Wednesday, July 27, 2011

Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)

The recently discovered Mac backdoor Olyx (see Dr.Web's report, Criminals gain control over Mac with BackDoor.Olyx) appears to have been used in targeted attacks, which is not surprising. As Microsoft pointed out, the package contains, in addition to the malware, an HTML page and photos taken from a Wikipedia page of events dated July 5, 2009; all of the photos, however, relate to a single event, the July 2009 Ürümqi riots in China.
"Government censors disabled keyword searches for "Urumqi", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down. Many unauthorized postings on local sites and Google were said to have been "harmonised" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord."
Perhaps the two trojans found in the package, the Gh0stnet backdoor (Backdoor:Win32/Remosh.A; note that the VirusTotal scan below lists Microsoft's detection of this file as Backdoor:Win32/Wolyx.A) and the new Backdoor:MacOS_X/Olyx.A, were destined for a Chinese human rights activist, who would be likely to be interested in an update on this particular event. Many of the Gh0stnet targets are known to have been human rights activists.

  General File Information

MD5: 93a9b55bb66d0ff80676232818d5952f
File Type: Mach-O I386

MD5: f65fbeb945348ad2e1a123ef5cee65d3
File Type: Windows PE EXE
Malware: Ghostnet backdoor
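To check the file types and hashes above on your own copy of the package, here is an added triage script of mine (it is not from the original post and not part of Kyle Yang's share). It identifies Mach-O and PE files from their headers rather than from the file extension, and prints MD5 next to SHA-1 and SHA-256 so the two digest lengths (32 vs. 40 hex characters) are not confused. The two byte strings embedded in it are constructed minimal headers for testing, not the real samples; the directory layout it walks is whatever you extracted the archive into.

```python
#!/usr/bin/env python3
"""Triage helper: identify Mach-O / PE files by header and hash them.

Added example; the embedded FAKE_* byte strings are constructed test
inputs and are NOT the samples discussed on the page.
"""
import hashlib
import os
import struct
import sys

# Mach-O magic values as they appear when read in the file's own byte order.
# 0xCAFEBABE (fat/universal) also happens to be the Java class-file magic,
# so a real triage tool would look further into the file for that case.
MACHO_MAGICS = {
    0xFEEDFACE: ("Mach-O", 32),
    0xFEEDFACF: ("Mach-O", 64),
    0xCAFEBABE: ("Mach-O fat", 0),
}
CPU_TYPES = {7: "I386", 0x01000007: "X86_64", 12: "ARM", 18: "PPC"}
PE_MACHINES = {0x14C: "I386", 0x8664: "AMD64"}


def identify(data: bytes) -> str:
    """Return a short type string for a file body, e.g. 'Mach-O I386'."""
    if len(data) >= 8:
        # Try both byte orders: an i386 Mach-O stores 0xFEEDFACE as CE FA ED FE.
        little = struct.unpack("<I", data[:4])[0]
        big = struct.unpack(">I", data[:4])[0]
        for magic, order in ((little, "<"), (big, ">")):
            if magic in MACHO_MAGICS:
                name, bits = MACHO_MAGICS[magic]
                if bits == 0:
                    return "Mach-O fat (universal)"
                cputype = struct.unpack(order + "I", data[4:8])[0]
                return f"{name} {CPU_TYPES.get(cputype, hex(cputype))}"
    # PE: 'MZ' DOS stub, e_lfanew at offset 0x3C, then 'PE\0\0' + COFF header.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            return f"Windows PE EXE {PE_MACHINES.get(machine, hex(machine))}"
    return "unknown"


def digests(data: bytes) -> dict:
    """MD5 (32 hex), SHA-1 (40 hex) and SHA-256 (64 hex) of the same bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def triage_dir(root: str) -> dict:
    """Walk an extracted package and report type plus digests for every file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            report[path] = {"type": identify(data), **digests(data)}
    return report


# Constructed test inputs (not real malware):
# a bare 32-bit Mach-O header: magic, cputype=7 (i386), cpusubtype, filetype=2
# (MH_EXECUTE), ncmds=0, sizeofcmds=0, flags=0.
FAKE_MACHO = struct.pack("<7I", 0xFEEDFACE, 7, 3, 2, 0, 0, 0)
# a minimal PE: 'MZ', padding up to e_lfanew at 0x3C pointing to 0x40,
# then 'PE\0\0' and a 20-byte COFF header with Machine = 0x14C (i386).
FAKE_PE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in sorted(triage_dir(root).items()):
        print(f"{info['md5']}  {info['type']:<24} {path}")
```

Run it as `python3 triage.py /path/to/extracted/package`; each line gives the MD5, the detected type and the path, so the Mach-O and PE entries in the file information above can be matched to files on disk regardless of what they are named.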


Download the package (including 93a9b55bb66d0ff80676232818d5952f and f65fbeb945348ad2e1a123ef5cee65d3) as a password-protected archive (contact me if you need the password).

All the thanks and credit go to Kyle Yang, who was very kind to share (thank you, Kyle!!!)

(If you downloaded it on July 27 between 7:00 and 11:30 am UTC, please do it again: the password was wrong, but the scheme will work now.)

Additional information and Analysis links

The Microsoft Malware Protection Center posted an excellent analysis with a lot of details, which you can find at the link below: Backdoor Olyx - is it malware on a mission for Mac?
Original report of the Olyx backdoor by Dr.Web: Criminals gain control over Mac with BackDoor.Olyx

MD5: 93a9b55bb66d0ff80676232818d5952f
File Type: Mach-O I386
Malware: Backdoor.Olyx
I am not a Mac or RE expert; I just made a few screenshots of the disassembled Mach-O file with Microsoft's comments, which I thought were relevant. Please correct me if needed :)

MD5: f65fbeb945348ad2e1a123ef5cee65d3
File Type: Windows PE EXE
Malware: Ghostnet backdoor
Anubis Analysis
Here is a screenshot of the code-signing certificate (which has since been revoked) and some strings from the binary.

Automated Scans

Current events 2009 July 5 (Mach-O, MD5 93a9b55bb66d0ff80676232818d5952f)
Submission date: 2011-07-27 05:07:51 (UTC)
Result: 19/43 (44.2%)

Engine                 Version          Last update   Result
AhnLab-V3              2011.07.27.00    2011.07.27    MacOS_X/Olyx
Avast                  4.8.1351.0       2011.07.26    MacOS:Olyx [Trj]
Avast5                 5.0.677.0        2011.07.26    MacOS:Olyx [Trj]
BitDefender            7.2              2011.07.27    MAC.OSX.Backdoor.Olyx.A
Comodo                 9524             2011.07.27    UnclassifiedMalware
DrWeb                                   2011.07.27    BackDoor.Olyx.1
Emsisoft                                2011.07.27    Backdoor.OSX.Olyx!IK
F-Secure               9.0.16440.0      2011.07.27    Backdoor:OSX/Olyx.A
GData                  22               2011.07.27    MAC.OSX.Backdoor.Olyx.A
Ikarus                 T3.              2011.07.27    Backdoor.OSX.Olyx
Kaspersky                               2011.07.27    Backdoor.OSX.Olyx.a
Microsoft              1.7104           2011.07.26    Backdoor:MacOS_X/Olyx.A
NOD32                  6327             2011.07.27    OSX/Olyx.A
PCTools                                 2011.07.27    Backdoor.Olyx
Sophos                 4.67.0           2011.07.27    OSX/Bckdr-RID
Symantec               20111.1.0.186    2011.07.27    Backdoor.Olyx
TrendMicro-HouseCall                    2011.07.27    OSX_OLYX.WA
VBA32                                   2011.07.26    BackDoor.OSX.Generic
VirusBuster                             2011.07.26    Backdoor.OSX.Olyx.A

Video-Current events 2009 July 5.exe (Windows binary, MD5 f65fbeb945348ad2e1a123ef5cee65d3)
Submission date: 2011-07-27 05:00:39 (UTC)
Result: 19/43 (44.2%)

Engine                 Version          Last update   Result
AhnLab-V3              2011.07.27.00    2011.07.27    Win-Trojan/Olyx.205480
AntiVir                                 2011.07.27    BDS/Olyx.A
BitDefender            7.2              2011.07.27    Backdoor.Wolyx.A
Comodo                 9524             2011.07.27    TrojWare.Win32.Magania.~AD
DrWeb                                   2011.07.27    Trojan.PWS.Multi.228
Emsisoft                                2011.07.27    !IK
eSafe                                   2011.07.26    Win32.Backdoor.Troja
GData                  22               2011.07.27    Backdoor.Wolyx.A
Ikarus                 T3.              2011.07.27
McAfee                 5.400.0.1158     2011.07.27    Artemis!F65FBEB94534
McAfee-GW-Edition      2010.1D          2011.07.26    Heuristic.BehavesLike.Win32.AdSpyware.A
Microsoft              1.7104           2011.07.26    Backdoor:Win32/Wolyx.A
NOD32                  6327             2011.07.27    Win32/Delf.OBY
Panda                                   2011.07.26    Suspicious file
PCTools                                 2011.07.27    Backdoor.Trojan
Symantec               20111.1.0.186    2011.07.27    Backdoor.Trojan
TrendMicro-HouseCall                    2011.07.27    BKDR_WOLYX.WA
VIPRE                  9978             2011.07.27    Trojan.Win32.Generic.pak!cobra
VirusBuster                             2011.07.26    Backdoor.Wolyx!YVAf5CV8Y34

Anubis Analysis

Host reachable, 234 ms average.

Korea Internet Data Center Inc.
Korea, Republic of
Yunmi Lee
KIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul
phone: +82-2-6440-2925
fax: +82-2-6440-2909


  1. Hi Mila,

    The archive contains just one file with md5 1c100e7f3bda579bb4394460ef530f0c6f63205c - is this the dropper or something like that?

  2. That has been fixed. 2 am password-making is a bad idea, but all is good now.

  3. Hi Mila,
    Is your archive only the Windows trojan, or do you also have the Mac 93a9b55bb66d0ff80676232818d5952f sample?

  4. It includes the Mac 93a9b55bb66d0ff80676232818d5952f sample and the Windows f65fbeb945348ad2e1a123ef5cee65d3 sample.