
SANS ISC InfoSec Handlers Diary Blog



New Mac Trojan: BASH/QHost.WB

Published: 2011-08-05
Last Updated: 2011-08-05 20:27:24 UTC
by Donald Smith (Version: 1)
1 comment(s)

F-Secure blogged about a new Trojan for Mac OS X:

http://www.f-secure.com/weblog/archives/00002206.html
It relies on the fact that, due to the "dispute" between Adobe and Apple, Apple's latest Mac OS X version, "Lion", ships without a Flash player, so users do not find it strange to be asked to install one separately.

This is DNS-changer style malware: it modifies the hosts file so that Google sites resolve to 91.224.160.26, an address whose whois record places it in the British Virgin Islands.
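To check a Mac (or Linux) machine for the kind of hosts-file tampering described above, the following script parses a hosts file and flags entries that pin Google hostnames to a non-loopback address or that map anything to the sinkhole IP named in the diary. It is an added example, not code from the diary or from F-Secure's write-up; the sample hosts content is constructed, and treating loopback/unspecified targets as benign (the blocklist convention) is an assumption.

```python
# Added example (not from the ISC diary or from F-Secure's write-up): find
# hosts-file entries that hijack Google hostnames, the QHost behaviour described
# above. On a Mac the file to check is /etc/hosts.
import ipaddress
import re
from typing import List, Tuple

# The address the diary reports the Trojan points Google sites at.
SINKHOLE_IPS = {"91.224.160.26"}

# Assumption: google.<tld> and anything beneath it counts as a watched hostname.
_GOOGLE_HOST = re.compile(r"^([a-z0-9-]+\.)*google\.[a-z]{2,}(\.[a-z]{2})?$", re.I)


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments (#...) and blank lines are skipped; a line listing several names
    yields one tuple per name; lines whose first field is not an IP address are
    ignored rather than aborting the scan.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), line_no))
    return entries


def find_hijacked_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, ip, hostname, reason) for suspicious mappings.

    Loopback/unspecified targets (127.0.0.1, 0.0.0.0, ::1) are what ad-blocking
    hosts lists use, so they are treated as benign (assumption); any other
    address for a Google hostname, or any mapping to a known sinkhole, is flagged.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if ip in SINKHOLE_IPS:
            findings.append((line_no, ip, name, "maps to known sinkhole address"))
        elif _GOOGLE_HOST.match(name) and not (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, ip, name, "google hostname pinned to non-loopback address"))
    return findings


# Constructed sample hosts file (not captured from an infected machine).
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0         ads.example.net        # blocklist entry, benign
91.224.160.26   google.com www.google.com
91.224.160.26   google.co.uk mail.google.com
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, ip, name, reason in find_hijacked_entries(text):
        print(f"line {line_no}: {ip} -> {name}: {reason}")
```

Run it as `python3 check_hosts.py /etc/hosts`; with no argument it scans the constructed sample, which produces four findings for the two sinkhole lines.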

inetnum:        91.224.160.0 - 91.224.161.255
netname:        Bergdorf-network
descr:          Bergdorf Group Ltd.
country:        NL
org:            ORG-BGL9-RIPE
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         AINT-MNT
mnt-routes:     AINT-MNT
mnt-domains:    AINT-MNT
source:         RIPE # Filtered

organisation:   ORG-BGL9-RIPE
org-name:       Bergdorf Group Ltd.
org-type:       other
address:        3A Little Denmark Complex, 147 Main Street, PO Box 4473, Road Town, Torola, British Virgin Islands VG1110
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
mnt-ref:        AINT-MNT
mnt-by:         AINT-MNT
source:         RIPE # Filtered

person:         Agnes Jouaneau
address:        A Little Denmark Complex, 147 Main Street, PO Box 4473
address:        Road Town, Torola, VG1110
address:        British Virgin Islands
phone:          +44 20 81333030
fax-no:         +44 20 81333030
abuse-mailbox:  abuse@bergdorf-group.com
nic-hdl:        AJ2256-RIPE
mnt-by:         aint-mnt
source:         RIPE # Filtered

% Information related to '91.224.160.0/23AS51430'
route:          91.224.160.0/23
descr:          Bergdorf Group Ltd.
origin:         AS51430
mnt-by:         AINT-MNT
source:         RIPE # Filtered

When I asked that server where Google was, it gave me an interesting response. It is still providing fake replies to DNS queries for Google.


> lserver 91.224.160.26
Default server: 91.224.160.26
Address: 91.224.160.26#53
> google.com
Server:         91.224.160.26
Address:        91.224.160.26#53

Name:   google.com
Address: 91.224.160.26
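The same check the nslookup session above performs, written so it can be scripted against any resolver. This is an added example, not code from the diary: it builds a minimal DNS A query, parses the answer section (handling name compression), rejects replies whose transaction ID does not match the query, and reports whether the server answered with its own address. `forge_response` produces a constructed reply of the kind the rogue server returned so the parsing can be exercised offline; the server address and hostname in the `__main__` block are only defaults.

```python
# Added example (not from the ISC diary): query a resolver for an A record
# and check whether it answers with its own address, as 91.224.160.26 did.
import os
import socket
import struct
from typing import List

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header, one question (name, A, IN), RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(resp: bytes, expected_txid: int) -> List[str]:
    """Extract A-record addresses from the answer section of a DNS reply.

    Raises ValueError if the transaction ID does not match the query or the
    packet is not a response: the minimum sanity check against stray replies.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    if txid != expected_txid:
        raise ValueError(f"txid mismatch: sent {expected_txid:#06x}, got {txid:#06x}")
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    offset = 12
    for _ in range(qdcount):                       # skip the echoed question(s)
        offset = _skip_name(resp, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(resp, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, offset)
        offset += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(socket.inet_ntoa(resp[offset:offset + 4]))
        offset += rdlen
    return addresses


def answers_with_self(server_ip: str, addresses: List[str]) -> bool:
    """True when the resolver handed out its own address, as in the diary."""
    return server_ip in addresses


def forge_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply of the kind the rogue server sent: echoes the question
    and answers with one A record whose name is a pointer back to it."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def query_resolver(server_ip: str, name: str, timeout: float = 3.0) -> List[str]:
    """Send the query over UDP/53 to server_ip and return the A records."""
    txid = int.from_bytes(os.urandom(2), "big")   # random ID, checked on reply
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    return parse_a_records(resp, txid)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "91.224.160.26"
    ips = query_resolver(server, "google.com")
    flag = " (answers with itself)" if answers_with_self(server, ips) else ""
    print(f"{server} -> {ips}{flag}")
```

The live query only runs from the `__main__` block; the parser and the self-answer check work on the forged packet without network access.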

Watching for UDP port 53 packets towards that IP might be a good idea.

UPDATE/CORRECTION:

While the whois information points to the British Virgin Islands, a traceroute gave me a very different answer.

Tracing route to 91.224.160.26 over a maximum of 30 hops

  1    75 ms    <1 ms    <1 ms  10.1.195.3
<SNIP>
 14   236 ms   147 ms   138 ms  Open-Peering-Amsterdam.Te3-3.ar7.AMS2.gblx.net [208.50.237.194]
 15   350 ms   139 ms   138 ms  jt.altushost.com [217.170.19.60]
 16   138 ms   142 ms   142 ms  91.224.160.26

Keywords: dnschanger mac trojan

Common Web Attacks. A quick 404 project update

Published: 2011-08-05
Last Updated: 2011-08-05 15:49:45 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

We have now been collecting for about a week, and it is time to give everybody a quick update on the project. Thanks for all the submissions so far. We do have some initial results, just not enough to automate the reports quite yet. But there are now clients for Perl, Python and ASP! (Thanks to the contributors.)

Some of the most common scans target:

  • WordPress. We do have a good number of reports coming in for wp-login.php.
  • phpMyAdmin (/phpmyadmin/scripts/setup.php)
  • MediaWiki/Wiki (but these hits only come from a few submitters, so they may not be statistically significant yet)

And some frequently requested files that are likely not an attack:

  • robots.txt - search engines will look for it. You should have the file to control well-behaved search engines. Just don't use it to list secret / restricted pages ;-)
  • apple-touch-icon files (there are a number of different ones for different resolutions). This is just like a "favicon", but used by Apple's iOS devices. With them becoming more and more popular, you may want to set one up.
  • crossdomain.xml - this file is used by Flash and Silverlight to learn your cross-domain policy. We have talked about the file before. It is a good idea to have a minimal one that grants no cross-domain access (denying access is also what up-to-date Flash players do when no policy file is served).
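As an added example (not the 404 project's own client code), the script below does on a single server what the project does across submitters: it pulls the 404s out of an Apache/nginx combined-format access log, sorts them into the scan and benign categories listed above, and names the sources that were scanning. The log lines are constructed, the combined log format is assumed, and the category rules are only the ones this diary mentions.

```python
# Added example (not the 404 project's client code): classify 404 hits from a
# combined-format access log into the scan and benign categories discussed
# above, and list the client addresses that triggered scan categories.
import re
from collections import Counter
from typing import Dict, List, Tuple

# Combined log format (assumed): client ... [time] "METHOD path HTTP/x" status ...
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# (pattern, label): first match wins; labels starting with "scan:" are attacks.
RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^/wp-login\.php$", re.I), "scan:wordpress"),
    (re.compile(r"^/phpmyadmin/scripts/setup\.php$", re.I), "scan:phpmyadmin"),
    (re.compile(r"^/(media)?wiki(/|$)", re.I), "scan:mediawiki"),
    (re.compile(r"^/robots\.txt$"), "benign:robots.txt"),
    (re.compile(r"^/apple-touch-icon[^/]*\.png$"), "benign:apple-touch-icon"),
    (re.compile(r"^/crossdomain\.xml$"), "benign:crossdomain.xml"),
]


def classify_path(path: str) -> str:
    """Map a requested path to a category; unmatched paths are 'unknown'."""
    path = path.split("?", 1)[0]            # the query string does not decide the category
    for pattern, label in RULES:
        if pattern.search(path):
            return label
    return "unknown"


def parse_404s(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for every 404 line; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if m and m.group(4) == "404":
            hits.append((m.group(1), m.group(3)))
    return hits


def summarize(log_text: str) -> Dict[str, object]:
    """Count 404s per category and collect the IPs that hit scan categories."""
    labels: Counter = Counter()
    scanners = set()
    for ip, path in parse_404s(log_text):
        label = classify_path(path)
        labels[label] += 1
        if label.startswith("scan:"):
            scanners.add(ip)
    return {"labels": labels, "scanners": sorted(scanners)}


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2011:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2011:14:02:12 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Aug/2011:14:05:40 +0000] "GET /robots.txt HTTP/1.1" 404 213 "-" "Googlebot/2.1"
192.0.2.9 - - [05/Aug/2011:14:06:01 +0000] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 404 213 "-" "Mobile Safari"
192.0.2.9 - - [05/Aug/2011:14:06:01 +0000] "GET /crossdomain.xml HTTP/1.1" 404 213 "-" "Shockwave Flash"
192.0.2.9 - - [05/Aug/2011:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mobile Safari"
203.0.113.7 - - [05/Aug/2011:14:07:30 +0000] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 404 213 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    for label, count in sorted(report["labels"].items()):
        print(f"{count:5d}  {label}")
    print("scanning sources:", ", ".join(report["scanners"]) or "none")
```

On the sample, the three requests from 203.0.113.7 all land in scan categories, so it is the only address reported as a scanner, while the icon, robots.txt and crossdomain.xml misses are counted but not treated as attacks.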

Please keep the reports coming, and please install the "client code" on your error page if you haven't yet. Once it is installed, you can verify that your submissions are working by logging in and proceeding to the 404 report page.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 404 project