New Mac Trojan: BASH/QHost.WB

Published: 2011-08-05
Last Updated: 2011-08-05 20:27:24 UTC
by donald smith (Version: 1)
1 comment(s)

F-Secure blogged about a new Trojan for Mac’s IOSX

http://www.f-secure.com/weblog/archives/00002206.html
It relies on the fact that due to the "dispute" between Adobe and Apple, Apple's latest Mac OS X version "Lion" comes without any flash player, enhancing the odds people do not find it strange to have to install it separately.

This is a DNS changer type malware that modifies the hosts file to redirect google sites to 91.224.160.26. Which appears to be in the British Virgin Islands.

inetnum:        91.224.160.0 - 91.224.161.255
netname:        Bergdorf-network
descr:          Bergdorf Group Ltd.
country:        NL
org:            ORG-BGL9-RIPE
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         AINT-MNT
mnt-routes:     AINT-MNT
mnt-domains:    AINT-MNT
source:         RIPE # Filtered

organisation:   ORG-BGL9-RIPE
org-name:       Bergdorf Group Ltd.
org-type:       other
address:        3A Little Denmark Complex, 147 Main Street, PO Box 4473, Roa
wn, Torola, British Virgin Islands VG1110
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
mnt-ref:        AINT-MNT
mnt-by:         AINT-MNT
source:         RIPE # Filtered

person:         Agnes Jouaneau
address:        A Little Denmark Complex, 147 Main Street, PO Box 4473
address:        Road Town, Torola, VG1110
address:        British Virgin Islands
phone:          +44 20 81333030
fax-no:         +44 20 81333030
abuse-mailbox:  abuse@bergdorf-group.com
nic-hdl:        AJ2256-RIPE
mnt-by:         aint-mnt
source:         RIPE # Filtered

% Information related to '91.224.160.0/23AS51430'
route:          91.224.160.0/23
descr:          Bergdorf Group Ltd.
origin:         AS51430
mnt-by:         AINT-MNT
source:         RIPE # Filtered

When I asked that server where google was it gave me an interesting response. It is still providing fake replies to dns queries for google.


> lserver 91.224.160.26
Default server: 91.224.160.26
Address: 91.224.160.26#53
> google.com
Server:         91.224.160.26
Address:        91.224.160.26#53

Name:   google.com
Address: 91.224.160.26

Watching for upd port 53 packets towards that IP might be a good idea.

  UPDATE/CORRECTION:

While the whois information points to the British Virgin Islands a traceroute gave me a very different answer.

Tracing route to 91.224.160.26 over a maximum of 30 hops

  1    75 ms    <1 ms    <1 ms  10.1.195.3
<SNIP>
 14   236 ms   147 ms   138 ms  Open-Peering-Amsterdam.Te3-3.ar7.AMS2.gblx.net [208.50.237.194]
 15   350 ms   139 ms   138 ms  jt.altushost.com [217.170.19.60]
 16   138 ms   142 ms   142 ms  91.224.160.26

Keywords: dnschanger mac trojan
1 comment(s)

Comments

I'm sure I've heard of this network before. Like maybe I've seen some sort of abuse out of that IP range recently. I remember being confused by the WHOIS data. 'Little Denmark' street, a P.O. Box the British Virgin Isles, but registered in the RIPE (Europe) NIC with 'country: NL' where it seems to get its IP transit from a Swedish company. And yet their top-level domain WHOIS gives anonymous Pakistani registration details and mentions another address in Belgrade.

Good old robtex offers a list of domains hosted in this IP block. Many are .ru, and I'd advise caution about visiting any of them:
* http://www.robtex.com/cnet/91.224.160.html
* http://www.robtex.com/cnet/91.224.161.html

And I've just noticed the SNORT Emerging Threats ruleset identifies many of these IPs as Russian Business Network. Be worried if you see traffic on your network going to/from these IPs.

Diary Archives