New Mac Trojan: BASH/QHost.WB - SANS Internet Storm Center

New Mac Trojan: BASH/QHost.WB
F-Secure blogged about a new Trojan for Mac’s IOSX http://www.f-secure.com/weblog/archives/00002206.html It relies on the fact that due to the "dispute" between Adobe and Apple, Apple's latest Mac OS X version "Lion" comes without any flash player, enhancing the odds people do not find it strange to have to install it separately. This is a DNS changer type malware that modifies the hosts file to redirect google sites to 91.224.160.26. Which appears to be in the British Virgin Islands. inetnum: 91.224.160.0 - 91.224.161.255 netname: Bergdorf-network descr: Bergdorf Group Ltd. country: NL org: ORG-BGL9-RIPE admin-c: AJ2256-RIPE tech-c: AJ2256-RIPE status: ASSIGNED PI mnt-by: RIPE-NCC-END-MNT mnt-lower: RIPE-NCC-END-MNT mnt-by: AINT-MNT mnt-routes: AINT-MNT mnt-domains: AINT-MNT source: RIPE # Filtered organisation: ORG-BGL9-RIPE org-name: Bergdorf Group Ltd. org-type: other address: 3A Little Denmark Complex, 147 Main Street, PO Box 4473, Roa wn, Torola, British Virgin Islands VG1110 admin-c: AJ2256-RIPE tech-c: AJ2256-RIPE mnt-ref: AINT-MNT mnt-by: AINT-MNT source: RIPE # Filtered person: Agnes Jouaneau address: A Little Denmark Complex, 147 Main Street, PO Box 4473 address: Road Town, Torola, VG1110 address: British Virgin Islands phone: +44 20 81333030 fax-no: +44 20 81333030 abuse-mailbox: abuse@bergdorf-group.com nic-hdl: AJ2256-RIPE mnt-by: aint-mnt source: RIPE # Filtered % Information related to '91.224.160.0/23AS51430' route: 91.224.160.0/23 descr: Bergdorf Group Ltd. origin: AS51430 mnt-by: AINT-MNT source: RIPE # Filtered When I asked that server where google was it gave me an interesting response. It is still providing fake replies to dns queries for google. > lserver 91.224.160.26 Default server: 91.224.160.26 Address: 91.224.160.26#53 > google.com Server: 91.224.160.26 Address: 91.224.160.26#53 Name: google.com Address: 91.224.160.26 Watching for upd port 53 packets towards that IP might be a good idea. UPDATE/CORRECTION: While the whois information points to the British Virgin Islands a traceroute gave me a very different answer. Tracing route to 91.224.160.26 over a maximum of 30 hops 1 75 ms <1 ms <1 ms 10.1.195.3 <SNIP> 14 236 ms 147 ms 138 ms Open-Peering-Amsterdam.Te3-3.ar7.AMS2.gblx.net [208.50.237.194] 15 350 ms 139 ms 138 ms jt.altushost.com [217.170.19.60] 16 138 ms 142 ms 142 ms 91.224.160.26	donald 206 Posts Aug 5th 2011
Thread locked Subscribe	Aug 5th 2011 1 decade ago
I'm sure I've heard of this network before. Like maybe I've seen some sort of abuse out of that IP range recently. I remember being confused by the WHOIS data. 'Little Denmark' street, a P.O. Box the British Virgin Isles, but registered in the RIPE (Europe) NIC with 'country: NL' where it seems to get its IP transit from a Swedish company. And yet their top-level domain WHOIS gives anonymous Pakistani registration details and mentions another address in Belgrade. Good old robtex offers a list of domains hosted in this IP block. Many are .ru, and I'd advise caution about visiting any of them: * http://www.robtex.com/cnet/91.224.160.html * http://www.robtex.com/cnet/91.224.161.html And I've just noticed the SNORT Emerging Threats ruleset identifies many of these IPs as Russian Business Network. Be worried if you see traffic on your network going to/from these IPs.	Anonymous
Quote	Aug 6th 2011 1 decade ago