About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch

Codec Exploit on the Loose

Just don't run any installers for a while.

Get It

Try It

Several sources report a codec exploit for OS X on the loose. The exploit uses 'social engineering' to get users to install new codecs, prompts for the admin passphrase - and then goes wild.

There's no real defence except inspecting embedded scripts. No anti-malware package yet picks this critter up. Safari may warn of possible danger.

Bojan Zdrnja of the SANS Internet Storm Center received several reports from security companies about an OS X DNS 'changer' in the wild and found a copy of it.

Social Engineering 101, Phone Home

The exploit uses social engineering. Once installed it corrupts DNS settings and 'phones home'.

The social engineering part is old hat but effective: a user is somehow lured to a website to get a movie clip but told a new codec is needed for the local machine. The 'codec' comes packaged as a DMG. The DMG in turn contains a 'codec' 'installer' and the installer in turn contains scripts - these are the actual payload.

The danger is all too many users will ignore the warning signs (if any) and not suspect something malicious could happen with an installer for a codec.

Of course this can happen with any 'installer' prompting for an admin passphrase: the 'dirty work' is inside - in the Resources directory. [It might be a good practice to always check there first. Ed.]

Calling the Ukraine

Not a shocker exactly: the DNS servers installed as well as the 'phone home' address are all in the Ukraine.

The scripts use scutil to redirect DNS to and (see below) and then create a cron job that runs once per minute to call a copy of the script that's redirecting the DNS and setting the cron job. Then the script sendreq is run.

inetnum: -
netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
org:            ORG-UL25-RIPE
org-name:       UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa

person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@ukrtelegroup.com.ua
phone:          +380487311011
nic-hdl:        UA481-RIPE
source:         RIPE # Filtered


sendreq collects local machine data with uname -p and hostname, encodes the data with base64, and then sends the data in the Accept-Language header for a GET to

Your Best Protection

As always the best protection against malware is to believe the Apple mantra about not running unknown or untrusted software - or at least invest in this tool if you don't want to play it safe.

Right now is probably not a good time to download any more codecs or run any more 'installers'.

And remember: if someone or something is asking for your admin passphrase - demand to know why. And then think again about what Apple told you.

See Also
Rixstep - ACP - Tracker: No Escape
SANS: DNS changer Trojan for Mac in the Wild

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.