Pages

Wednesday, July 27, 2011

Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)


The recently discovered Backdoor for Mac Olyx (Criminals gain control over Mac with BackDoor.Olyx)  was used for targeted attacks (or what it appears to be), which is not surprising. As Microsoft pointed out, in addition to malware, the package contains an html page and photos from a Wikipedia page for events dated July 5, 2009, however it appears that all photos relate to one event - July 2009 Ürümqi riots in China. 
"Government censors disabled keyword searches for "Urumqi", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down.Many unauthorized postings on local sites and Google were said to have been "harmonised" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord."
Perhaps the trojans found in the package Ghostnet backdoor as Backdoor:Win32/Remosh.A. and the new Backdoor:MacOS_X/Olyx.A were destined for a Chinese human rights activist, as he/she would be likely to be interested in this particular event update. In addition, it is known that many of the Gh0stnet targets were  human rights activists.


  General File Information

MD5: 93a9b55bb66d0ff80676232818d5952f
File Type: Mach-O I386
Malware:
Backdoor.Olyx


MD5: f65fbeb945348ad2e1a123ef5cee65d3
File Type: Windows PE EXE
Malware: Ghostnet backdoor



Download


Download the package (including 93a9b55bb66d0ff80676232818d5952f and  f65fbeb945348ad2e1a123ef5cee65d3) as a password protected archive (contact me if you need the password)

All the thanks and credits go Kyle Yang, who was very kind to share (thank you, Kyle!!!)

(If you downloaded it on July 27 from  7:00 to 11:30 am UTC, please do it again, the pass was wrong but the scheme will work now)



Additional information and Analysis links

----------------------------------------------------------------------
Microsoft Malware Protection center posted an excellent analysis with a lot of details, which you can find at the link below: Backdoor Olyx - is it malware on a mission for Mac?
Original report of Olyx backdoor by Dr.Web Criminals gain control over Mac with BackDoor.Olyx
MD5:
93a9b55bb66d0ff80676232818d5952f
File Type:
Mach-O I386
Malware: Backdoor.Olyx
I am not a Mac or RE expert, I just made a few screenshots of the disassembled Mach-O file with Microsoft comments, which I thought were relevant. Please correct me if needed :)


MD5: f65fbeb945348ad2e1a123ef5cee65d3
File Type: Windows PE EXE
Malware: Ghostnet backdoor
Anubis Analysis  http://anubis.iseclab.org/?action=result&task_id=1ae9dcbf36d882e541d8fa26d533a9d39&format=html
Here is a screenshot of the certificate, which was revoked and some strings from the binary


Automated Scans

Current events 2009 July 5
Submission date:2011-07-27 05:07:51 (UTC)
Result:19 /43 (44.2%)
http://www.virustotal.com/file-scan/report.html?id=a5c1b89b26007f4672409e0e7a3ab85135a0ffc01c74c4b6d49084da7fe9def5-1311743271
AhnLab-V3     2011.07.27.00     2011.07.27     MacOS_X/Olyx
Avast     4.8.1351.0     2011.07.26     MacOS:Olyx [Trj]
Avast5     5.0.677.0     2011.07.26     MacOS:Olyx [Trj]
BitDefender     7.2     2011.07.27     MAC.OSX.Backdoor.Olyx.A
Comodo     9524     2011.07.27     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.07.27     BackDoor.Olyx.1
Emsisoft     5.1.0.8     2011.07.27     Backdoor.OSX.Olyx!IK
F-Secure     9.0.16440.0     2011.07.27     Backdoor:OSX/Olyx.A
GData     22     2011.07.27     MAC.OSX.Backdoor.Olyx.A
Ikarus     T3.1.1.104.0     2011.07.27     Backdoor.OSX.Olyx
Kaspersky     9.0.0.837     2011.07.27     Backdoor.OSX.Olyx.a
Microsoft     1.7104     2011.07.26     Backdoor:MacOS_X/Olyx.A
NOD32     6327     2011.07.27     OSX/Olyx.A
PCTools     8.0.0.5     2011.07.27     Backdoor.Olyx
Sophos     4.67.0     2011.07.27     OSX/Bckdr-RID
Symantec     20111.1.0.186     2011.07.27     Backdoor.Olyx
TrendMicro-HouseCall     9.200.0.1012     2011.07.27     OSX_OLYX.WA
VBA32     3.12.16.4     2011.07.26     BackDoor.OSX.Generic
VirusBuster     14.0.140.0     2011.07.26     Backdoor.OSX.Olyx.A
Additional information
Show all
MD5   : 93a9b55bb66d0ff80676232818d5952f

