I started off by using the file and strings utilities to examine the file: Current events 2009 July 5. The file output shows that this is a Mach-O executable for a 32-bit architecture. The strings output shows a plist file (used for user configurations), an IP address (used by the backdoor), and some functions for managing files (for uploads/downloads).
I opened the file in gdb and disassembled main to understand what the backdoor would do once executed. I noticed functions such as fopen, mkdir, fwrite, fork and execve; the next step was to examine the parameters passed to these functions.
0x00001c7f <main+49>: mov DWORD PTR [esp],0x1e08
0x00001c86 <main+56>: call 0x1f04 <dyld_stub_mkdir>
(gdb) x/s 0x1e08
0x1e08: "/Library/Application Support/google"
0x00001c93 <main+69>: mov DWORD PTR [esp],0x1e30
0x00001c9a <main+76>: call 0x1eec <dyld_stub_fopen$UNIX2003>
0x00001cba <main+108>: mov DWORD PTR [esp],eax
0x00001cbd <main+111>: call 0x1ef8 <dyld_stub_fwrite$UNIX2003>
0x00001db4 <main+358>: movl $0x1e30,(%esp)
0x00001dbb <main+365>: call 0x1eda <dyld_stub_execve>
(gdb) x/s 0x1e30
0x1e30: "/Library/Application Support/google/startp"
(gdb) x/s 0x1e80
0x1e80: "/Library/LaunchAgents/www.google.com.tstart.plist"
The plist file:
<string>/Library/Application Support/Google/startp</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>LaunchOnlyOnce</key>
- The backdoor creates a folder to disguise itself as a Google application.
- Creates another executable named startp in the google folder.
- Creates the plist file that will make it run each time a user restarts the computer.
- Launches the new startp binary.
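The persistence described above (a LaunchAgent plist with RunAtLoad pointing at a binary hidden under /Library/Application Support/) is something a defender can check for directly. The following is an added example, not code from the original writeup: it parses LaunchAgent plists with plistlib and flags jobs whose executable lives in a data directory rather than an app bundle or system location. The two plists embedded below are constructed for the example (modelled on the fragment shown in the writeup; the benign one is invented), and the directory scan helper assumes the standard /Library/LaunchAgents location.

```python
import os
import plistlib

# Constructed sample (not the page's actual file), modelled on the plist fragment in the writeup:
# a LaunchAgent that runs the dropped "startp" binary at every login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>www.google.com.tstart</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/Google/startp</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>LaunchOnlyOnce</key>
    <true/>
</dict>
</plist>
"""

# Constructed benign counterpart: a helper shipped inside an application bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/helper</string>
        <string>--agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Data directories where a run-at-load executable is unusual (heuristic, not a rule).
SUSPECT_PREFIXES = ("/Library/Application Support/", "/tmp/", "/private/tmp/")
# Locations where a launchd-managed executable is ordinarily expected to live.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/PrivilegedHelperTools/")


def program_path(job: dict):
    """Return the executable a launchd job runs: ProgramArguments[0] if present, else Program."""
    args = job.get("ProgramArguments")
    if args:
        return args[0]
    return job.get("Program")


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and return its label, program, RunAtLoad value and any flags."""
    job = plistlib.loads(plist_bytes)
    path = program_path(job) or ""
    flags = []
    if job.get("RunAtLoad") and path.startswith(SUSPECT_PREFIXES):
        flags.append("run-at-load executable under a data directory: " + path)
    if path and ".app/" not in path and not path.startswith(TRUSTED_PREFIXES):
        flags.append("executable outside an app bundle or system directory: " + path)
    return {
        "label": job.get("Label"),
        "program": path,
        "run_at_load": bool(job.get("RunAtLoad")),
        "flags": flags,
    }


def scan_launch_agents(directory="/Library/LaunchAgents"):
    """Assess every .plist in a LaunchAgents directory; unreadable files are reported as errors."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as fh:
                results[full] = assess_launch_agent(fh.read())
        except (OSError, plistlib.InvalidFileException) as exc:
            results[full] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_launch_agent(data))
```

Run stand-alone it assesses the two embedded plists; call scan_launch_agents() on a live system to walk /Library/LaunchAgents (or pass ~/Library/LaunchAgents for per-user jobs). The prefixes are deliberately conservative heuristics: a hit is a lead to verify, not a verdict.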
Without running the program to find the second executable, you can use the hexdump utility and search for the Intel Mach-O magic number "CEFAEDFE" (located at offset 1240). That is 0xFEEDFACE, the 32-bit Mach-O magic, which reads as CE FA ED FE in a hex dump because Intel stores it little-endian.
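The manual hexdump search above generalises to a small carving script. This is an added example, not the author's tooling: it scans a file for every Mach-O magic value (32- and 64-bit, both byte orders, plus the fat-binary header), reports the offsets, and slices out the bytes from a chosen header up to the next one so the embedded executable can be written to disk and analysed separately. The sample file in the block is constructed (a fake host header, padding, and a stand-in embedded header placed at the offset 1240 the writeup reports).

```python
import sys

# Mach-O magic values as they appear on disk, in file byte order.
# 0xFEEDFACE stored little-endian on Intel reads as CE FA ED FE in a hex dump,
# which is the "CEFAEDFE" pattern the writeup searched for.
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian (0xFEEDFACE)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian (0xFEEDFACF)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian (0xFEEDFACE)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian (0xFEEDFACF)",
    b"\xca\xfe\xba\xbe": "Fat/universal binary (0xCAFEBABE)",
}

# Constructed sample file: a "host" 32-bit header at offset 0, zero padding, and a
# second 32-bit header at offset 1240 (the offset reported in the writeup) followed
# by 64 filler bytes standing in for the embedded executable.
EMBEDDED_OFFSET = 1240
SAMPLE_FILE = (
    b"\xce\xfa\xed\xfe" + b"\x00" * (EMBEDDED_OFFSET - 4)
    + b"\xce\xfa\xed\xfe" + b"\x90" * 64
)


def find_macho_headers(data: bytes):
    """Return a sorted list of (offset, description) for every Mach-O magic found in data.
    Offset 0 is the file's own header; any later hit is a candidate embedded executable."""
    hits = []
    for magic, desc in MACHO_MAGICS.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def carve(data: bytes, offset: int) -> bytes:
    """Return the bytes from offset up to the next Mach-O header (or end of file).
    Stopping at the next header is a heuristic: a fat binary's slices legitimately
    follow its CAFEBABE header, so inspect what you carve."""
    later = [off for off, _ in find_macho_headers(data) if off > offset]
    end = later[0] if later else len(data)
    return data[offset:end]


if __name__ == "__main__":
    # Usage: python carve_macho.py <file> [offset-to-carve] ; defaults to the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    for off, desc in find_macho_headers(data):
        print(f"offset {off:#x} ({off}): {desc}")
    if len(sys.argv) > 2:
        off = int(sys.argv[2], 0)
        sys.stdout.buffer.write(carve(data, off))
```

Redirect the script's output to a file when carving (for example `python carve_macho.py sample 1240 > embedded.bin`) and then point `file` and `strings` at the result, as the writeup does for the first stage.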
I had problems running the binary, maybe due to this?
We can still look for anything interesting; the disassembly of main shows that a thread is created.
int pthread_create(pthread_t *thread, const pthread_attr_t *attr,
void *(*start_routine)(void*), void *arg);
- The thread is created executing start_routine with arg as its sole argument.
Looking at the third parameter, the start routine is at address 0x23de; this is where the party starts. :)
The backdoor uses a set of CFileManager* functions for uploading, downloading and opening files.
Here's an example of opening a file:
Dump of assembler code for function CFileManagerOpenFile:
0x00004b1c <CFileManagerOpenFile+0>: push ebp
0x00004b1d <CFileManagerOpenFile+1>: mov ebp,esp
0x00004b1f <CFileManagerOpenFile+3>: sub esp,0x18
0x00004b22 <CFileManagerOpenFile+6>: call 0x5c74 <dyld_stub_fork>
0x00004b27 <CFileManagerOpenFile+11>: mov edx,0x1
0x00004b2c <CFileManagerOpenFile+16>: test eax,eax
0x00004b2e <CFileManagerOpenFile+18>: jne 0x4b4d <CFileManagerOpenFile+49>
0x00004b30 <CFileManagerOpenFile+20>: mov DWORD PTR [esp+0x8],0x0
0x00004b38 <CFileManagerOpenFile+28>: mov DWORD PTR [esp+0x4],0x0
0x00004b40 <CFileManagerOpenFile+36>: mov eax,DWORD PTR [ebp+0xc]
0x00004b43 <CFileManagerOpenFile+39>: mov DWORD PTR [esp],eax
0x00004b46 <CFileManagerOpenFile+42>: call 0x5c5c <dyld_stub_execve>
The packets are compressed with LZO and decompressed when received.
http://www.oberhumer.com/opensource/lzo/
0x00002e20 <CClientSocketOnRead+539>: mov DWORD PTR [esp+0xc],ebx
0x00002e24 <CClientSocketOnRead+543>: mov DWORD PTR [esp+0x8],edi
0x00002e28 <CClientSocketOnRead+547>: lea ecx,[ebp-0x24]
0x00002e2b <CClientSocketOnRead+550>: mov DWORD PTR [esp+0x4],ecx
0x00002e2f <CClientSocketOnRead+554>: mov eax,DWORD PTR [ebp-0x44]
0x00002e32 <CClientSocketOnRead+557>: mov DWORD PTR [esp],eax
0x00002e35 <CClientSocketOnRead+560>: call 0x459f <uncompress>
Setting up a socket and connecting to the IP address 121.254.173, found earlier with strings. The arguments 0x2, 0x1, 0x6 are socket(AF_INET, SOCK_STREAM, IPPROTO_TCP), and the 0x10 passed to connect is sizeof(struct sockaddr_in), so this is a plain TCP connection.
0x00002f66 <ClientSocketConnect+46>: mov DWORD PTR [esp+0x8],0x6
0x00002f6e <ClientSocketConnect+54>: mov DWORD PTR [esp+0x4],0x1
0x00002f76 <ClientSocketConnect+62>: mov DWORD PTR [esp],0x2
0x00002f7d <ClientSocketConnect+69>: call 0x5d58 <dyld_stub_socket>
0x00002fbc <ClientSocketConnect+132>: mov DWORD PTR [esp+0x8],0x10
0x00002fc4 <ClientSocketConnect+140>: mov DWORD PTR [esp+0x4],eax
0x00002fc8 <ClientSocketConnect+144>: mov eax,DWORD PTR [ebx+0x13c]
0x00002fce <ClientSocketConnect+150>: mov DWORD PTR [esp],eax
0x00002fd1 <ClientSocketConnect+153>: call 0x5c50 <dyld_stub_connect$UNIX2003>
So is malware emerging for OS X or just a phase?
Anyone willing to share Flashback? I'd really appreciate it :).
MD5 hash of Flashback.C sample (actual .pkg): 041ec03a36598a9823fb342cd9840acc
MD5 hash of Flashback.C sample (postinstall): e24979f7bd55a458a33247c5201a6a7d
Good resource for reversing on OS X
http://reverse.put.as/