NEWS FROM THE LAB - Tuesday, March 31, 2009
Not A MacCinema Installer
Posted by Response @ 09:37 GMT

We recently received a Mac sample, with a Disk Image File (DMG) extension, that claims to be a MacCinema Installer. The file was downloaded from the following link:

  •  http://power-best.com/download/[...]/Flash.Player.Update.v9.19.dmg

This is a fake video site that serves a fake Adobe Flash Player update for Macs, supposedly to watch a video.

Anyway, when mounted the DMG file has a package file named "install.pkg". Here's the snapshot of what you get when you open the package:

[Screenshot: Install]

The "install.pkg" file contains the following files:

[Screenshot: contents of install.pkg]

We extracted the "Archive.pax.gz" which contains the following files:

[Screenshot: contents of Archive.pax.gz]

We analyzed each file and found that "AdobeFlash", "preinstall" and "preupgrade" are all the same thing, which is actually an obfuscated bash script:

[Screenshot: obfuscated bash script]

So here's the de-obfuscated script:

[Screenshot: de-obfuscated bash script, part 1]

Based on the above code, the script searches for the string "AdobeFlash" in the scheduled jobs (crontab) list; if the string isn't there, the script adds the following scheduled job, which runs the "AdobeFlash" file every 5 hours:

"* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1"

Here's the de-obfuscated script after crontab instructions:

[Screenshot: de-obfuscated bash script, part 2 (after the crontab instructions)]

The above code reveals that it will download and execute files from the following site: http://94.247.2.[...]/cgi-bin/generator.pl.

Along with these downloads, it also sends the following information about the infected system:

  •  System Information Processor Type
  •  Computer Name

The downloaded file is also an obfuscated bash script:

[Screenshot: obfuscated bash script downloaded from generator.pl]

Again, here's the de-obfuscated script of the downloaded file:

[Screenshot: de-obfuscated downloaded script]

The above code shows that it will modify the infected system's DNS server to one of the following:

  •  85.255.112.205
  •  85.255.112.237

This range of IP addresses is owned by UkrTeleGroup. We'd recommend blocking DNS traffic to 85.255.112.0 – 85.255.127.255.
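The two host-side indicators from the analysis above, the cron persistence entry and a resolver inside the rogue DNS range, turned into a small defender-side check. This is an added example, not code from the post or from the sample itself; it works on text passed in as arguments so it runs offline, and the sample crontab lines and DNS server list are constructed (the infected crontab line is the one quoted above). On a live Mac you would feed it the output of `crontab -l` for each user and the resolvers reported by `scutil --dns` or `networksetup -getdnsservers`.

```shell
#!/bin/sh
# Added example (not from the F-Secure post): checks for the two indicators
# described in the analysis, on input supplied by the caller.

# Indicator 1: the persistence job. The post's crontab entry runs
# "/Library/Internet Plug-Ins/AdobeFlash"; matching on that path is more
# robust than matching on the schedule. (In crontab syntax "* */5 * * *" has
# "*" in the minute field, so the job is rescheduled very frequently; killing
# the running process without removing the entry is not enough.)
CRON_IOC='/Library/Internet Plug-Ins/AdobeFlash'

# crontab_has_ioc <crontab text>  -> prints "found" or "clean"
crontab_has_ioc() {
    case "$1" in
        *"$CRON_IOC"*) echo found ;;
        *)             echo clean ;;
    esac
}

# Indicator 2: a DNS server in 85.255.112.0 - 85.255.127.255, the range the
# post recommends blocking. That range is exactly 85.255.112.0/20, so the test
# is: first two octets 85.255 and third octet between 112 and 127 inclusive.
# ip_in_rogue_dns_range <dotted-quad> -> prints "rogue", "ok" or "invalid"
ip_in_rogue_dns_range() {
    ip=$1
    # split the address on dots using the shell's own field splitting
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    if [ "$#" -ne 4 ]; then
        echo invalid; return 2
    fi
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in
            ''|*[!0-9]*) echo invalid; return 2 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 2; }
    done
    if [ "$1" -eq 85 ] && [ "$2" -eq 255 ] && [ "$3" -ge 112 ] && [ "$3" -le 127 ]; then
        echo rogue; return 0
    fi
    echo ok; return 1
}

# scan_dns_servers <space-separated addresses> -> prints the rogue ones, one per line
scan_dns_servers() {
    for s in $1; do
        if [ "$(ip_in_rogue_dns_range "$s")" = rogue ]; then
            echo "$s"
        fi
    done
    return 0
}

# Constructed sample input. The infected crontab line is the entry quoted in
# the post; the clean line and the resolver list are made up for this example.
SAMPLE_CRONTAB_INFECTED='* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1'
SAMPLE_CRONTAB_CLEAN='0 3 * * * /usr/bin/periodic daily'
SAMPLE_DNS='192.168.1.1 85.255.112.205 8.8.8.8 85.255.127.3'

# Demo run over the constructed input.
echo "infected crontab: $(crontab_has_ioc "$SAMPLE_CRONTAB_INFECTED")"
echo "clean crontab:    $(crontab_has_ioc "$SAMPLE_CRONTAB_CLEAN")"
echo "rogue resolvers:"
scan_dns_servers "$SAMPLE_DNS"
```

The range check deliberately covers the whole /20 rather than only the two addresses listed, since the post's blocking advice is for the range; anything outside 85.255.112.0/20, including 85.255.111.255 and 85.255.128.0, is reported as ok.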

Response Team post by — Lordian