Monday, December 12, 2011

Analyzing updated OSX/Miner-D

A few weeks ago I analyzed the original sample and since then Miner-D is becoming somewhat of a regular on OS X, over the past few weeks it has also been receiving updates. They are still using spreading through torrents with legit OS X applications, for instance the torrent I found was packaged with EvoCam. Miner-D still uses the victims computer for mining bitcoins, and I wonder how they profit since their botnet is small. This also gave me a chance to use the Hopper Disassembler from the app store. For $20 buck it works well and more, features a control flow graph and pseudo code translation. 

This sample uses the same technique as previous one by using a setup script. Checks for littlesnitch, and if Miner-D has already infected the user. After the checks, the script unzips an archive and runs the program.  The Time function is called and then used as a seed to srand, this value is later stored in a file named d_status.cfg.  



Pseudo code from Hopper :







The program will sleep unless the time stored in d_status.cfg - the current time is greater than 0xEA5F ( 59999 seconds). You can patch this spot up to get around. Next the program will decrypt the ftp credentials then call curl_easy_perform for a file transfer. To simply get the ftp credentials use gdb to break at *0x00001d11 or use a sniffer.




   Code used for decrypting


                                     

Finally, curl_easy_perform is used to retrieve the file bin.bop from an ftp server, I was unable to get the bin.bop file for now :( . I will update the blog and the files if I do find them. 



Link to bin: http://www.mediafire.com/?024a032fdbhgxtd