NEWS FROM THE LAB - Monday, August 1, 2011

Trojan:BASH/QHost.WB Posted by ThreatSolutions @ 03:17 GMT

We've come across a fake FlashPlayer.pkg installer (MD5: 1fc90b8f532028805d167b2b0ac9ce11) for Mac:

Install FlashPlayer

Once installed, the trojan adds entries to the hosts file that redirect users visiting various Google sites (e.g., Google.com.tw, Google.com.tl) to the IP address, which is located in the Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
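A defender-side check for this kind of hijack, added here as an example rather than code from the original post: it parses hosts-file text and flags any entry that maps a Google hostname to a routable address instead of loopback. The sample hosts content is constructed, and 192.0.2.10 is a TEST-NET placeholder standing in for the redirect address, not the real one.

```python
"""Flag hosts-file entries that redirect Google domains to a remote address."""
import ipaddress
import sys

# Constructed sample. 192.0.2.10 is a placeholder for the trojan's redirect
# address (the real address is not reproduced here).
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
192.0.2.10      google.com.tw www.google.com.tw   # added by the trojan
192.0.2.10      google.com.tl
127.0.0.1       ads.example.net                   # benign ad-blocking entry
"""


def parse_hosts(text):
    """Yield (ip_string, hostname, line_no) for every mapping in hosts text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:  # one address may carry several hostnames
            yield fields[0], host.lower(), line_no


def find_hijacks(text, watch_label="google"):
    """Return [(line_no, ip, host)] for watched hostnames not pointing at loopback."""
    hits = []
    for ip_str, host, line_no in parse_hosts(text):
        if watch_label not in host.split("."):
            continue
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            hits.append((line_no, ip_str, host))  # malformed address: inspect it
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # sinkholed/blocked entry, not a redirect to a remote server
        hits.append((line_no, ip_str, host))
    return hits


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as f:
        for line_no, ip, host in find_hijacks(f.read()):
            print(f"{path}:{line_no}: {host} -> {ip}")
```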

As an example, this is what Google.com.tw looks like on a normal, uninfected system:

clean google.tw

In contrast, this is what Google.com.tw looks like on an infected system:

infected google.tw

When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.

Here's a search request on the real Google.com.tw site on a clean system:

google.tw clean searches

And here's the same request on an infected system:

google.tw infected system searches

Although the page looks fairly realistic, clicking any of the links does not take the user to another site. It does, however, open new pop-up pages, all of which are pulled from a separate remote server:

google.tw infected system search source

At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.

The other remote server, the one returning the fake search results, appears to be still active.

We detect this trojan as Trojan:BASH/QHost.WB.

Analysis by — Brod


Corrected on August 9th: The MD5 for the installer is as above; the previous MD5 cited (2ee750f19f2cb43968af78b0dd0be541) is for the BASH file in the PKG.

Updated to add on August 8th: The sample's MD5.