Monday, December 12, 2011

Analyzing updated OSX/Miner-D

A few weeks ago I analyzed the original sample, and since then Miner-D has become something of a regular on OS X; over the past few weeks it has also been receiving updates. It is still spread through torrents bundled with legitimate OS X applications; the torrent I found was packaged with EvoCam. Miner-D still uses the victim's computer for mining bitcoins, and I wonder how they profit since their botnet is small. This also gave me a chance to use the Hopper Disassembler from the App Store. For $20 it works well and then some, with features such as a control flow graph and pseudo code translation.

This sample uses the same technique as the previous one: a setup script checks for Little Snitch and whether Miner-D has already infected the machine. After those checks, the script unzips an archive and runs the program. The program calls time() and uses the result as the seed for srand(); the same value is later stored in a file named d_status.cfg.



Pseudo code from Hopper:

The program will sleep unless the difference between the current time and the time stored in d_status.cfg is greater than 0xEA5F (59999 seconds, roughly 16.7 hours). You can patch this comparison to get around the delay. Next the program decrypts the FTP credentials and then calls curl_easy_perform for a file transfer. The simplest way to get the FTP credentials is to break in gdb at *0x00001d11, after the decryption has run, and read them out of memory, or to capture the connection with a sniffer.
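To make the time gate concrete, here is a small C model of the check described above. This is added example code, not the sample's own code or the Hopper output; it assumes d_status.cfg holds the install-time seed as a decimal ASCII timestamp and that the comparison is current time minus stored time (the post only gives the constant 0xEA5F, not the file format). It also shows the analyst's alternative to patching the binary: rewriting the stored value so the gate is already open.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Delay the sample enforces before the FTP stage: 0xEA5F seconds
 * (59999, about 16.7 hours), taken from the disassembly. */
#define MINER_D_DELAY 0xEA5F

/* Model of the seed step: time() feeds srand() and the same value is
 * what ends up in d_status.cfg. */
long make_seed(void)
{
    time_t now = time(NULL);
    srand((unsigned)now);
    return (long)now;
}

/* Assumption (not documented on the page): d_status.cfg stores the
 * timestamp as a decimal ASCII string. Returns 1 on success. */
int parse_status_cfg(const char *contents, long *stored)
{
    char *end = NULL;
    long v;
    if (contents == NULL)
        return 0;
    v = strtol(contents, &end, 10);
    if (end == contents)          /* no digits at all */
        return 0;
    *stored = v;
    return 1;
}

/* 1 when the gate is open and the program proceeds to the FTP stage,
 * 0 while it should still sleep. Assumed direction: now - stored. */
int time_gate_open(long stored, long now)
{
    return (now - stored) > MINER_D_DELAY;
}

/* How long an analyst would have to wait for the sample to wake up. */
long seconds_remaining(long stored, long now)
{
    long remaining = MINER_D_DELAY + 1 - (now - stored);
    return remaining > 0 ? remaining : 0;
}

/* Bypass without patching the binary: a value far enough in the past
 * that the gate is already open when written back to d_status.cfg. */
long backdated_seed(long now)
{
    return now - (MINER_D_DELAY + 1);
}

int main(void)
{
    /* Constructed sample contents of d_status.cfg (a December 2011 timestamp). */
    const char *cfg = "1323640000\n";
    long stored = 0;
    long now = 1323640000L + 3600;    /* one hour after the seed was written */

    if (!parse_status_cfg(cfg, &stored)) {
        fprintf(stderr, "could not parse d_status.cfg\n");
        return 1;
    }
    printf("gate open: %d, seconds remaining: %ld\n",
           time_gate_open(stored, now), seconds_remaining(stored, now));
    printf("backdated seed to write: %ld -> gate open: %d\n",
           backdated_seed(now), time_gate_open(backdated_seed(now), now));
    return 0;
}
```

Either bypass works for dynamic analysis: flip the conditional jump after the comparison in the binary, or write a backdated value into d_status.cfg and let the unmodified sample run straight into the credential decryption and curl_easy_perform call, where the gdb breakpoint mentioned above catches the plaintext credentials.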

Code used for decrypting:

Finally, curl_easy_perform is used to retrieve the file bin.bop from an FTP server. I was unable to get the bin.bop file for now :( . I will update the blog and the files if I do find them.



Link to bin: http://www.mediafire.com/?024a032fdbhgxtd

1 comment:

  1. YoBit lets you claim FREE CRYPTO-COINS from over 100 different crypto-currencies, you complete a captcha once and claim as many coins as you want from the available offers.

    After you make about 20-30 claims, you complete the captcha and keep claiming.

    You can click claim as much as 50 times per one captcha.

    The coins will be safe in your account, and you can exchange them to Bitcoins or USD.
