XYMer's Home away from Home • View topic

View unanswered posts | View active topics

Board index » Computers » Networking and Internet

All times are UTC - 8 hours

Virulent Trojan

Page 1 of 2

[ 46 posts ]

Go to page 1, 2 Next

Print view

Previous topic | Next topic

Author

Message

WZZZ

Post subject: Virulent Trojan

Posted: Fri May 13, 2011 8:48 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

This has been all over Apple Discussions for almost the past two weeks. I'm seeing many people being suckered by this thing. Keeps changing and using different names. I'd imagine everyone here already knows, but here are two worthwhile links.

http://www.securelist.com/en/blog/6211/ ... _Mac_users

http://blog.unmaskparasites.com/2011/05 ... h-results/

Top

mc68k

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 11:11 am

Joined: Thu May 15, 2008 8:20 pm
Posts: 1829
Location: on the beach

that detailed unmasked parasites link was amazing. i sent it to my IT cohorts

this is of extreme interest at my workplace. our receptionist DLed it this week supposedly surfing MSN
sophos picked it up on her iMac. we had a chance to take it apart a little bit

Quote:

Scan items:
Path: /Users/[name removed]/Downloads/death/anti-malware.zip enabled: yes
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: No
Action on infected files: Report only

Scan started at 2011-05-10 15:32:53 -0700

2011-05-10 15:32:53 -0700 Threat: 'OSX/FakeAV-A' detected in /Users/nate/Downloads/death/anti-malware.zip/MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz/Archive.pax/./MacProtector.app/Contents/MacOS/MacProtector

Scan completed at 2011-05-10 15:32:53 -0700.
1 items scanned, 1 threats detected, 0 issues

Looking at the payload, it looks like it root kits the OS:

/usr/lib/dyld
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

scary shit. ppl get pwned by this shit all the time on the PC side

Top

BDAqua

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 11:12 am

Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 7927

Thanks, great details in that 2nd link!

Top

mc68k

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 11:16 am

Joined: Thu May 15, 2008 8:20 pm
Posts: 1829
Location: on the beach

looks like my boss emailed these links to all of our users

thx WZZZ :ugeek:

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 12:41 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

mc68k: I posted the payload code you found, above, including your comment that it looks like a root kit and included a link to this topic, here. (Wish I could get everyone together on a conference call on this one, instead of relaying quotes, which is about all I feel competent doing right now.)

From AndyBall_UK on Apple Discussions.

https://discussions.apple.com/message/15194309#15194309

Quote:

Re: Mac Malware/poisoned images
May 13, 2011 4:19 PM (in response to WZZZ)

>>Looking at the payload, it looks like it root kits the OS:

snip...

Unless that's a very different variant from those I've seen - they're just strings from inside the application, ( eg - /Applications/MacProtector.app/Contents/MacOS/MacProtector ) not actual files to be installed.

Did you find that code from elsewhere than inside the app?

Not that I even begin to really grasp the details, the modus operandi of that SEO poisoning and redirecting does seem breath taking in its ingeniousness and complexity.

Top

mc68k

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 3:02 pm

Joined: Thu May 15, 2008 8:20 pm
Posts: 1829
Location: on the beach

yeah i'm assuming that was a result of a 'strings' command. those are bad places in the OS for things to be happening not from apple

ours also had shiny mac icons buttons and such

the noscript idea in the apple thread was immediately what i thought of as defense against this. the user that got this, and many of our business office users don't have admin access. but we do have a ton of laptop users that do

Attachments:

PastedGraphic-1.jpg [ 174.09 KiB | Viewed 1186 times ]

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 4:43 pm

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

Hey, Safari makes it easy for stuff like this*. I've been waiting for it to show up. It was only a matter of time**. Google, for their part, needs to get their shit together and stamp this stuff out of the image search results. Personally, I don't use image search, not just because it's a lovely route for malware (thanks to Google's neglect of that issue), but also nudged along by Google's click-through tracking and results frames. I also don't use Safari.

Thanks human race! Some days I think I hate people.

- Anonymous

* Note that while Safari has some really miserable design decisions that make it a warm soft target, using a different browser doesn't prevent someone from installing this sort of thing.

