Category: malware

Hey Mac Users… The Honeymoon is Over.

I know, its sad.  I too am a die hard mac user.

Today alone I have received 4 copies of an email with the subject line “2 Populaar Myths About Female Orgasms –  How to Become an Irresistible Lover” containing an attachment named “ Document”.

I haven’t had a chance to analyse the .app yet, but I think its safe to assume that its malware of some sort.

The good news is that OS X is still built well.  If I double click it thinking its a document its going to tell me “Hey stupid!  This is an app that was downloaded from the Internet.  Are you sure you want to run it?”.  Maybe not in those exact words.  At that point if I say – “I thought I was opening an document, but sure, lets run this app-like-document” – then I deserve to be infected.

For all the detail oriented folks here are the headers (bold are items changed to protect my info):

Return-path: <>
Envelope-to: MY_ADDRESS
Delivery-date: Fri, 01 May 2009 09:39:27 -0400
Received: from [] (
by with smtp (MyMail Dameon)
(envelope-from <>)
id 1LzsxZ-0000Ib-JG
for MY_ADDRESS; Fri, 01 May 2009 09:39:27 -0400
Message-ID: <>
Date: Fri, 01 May 2009 13:39:25 -0100
From: Chesner <>
MIME-Version: 1.0
Subject: 2 Populaar Myths About Female Orgasms –  How to Become an Irresistible Lover
Content-Type: multipart/mixed;
X-Spam-Status: No, score=3.8
X-Spam-Score: 38
X-Spam-Bar: +++
X-Spam-Flag: NO

The body contains no data.

Mining Ports for Malware

I recently wrote a script that runs croned and port scans all of our servers daily.  It saves the output and diffs it compared to the previous days and emails me as new ports open up.

I think this will be a good way to detect new services and potential malware infection, but what about machines that are already infected?

To fix that I wrote in a function that parses the output for known malware ports.  The only problem is that I cant find a definitive list of known malware ports.  Does anyone know of such a resource?

This Week in Links: 12/31/07 – 1/6/08

Best of 2007





Chinese Hard Drive Manufacturer Embeds Trojan

“Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.”

“The affected hard discs are Maxtor Basics 500G discs.”

“The bureau said that hard discs with such a large capacity are usually used by government agencies to store databases and other information.”

“Sensitive information may have already been intercepted by Beijing through the two Web sites, the bureau said.”


This sounds rather sensational, eh? I certainly hope it is.

Lets start with the “carried two Trojan horse viruses” part. This is a common mistake made by writers who don’t know anything about technology or information security. The word “viruses” is incorrect. To qualify as a virus the malicious software would require a propagation mechanism. As best I can tell from the articles, this is just a run of the mill trojan.

Next we see that they believe a hard drive shipped to a defense contractor or government agency wouldn’t be formated before being put into production. I will admit that from time to time large organizations may seem inept (none of us are as dumb as all of us) but policy and procedure should be in place to prevent things like this.

The same hysteria came about in May of 06 with Lenovo at which time I made the same argument. The only difference in this case is that this is an actual threat instead of a perceived threat.

In the article it also says…

“The tainted portable hard disc uploads any information saved on the computer automatically and without the owner’s knowledge to and, the bureau said.”

So following this trail starting with we come up with;

Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:

Apparently we are dealing an evil mastermind named “Ga ga” who lives on “gagaga street”.  I have heard grumblings of this mad man in the hacker underground.  Okay, so its made up… probably random keyboard bashing.  Dead end.  You get similar worthles results when whois’ing we168.0rg.  Both of which are down now.

Mac OS X Trojan in the Wild

There are reports of an in-the-wild Trojan horse program that targets
Mac OS X systems.  Users are encouraged to visit malware-serving sites
through spam messages in Mac forums.  The Trojan, which pretends to be
a QuickTime plug-in, can hijack users’ search results, sending them to
websites the attackers want them to visit.

This is yet another example of malware exploiting stupidity and thats all.  I am sick of people jumping at every trivial little article they find regarding mac malware and saying “see, the mac isn’t safe either”.

First off, nothing is ‘safe’… just safer.  Second, you can have the most secure operating system in the world but if someone is stupid enough to install malicious software onto it then it will be infected just like windows.

