /Applications/MacProtector.app/Contents/MacOS/MacProtector), not actual files to be installed.

Did you find that code from elsewhere than inside the app?

Not that I even begin to really grasp the details, but the modus operandi of that SEO poisoning and redirecting does seem breathtaking in its ingeniousness and complexity.


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 3:02 pm 
Joined: Thu May 15, 2008 8:20 pm
Posts: 1976
Location: by the beach
Yeah, I'm assuming that was the result of a 'strings' command. Those are bad places in the OS for things that aren't from Apple to be happening.

Ours also had shiny Mac icons, buttons and such.

The NoScript idea in the Apple thread was immediately what I thought of as a defense against this. The user that got this, and many of our business office users, don't have admin access. But we do have a ton of laptop users that do.


Attachment: PastedGraphic-1.jpg
 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 4:43 pm 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
Hey, Safari makes it easy for stuff like this*. I've been waiting for it to show up. It was only a matter of time**. Google, for their part, needs to get their shit together and stamp this stuff out of the image search results. Personally, I don't use image search, not just because it's a lovely route for malware (thanks to Google's neglect of that issue), but also nudged along by Google's click-through tracking and results frames. I also don't use Safari.

Thanks human race! Some days I think I hate people.

- Anonymous :(

* Note that while Safari has some really miserable design decisions that make it a warm soft target, using a different browser doesn't prevent someone from installing this sort of thing.

** Now someone just needs to find a new security flaw that allows an attacker to automatically open a document or launch a program at a specified local path, and they can have the malware installer auto-open itself, at which point a scared user could install it. This class of flaws isn't too uncommon, and again, Safari helps out thanks to its "automatically open (un)safe downloads" behavior. Or better yet, you could plant a local privilege escalation exploit in the installer, and bingo, insta-rooted, just by browsing the wrong site. Local privilege escalation flaws are even more common, and often considered lower risk. And finally, the last I heard Apple didn't think auto-downloading and opening files with no user interaction constituted a security flaw, but I haven't kept up with their view of the issue. And why should I? Apple is infallible. Just pray some Apple tech doc doesn't some day misprint the value of pi.
:roll:


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 6:53 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 6582
Location: Inner Suburbia
Only tangentially related, but at work our Mac-only lab caught at least one system trying to load data from js.tongji.linezing.com, which was implicated in an SQL injection attack all the way back in 2009.

Odd that the domain is still up and active, despite being a .com domain. The Chinese must be particularly strident about shielding their hackers from international influence.


 Post subject: Re: Virulent Trojan
PostPosted: Fri May 13, 2011 10:04 pm 
Executive Director of the x704.net Think Tank
Joined: Thu May 15, 2008 8:05 pm
Posts: 2745
A mac user had this today, though it was called Mac Protector. Couldn't be more easy to remove though, in malware terms. Force quit Mac Protector in Activity Monitor, delete Mac Protector from Applications, delete Mac Protector from Login Items. Uncheck "Open safe downloads..." in Safari. Kiddie stuff.

_________________
I believe in a long, prolonged derangement of the senses to attain the unknown.
-Jim Morrison.

On Obama: "Muhammad Ali also had a way with words, but it helped enormously that he could punch guys in the face."
-Bill Maher


 Post subject: Re: Virulent Trojan
PostPosted: Sat May 14, 2011 12:36 am 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
cancerman wrote:
...Uncheck "Open safe downloads..." in Safari. Kiddie stuff.

But which, it must be pointed out, is still enabled by default even though at last count Safari will also automatically download files without user interaction!

- Anonymous :upset:


 Post subject: Re: Virulent Trojan
PostPosted: Sat May 14, 2011 7:24 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
mc68k wrote:
yeah i'm assuming that was a result of a 'strings' command. those are bad places in the OS for things to be happening not from apple

Has anyone decided if the payload of this thing really does involve a rootkit? This is not being mentioned anywhere in the numerous articles all over the place and from those who've completely analyzed it.

The only files it appears to install are something in the Applications folder, a Login Item and com.alppe.spav.plist in ~/Library/Preferences.
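
An added example, not from this thread or from any vendor: a triage script for the artefacts the two posts above describe (the app bundle in /Applications, a login item, com.alppe.spav.plist under ~/Library/Preferences) plus Safari's "Open safe files after downloading" setting, which is the preference key AutoOpenSafeDownloads in com.apple.Safari. It works against a root directory rather than the live system, so it can be pointed at a mounted image of a suspect Mac. Assumptions: the app name list (the thread says the names keep changing), and the layout of the 10.6-era com.apple.loginitems.plist (SessionItems -> CustomListItems -> Name). The sample volume is constructed in make_fixture().

```python
import os
import plistlib
import tempfile

APP_NAMES = ("MacProtector", "MacDefender", "Mac Protector")  # assumed list; the campaign rotated names
PREFS_DIR = os.path.join("Library", "Preferences")
MALWARE_PREF = "com.alppe.spav.plist"              # per-user preference file named in the thread
LOGIN_ITEMS = "com.apple.loginitems.plist"         # 10.6-era per-user login items (layout assumed below)
SAFARI_PREFS = "com.apple.Safari.plist"


def _load_plist(path):
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def login_item_names(home):
    """Assumed layout: SessionItems -> CustomListItems -> [{Name: ...}]; [] when absent or unreadable."""
    data = _load_plist(os.path.join(home, PREFS_DIR, LOGIN_ITEMS)) or {}
    items = data.get("SessionItems", {}).get("CustomListItems", [])
    return [item.get("Name", "") for item in items if isinstance(item, dict)]


def safari_auto_opens_downloads(home):
    """True while Safari still opens 'safe' downloads by itself. It was the default, so a missing key counts."""
    data = _load_plist(os.path.join(home, PREFS_DIR, SAFARI_PREFS)) or {}
    return bool(data.get("AutoOpenSafeDownloads", True))


def triage(root, names=APP_NAMES):
    """Return (kind, detail) findings for a volume mounted at root."""
    findings = []
    for name in names:
        bundle = os.path.join(root, "Applications", name + ".app")
        if os.path.isdir(bundle):
            findings.append(("app_bundle", bundle))
    users = os.path.join(root, "Users")
    for user in sorted(os.listdir(users)) if os.path.isdir(users) else []:
        home = os.path.join(users, user)
        pref = os.path.join(home, PREFS_DIR, MALWARE_PREF)
        if os.path.isfile(pref):
            findings.append(("preferences", pref))
        for item in login_item_names(home):
            if any(n.lower() in item.lower() for n in names):
                findings.append(("login_item", "%s: %s" % (user, item)))
        if safari_auto_opens_downloads(home):
            findings.append(("safari_auto_open", user))
    return findings


def _dump(path, obj):
    with open(path, "wb") as fh:
        plistlib.dump(obj, fh)


def make_fixture():
    """Constructed sample volume: 'alice' carries all three artefacts and Safari's default; 'bob' is clean."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "Applications", "MacProtector.app", "Contents", "MacOS"))
    alice = os.path.join(root, "Users", "alice", PREFS_DIR)
    bob = os.path.join(root, "Users", "bob", PREFS_DIR)
    os.makedirs(alice)
    os.makedirs(bob)
    _dump(os.path.join(alice, MALWARE_PREF), {"installed": True})
    _dump(os.path.join(alice, LOGIN_ITEMS),
          {"SessionItems": {"CustomListItems": [{"Name": "MacProtector"}, {"Name": "iTunesHelper"}]}})
    _dump(os.path.join(alice, SAFARI_PREFS), {"AutoOpenSafeDownloads": True})   # the weak default
    _dump(os.path.join(bob, SAFARI_PREFS), {"AutoOpenSafeDownloads": False})    # the hardened setting
    return root


if __name__ == "__main__":
    for kind, detail in triage(make_fixture()):
        print(kind, detail)
```

On a live machine the Safari part of this is the one-liner `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`, and the findings map onto cancerman's removal steps: kill the process, remove the bundle, remove the login item, then fix the Safari setting so the next download does not open itself.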


 Post subject: Re: Virulent Trojan
PostPosted: Sat May 14, 2011 9:55 am 
Benevolent Dictator
Joined: Mon Apr 21, 2008 2:03 am
Posts: 10069
Well, I'm assuming even if they are just "Strings", that it must be using those for access to those functions.


 Post subject: Re: Virulent Trojan
PostPosted: Sat May 14, 2011 1:54 pm 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
I'll set my user agent string to Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 and go browse Google Images for a while. Once I've got a copy I'll see what it does...

- Anonymous


 Post subject: Re: Virulent Trojan
PostPosted: Sat May 14, 2011 2:07 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
It's been known to come from servers at these IPs

69.50.201.198

178.17.162.163


 Post subject: Re: Virulent Trojan
PostPosted: Sat May 14, 2011 3:08 pm 
Benevolent Dictator
Joined: Mon Apr 21, 2008 2:03 am
Posts: 10069
First IP timed out, second one Google Safe browsing stopped, yet had this silly message!?...

Quote:
Safe Browsing
Diagnostic page for 178.17.162.0

What is the current listing status for 178.17.162.0?

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 8 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-05-12, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 1 network(s) including AS43289 (TRABIA).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, 178.17.162.0 did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.


 Post subject: Re: Virulent Trojan
PostPosted: Sun May 15, 2011 9:00 am 
Joined: Thu May 15, 2008 8:25 pm
Posts: 1437
Isn't this still install-and-authenticate malware? Looks like it requires the user to punch in their password.

As always, the best defense against this crap on any platform is to install Common Sense 2.0.


 Post subject: Re: Virulent Trojan
PostPosted: Sun May 15, 2011 10:04 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
Sure, for us who know a bit more, it's just common sense. I've been following this on Apple Discussions since it surfaced and there are many people who know more about doing their laundry in a washer-dryer than they do about using a computer.

At one end of the spectrum, the more knowing arrive vaguely suspicious they might be getting scammed, but at the other end many are hysterical and panicked and really don't understand what's happening. It's not a matter of common sense, but, rather, education. A number actually ask if this alert is really coming from Apple; someone was even ranting at Apple, once he found out it was a scam, for allowing this to happen on the Internet. As it gets more market share, Apple is getting more users in the latter category. I think we'll be seeing more, not less, of this.

Anon: I'll post a link to something if someone over there puts one up. A live link to this will be taken down kind of quickly, though. Apparently, this scammer is rotating through quite a number of servers. As his crap gets taken off, he uses a new one.


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 10:18 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
Don't know if you've had any success finding the Trojan. Perhaps Google has wised up. I've seen a few, recently, where it appears to be coming from msnbc, somewhere.


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 10:52 am 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
Haven't got around to tweaking the user agent string...actual work to do. :(

I need to move to Portland and retire.

- Anonymous


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 11:41 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
Just curious: Why the need to fake the user agent? I thought this thing was available to all comers. (Although, I may remember reading somewhere it was Intel only -- but that was far from being authoritative.) Still, even though it might not install on a PPC, I would have thought it would, at least, jump on to a browser from one.


Last edited by WZZZ on Tue May 17, 2011 12:12 pm, edited 1 time in total.

 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 11:58 am 
Joined: Thu May 15, 2008 8:20 pm
Posts: 1976
Location: by the beach
The Finale of Seem wrote:
...install Common Sense 2.0.
This is difficult for our business office ladies, no matter how much user education, verbal or written, is presented to them. And they do have work-from-home machines where we have to give them admin privs and loose technical support. They work with all kinds of sensitive HR info, which makes it all the more scary.


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 2:23 pm 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
WZZZ wrote:
Just curious: Why the need to fake the user agent? I thought this thing was available to all comers.

I thought it was aimed at Safari for OS X users, as detected from the user agent string...but I could be nuts or read something that isn't (or is no longer) accurate.

- Anonymous


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 2:44 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4062
Location: NYC
Anonymous wrote:
WZZZ wrote:
Just curious: Why the need to fake the user agent? I thought this thing was available to all comers.

I thought it was aimed at Safari for OS X users, as detected from the user agent string...but I could be nuts or read something that isn't (or is no longer) accurate.

- Anonymous

No, it doesn't care about the browser; it's quite happily promiscuous. Safari has gotten more attention in this only because of its wonderful, default "Open "Safe" files after downloading" feature, and because it doesn't flag downloads for approval the way other browsers, like Firefox, will. With Safari, if someone hits a link hijacked with this thing, it's there in the blink of an eye without anyone noticing what happened. And then OS X doesn't quarantine mpkg.zip files, in which form this has been coming. They just get to run immediately.

But I don't know if, for installation, it's a Universal Binary or not. That's why I was wondering if you knew something that made you want to set the user agent to Intel. I would have thought it would gladly jump to any user agent -- I guess as long as it's something in the OS X family -- but I'm not at all sure of this. I'm asking at Apple if anyone knows for sure.

EDIT: OK, I'm hearing it's probably Intel only, but it will still download with a PPC user agent. So, don't know if that means you need to finagle the user agent or not to get a copy.
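
Two questions in this thread have the same answer in the binary's own headers: whether the paths that `strings` pulled out of MacProtector (the dyld, Cocoa, AppKit, libSystem list posted earlier, which AndyBall_UK correctly read as strings inside the app) mean anything about files being installed, and whether the installer is a Universal Binary or Intel-only. Those paths are the program's LC_LOAD_DYLINKER / LC_LOAD_DYLIB load commands, i.e. the libraries it links against (the list above is the normal link set of any Cocoa application), and the fat header at the front of a universal file records which architectures are present. The following is an added example, not code from the thread, from Sophos or from Apple: a parser for both structures in pure Python, with constructed sample images (not the malware) so it can be tested offline. The fixture builders build_thin and build_fat are part of the example, not part of any real toolchain.

```python
import struct
import sys

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit image, native / byte-swapped magic
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit image
FAT_MAGIC = 0xCAFEBABE                             # universal binary wrapper, always big-endian
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB, LC_LOAD_DYLINKER = 0x0C, 0x0E
LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0x18 | LC_REQ_DYLD, 0x1F | LC_REQ_DYLD
PATH_CMDS = {LC_LOAD_DYLIB, LC_LOAD_DYLINKER, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
CPU_X86, CPU_X86_64, CPU_PPC = 7, 7 | 0x01000000, 18
CPU_NAMES = {CPU_X86: "i386", CPU_X86_64: "x86_64", CPU_PPC: "ppc"}


def linked_paths(image):
    """One thin Mach-O image -> (arch name, paths named by its dyld load commands)."""
    magic_be, = struct.unpack_from(">I", image, 0)
    if magic_be in (MH_MAGIC, MH_MAGIC_64):
        e = ">"                                    # big-endian image (ppc)
    elif magic_be in (MH_CIGAM, MH_CIGAM_64):
        e = "<"                                    # little-endian image (i386 / x86_64)
    else:
        raise ValueError("not a Mach-O image: 0x%08x" % magic_be)
    magic, cputype = struct.unpack_from(e + "Ii", image, 0)
    ncmds, = struct.unpack_from(e + "I", image, 16)
    off = 32 if magic == MH_MAGIC_64 else 28       # mach_header_64 carries an extra 'reserved' field
    paths = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(e + "II", image, off)
        if cmdsize < 8 or off + cmdsize > len(image):
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in PATH_CMDS:
            # dylib_command and dylinker_command both keep an lc_str at +8: the offset of the
            # NUL-terminated path, measured from the start of the command
            name_off, = struct.unpack_from(e + "I", image, off + 8)
            raw = image[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return CPU_NAMES.get(cputype, "cpu%d" % cputype), paths


def architectures(blob):
    """Whole file -> {arch: paths}; a universal binary yields one entry per slice."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        arch, paths = linked_paths(blob)
        return {arch: paths}
    nfat, = struct.unpack_from(">I", blob, 4)
    result = {}
    for i in range(nfat):  # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        _cpu, _sub, offset, size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
        arch, paths = linked_paths(blob[offset:offset + size])
        result[arch] = paths
    return result


def is_universal(blob):
    return len(architectures(blob)) > 1


# Constructed fixtures: minimal images laid out the way the linker emits them.
def build_thin(cputype, paths, e="<", is64=False):
    cmds = b""
    for p in paths:
        cmd = LC_LOAD_DYLINKER if p.endswith("/dyld") else LC_LOAD_DYLIB
        fixed = 12 if cmd == LC_LOAD_DYLINKER else 24       # sizeof(dylinker_command) / sizeof(dylib_command)
        body = p.encode() + b"\0"
        size = fixed + len(body)
        size += (-size) % 8                                 # cmdsize is padded to 8 bytes
        cmds += struct.pack(e + "III", cmd, size, fixed)
        if cmd == LC_LOAD_DYLIB:
            cmds += struct.pack(e + "III", 2, 0x10000, 0x10000)  # timestamp, current/compat version
        cmds += body.ljust(size - fixed, b"\0")
    if is64:
        hdr = struct.pack(e + "IiiIIIII", MH_MAGIC_64, cputype, 3, 2, len(paths), len(cmds), 0, 0)
    else:
        hdr = struct.pack(e + "IiiIIII", MH_MAGIC, cputype, 3, 2, len(paths), len(cmds), 0)
    return hdr + cmds


def build_fat(slices):
    """[(cputype, thin image)] -> universal binary with 4 KiB-aligned slices, as lipo lays it out."""
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    offset, body = 4096, b""
    for cputype, img in slices:
        out += struct.pack(">iiIII", cputype, 3, offset, len(img), 12)
        padded = img.ljust(-(-len(img) // 4096) * 4096, b"\0")
        body += padded
        offset += len(padded)
    return out.ljust(4096, b"\0") + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for arch, linked in architectures(fh.read()).items():
            print(arch, *linked, sep="\n    ")
```

On a Mac the same two answers come from `otool -L` and `lipo -info`; the point of spelling it out is that the load commands are an import table, so seeing /usr/lib/dyld or AppKit in a dump says nothing about the program writing to those locations. What a bundle-style .mpkg actually installs is recorded in each sub-package's Contents/Archive.bom, which `lsbom` lists. One caveat on the fat magic: Java class files also begin with 0xCAFEBABE, so a real tool should sanity-check that the arch count is small before trusting the fat header.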


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 3:14 pm 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
WZZZ wrote:
EDIT: OK, I'm hearing it's probably Intel only, but it will still download with a PPC user agent. So, don't know if that means you need to finagle the user agent or not to get a copy.

If it'll be delivered irrespective of user agent string, then you should be able to get a copy with a PPC. That is, it either ignores the string or it changes its behavior based on the string. If the latter, then it doesn't matter if you're PPC or Intel, because it'll almost certainly be determining that from the string.

Responding differently to certain user agents is a cute way of delivering your intended payload to the intended targets. For example, you might deliver pariswithjello.jpg to Google, and virulentJavaThing.jar to Netscape 4 users, or whatever.

- Anonymous
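
The post above describes User-Agent cloaking from the server's side and, implicitly, the test for it: request the same URL under several UA strings and see whether the answers differ. Here is an added example that does both, not code from the thread or from any real campaign. It takes the Intel/Safari UA string quoted earlier in the thread as one input; the PPC, Windows and Googlebot strings, the payload stand-ins and the routing rules are constructed for illustration (the thread reports that the real servers also answered PPC user agents, so the Intel-only rule below is a hypothetical, not a description of them). A crawler-aware server of this kind is also one reason a Safe Browsing diagnostic like the one quoted earlier can come back clean.

```python
import hashlib
import re

# UA string quoted in the thread (Intel Mac, Safari 5.0.4 on 10.6.7); the rest are constructed.
UA_INTEL_SAFARI = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) "
                   "AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27")
UA_PPC_FIREFOX = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.17) "
                  "Gecko/20110420 Firefox/3.6.17")
UA_WINDOWS_IE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

_MAC = re.compile(r"(Intel|PPC) Mac OS X (\d+)[._](\d+)(?:[._](\d+))?")


def ua_profile(ua):
    """Pull the fields a redirector keys on out of a User-Agent string."""
    m = _MAC.search(ua)
    if m:
        os_name, arch = "Mac OS X", m.group(1)
        version = tuple(int(x) for x in m.groups()[1:] if x is not None)
    elif "Windows" in ua:
        os_name, arch, version = "Windows", None, ()
    else:
        os_name, arch, version = "other", None, ()
    if "Firefox/" in ua:
        browser = "Firefox"
    elif "Safari/" in ua and "Chrome/" not in ua:   # Chrome also advertises Safari/
        browser = "Safari"
    elif "MSIE" in ua:
        browser = "MSIE"
    else:
        browser = "unknown"
    return {"os": os_name, "arch": arch, "version": version, "browser": browser,
            "crawler": "Googlebot" in ua}


# Constructed stand-ins for what a cloaking server hands out; none of this is a real payload.
PAYLOADS = {
    "mac_installer": b"PK\x03\x04 constructed stand-in for anti-malware.zip",
    "windows_fakeav": b"MZ constructed stand-in for a Windows fake-AV setup.exe",
    "decoy_image": b"\xff\xd8\xff\xe0 constructed stand-in for an innocuous JPEG",
}


def route(ua):
    """Attacker-side logic (hypothetical rules): pick a payload from the UA; crawlers get the decoy."""
    p = ua_profile(ua)
    if p["crawler"]:
        return "decoy_image"
    if p["os"] == "Mac OS X" and p["arch"] == "Intel":
        return "mac_installer"
    if p["os"] == "Windows":
        return "windows_fakeav"
    return "decoy_image"


def fake_server(ua):
    return PAYLOADS[route(ua)]


def probe(fetch, user_agents):
    """Responder side: fetch the same URL under several UAs and group the UAs by response hash."""
    groups = {}
    for ua in user_agents:
        digest = hashlib.sha256(fetch(ua)).hexdigest()[:16]
        groups.setdefault(digest, []).append(ua)
    return groups


def is_cloaking(groups):
    """More than one distinct response for one URL means the server keys on User-Agent."""
    return len(groups) > 1


def http_fetcher(url, timeout=15):
    """Real fetcher for probe(); use only from an isolated analysis host. Not called offline."""
    import urllib.request

    def fetch(ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    return fetch


if __name__ == "__main__":
    for digest, uas in probe(fake_server, [UA_INTEL_SAFARI, UA_PPC_FIREFOX, UA_WINDOWS_IE, UA_GOOGLEBOT]).items():
        print(digest, uas)
```

Against a live redirector you would pass `probe(http_fetcher(url), [...])` from a throwaway VM; one UA string per suspected target class is enough, and a single hash group across all of them is the "ignores the string" case the post describes, while several groups is the "changes its behavior" case, which also tells you which UA to present to obtain the sample.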


 Post subject: Re: Virulent Trojan
PostPosted: Tue May 17, 2011 3:18 pm 
Master
Joined: Sun Apr 20, 2008 5:24 am
Posts: 8828
Location: North of the State of Jefferson
Are the links that deliver the trojan those to the web page in general, or the actual image link?

I clicked about a dozen things in Google Image Search and did not get pwn3d. Why can't I download malware when I want to?

- Anonymous