** Now someone just needs to find a new security flaw that allows an attacker to automatically open a document or launch a program at a specified local path, and they can have the malware installer auto-open itself, at which point a scared user could install it. This class of flaws isn't too uncommon, and again, Safari helps out thanks to its "automatically open (un)safe downloads" behavior. Or better yet, you could plant a local privilege escalation exploit in the installer, and bingo, insta-rooted, just by browsing the wrong site. Local privilege escalation flaws are even more common, and often considered lower risk. And finally, the last I heard Apple didn't think auto-downloading and opening files with no user interaction constituted a security flaw, but I haven't kept up with their view of the issue. And why should I? Apple is infallible. Just pray some Apple tech doc doesn't some day misprint the value of pi.
:roll:

Top

MonkeyBoy

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 6:53 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 5281
Location: Inner Suburbia

Only tangentially related, but at work our Mac-only lab caught at least one system trying to load data from js.tongji.linezing.com, which was implicated in an SQL injection attack all the way back in 2009.

Odd that the domain is still up and active, despite being a .com domain. The Chinese must be particular strident about shielding their hackers from international influence.

Top

cancerman

Post subject: Re: Virulent Trojan

Posted: Fri May 13, 2011 10:04 pm

Executive Director of the x704.net Think Tank

Joined: Thu May 15, 2008 8:05 pm
Posts: 2745

A mac user had this today, though it was called Mac Protector. Couldn't be more easy to remove though, in malware terms. Force quit Mac Protector in Activity Monitor, delete Mac Protector from Applications, delete Mac Protector from Login Items. Uncheck "Open safe downloads..." in Safari. Kiddie stuff.

_________________
I believe in a long, prolonged derangement of the senses to attain the unknown.
-Jim Morrison.

On Obama: "Muhammad Ali also had a way with words, but it helped enormously that he could punch guys in the face."
-Bill Maher

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Sat May 14, 2011 12:36 am

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

cancerman wrote:

...Uncheck "Open safe downloads..." in Safari. Kiddie stuff.

But which, it must be pointed out, is still enabled by default even though at last count Safari will also automatically download files without user interaction!

- Anonymous :upset:

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Sat May 14, 2011 7:24 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

mc68k wrote:

yeah i'm assuming that was a result of a 'strings' command. those are bad places in the OS for things to be happening not from apple

Has anyone decided if the payload of this thing really does involve a rootkit? This is not being mentioned anywhere in the numerous articles all over the place and from those who've completely analyzed it.

The only files it appears to install are something in the Applications Folder, a Login Item and com.alppe.spav.plist in ~Library/Preferences.

Top

BDAqua

Post subject: Re: Virulent Trojan

Posted: Sat May 14, 2011 9:55 am

Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 7927

Well, I'm assuming even if they are just "Strings", that it must be using those for access to those functions.

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Sat May 14, 2011 1:54 pm

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

I'll set my user agent string to Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 and go browse Google Images for a while. Once I've got a copy I'll see what it does...

- Anonymous

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Sat May 14, 2011 2:07 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

It's been known to come from servers at these IPs

69.50.201.198

178.17.162.163

Top

BDAqua

Post subject: Re: Virulent Trojan

Posted: Sat May 14, 2011 3:08 pm

Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 7927

First IP timed out, second one Google Safe browsing stopped, yet had this silly message!?...

Quote:

Safe Browsing
Diagnostic page for 178.17.162.0

What is the current listing status for 178.17.162.0?

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 8 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-05-12, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 1 network(s) including AS43289 (TRABIA).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, 178.17.162.0 did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

Top

The Finale of Seem

Post subject: Re: Virulent Trojan

Posted: Sun May 15, 2011 9:00 am

Joined: Thu May 15, 2008 8:25 pm
Posts: 1414

Isn't this still install-and-authenticate malware? Looks like it requires the user to punch in their password.

As always, the best defense against this crap on any platform is to install Common Sense 2.0.

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Sun May 15, 2011 10:04 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

Sure, for us who know a bit more, it's just common sense. I've been following this on Apple Discussions since it surfaced and there are many people who know more about doing their laundry in a washer-dryer than they do about using a computer.

At one end of the spectrum, the more knowing arrive vaguely suspicious they might be getting scammed, but at the other end many are hysterical and panicked and really don't understand what's happening. It's not a matter of common sense, but, rather, education. A number actually ask if this alert is really coming from Apple; someone was even ranting at Apple, once he found out it was a scam, for allowing this to happen on the Internet. As it gets more market share, Apple is getting more users in the latter category. I think we'll be seeing more, not less, of this.

