
SANS ISC: New Mac Trojan: BASH/QHost.WB SANS ISC InfoSec Forums

New Mac Trojan: BASH/QHost.WB

F-Secure blogged about a new Trojan for Mac OS X:

http://www.f-secure.com/weblog/archives/00002206.html
It relies on the fact that, due to the "dispute" between Adobe and Apple, Apple's latest Mac OS X version "Lion" ships without any Flash player, which makes users less likely to find it strange to be asked to install one separately.

This is DNS changer type malware: it modifies the hosts file so that Google sites are redirected to 91.224.160.26, an address which appears to be in the British Virgin Islands.
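Because the Trojan works by rewriting the hosts file rather than by touching the resolver, the change is easy to spot on disk. The following is an added example (not code from the diary or from F-Secure) that parses hosts-file text and reports any Google hostname mapped to a non-local address; the sample hosts content is constructed, with the 91.224.160.26 address taken from this diary.

```python
"""Added example: find hosts-file entries that redirect Google domains off-host.

Not part of the ISC diary. The SAMPLE_HOSTS content is constructed; the
91.224.160.26 address is the one reported in the diary.
"""
import ipaddress
import re
import sys
from typing import Iterator, List, Tuple

# Constructed sample hosts file, modelled on a stock Mac OS X /etc/hosts
# with two Trojan-style lines added.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
91.224.160.26   google.com www.google.com
91.224.160.26   google.co.uk
# harmless local alias
127.0.0.1       dev.local
"""

# Hostnames we care about: google.<tld> and any subdomain of it.
WATCHED_PATTERN = re.compile(r"(^|\.)google\.[a-z.]+$", re.IGNORECASE)


def parse_hosts(text: str) -> Iterator[Tuple[ipaddress._BaseAddress, str]]:
    """Yield (address, hostname) pairs, ignoring comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:  # one address may carry several names
            yield addr, name


def is_local(addr: ipaddress._BaseAddress) -> bool:
    """Loopback, link-local and unspecified addresses are normal in a hosts file."""
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified


def find_hijacked(text: str, watched: re.Pattern = WATCHED_PATTERN) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs where a watched name points off-host."""
    hits = []
    for addr, name in parse_hosts(text):
        if watched.search(name) and not is_local(addr):
            hits.append((name, str(addr)))
    return hits


if __name__ == "__main__":
    # Usage: python check_hosts.py [path]   (defaults to /etc/hosts)
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for name, addr in find_hijacked(fh.read()):
            print(f"suspicious hosts entry: {name} -> {addr}")
```

Running it against the constructed sample reports all three Google names; a legitimate `127.0.0.1 google.com` line (a common ad-blocking trick) is deliberately not flagged, since the Trojan's tell is redirection to a remote address, not to the local host.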

inetnum:        91.224.160.0 - 91.224.161.255
netname:        Bergdorf-network
descr:          Bergdorf Group Ltd.
country:        NL
org:            ORG-BGL9-RIPE
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         AINT-MNT
mnt-routes:     AINT-MNT
mnt-domains:    AINT-MNT
source:         RIPE # Filtered

organisation:   ORG-BGL9-RIPE
org-name:       Bergdorf Group Ltd.
org-type:       other
address:        3A Little Denmark Complex, 147 Main Street, PO Box 4473, Road Town, Torola, British Virgin Islands VG1110
admin-c:        AJ2256-RIPE
tech-c:         AJ2256-RIPE
mnt-ref:        AINT-MNT
mnt-by:         AINT-MNT
source:         RIPE # Filtered

person:         Agnes Jouaneau
address:        A Little Denmark Complex, 147 Main Street, PO Box 4473
address:        Road Town, Torola, VG1110
address:        British Virgin Islands
phone:          +44 20 81333030
fax-no:         +44 20 81333030
abuse-mailbox:  abuse@bergdorf-group.com
nic-hdl:        AJ2256-RIPE
mnt-by:         aint-mnt
source:         RIPE # Filtered

% Information related to '91.224.160.0/23AS51430'
route:          91.224.160.0/23
descr:          Bergdorf Group Ltd.
origin:         AS51430
mnt-by:         AINT-MNT
source:         RIPE # Filtered

When I asked that server where google was, it gave me an interesting response. It is still providing fake replies to DNS queries for google.


> lserver 91.224.160.26
Default server: 91.224.160.26
Address: 91.224.160.26#53
> google.com
Server:         91.224.160.26
Address:        91.224.160.26#53

Name:   google.com
Address: 91.224.160.26

Watching for UDP port 53 packets towards that IP might be a good idea.
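A compromised Mac whose hosts file points google.com at 91.224.160.26 has no reason to send DNS traffic to that address, but the server is answering queries, so any UDP/53 packets towards it from inside your network are worth an alert. The block below is an added example (not the diary's own tooling) that runs that check over key=value firewall log lines; the log format and the sample lines are constructed, and only the 91.224.160.26 address comes from the page.

```python
"""Added example: flag UDP/53 traffic towards the address reported in the diary.

Not part of the ISC diary. The key=value log format and SAMPLE_LOG lines are
constructed; 91.224.160.26 is the address the diary reports.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

WATCHED_IPS: Set[str] = {"91.224.160.26"}  # from the diary

# Constructed sample firewall log, not real traffic.
SAMPLE_LOG = """\
2011-09-20T10:01:02Z action=pass src=10.1.195.44 dst=8.8.8.8 proto=udp sport=51233 dport=53
2011-09-20T10:01:05Z action=pass src=10.1.195.44 dst=91.224.160.26 proto=udp sport=51234 dport=53
2011-09-20T10:01:06Z action=pass src=10.1.195.44 dst=91.224.160.26 proto=tcp sport=51235 dport=80
2011-09-20T10:02:11Z action=pass src=10.1.195.77 dst=91.224.160.26 proto=udp sport=40001 dport=53
2011-09-20T10:02:12Z action=pass src=10.1.195.77 dst=91.224.160.26 proto=udp sport=40002 dport=53
malformed line that should be ignored
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "dst", "proto", "dport"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one key=value log line into a dict; None if essential fields are missing."""
    fields = dict(KV.findall(line))
    if not REQUIRED <= fields.keys():
        return None
    return fields


def find_traffic_to_watched(
    log_text: str,
    watched: Set[str] = WATCHED_IPS,
    dns_only: bool = True,
) -> Tuple[Dict[str, int], List[str]]:
    """Return (per-source hit counts, matching log lines).

    With dns_only=True only UDP/53 flows are reported, as the diary suggests;
    with dns_only=False any flow to a watched address is reported, which is the
    broader check worth running once an address is known to be hostile.
    """
    hits: List[str] = []
    per_source: Counter = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["dst"] not in watched:
            continue
        if dns_only and not (f["proto"].lower() == "udp" and f["dport"] == "53"):
            continue
        hits.append(line)
        per_source[f["src"]] += 1
    return dict(per_source), hits


if __name__ == "__main__":
    counts, lines = find_traffic_to_watched(SAMPLE_LOG)
    for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} DNS query packet(s) to a watched address")
```

The per-source tally is the useful output for an analyst: each internal address that appears is a candidate infected host whose hosts file should be inspected, and the raw matching lines give the timestamps to pivot on.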

UPDATE/CORRECTION:

While the whois information points to the British Virgin Islands a traceroute gave me a very different answer.

Tracing route to 91.224.160.26 over a maximum of 30 hops

  1    75 ms    <1 ms    <1 ms  10.1.195.3
<SNIP>
 14   236 ms   147 ms   138 ms  Open-Peering-Amsterdam.Te3-3.ar7.AMS2.gblx.net [208.50.237.194]
 15   350 ms   139 ms   138 ms  jt.altushost.com [217.170.19.60]
 16   138 ms   142 ms   142 ms  91.224.160.26

donald

206 Posts
ISC Handler
I'm sure I've heard of this network before. Like maybe I've seen some sort of abuse out of that IP range recently. I remember being confused by the WHOIS data. 'Little Denmark' street, a P.O. Box in the British Virgin Isles, but registered in the RIPE (Europe) NIC with 'country: NL', where it seems to get its IP transit from a Swedish company. And yet their top-level domain WHOIS gives anonymous Pakistani registration details and mentions another address in Belgrade.

Good old robtex offers a list of domains hosted in this IP block. Many are .ru, and I'd advise caution about visiting any of them:
* http://www.robtex.com/cnet/91.224.160.html
* http://www.robtex.com/cnet/91.224.161.html

And I've just noticed the SNORT Emerging Threats ruleset identifies many of these IPs as Russian Business Network. Be worried if you see traffic on your network going to/from these IPs.
Anonymous
