NEWS FROM THE LAB - Tuesday, March 31, 2009

Not A MacCinema Installer Posted by Response @ 09:37 GMT

We recently received a Mac sample, with a Disk Image File (DMG) extension, that claims to be a MacCinema Installer. The file was downloaded from the following link:

  •  http://power-best.com/download/[...]/Flash.Player.Update.v9.19.dmg

This is a fake video site that serves a fake Adobe Flash Player update for Macs, supposedly to watch a video.

Anyway, when mounted the DMG file has a package file named "install.pkg". Here's the snapshot of what you get when you open the package:


The "install.pkg" file contains the following files:


We extracted the "Archive.pax.gz" which contains the following files:


We analyzed each file and found that "AdobeFlash", "preinstall" and "preupgrade" are all the same thing, which is actually an obfuscated bash script:


So here's the de-obfuscated script:


Based on the above code, the script searches for the string "AdobeFlash" in the Schedule Jobs list; if the string doesn't exist, the script creates the following Schedule Job to run the "AdobeFlash" file every 5 hours.

"* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1"

Here's the de-obfuscated script after crontab instructions:


The above code reveals that it will download and execute files from the following site: http://94.247.2.[...]/cgi-bin/generator.pl.

Along with these downloads, it also sends the following information about the infected system:

  •  System Information Processor Type
  •  Computer Name

The downloaded file is also an obfuscated bash script:


Again, here's the de-obfuscated script of the downloaded file:


The above code shows that it will modify the infected system´┐Żs DNS server to one of the following:


This range of IP Addresses is actually owned by UkrTeleGroup. We'd recommend blocking DNS traffic to –

Response Team post by — Lordian