Centroid.EU Blog

(this blog is mostly encrypted - adults only)
  



Dissecting WebShoppy Mac OS X trojan

January 9th, 2016

My dad got a virus on his Mac (Snow Leopard OS X I think). Before we reinstalled it with El Capitan I saved the binary, the install script, and an lsof output of this trojan called WebShoppy.

First I unpack the tarball I made. My first impression is that a ._3166.sh file was copied along with the 3166.sh script when I made the tarball, possibly a trait of the virus.

alpha$ tar -xvzf ws.tgz
ws
ws/._3166.sh
ws/3166.sh
ws/list.open
ws/WebShoppy

Let's take a look at this ._3166.sh file. It seems to be binary, so I'm going to hexdump it.

alpha$ hexdump -C ._3166.sh
00000000  00 05 16 07 00 02 00 00  4d 61 63 20 4f 53 20 58  |........Mac OS X|
00000010  20 20 20 20 20 20 20 20  00 02 00 00 00 09 00 00  |        ........|
00000020  00 32 00 00 00 79 00 00  00 02 00 00 00 ab 00 00  |.2...y..........|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000050  00 00 00 00 41 54 54 52  00 00 00 00 00 00 00 ab  |....ATTR........|
00000060  00 00 00 9c 00 00 00 0f  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 01  00 00 00 9c 00 00 00 0f  |................|
00000080  00 00 17 63 6f 6d 2e 61  70 70 6c 65 2e 54 65 78  |...com.apple.Tex|
00000090  74 45 6e 63 6f 64 69 6e  67 00 00 00 75 74 66 2d  |tEncoding...utf-|
000000a0  38 3b 31 33 34 32 31 37  39 38 34                 |8;134217984|
000000ab
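
The ._3166.sh file can be decoded rather than guessed at. The hexdump above has the layout of an AppleDouble sidecar, which bsdtar on Mac OS X writes next to any file that carries extended attributes: the magic 00 05 16 07, a two-entry table (Finder Info and resource fork), and Apple's ATTR block holding a single attribute, com.apple.TextEncoding. So this file is packing metadata from the tarball step, not something the trojan dropped. The parser below is an added example and not part of the original post; the field layout follows the AppleDouble and ATTR structures from Apple's vfs_xattr.c (an assumption stated in the code), and the byte string is transcribed from the hexdump above.

```python
import struct

# AppleDouble / ATTR constants, taken from Apple's xnu vfs_xattr.c (assumed here)
ADH_MAGIC = 0x00051607
ENTRY_FINDER_INFO = 9
ENTRY_RESOURCE_FORK = 2
FINDER_INFO_SIZE = 32
ATTR_MAGIC = b"ATTR"


def parse_appledouble(buf):
    """Return (entries, xattrs) for an AppleDouble ._ sidecar file.

    entries: list of (entry_id, offset, length) from the header table
    xattrs:  dict name -> raw value bytes from the ATTR block that Mac OS X
             appends after the 32-byte Finder Info entry
    """
    magic, _version, num_entries = struct.unpack_from(">II16xH", buf, 0)
    if magic != ADH_MAGIC:
        raise ValueError("bad AppleDouble magic 0x%08x" % magic)
    entries = []
    pos = 26  # fixed header: magic(4) + version(4) + filler(16) + count(2)
    for _ in range(num_entries):
        entries.append(struct.unpack_from(">III", buf, pos))
        pos += 12

    xattrs = {}
    for entry_id, off, length in entries:
        # Only a Finder Info entry longer than 32 bytes can carry an ATTR block
        if entry_id != ENTRY_FINDER_INFO or length <= FINDER_INFO_SIZE:
            continue
        hdr = off + FINDER_INFO_SIZE + 2      # 2 pad bytes precede "ATTR"
        if buf[hdr:hdr + 4] != ATTR_MAGIC:
            continue
        # debug_tag, total_size, data_start, data_length, reserved[3], flags, num_attrs
        _tag, total, data_start, data_len, _flags, num_attrs = struct.unpack_from(
            ">IIII12xHH", buf, hdr + 4)
        if total > len(buf) or data_start + data_len > total:
            raise ValueError("ATTR block claims more bytes than the file has")
        p = hdr + 36
        for _ in range(num_attrs):
            aoff, alen, _aflags, nlen = struct.unpack_from(">IIHB", buf, p)
            name = buf[p + 11:p + 11 + nlen].rstrip(b"\0").decode("utf-8")
            xattrs[name] = bytes(buf[aoff:aoff + alen])
            p += (11 + nlen + 3) & ~3         # entries are padded to 4-byte alignment
    return entries, xattrs


# The 171 bytes of ._3166.sh, transcribed from the hexdump in the post
# (hexdump's "*" line stands for repeated all-zero lines)
SIDECAR = bytes.fromhex(
    "00051607 00020000 4d6163204f532058 2020202020202020"  # magic, version, "Mac OS X" filler
    "0002"                                                # two entries follow
    "00000009 00000032 00000079"                          # Finder Info at 0x32, 0x79 bytes
    "00000002 000000ab 00000000"                          # resource fork at 0xab, empty
    + "00" * 32                                           # 32 zero bytes of Finder Info
    + "0000"                                              # pad before the ATTR block
    "41545452 00000000 000000ab 0000009c 0000000f"        # "ATTR", tag, total, data_start, data_len
    "000000000000000000000000 0000 0001"                  # reserved[3], flags, num_attrs = 1
    "0000009c 0000000f 0000 17"                           # attr: offset, length, flags, namelen = 23
    "636f6d2e6170706c652e54657874456e636f64696e6700"      # "com.apple.TextEncoding\0"
    "0000"                                                # pad to 4-byte boundary (0x9c)
    "7574662d383b313334323137393834"                      # "utf-8;134217984"
)


if __name__ == "__main__":
    table, attrs = parse_appledouble(SIDECAR)
    for entry_id, off, length in table:
        print("entry id=%d offset=0x%x length=0x%x" % (entry_id, off, length))
    for name, value in attrs.items():
        print("xattr %s = %r" % (name, value))
```

The only attribute in the sidecar is a text-encoding hint, so when triaging a tarball made on a Mac, ._ files like this one can be set aside once they parse as AppleDouble metadata; anything that fails to parse deserves a closer look.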
Next I will show parts of the 3166.sh script, which was placed in the $HOME of my dad's user.

...
# existing check
brands=(flashmall webshoppers webshoppy smartshoppy)
brandExists=false
for currBrand in "${brands[@]}"; do
    if [ `pgrep -i $currBrand | wc -l` -gt 0 ]; then
        brandExists=$currBrand
    fi
done
...

Here it checks whether any of these four programs is already running on the computer. However, it clobbers brandExists if more than one of the four is running: each match overwrites the previous one, so only the last brand in the list survives.

...
  # user
  sudo -u $INSTALLER_USER launchctl unload $plist_user >> ${mmtmp}/${insname}.log 2>&1
  sudo -u $INSTALLER_USER /bin/rm -f $plist_user
  sudo -u $INSTALLER_USER cp $orig_plist_path $plist_user
  sudo -u $INSTALLER_USER launchctl load $plist_user  >> ${mmtmp}/${insname}.log 2>&1
...

It then installs what amounts to a crontab-like entry via launchctl, registering itself with launchd so that it is started again automatically after every boot (for a per-user LaunchAgent, at that user's login). In the script's case, plist_user is $HOME/Library/LaunchAgents/com.WebShoppy.agent.plist.
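
Reviewing ~/Library/LaunchAgents is the natural post-analysis check here, since a LaunchAgent plist states outright what launchd runs and when (RunAtLoad, KeepAlive, StartInterval and friends); a StartInterval is also where a "runs on a timer" behaviour would show up. The triage helper below is an added example, not part of the post or the trojan's script: it uses Python's plistlib to reduce each plist to the fields that matter and flags the usual persistence traits. The label and program path in the sample plist come from this post; the remaining keys are constructed assumptions about what such a file could contain.

```python
import os
import plistlib

# launchd keys that decide when a job starts (see launchd.plist(5)); assumed set
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueuePaths")


def summarize_agent(plist_bytes):
    """Reduce a launchd plist to the fields a persistence review cares about."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    triggers = {k: job[k] for k in TRIGGER_KEYS if k in job}
    quiet = (job.get("StandardOutPath") in (None, "/dev/null")
             and job.get("StandardErrorPath") in (None, "/dev/null"))
    return {"label": job.get("Label"), "program": program,
            "arguments": args, "triggers": triggers, "hidden_output": quiet}


def flag_agent(summary, trusted_prefixes=("/System/", "/usr/")):
    """Return the reasons an agent deserves a second look (empty list: nothing odd)."""
    reasons = []
    program = summary["program"] or ""
    if not program.startswith(trusted_prefixes):
        reasons.append("program outside system paths: %s" % program)
    triggers = summary["triggers"]
    if "StartInterval" in triggers or "StartCalendarInterval" in triggers:
        reasons.append("runs on a timer")
    if triggers.get("RunAtLoad"):
        reasons.append("starts at login")
    if triggers.get("KeepAlive"):
        reasons.append("restarted when it exits")
    return reasons


def scan_launch_agents(directory):
    """Summarize and flag every .plist in a LaunchAgents directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            summary = summarize_agent(fh.read())
        results[name] = (summary, flag_agent(summary))
    return results


# Constructed sample: Label and program path are from the post, the rest is assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.WebShoppy.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/WebShoppy/WebShoppy</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    summary = summarize_agent(SAMPLE_PLIST)
    print(summary["label"], summary["program"], flag_agent(summary))
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents_dir):
        for name, (info, reasons) in scan_launch_agents(agents_dir).items():
            print(name, info["program"], reasons or "nothing flagged")
```

The trusted-prefix list is deliberately short; on a real machine you would extend it with the paths of software you know is installed and then read every flagged entry by hand.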

On to the binary. What I found interesting was that its content was encrypted. strings on Mac OS X doesn't list all printable symbols, but on OpenBSD I was able to see who compiled this binary, from environment variables packed into it. Chances are it's someone whose computer was hijacked.

...
03wnh{ul7yffwqtvs!vcd2gxr5vl{xjgisx5fvvrpriwyy2F|qvvgnB
pwe|hxlw}".i$0nl#hyrmmgjyoru)$Tejjwo%'ru!vywsoqn)viir0%3h'0npk$+Fiwp g#+$6j&%y~p
!wg{nvwc+vfpp)fvssrebxmxs&_ce$Tejjwo_ce$]r`wiu#QjxbWg{nvw'e^]&
...
/Users/janetlev/macwebtools/WebHelper/
...

So there is ciphertext in the binary, as you can see. I also found the janetlev user string in there. She's likely innocent; I don't accuse her.
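
On the strings point: strings(1) implementations differ in which bytes they count as printable and in their minimum run length, which is why two runs of the same tool on different systems can disagree. The extractor below is an added example, not from the post: a small strings-like scanner in Python that optionally keeps 8-bit bytes and scores each run's Shannon entropy, so that an encrypted blob like the one above stands out from paths and plain text. The input blob is constructed for the example; it embeds the ciphertext lines and the path quoted above, joined into one run, plus a padding of non-printable bytes.

```python
import math
import re


def extract_strings(blob, min_len=8, include_high=False):
    """Return printable runs of at least min_len bytes, like strings(1).

    include_high=True also accepts bytes 0x80-0xff, which a strict 7-bit
    scanner drops; that is one way two strings(1) runs can differ.
    """
    if include_high:
        pattern = rb"[\x20-\x7e\x80-\xff]{%d,}" % min_len
    else:
        pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group() for m in re.finditer(pattern, blob)]


def shannon_entropy(data):
    """Bits of entropy per byte; 0 for a constant run, up to 8 for uniform bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_strings(blob, min_len=8, entropy_threshold=4.5):
    """Classify each printable run as path, high-entropy (likely encrypted) or text."""
    report = []
    for s in extract_strings(blob, min_len):
        h = shannon_entropy(s)
        if s.startswith(b"/"):
            kind = "path"
        elif h >= entropy_threshold:
            kind = "high-entropy"
        else:
            kind = "text"
        report.append((s, round(h, 2), kind))
    return report


# Ciphertext lines quoted in the post, joined into one run (a construction for this example)
CIPHERTEXT_FROM_POST = (
    b"03wnh{ul7yffwqtvs!vcd2gxr5vl{xjgisx5fvvrpriwyy2F|qvvgnB"
    b"""pwe|hxlw}".i$0nl#hyrmmgjyoru)$Tejjwo%'ru!vywsoqn)viir0%3h'0npk$+Fiwp g#+$6j&%y~p"""
    b"""!wg{nvwc+vfpp)fvssrebxmxs&_ce$Tejjwo_ce$]r`wiu#QjxbWg{nvw'e^]&"""
)

# Constructed sample "binary": non-printable padding around the strings of interest
CONSTRUCTED_BLOB = (
    b"\x00\x01\x02\x03" + CIPHERTEXT_FROM_POST + b"\x00\x00"
    + b"/Users/janetlev/macwebtools/WebHelper/" + b"\x00\x7f"
    + b"WebShoppy" + b"\x00" * 4
)


if __name__ == "__main__":
    for s, h, kind in triage_strings(CONSTRUCTED_BLOB):
        print("%-13s %5.2f  %s" % (kind, h, s[:60]))
```

The entropy threshold is a heuristic: English text and file paths usually score below 4.5 bits per byte, while ciphertext, compressed data and base64 blobs score well above it. It is a sorting aid for the analyst, not a verdict.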

And finally I'd like to show the lsof output of WebShoppy while it was active on the system, before we wiped it.

WebShoppy   491 mydadsuser  cwd      DIR              1,2      1224        2 /
WebShoppy   491 mydadsuser  txt      REG              1,2     56664 19581804 \
/Applications/WebShoppy/WebShoppy
WebShoppy   491 mydadsuser  txt      REG              1,2    600832 15963057 \
/usr/lib/dyld
WebShoppy   491 mydadsuser  txt      REG              1,2 344538318 19594212 \
/private/var/db/dyld/dyld_shared_cache_x86_64
WebShoppy   491 mydadsuser    0r     CHR              3,2       0t0      306 \
/dev/null
WebShoppy   491 mydadsuser    1w     CHR              3,2       0t0      306 \
/dev/null
WebShoppy   491 mydadsuser    2w     CHR              3,2       0t0      306 \
/dev/null

It doesn't seem to be doing much at this moment: no network sockets are open and its standard input, output and error all go to /dev/null. Perhaps it does things on a timer.

If anyone has hints on how I could have done the analysis or post-analysis any better let me know.


Organized Crime is the Enemy

January 8th, 2016

When you think of safety, you are naive to think you'll get it anywhere after the sun goes down. Be smart, don't put yourself in situations where you're defenseless, avoid hotspots. In Cologne ruthless gangs of organized criminals roamed the train station on New Year's Eve. The police were helpless, due to being outnumbered. One may now think of how to bring the individuals to justice, and face recognition technology comes to mind. Where will it end us up though? In a totalitarian society where everyone's face is recognized in real time?

One thing to remember is that it was organized crime that terrorized the few women and men who were rather defenseless. But the herd of sheep now knows the wolf is about, and we need to think of ways to protect ourselves. For one, strong cryptography in voice and data is needed, and should not be backdoored. When organized crime does things they do it big, and they want to get at the next victims' online banking. Be smart, keep the crypto strong: it is a foundation, a pillar for fighting the evil in society who group up. We know the wolf exists now and isn't just a fable. We need the right tools to combat him while keeping our society with its laws and freedoms intact and sturdy.


Donation time

January 6th, 2016

I have donated 100 euros to Theo de Raadt and OpenBSD. He'll have to get me really angry for me to donate to the foundation and even more angry for me to not donate, lol.


The invisible man

January 3rd, 2016

Have you ever wanted to go offline for good? No Internet for the NSA to track you. No online marketing. No email, and in my case no job. Believe it or not, I went offline for about a year in 2001. I was misinformed when 9/11 happened, having only an FM radio to get my information. But imagine if an offline life was manageable. Can we do this at all? Make my workstations PCs again, meaning a computer that really is personal and not a cloud extension. I'm interested in organizations who facilitate an offline life. Would I take the leap?


How hard can changing a password be?

January 1st, 2016

In my network, which consists of 1 access point and 2 repeaters to create a WLAN bridge between 3 routers, I tried to change the Wifi password. Simple, I thought. I'd start with the repeater furthest away from me and change its WLAN password, then do the same on the access point and the same for the repeater closest to me. Was I ever in for a mental boxing match, and one I did not win. The repeaters decided they did not want to accept the access point because somehow I had WPS set to active, or was that it? Or was it the "hidden" link to find which station to connect to, which had a password of its own? I still don't know what I did exactly to make these repeaters finally connect to my AP. On top of that they changed their IPs and I had to reconfigure my router to even connect to them. Talk about making a function hard, when it should be as simple as changing a light bulb! No kudos go to AVM with their Fritz line of access points and repeaters. They still owe me one regardless, due to losing ARP packets on their AP. Why did I ever invest in crap?


When a book loses significance

January 1st, 2016

It's 2016. The following book has lost its significance.

This is the third edition of DNS and BIND, and it covers neither bind9 nor DNSSEC. However, this book guided me for a while when I was writing delphinusdnsd, prior to writing the DNSSEC code. I can only put this book back into my bookshelf because it looks good, but that's about it. I would recommend the authors' works to anyone; they are written in an easy to understand fashion. Just don't get an old book like this one :-).


Delphinusdnsd 1.0.0 Released

January 1st, 2016

I have released delphinusdnsd 1.0.0. You can download it here. The SHA256 checksum of the tarball is: 8914aa55437081e44895a4cecdfff82b4a3be03fb38dd65d073c71e1be187e41.

I've worked on this release for over a year. Some parts are incomplete still but I feel I gotta get it out the door. When is a DNS server ever complete though one may ask? Anyhow, enjoy!


More power from Arabia and Sahara?

December 31st, 2015

A ghost haunts Europe. It's the power ghost. Once there is no more oil either available or sanctioned due to the environmental effects, where will we get our power from? One corporation in Germany has a plan. But do we really want to upkeep the power hegemony in Arabia and Sahara just to get our power? These are political factors which don't convince the technical ones.


Our XMAS Dinner

December 29th, 2015


2015 Year in Review

December 29th, 2015

December 23, 2015	Merry Christmas
December 22, 2015	I joined Twitter
December 21, 2015	Happy Solstice
December 19, 2015	Getting ready for delphinusdnsd release
December 15, 2015	More sky photos coming up
December 13, 2015	An ejection from Atacama?
December 11, 2015	100 million X speedup from classical computer
December 7, 2015	Thinking of getting a third Internet Link
December 5, 2015	Trying to run letsencrypt beta
December 3, 2015	Anonymity
December 1, 2015	What happens when...	
November 29, 2015	23 days until the December Solstice
November 29, 2015	10 Years
November 20, 2015	10 years Delphinusdnsd in 9 days
November 18, 2015	Keeper of the Isis Light
November 13, 2015	DNSSEC validation tools
November 10, 2015	Delphinusdnsd does TLSA RR and thus DANE
November 8, 2015	Happy Anniversary Delphinusdnsd!
November 8, 2015	swshell.de is DNSSEC enabled now
November 4, 2015	Donated to OpenBSDFoundation
October 31, 2015	pledge(2) Don't do this!
October 27, 2015	Outlook Delphinusdnsd 1.0.0 not before XMAS
October 26, 2015	AVM FritzBox Router losing ARP packets
October 24, 2015	Open Sourced CodeBlue version 1
October 22, 2015	MPS open sourced
October 20, 2015	Oct 21, 2015 Cars that fly?
October 19, 2015	Luna-27
October 17, 2015	Upgraded supercluster
October 11, 2015	Yesterday OpenBSD 5.8 arrived
October 10, 2015	Status update on Delphinusdnsd
October 7, 2015		OpenBSD 5.8 poster arrived
October 7, 2015		Autumn Programmer
October 3, 2015		Happy Birthday R.
October 3, 2015		For God's sake!  Stoererhaftung is in the Way!
October 2, 2015		Happy Birthday M.
September 30, 2015	Wrote a donation to OpenBSD
September 27, 2015	Profit for the poor!
September 26, 2015	European Union where is your strength?
September 23, 2015	Happy September Equinox!
September 15, 2015	I'm not hiring
September 10, 2015	Equinox in less than 2 Weeks
September 5, 2015 	Delphinusdnsd now answers to version queries
September 5, 2015	The last homely house on Earth
August 31, 2015		Changed DNS setup
August 29, 2015		Cancelling io.solarscale.de, eventually
August 27, 2015		Resisting Refugees is Shameful
August 26, 2015		Omega: a new VPS
August 22, 2015		Changes at work
August 21, 2015		Maxed my Soekris 6501
August 19, 2015		OpenBSD 5.8 Pre-orders are on
August 17, 2015		And still in the Rush
August 16, 2015		Still in a Consumer Rush
August 10, 2015		I started shuffling my $HOME/.ssh directory
August 9, 2015		Spampd and taking the -T out
August 9, 2015		Ordered a Book from Amazon
August 2, 2015		CryptoBooks virtualized
July 28, 2015		Delphinusdnsd status update
July 27, 2015		Opinion: Hacking Team are pigs
July 25, 2015		Two CryptoBooks side by side
July 24, 2015		New Network Plans
July 23, 2015		Macbook Pro and things
July 17, 2015		My CryptoBook
July 15, 2015		Donated $15 to FreeBSD Foundation
July 13, 2015		Purchased Netbook
July 10, 2015		Status update of Delphinusdnsd and DNSSEC
July 10, 2015		Hand-Down and a Story
July 9, 2015		Signatures of Time - Double Play
July 7, 2015		Freifunk was affected by an MTU issue
July 6, 2015		It definatly was hotter than 2003
July 4, 2015		Power outtage this morning
July 3, 2015		I have donated 20 euros to the Greece bailout fund
June 28, 2015		AKW Grafenrheinfeld has shut down over night
June 28, 2015		Status update on Delphinusdnsd and DNSSEC
June 25, 2015		RFC 4034 compliant AFAIK
June 25, 2015		Donated 50 euros to OpenBSD
June 24, 2015		Vacation cut short
June 23, 2015		Art display of my parents creations
June 22, 2015		Delphinusdns Project sponsors Luke Antins
June 22, 2015		Donated 150 euros to the Red Cross
June 21, 2015		Happy Solstice
June 20, 2015		The First Ever DNSSEC answer from Delphinusdnsd
June 18, 2015		Delphinusdnsd Hack days, entering production..
June 13, 2015		I'm on Vacation
June 6, 2015		Purchased two Books
June 5, 2015		Vacation in a week
May 22, 2015		Computers are better Rappers?  Perhaps...
May 21, 2015		Advocacy for OpenBSD
May 21, 2015		My udptunnel program is open source now
May 19, 2015		Holidays less than a month away
May 15, 2015		OpenBSD 5.7 arrived
May 15, 2015		Freifunk Tunnel Masters
May 13, 2015		Anexit
May 12, 2015		Donated 25 euros toward Nepal
May 12, 2015		Purchased DJ mixer
May 9, 2015		Where do you get your clothes?
May 8, 2015		Pension, TV and Books
May 2, 2015		OpenBSD CD's delayed, upgraded anyways
April 30, 2015		Httpd died overnight
April 29, 2015		Goodbye Avon!
April 28, 2015		OpenBSD getting hammerfs through GSOC?
April 24, 2015		Happy 25th anniversary Hubble!
April 24, 2015		And the Park seemed inviting
April 22, 2015		Donated 50 euros to OpenBSD
April 22, 2015		Bought two singles
April 22, 2015		Vernal Equinox and Jesus
April 21, 2015		Exploring Xephem
April 20, 2015		Backport of patch for OpenSMTPD 5.4.2p1
April 15, 2015		The contraction of my VPS network
April 15, 2015		Blog Outtage this Morning
April 13, 2015		One year of mercury (computer)
April 11, 2015		Sorry no Linkedin, yet
April 11, 2015		Mac OS X 10.10.3 killed my screensaver!
April 9, 2015		Wildcarddnsd 0.9.1
April 7, 2015		Greece's war reparation demand
April 4, 2015		Happy Easter
April 1, 2015		Astronomers detect a giant star in Constellation Pisces
March 31, 2015		ESA what are your plans?
March 30, 2015		R.I.P. Paul Schenkeveld
March 29, 2015		Please, not another LEO ISS!
March 28, 2015		The catch-22 of mental illness
March 21, 2015		My Eclipse photos were a FAIL
March 14, 2015		Happy Pi day
March 13, 2015		Pre-Ordered OpenBSD 5.7
March 12, 2015		Wrote two members of parliament
March 12, 2015		Equinox in 8 days
March 7, 2015		Crackers are getting more careful
March 5, 2015		Oldlaptop's github repo
March 5, 2015		OpenBSD's httpd with webalizer
March 5, 2015		Softraid Crypto seems secure
February 27, 2015	God Speed Spock!
February 26, 2015	OpenBSD donations reached 397,000 dollars in 2014
February 25, 2015	Got a washing machine
February 24, 2015	Nearing 20 years UNIX experience
February 23, 2015	Ordered three books
February 21, 2015	Scarcity vs. Abundance
February 16, 2015	Moved the blog
February 14, 2015	Upper Lower Class
February 13, 2015	I'm sick
February 6, 2015	Next Week marks Two Years in My Apartment
February 5, 2015	Thinking of voting Die Linke in 2017
February 5, 2015	The last frontier, under the ice
February 3, 2015	Why I think "The Time Machine" doesn't work in reality
February 2, 2015	I want a Greek bailout
January 28, 2015	The rich can't buy smarts, can they?
January 27, 2015	Electricity (day) consumption up (unfortunately)
January 26, 2015	Cryptowars: Organised Crime and Terrorists
January 24, 2015	Administrivia
January 24, 2015	Is it more than Space Junk?
January 19, 2015	This is how fair the world is
January 13, 2015	And our rights diminish
January 11, 2015	I am not your subordinate
January 9, 2015		Ordered 3 books
January 5, 2015		My 150 Euro Calculator
January 5, 2015		Donation time again
December 31, 2014	Happy New Year!
December 29, 2014	Added supercluster to nameservers
December 28, 2014	Winter Flowers
December 24, 2014	Merry Christmas / Frohe Weihnachten!
December 17, 2014	NASA wants to go to Venus
December 16, 2014	My thought about Pegida
December 16, 2014	A domain expired, amdeutschhof.de
December 15, 2014	December solstice in less than a week!
December 12, 2014	Comparison between Mordor and the US
December 9, 2014	Farewell American Forces
December 8, 2014	Speak German at home...
December 6, 2014	When Fighters scramble