Video-Current events 2009 July 5.exe
  - WINDOWS BINARY Submission date:2011-07-27 05:00:39 (UTC)
Result:19/ 43 (44.2%)
http://www.virustotal.com/file-scan/report.html?id=d2f45192f22ef62a694facd0604b12c8c748ac94a6d8a2913f4beec7f04be1c1-1311742839
AhnLab-V3    2011.07.27.00    2011.07.27    Win-Trojan/Olyx.205480
AntiVir    7.11.12.130    2011.07.27    BDS/Olyx.A
BitDefender    7.2    2011.07.27    Backdoor.Wolyx.A
Comodo    9524    2011.07.27    TrojWare.Win32.Magania.~AD
DrWeb    5.0.2.03300    2011.07.27    Trojan.PWS.Multi.228
Emsisoft    5.1.0.8    2011.07.27    Trojan-PWS.Win32.Hangame.cl!IK
eSafe    7.0.17.0    2011.07.26    Win32.Backdoor.Troja
GData    22    2011.07.27    Backdoor.Wolyx.A
Ikarus    T3.1.1.104.0    2011.07.27    Trojan-PWS.Win32.Hangame.cl
McAfee    5.400.0.1158    2011.07.27    Artemis!F65FBEB94534
McAfee-GW-Edition    2010.1D    2011.07.26    Heuristic.BehavesLike.Win32.AdSpyware.A
Microsoft    1.7104    2011.07.26    Backdoor:Win32/Wolyx.A
NOD32    6327    2011.07.27    Win32/Delf.OBY
Panda    10.0.3.5    2011.07.26    Suspicious file
PCTools    8.0.0.5    2011.07.27    Backdoor.Trojan
Symantec    20111.1.0.186    2011.07.27    Backdoor.Trojan
TrendMicro-HouseCall    9.200.0.1012    2011.07.27    BKDR_WOLYX.WA
VIPRE    9978    2011.07.27    Trojan.Win32.Generic.pak!cobra
VirusBuster    14.0.140.0    2011.07.26    Backdoor.Wolyx!YVAf5CV8Y34

MD5   : f65fbeb945348ad2e1a123ef5cee65d3

Anubis Analysis
http://anubis.iseclab.org/?action=result&task_id=1ae9dcbf36d882e541d8fa26d533a9d39&format=html

Traffic

121.254.173.57
Host reachable, 234 ms. average

121.254.128.0 - 121.254.255.255

Korea Internet Data Center Inc.
Korea, Republic of

Yunmi Lee
ip@kidc.net
KIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul
phone: +82-2-6440-2925
fax: +82-2-6440-2909



4 comments:

  1. Hi Mila,

    The archive contains just one file with md5 1c100e7f3bda579bb4394460ef530f0c6f63205c - is this the dropper or something like that?

    Thanks
    Anthony

    ReplyDelete
  2. That have been fixed. 2 am password making is a bad idea but all is good now.

    ReplyDelete
  3. Hi Mila,
    Is your archive only the Windows trojan or do you also have the Mac 93a9b55bb66d0ff80676232818d5952f sample?
    Best,
    Dan

    ReplyDelete
  4. it includes mac 93a9b55bb66d0ff80676232818d5952f sample and the windows f65fbeb945348ad2e1a123ef5cee65d3

    ReplyDelete