162 Replies. Latest reply: Jun 1, 2015 5:52 PM by Kurt Lang
  • WZZZ Level 6
    Mac OS X

    Thanks for all the good work. From your blog.


    I don’t know what data was sent, perhaps someone experienced with packet sniffing could test and let us know.  (Edit: I took a shot at collecting the data in Wireshark, and the relevant packets can be seen here.  None of it looks particularly disturbing to me, but I’m far from an expert at network packet analysis.)

    Would you, perhaps, want to forward that on for further analysis? This was the URL MadMacs0 from ClamX provided.


    EDIT: Please see my recent post replying to MadMacs0. I took the liberty of referring him to your blog and the packets dump.


    I also gave him a link to this thread.


    Message was edited by: WZZZ

  • MadMacs0 Level 5

    Thomas and I have exchanged emails on some of this and I check his site twice a day, but had not checked yet tonight, so thanks for pointing it out.


    Mostly we discussed the need for a more limited forum to share information without helping the malware developers out there.  I know the commercial guys do this, but folks at our level cannot be part of it.


    I'm afraid packet dumps aren't my area of expertise.  I do have Wireshark and have run a few captures, but was quickly overwhelmed by the sheer volume of it and understood maybe 10% of it, if that.


    I did provide a comment back to Thomas that those two text files appear to be output files for Terminal commands ps and df.  I can only guess they are used to convince the user that it is really doing something by referencing things that can be easily verified.  I agree with Thomas that such info would not be useful.


    I was almost certain that it was phoning home when I took a look at the first version and found an IP that wasn't previously associated with distributing the Trojan.  One of the early reports also speculated this.  Unfortunately I don't yet have an Intel Mac, so my analysis ability on this is quite limited.


    I don't think that VirusTotal is going to help us with this one.  They run most AV engines against submitted files to see which ones match existing signatures.  Community volunteers independently evaluate submissions and express their opinions as to which are threats of what kind and similarity to known malware.  Vendors have access to the files and are free to develop signatures or not, as they choose.  I don't know that any of these are in the business of monitoring outgoing communications.  That's where firewalls and software such as Little Snitch work best.

  • R C-R Level 6

    William Kucharski wrote:

    If you really got it from an Apple Store, tell us which one so we can notify them.

    I think mim_aus means Intego Virus Barrier was purchased from an Apple store.

  • g_wolfman Level 4

    Had a look at your packet dump.  Frame 10 appears to be the application phoning home - the "affid" and "data" content in the HTTP string suggests that a php automatic form filler-style authenticated login is being used at their end (nice to see they're thinking about security.../sarcasm)


    Frame 12 is missing, so I don't know what was requested from the other end, for which frame 13 is the HTTP 200 OK response.  However frame 15 appears to be the other end sending back a cookie (probably the session authentication for the login from frame 10) so it's probably just more of the same.


    Frames 77 onwards are a pretty standard tear down of the session.


    Was there anything in frames 17 - 76?  If not (for example if that was traffic to other legitimate destinations filtered out by your selection statements) then I'd suggest that no data was transmitted.  However, that doesn't mean it won't in future versions of the malware.  This could very well be evidence of an incremental evolution of the system (make sure we can connect in this version, send some data in the next, then start trying to rape the hard drive after that...?)


    Just my two cents.

  • R C-R Level 6

    I have no doubt that this trojan won't evolve to do more once it gets into the computer, but is there any reason to think it can do anything at all unless it is installed & run?


    From all I have read & from my own limited experimentation, its only attack vector is the same as any other Mac trojan: it must trick the user into installing & running it before it can do anything malicious.


    Regardless, it is unlikely it will intentionally be evolved into anything that deletes user files or displays nasty pictures. Serious malware authors are not in this for glory or the sheer joy of annoying Mac users. They are criminals interested only in profit, & the more stealthy they can make the infection, the better they can maximize that.

  • Linc Davis Level 10

    Regardless, it is unlikely it will intentionally be evolved into anything that deletes user files or displays nasty pictures.