When I see a self-propagating  worm that exploits a zero-day vulnerability in OS X, only then will I change my rant… but only slightly. 🙂

NoNav: Automated Norton and Symantec AntiVirus Removal Tool

It seems all too often that when uninstalling Symantec Antivirus you are stuck with a partially uninstalled product. In some cases bits linger in add/remove programs, in other cases MS Word stops working. Whenever it happens its a big pain to fix.

A colleague of mine has received this tool direct from the Symantec technicians. Here are some details of it from its PDF documentation.

Symantec Enterprise customers have expressed a need for a way to uninstall Norton AntiVirus Corporate Edition (NAVCE) or Symantec AntiVirus Corporate Edition (SAVCE) when normal uninstall procedures do not work.

Symantec Enterprise Support has created a standalone application / utility to fill this need. This utility will uninstall NAVCE or SAVCE Parent Servers and Clients through registry and file system deletions.

You may download this tool here:
md5 : afcb66d3db289a4c63434e829a9a1689

The AV switch

MSU just got a site license agreement with Eset for Nod32. This was at a time when the collective frustrations with Norton/Symantec Antivirus where at all time high. I have noticed over the years a few very prevalent problems with Symantec’s antivirus solution.

1. The updates don’t come as quickly and often as I would like.
2. Norton is slow to release fixes for already infected machines. In some cases I find myself writing an in house fix to mitigate the damage.
3. It’s a resource hog. It’s just heavy. It drastically affects performance when real time scan is enabled (which it should be to be effective) because it’s running all disk writes and reads through its filters.
4. Anyone who has had to use their server component knows that I don’t even need to continue this sentence.

Given these sins I decided to buy a few licenses for Nod32 and keep it on my key chain flash drive ready to install on the next machine I see with a virus related issue.

On Jan 27 the Brepibot.L took a couple of my users by surprise. It was too early in its life to be detected by the campuses clamav and a few users ran the exe before I could send out my warning to the distro lists.

Norton didn’t have a def that would fix it for a couple of days. In that time Nod32 got it with no problem, and even cleaned it on a guinea pig machine.

The next day a faculty member was having issues with random word doc corruption and suspected it to be virus related. I removed Norton and installed nod32 and then updated its defs. I ran a complete system scan and oddly enough it found four infected files that Norton had not previously detected. Two of these files where OLD viruses (one was my doom and another was sober). The problem ended up being a failing usb flash drive that he had the documents on.

Now to develop a deployment strategy.

New Virus?

I just received an email that looks fairly legit at first glance. It states
that a rape occurred on campus (being that I work at a university this makes sense) and that attached you will find an image of
the suspect as captured from campus CCTV. The attached file (suspect
image.exe) very well may be a virus (im sure as heck not going to run it to
find out). My university ‘s clamav did not pick it up nor did NAV10 with dats
dated yesterday.

I am not able to pull much useful information from the exe via the unix
strings command or ida pro. If anyone has any more experience then I do
with virus disassembly I would be happy to forward the idapro file.

What I am able to pull from ida ‘s hex view is some registry writing, file
deletion, file creation and process manipulation, but no details.

The contents of the email are attached bellow, you may want to warn your
users on this (although I ‘m not sure how prevalent it is yet).


X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=DATE_IN_FUTURE_06_12,
MIME_BOUND_NEXTPART autolearn=disabled version=3.1.0
Delivery-date: Fri, 27 Jan 2006 12:00:45 -0500
Received: from ([]
by with smtp (Exim 4.52 #1)
id 1F2WxA-00089q-69
for; Fri, 27 Jan 2006 12:00:45 -0500
From: “Mr Robert Atkins”
Subject: Rape on Campus
Date: Fri, 27 Jan 2006 17:00:03 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-Virus: None found by Clam AV


During the early morning of January 25 2006, a campus student was the victim
of a horrific sexual assault within college grounds. Eyewitnesses report a
tall black man in grey pants running away from the scene. Campus CCTV has
caught this man on camera and are looking for ways to identify him. If
anyone recognises the attached picture could they inform administraion


Robert Atkins
Campus Administration

All information contained within this e-mail, including any attachment, is
confidential. If you have received this e-mail in error, please delete it
immediately. Do not use, disclose or spread the information in any way and
notify the sender immediately. Any views and opinions expressed in this
e-mail may not represent those of Business Monthly