OS X Lamadai: Flashback isn’t a usually Mac malware threat
The Flashback trojan has been all over a news lately, though it is not a usually Mac malware hazard out there during a moment. A few weeks ago, we published a technical research of OSX/Lamadai.A, a Mac OS X cargo of a multi-platform conflict exploiting a Java disadvantage CVE-2011-3544 to taint a victims. OSX/Lamadai.A has built-in facilities standard of a backdoor: namely download and execution of an capricious file, uploading of internal files to a operator’s Command and Control (CC) server, and spawning of a command-line shell.
After a technical research was done, we began a monitoring phase. This proviso is really critical since it allows for tracking of how a malware is used by a operator. We can locate new variants of a hazard early on, or even a totally opposite malware family (as mostly seen in pay-per-install schemes), or see a user launch Denial-of-Service attacks (or any other kind of antagonistic activity) from a putrescent systems.
The monitoring proviso authorised us to declare a short, live dialog between a putrescent appurtenance and a malware user that we published this dialog in a initial research of OSX/Lamadai.A. This believe gave us some new ideas that we could put in place in sequence to accumulate some-more believe about this hazard and a chairman or people behind it.
What we did is this: we planted some feign files in a home office of a exam “infected user” and waited for a user to come back. About one week later, we got a initial connection. Here are a highlights of a dialog that took place over a duration of about 10 days. It started with a small reconnoitering in a ~/Documents directory:
The Unix authority lsquo;lsrsquo; is used to list office content. Then we see a burglary of some Tibetan army standing papers and a small porn for combined value.
Now some-more reconnoitering and record theft, this time in a ~/Downloads directory.
It is utterly engaging to see that a user did not take all a files we had put out for him. He left these 3 untouched:
- 2012_report.doc
- application.zip
- im5744.jpg
A few days went by during that a user was usually joining to a complement to emanate some simple commands, many expected with a perspective to last either this was a newly putrescent complement or not. The Unix authority id earnings a stream user’s temperament and a sw_vers authority prints a OS chronicle information.
We motionless it was time to modernise a sourroundings to copy infection of a new user and to implement engaging new files to a user’s home directory.
Shortly after a new sourroundings was adult and running, we got an incoming connection. Almost instantly, a user released a authority to download and govern a record (technical sum of a new record below)!
Immediately after, a user ran a few netstat commands, many substantially looking to see if a new cargo was listening on a network properly.
Not saying what he wanted to see, a user attempted to re-execute a forsaken executable! Let’s see how that incited out:
Yes, we do have to mention a trail to a executable when /tmp is not in $PATH. In despair, he attempted to take some screenshots of a whole desktop window, regulating a OS X ‘screencapture’ command. Oddly enough, a record was not saved in his stream work office as it should have. We can’t explain because that happened.
Then, a few tie attempts later, a user logged behind on and totally mislaid it. He released dual Unix ‘rm’ commands, used to mislay office entries: one to mislay a user’s home office and one to mislay a system’s base directory.
That concludes this thespian part of Monsieur Frustrated Operator. Now to some technical stuff.
One of a initial things we did was to redeem and investigate a Mach-O executable forsaken onto a exam machine. We were extraordinary to see what that was: a new various of OSX/Lamadai, or even a specialized new square of software? Instead, we found it was a same various of OSX/Lamadai with a hardcoded CC server set to 127.0.0.1. This explains because a user grepped his netstat outlay for “127.0.0.1”. However, a motive behind this movement is adult for discuss inside ESET’s Security Intelligence Laboratory. Some disagree that a user satisfied he was connected to a monitoring complement instead of a real, putrescent one and wanted to route a trade divided from a genuine CC. Others contend that it would have been easier for him to simply deactivate or mislay a malware from a system.
Also, when we initial analyzed OSX/Lamadai.A, we pronounced that a malware did not have diligence capabilities on an OS X 10.7.2 system, as a trail /Library/Audio/Plug-Ins/AudioServer was not user-writable. We looked a small deeper into this, as other researchers reported that a hazard was indeed determined on their machines. We satisfied that this really same trail is user-writable in prior OS X versions (10.5/Leopard and 10.6/Snow Leopard). This is a means of some intensity difficulty and a timely sign of a advantages of upgrading to a latest chronicle of OS X.
Credits go to Marc-Étienne M. Léveillé for a technical research and exam sourroundings setup, interjection to a common suspects for reviewing and commenting this article.
MD5 of a forsaken executable: 46c8ca78af43012388936345336d203b
Alexis Dorais-Joncas
Security Intelligence Team Lead
.