|Home » Industry Watch
Codec Exploit on the Loose
Just don't run any installers for a while.
Several sources report a codec exploit for OS X on the loose. The exploit uses 'social engineering' to get users to install new codecs, prompts for the admin passphrase - and then goes wild.
There's no real defence except inspecting embedded scripts. No anti-malware package yet picks this critter up. Safari may warn of possible danger.
Bojan Zdrnja of the SANS Internet Storm Center received several reports from security companies about an OS X DNS 'changer' in the wild and found a copy of it.
Social Engineering 101, Phone Home
The exploit uses social engineering. Once installed it corrupts DNS settings and 'phones home'.
The social engineering part is old hat but effective: a user is somehow lured to a website to get a movie clip but told a new codec is needed for the local machine. The 'codec' comes packaged as a DMG. The DMG in turn contains a 'codec' 'installer' and the installer in turn contains scripts - these are the actual payload.
The danger is all too many users will ignore the warning signs (if any) and not suspect something malicious could happen with an installer for a codec.
Of course this can happen with any 'installer' prompting for an admin passphrase: the 'dirty work' is inside - in the Resources directory. [It might be a good practice to always check there first. Ed.]
Calling the Ukraine
Not a shocker exactly: the DNS servers installed as well as the 'phone home' address are all in the Ukraine.
The scripts use scutil to redirect DNS to 220.127.116.11 and 18.104.22.168 (see below) and then create a cron job that runs once per minute to call a copy of the script that's redirecting the DNS and setting the cron job. Then the script sendreq is run.
inetnum: 22.214.171.124 - 126.96.36.199
descr: UkrTeleGroup Ltd.
org-name: UkrTeleGroup Ltd.
person: Andrew Sotov
address: Mechnikova 58/5 65029 Odessa
source: RIPE # Filtered
sendreq collects local machine data with uname -p and hostname, encodes the data with base64, and then sends the data in the Accept-Language header for a GET to 188.8.131.52.
Your Best Protection
As always the best protection against malware is to believe the Apple mantra about not running unknown or untrusted software - or at least invest in this tool if you don't want to play it safe.
Right now is probably not a good time to download any more codecs or run any more 'installers'.
And remember: if someone or something is asking for your admin passphrase - demand to know why. And then think again about what Apple told you.
Rixstep - ACP - Tracker: No Escape
SANS: DNS changer Trojan for Mac in the Wild