    It already displays nasty pictures. I see no reason to assume that future versions won't delete files, and then blame the deletions on imaginary viruses, while offering to remove those viruses. This guy needs to ratchet up the pressure to make a quick score before the vic wises up.

  • thomas_r. Level 7
    Mac OS X

    I captured everything for a short period of time - I don't really know enough about Wireshark to be able to filter the output.  I still have that raw file saved, but the copy I uploaded had all transactions to other addresses removed.  Perhaps I trimmed too much?  I don't know enough to be able to say.  Here's frame 12, let me know if that looks related or unrelated...


    No.     Time           Source                Destination           Protocol Info
         12 20.275374000   fe80::ec5b:d9b6:74d5:5b47 ff02::c               SSDP     M-SEARCH * HTTP/1.1 
    Frame 12 (208 bytes on wire, 208 bytes captured)
    Ethernet II, Src: IntelCor_49:7c:94 (00:27:10:49:7c:94), Dst: IPv6mcast_00:00:00:0c (33:33:00:00:00:0c)
    Internet Protocol Version 6
    User Datagram Protocol, Src Port: 52461 (52461), Dst Port: ssdp (1900)
    Hypertext Transfer Protocol
    0000  33 33 00 00 00 0c 00 27 10 49 7c 94 86 dd 60 00   33.....'.I|...`.
    0010  00 00 00 9a 11 01 fe 80 00 00 00 00 00 00 ec 5b   ...............[
    0020  d9 b6 74 d5 5b 47 ff 02 00 00 00 00 00 00 00 00   ..t.[G..........
    0030  00 00 00 00 00 0c cc ed 07 6c 00 9a 34 42 4d 2d   .........l..4BM-
    0040  53 45 41 52 43 48 20 2a 20 48 54 54 50 2f 31 2e   SEARCH * HTTP/1.
    0050  31 0d 0a 48 6f 73 74 3a 5b 46 46 30 32 3a 3a 43   1..Host:[FF02::C
    0060  5d 3a 31 39 30 30 0d 0a 53 54 3a 75 72 6e 3a 4d   ]:1900..ST:urn:M
    0070  69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73   icrosoft Windows
    0080  20 50 65 65 72 20 4e 61 6d 65 20 52 65 73 6f 6c    Peer Name Resol
    0090  75 74 69 6f 6e 20 50 72 6f 74 6f 63 6f 6c 3a 20   ution Protocol: 
    00a0  56 34 3a 49 50 56 36 3a 4c 69 6e 6b 4c 6f 63 61   V4:IPV6:LinkLoca
    00b0  6c 0d 0a 4d 61 6e 3a 22 73 73 64 70 3a 64 69 73   l..Man:"ssdp:dis
    00c0  63 6f 76 65 72 22 0d 0a 4d 58 3a 33 0d 0a 0d 0a   cover"..MX:3....
  • WZZZ Level 6
    Mac OS X
    Linc Davis wrote: This guy needs to ratchet up the pressure to make a quick score before the vic wises up.

    Or starts stealing data.


    vic? What's that?

  • ds store Level 7

    Linc Davis wrote:


    Regardless, it is unlikely it will intentionally be evolved into anything that deletes user files or displays nasty pictures.


    It already displays nasty pictures. I see no reason to assume that future versions won't delete files, and then blame the deletions on imaginary viruses, while offering to remove those viruses. This guy needs to ratchet up the pressure to make a quick score before the vic wises up.


    Ransomware AES-256 even...TimeMachine? isn't that an EUID 0 process?

  • g_wolfman Level 4

    I agree that the attack vector is still the same.  I see the risks increasing if this is capable of calling out, however.  You're absolutely correct that malware authors want to maximize both stealth and profit - accordingly here are the risks I see:


    1.  Communications are on HTTP port 80.  This is unlikely to ever be filtered by any firewall software (unlikely as in...never).  It's also always going to be permitted outbound through proxies.  It's just one of those protocols that no one can live without.  So the trojan has an unimpeded communication channel.  Also, the format of the HTTP protocol is so loose that almost anything can be put in an HTTP payload.  Sounds pretty stealthy to me.


    2.  If the web server on the other end is being written using "standard" technologies like php, then as long as it works, the "capital" involved in building it and the communication protocols to this malware is invested.  It makes sense to use it (from their POV).  Also, the comms protocol is probably generic, not OS X specific.  Although we haven't seen it here (for obvious reasons), I wouldn't be surprised if there are Windows variants of this malware making the rounds.  Especially since the first version of this trojan used badly designed "Windows-like" imagery.  It sounds like the start of an infrastructure for a botnet C2 channel.


    3.  If the trojan is making authenticated logins to a server, then it can (via its HTTP tunnel) pass just about any traffic.  It's possible for the server's owner to simply leave commands on the server for each infected host to retrieve and execute after login (a la the Browser Exploitation Framework).  If a person is logged into the server, the HTTP tunnel could be used to establish a reverse shell and execute commands in real-time.


    In many ways, this reminds me of the early days of the Zeus botnet (circa 2007), when the developers were testing its capabilities, before the big explosion of infected PCs in 2009.  In this case, of course, we appear to have the advantage of not being Windows...which should prevent fully automated installation and privilege escalation - which is a good thing!


    However, considering how many new threads are still showing up on the boards daily, plus the fact that only some percentage of people who install this thing are going to show up and ask...it's impossible to estimate how many infected Macs are out there...could be a few dozen or a few thousand.  And if the id numbers in the login are somehow being assigned linearly...then based on Thomas' packet capture there are at least 37000 of them.  That's profit for a bot-farmer.  Hopefully one of these callbacks doesn't result in a keylogger downloading...

  • g_wolfman Level 4

    This one looks like a Windows Peer Name Resolution request on an IPv6 multicast segment...probably not related....


    Hm, so I looked at frames 11 and 13 again, and they appear to be identical - or rather frame 11 appears to be the same as the start of frame 13, but cut off.  13 is then the correct ack to frame 10.  Which doesn't change anything from my previous look, really.


    BTW, Wireshark has a nice feature under its "Analyze" menu - following streams.  Depending on the version you use, there might be only one option, or several for following TCP, UDP and SSL streams.  It makes identifying and saving a conversation much easier, as the filter query is automatically built and applied simultaneously.


    But for the moment, it still appears the same - a simple "Hi! Here I am!" call to a central server.


    I hope this guy doesn't discover double fast-flux anytime soon...

  • peter0962 Level 1

    My wife just called me about this same thing from her Hotmail account.  She tells me it popped up totally on its own.  At first, she clicked on the "remove all" button.  The downloads window opened, and downloaded the MacProtector.mpkg.  She then realized that it might be malware, so she called me and didn't do anything else.  I had her close out Safari, but when she re-opened Safari, an installation prompt came up to install the MacProtector.mpkg file.  So I just had her put it in the trash and empty it.


    My question is

    a) is that sufficient? 

    b) if not, if we go into the time machine and restore to an earlier date, will that ensure we don't have any malware?


  • thomas_r. Level 7
    Mac OS X

    As long as it never got installed, deleting the MacProtector.mpkg file is all you have to do.  You do not need to restore to an earlier date in TM.  See the coverage of the MacDefender outbreak on my blog for more details.


    * Disclaimer: links to my pages may give me compensation.

  • Badunit Level 6

    First clue that something is malware: poor grammar and/or spelling.  "Apple Web Security have detected"

  • Bearclaww89 Level 1

    Hey, did it look like this? Every time I see it I force quit Safari. It pops up all the time in Google Images, which is annoying when I am doing work. Is it something to be worried about, or just ignore and keep force quitting? Also, is there something better to do other than force quit?


    Thanks guys


    [Attached screenshot: Screen shot 2011-05-11 at 12.07.16 PM.png]