Anon: I'll post a link to something if someone over there puts one up. A live link to this will be taken down kind of quickly, though. Apparently, this scammer is rotating through quite a number of servers. As his crap gets taken off, he uses a new one.

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 10:18 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

Don't know if you've had any success finding the Trojan. Perhaps Google has wised up. I've seen a few, recently, where it appears to be coming from msnbc, somewhere.

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 10:52 am

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

Haven't got around to tweaking the user agent string...actual work to do.

I need to move to Portland and retire.

- Anonymous

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 11:41 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

Just curious: Why the need to fake the user agent? I thought this thing was available to all comers. (Although, I may remember reading somewhere it was Intel only -- but that was far from being authoritative.) Still, even though it might not install on a PPC, I would have thought it would, at least, jump on to a browser from one.

Last edited by WZZZ on Tue May 17, 2011 12:12 pm, edited 1 time in total.

Top

mc68k

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 11:58 am

Joined: Thu May 15, 2008 8:20 pm
Posts: 1829
Location: on the beach

The Finale of Seem wrote:

...install Common Sense 2.0.

this is difficult for our business office ladies, no matter how much user education verbally or written is presented to them. and they do have work-from-home machines where we have to give them admin privs and loose technical support. they work with all kinds of sensitive HR info, which makes it all the more scary

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 2:23 pm

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

WZZZ wrote:

Just curious: Why the need to fake the user agent? I thought this thing was available to all comers.

I thought it was aimed at Safari for OS X users, as detected from the user agent string...but I could be nuts or read something that isn't (or is no longer) accurate.

- Anonymous

Top

WZZZ

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 2:44 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 3218
Location: NYC

Anonymous wrote:

WZZZ wrote:

Just curious: Why the need to fake the user agent? I thought this thing was available to all comers.

I thought it was aimed at Safari for OS X users, as detected from the user agent string...but I could be nuts or read something that isn't (or is no longer) accurate.

- Anonymous

No, it doesn't care about the browser; it's quite happily promiscuous. Safari has gotten more attention in this only because of its wonderful, default "Open "Safe" files after downloading" feature, and that it doesn't flag downloads for approval the way other browsers, like Firefox, will. With Safari, if someone hits a link hijacked with this thing, it's there in the blink of any eye without anyone noticing what happened. And, then, OS X doesn't quarantine mpkg.zip files, in which form this has been coming. They just get to run immediately.

But, I don't know if, for installation, it's a Universal Binary or not. That's why I was wondering if you knew something that made you want to set the user agent to Intel. I would have thought it would gladly jump to any user agent -- I guess as long as long as it's something in the OS X family -- but not at all sure of this. I'm asking at Apple if anyone knows, for sure.

EDIT: OK, I'm hearing it's probably Intel only, but it will still download with a PPC user agent. So, don't know if that means you need to finagle the user agent or not to get a copy.

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 3:14 pm

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

WZZZ wrote:

EDIT: OK, I'm hearing it's probably Intel only, but it will still download with a PPC user agent. So, don't know if that means you need to finagle the user agent or not to get a copy.

If it'll be delivered irrespective of user agent string, then you should be able to get a copy with a PPC. That is, it either ignores the string or it changes its behavior based on the string. If the latter, then it doesn't matter if you're PPC or Intel, because it'll almost certainly be determining that from the string.

Responding differently to certain user agents is a cute way to delivering your intended payload to the intended targets. For example, you might deliver pariswithjello.jpg to Google, and virulentJavaThing.jar to Netscape 4 users, or whatever.

- Anonymous

Top

Anonymous

Post subject: Re: Virulent Trojan

Posted: Tue May 17, 2011 3:18 pm

Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8211
Location: North of the State of Jefferson

Are the links that deliver the trojan those to the web page in general, or the actual image link?

I clicked about a dozen things in Google Image Search and did not get pwn3d. Why can't I download malware when I want to?

- Anonymous

Top

Page 1 of 2

[ 46 posts ]

Go to page 1, 2 Next

Board index » Computers » Networking and Internet

All times are UTC - 8 hours

Who is online

Users browsing this forum: No registered users and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum