New Mac Trojan: BASH/QHost.WB

SANS Internet Storm Center (ISC) diary

F-Secure blogged about a new Trojan for Apple's Mac OS X.
It relies on the fact that, due to the "dispute" between Adobe and Apple, Apple's latest Mac OS X version "Lion" ships without any Flash player, which makes it less surprising to users that they have to install it separately.

This is a DNS-changer type of malware: it modifies the hosts file to redirect Google sites to an IP address that, judging by its whois record, appears to be in the British Virgin Islands.
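The hosts-file tampering described above is the indicator a defender can check for directly. The following is an added example (not code from the diary or from F-Secure) that parses hosts-file text and flags watched names, such as Google domains, that resolve to anything other than a local address. The sample hosts content and the 203.0.113.10 address are constructed placeholders (RFC 5737 documentation range), not the real redirect target from the diary.

```python
import ipaddress

# Constructed sample of a Mac OS X /etc/hosts file, with two appended lines of the
# kind a DNS-changer trojan would add. 203.0.113.10 is a documentation-range
# placeholder, not the address from the diary.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
# appended by the (hypothetical) trojan
203.0.113.10    google.com www.google.com
203.0.113.10    google.co.uk
"""

# Names worth watching; a DNS changer typically targets popular sites.
WATCHED_SUFFIXES = ("google.com", "google.co.uk", "apple.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            # strip an IPv6 zone id such as %lo0 before parsing
            addr = ipaddress.ip_address(parts[0].split("%", 1)[0])
        except ValueError:
            continue  # malformed address field; ignore the line
        for name in parts[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def is_local(ip_str):
    """True for loopback, link-local, unspecified and the limited broadcast address."""
    addr = ipaddress.ip_address(ip_str)
    return (addr.is_loopback or addr.is_link_local or addr.is_unspecified
            or ip_str == "255.255.255.255")


def find_hijacks(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip) for watched names mapped to a non-local address."""
    hits = []
    for ip, name in parse_hosts(text):
        matches = any(name == s or name.endswith("." + s) for s in watched)
        if matches and not is_local(ip):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read /etc/hosts instead.
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"hosts-file hijack: {name} -> {ip}")
```

The same function can be pointed at the contents of /etc/hosts on a fleet of machines; any watched name mapped to a routable address is a strong sign of this kind of tampering, since legitimate hosts files on end-user systems rarely pin public sites.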

inetnum: -
netname:        Bergdorf-network
descr:          Bergdorf Group Ltd.
country:        NL
org:            ORG-BGL9-RIPE
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         AINT-MNT
mnt-routes:     AINT-MNT
mnt-domains:    AINT-MNT
source:         RIPE # Filtered

organisation:   ORG-BGL9-RIPE
org-name:       Bergdorf Group Ltd.
org-type:       other
address:        3A Little Denmark Complex, 147 Main Street, PO Box 4473, Road Town, Torola, British Virgin Islands VG1110
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
mnt-ref:        AINT-MNT
mnt-by:         AINT-MNT
source:         RIPE # Filtered

person:         Agnes Jouaneau
address:        A Little Denmark Complex, 147 Main Street, PO Box 4473
address:        Road Town, Torola, VG1110
address:        British Virgin Islands
phone:          +44 20 81333030
fax-no:         +44 20 81333030
nic-hdl:        AJ2256-RIPE
mnt-by:         aint-mnt
source:         RIPE # Filtered

% Information related to ''
descr:          Bergdorf Group Ltd.
origin:         AS51430
mnt-by:         AINT-MNT
source:         RIPE # Filtered

When I asked that server to resolve Google, it gave me an interesting response: it is still providing fake replies to DNS queries for Google.

> lserver
Default server:


Watching for UDP port 53 packets towards that IP might be a good idea.
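One way to act on that advice is to run flow or firewall logs through a small classifier. The block below is an added example, not part of the diary, and it goes slightly beyond the diary's suggestion: besides flagging UDP/53 traffic to a watched rogue address, it also flags DNS traffic to any resolver that is not on an allow-list, which is how a DNS changer on a client shows up even before its server address is known. The log format, the 203.0.113.0/24 "rogue" network and the 192.0.2.x resolver addresses are all constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Placeholder for the rogue resolver's address range (RFC 5737 documentation
# space); substitute the real address from your own intelligence.
WATCHED_NETS = [ip_network("203.0.113.0/24")]

# Resolvers clients on this network are expected to use (constructed values).
ALLOWED_RESOLVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}

# Constructed flow records in the form:
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_FLOWS = """\
2011-08-05T10:00:01Z udp 10.0.0.15:52311 -> 192.0.2.53:53
2011-08-05T10:00:02Z udp 10.0.0.15:52312 -> 203.0.113.10:53
2011-08-05T10:00:03Z tcp 10.0.0.15:49152 -> 203.0.113.10:80
2011-08-05T10:00:04Z udp 10.0.0.22:60001 -> 198.51.100.7:53
this line is deliberately malformed
"""


def parse_flow(line):
    """Parse one flow record; return None for lines that do not fit the format."""
    try:
        ts, proto, src, arrow, dst = line.split()
        if arrow != "->":
            return None
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        return {
            "ts": ts,
            "proto": proto.lower(),
            "src": ip_address(sip),
            "sport": int(sport),
            "dst": ip_address(dip),
            "dport": int(dport),
        }
    except ValueError:  # wrong field count, bad address or bad port
        return None


def classify(flow):
    """Return a verdict string for suspicious DNS flows, else None."""
    if flow is None or flow["proto"] != "udp" or flow["dport"] != 53:
        return None
    if any(flow["dst"] in net for net in WATCHED_NETS):
        return "known-rogue-resolver"
    if flow["dst"] not in ALLOWED_RESOLVERS:
        return "unexpected-resolver"
    return None


def scan(text):
    """Return (timestamp, src, dst, verdict) for every flagged flow in the log text."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]), verdict))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, verdict in scan(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst} : {verdict}")
```

The "unexpected-resolver" verdict is the more general signal: a client that suddenly sends DNS queries to an address outside the organisation's resolvers is worth a look regardless of which trojan caused it, while the "known-rogue-resolver" verdict gives you a high-confidence hit once the attacker's address is known.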


While the whois information points to the British Virgin Islands, a traceroute gave me a very different answer.

Tracing route to over a maximum of 30 hops

  1    75 ms    <1 ms    <1 ms
 14   236 ms   147 ms   138 ms []
 15   350 ms   139 ms   138 ms []
 16   138 ms   142 ms   142 ms


206 Posts
Aug 5th 2011
I'm sure I've heard of this network before. Like maybe I've seen some sort of abuse out of that IP range recently. I remember being confused by the WHOIS data. 'Little Denmark' street, a P.O. Box in the British Virgin Isles, but registered in the RIPE (Europe) NIC with 'country: NL', where it seems to get its IP transit from a Swedish company. And yet their top-level domain WHOIS gives anonymous Pakistani registration details and mentions another address in Belgrade.

Good old robtex offers a list of domains hosted in this IP block. Many are .ru, and I'd advise caution about visiting any of them:

And I've just noticed the SNORT Emerging Threats ruleset identifies many of these IPs as Russian Business Network. Be worried if you see traffic on your network going to/from these IPs.
