Showing posts with label pupper. Show all posts

Sunday, April 6, 2008

How To Download DNSChanger DMG In Windows?

Last December 27, I blogged about Trojan DNSChanger in a post entitled "Mac OS X: 2007 Year Ender for Zlob", in which I mentioned the following:
  • Zlob and fake codec history
  • List of Zlob distribution domains
  • Trojan DNSChanger checks whether the user is downloading on Windows or Mac
  • Network information that leads to the Russian Business Network (RBN)
On January 2, I wrote a follow-up article entitled "Impersonating Mac Browser". This article explains how Trojan DNSChanger serves the right executable to the requesting user and how to impersonate a Mac browser to download the right DMG file.

On January 10, I posted "Analysis of OSX Trojan DNS Changer".

Why am I discussing this again?

Because there is an increasing prevalence of this threat, which is capturing more attention from malware analysts. Just recently, I received an email that says "New DNS Changer" with an attachment "jetcodec1000.dmg". Unfortunately, the DMG file was not properly downloaded; instead, the file contains an MZ header, which means it is a Windows executable.

Unfortunately, it was the same story posted in the ISC Diary "When is a DMG file not a DMG file".

So, how to download DNSChanger DMG file in Windows?

When you visit any of the Trojan DNSChanger websites, your browser sends User-Agent information to the server, which contains details about your operating system, the web browser you use, the application version and your language preference. Based on this information, the malicious server decides whether to serve a PE file for Windows or a DMG file for Mac.

This means that you cannot download the right file simply by modifying the URL. In this case, you need to impersonate a Mac browser by changing your User-Agent to this value:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)

To perform this task, you can use either Wget for Windows or Malzilla.

Using Wget

Example:

[c:\] wget -U "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)" http://jetcodec.com/download/jetcodec1000.dmg

Note: -U is short for --user-agent.

This site (jetcodec.com) is not available today, but there is another site that is up today, and I can show you how this works.
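The same two steps in script form, as an added Python example that is not code from the original post: request the download with the Mac User-Agent quoted above (standard library only, no Wget), then verify by magic bytes what actually came back. A Windows PE begins with "MZ"; a UDIF .dmg ends with a 512-byte trailer whose first four bytes are "koly" (raw or non-UDIF images lack that trailer and would be reported as unknown). The extension check is what would have flagged the mislabelled jetcodec1000.dmg attachment. The URL in the demo is a placeholder, and the sample bytes are constructed, not taken from any real file.

```python
"""Spoof a Mac User-Agent for a download and sanity-check the result by magic bytes."""
import urllib.request

# User-Agent string quoted in the post (the value handed to wget -U)
MAC_USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)"
# A generic Windows browser string, assumed for the comparison below
WINDOWS_USER_AGENT = "Mozilla/5.0 (Windows NT 5.1)"


def identify_download(data: bytes) -> str:
    """Classify a downloaded blob by its magic bytes, not by its file name."""
    if data[:2] == b"MZ":                       # DOS/PE header: Windows executable
        return "PE (Windows executable)"
    if len(data) >= 512 and data[-512:-508] == b"koly":   # UDIF trailer at EOF
        return "DMG (UDIF disk image)"
    return "unknown"


def extension_matches_content(filename: str, data: bytes) -> bool:
    """True when the file's extension agrees with what the bytes really are."""
    kind = identify_download(data)
    name = filename.lower()
    if name.endswith(".dmg"):
        return kind.startswith("DMG")
    if name.endswith(".exe"):
        return kind.startswith("PE")
    return False


def fetch_with_user_agent(url: str, user_agent: str, timeout: float = 30.0) -> bytes:
    """Download url while presenting the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def compare_user_agents(url: str) -> dict:
    """Fetch the same URL as Windows and as Mac and report what each UA receives.
    Different answers show the server is selecting the payload by User-Agent."""
    return {
        "windows": identify_download(fetch_with_user_agent(url, WINDOWS_USER_AGENT)),
        "mac": identify_download(fetch_with_user_agent(url, MAC_USER_AGENT)),
    }


if __name__ == "__main__":
    # Constructed sample bytes standing in for two downloads (not real samples)
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    fake_dmg = b"\x00" * 1024 + b"koly" + b"\x00" * 508
    for name, blob in [("jetcodec1000.dmg", fake_pe), ("jetcodec1000.dmg", fake_dmg)]:
        print(name, "->", identify_download(blob),
              "(extension OK)" if extension_matches_content(name, blob) else "(MISLABELLED)")
    # Live check against a hypothetical URL; uncomment only against a host you control:
    # print(compare_user_agents("http://example.invalid/download/codec.dmg"))
```

Classifying by content rather than by the name the server chose is the habit to keep: a .dmg attachment that starts with MZ is the Windows build served to the wrong client, and comparing what two User-Agents receive from one URL is a quick way to confirm the server is cloaking.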



Using Malzilla



I just created a YouTube account and started to upload demo videos; hopefully this week I can upload a video for this one.

Thursday, December 27, 2007

Mac OS X: 2007 Year Ender for Zlob

Zlob has been proliferating on the Windows platform since 2005. It started as a simple trojan downloader and stealer that is capable of checking for and installing updates to itself.

Then, last year, this trojan stood out from the crowd of other competing malware. A new variant reached users via email, employing social engineering tactics to attract users into clicking a link to a video. However, the video does not play successfully without installing the required codec. This trick persuades the user to install the fake codec; unknowingly, the user has just installed the malware!


The surge of file shares, free downloads, blogs and social websites has created a perfect opportunity for Zlob to infiltrate networks. Evidently, the growing number of domain names and clicks has been a useful tool for Zlob to stay visible in search engines.

Yes, all of this worked on Windows until late this year (November), when this trojan crossed over to Mac, specifically OS X. Suddenly, a list of domain names was capable of serving installers for both Windows and Mac users. The domain names hosting the Zlob fake codec for Mac users do not sleep: they stay online 24x7 and are increasing in number. It's out there in the wild!


These sites are smart enough to check whether you are running Windows or Mac. Then, they give you the right installer: either a Windows Executable (EXE) or a Disk Image (DMG) for Mac.




Who's behind Zlob? Let's investigate its network connections ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Web Site: http://codecdemo.com

A  --> 64.28.184.189 --PTR--> 64.28.184.189-rev.cernel.net
NS --> ns1.codecdemo.com --A--> 64.28.181.226 --PTR--> 64-28-181-226-rev.cernel.net
NS --> ns2.codecdemo.com --A--> 64.28.181.227 --PTR--> 64-28-181-227-rev.cernel.net
MX --> 10 mail.codecdemo.com --A--> 64.28.184.164 --PTR--> 64-28-184-164-rev.cernel.net

NET --> gw1.cernel.net [64.28.176.1] --> AS27595

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Intercage [AS27595] is hosted by Atrivo in the US, which is apparently related to the Russian Business Network (RBN). This host serves a number of domain names related to fake codecs and rogue applications such as spysheriff, winspykiller, AntiVirGear and many more.

In conclusion, the massive increase in sophisticated and organized cyber crime boils down to the pursuit of profit, and Mac users are no longer subject only to proofs of concept. The world's most notorious attackers are now introducing web-based cross-platform malware, and this should raise awareness.