Threat Level: green Handler on Duty: Yee Ching Tok

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New Mac Trojan: BASH/QHost.WB

Published: 2011-08-05
Last Updated: 2011-08-05 20:27:24 UTC
by donald smith (Version: 1)
1 comment(s)

F-Secure blogged about a new Trojan for Mac’s IOSX
It relies on the fact that due to the "dispute" between Adobe and Apple, Apple's latest Mac OS X version "Lion" comes without any flash player, enhancing the odds people do not find it strange to have to install it separately.

This is a DNS changer type malware that modifies the hosts file to redirect google sites to Which appears to be in the British Virgin Islands.

inetnum: -
netname:        Bergdorf-network
descr:          Bergdorf Group Ltd.
country:        NL
org:            ORG-BGL9-RIPE
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         AINT-MNT
mnt-routes:     AINT-MNT
mnt-domains:    AINT-MNT
source:         RIPE # Filtered

organisation:   ORG-BGL9-RIPE
org-name:       Bergdorf Group Ltd.
org-type:       other
address:        3A Little Denmark Complex, 147 Main Street, PO Box 4473, Roa
wn, Torola, British Virgin Islands VG1110
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
mnt-ref:        AINT-MNT
mnt-by:         AINT-MNT
source:         RIPE # Filtered

person:         Agnes Jouaneau
address:        A Little Denmark Complex, 147 Main Street, PO Box 4473
address:        Road Town, Torola, VG1110
address:        British Virgin Islands
phone:          +44 20 81333030
fax-no:         +44 20 81333030
nic-hdl:        AJ2256-RIPE
mnt-by:         aint-mnt
source:         RIPE # Filtered

% Information related to ''
descr:          Bergdorf Group Ltd.
origin:         AS51430
mnt-by:         AINT-MNT
source:         RIPE # Filtered

When I asked that server where google was it gave me an interesting response. It is still providing fake replies to dns queries for google.

> lserver
Default server:


Watching for upd port 53 packets towards that IP might be a good idea.


While the whois information points to the British Virgin Islands a traceroute gave me a very different answer.

Tracing route to over a maximum of 30 hops

  1    75 ms    <1 ms    <1 ms
 14   236 ms   147 ms   138 ms []
 15   350 ms   139 ms   138 ms []
 16   138 ms   142 ms   142 ms

Keywords: dnschanger mac trojan
1 comment(s)
Diary Archives