Once executed, OSX_JAHLAV.K decrypts codes, which include a script that downloads other malicious scripts. The said script then alters the DNS configuration and includes two additional IP addresses in its DNS server. Users are thus possibly redirected to phishing sites and other fraudulent sites. In fact, some of these bogus sites are reportedly hosting FAKEAV (rogue antivirus) variants and components.

As of this writing, all malicious URLs are already blocked by Trend Micro. Users are strongly advised to get only the latest Snow Leopard update directly from the Apple site, as well as consider using Trend Micro Smart Surfing for Macs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus Snow Leopard Update Sites Lead to DNS Changers

The Trojan is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains with the IP address, 91.214.45.73 such as:

• allincorx
• bigdron
• cikaredo
• civilizxx
• comeandtryx
• deribrowns
• draxxtermania
• givendream
• hitrowzone
• jumborad
• ltdkeeper
• operationelx
• oxxadox
• paxxtiger
• rednetx
• rstdeals
• simplexdoom
• sinisteer
• tdenuwas
• tniredrum
• ufapeace

If infected, a victim’s Web traffic can then be diverted to the website of the attacker’s choosing.

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.

Trend Micro Advanced Threats Researcher Feike Hacquebord notes the domain names have been set up such that when the main IP goes or is taken down, cybercriminals can easily move the backend to another IP address without the need to change code or scripts.

It would serve Mac users well to stay away from the above-mentioned domains and IP addresses or be wary of prompts to download software updates that do not come from Apple’s legitimate website.

Mac users are protected by the Smart Protection Network through Trend Micro Security for Mac and Smart Surfing for Mac.

Post from: TrendLabs | Malware Blog - by Trend Micro

Mac OS X DNS-Changing Trojan in the Wild

The infamous UkrTelegroup rogue DNS servers resolve domain name www.vkontakte.ru to a foreign IP address beginning today. These rogue DNS servers belong to the most prevalent DNS Changer Trojans (like TROJ_DNSCHANG) that modify DNS settings of victims to point to foreign IP addresses. DNS Trojan victims are at great risk, because the controllers of the rogue DNS servers can send them to any site at any time, thus exposing the victims to possible information theft, fraudulent traffic and malicious URLs.

Apparently the number of Russian-speaking DNS Changer victims has reached critical mass, so that it becomes profitable to spoof Russian sites as well. Earlier we saw only about 60 Russian porn sites that got rogue resolution by the UkrTelegroup gang in a click fraud scheme, but now they are taking interest in spoofing Russian high-traffic sites like this social networking website.

Apart from personal information leakage, Internet users who visit the spoofed version of www.vkontakte.ru will see a “pop-under” box that advertises a different social networking site called youdo.ru through an intermediary site named youdoitnow.ru. According to Alexa.com vkontakte.ru is the second most visited website in Russia. Alexa however does not have statistics yet on youdo.ru.

Special thanks to Senior Threat Researcher Max Goncharov for additional information in this post.

Post from: TrendLabs | Malware Blog - by Trend Micro

Rogue DNS Targets Popular Russian Social Networking Site

It is accomplished by inserting 213.174.139.72 (IP of the rogue DNS server) into the values of NameServer and DhcpNameServer found in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\Interfaces\{Device ID}

What this system modification does is, every time a website is visited, the domain of the website is resolved by asking the rogue DNS, which can then serve a bad IP that will redirect the unsuspecting user to a malicious or phishing site.

As of writing, the rogue DNS IP is inactive, but we recommend anyone who suspects that something fishy is happening while browsing should search for the presence of that bad IP and remove it (do NOT remove your original DNS IP though). The rouge DNS IP has a history of hosting various malware and malicious pages before so whatever it will do when it wakes up will be anything but good.

The said DNS changer is now detected as TROJ_DNSCHANG.UB, thus the Smart Protection Network also protects Trend Micro users from this.

Other notorious DNS-changers in the past can be read here:

• DNS Changer Malware Evolves – Again
• New ZLOB Rigs Routers
• Blended Targeted Attack in Mexico Now a DNS Changer and a Botnet

Post from: TrendLabs | Malware Blog - by Trend Micro

New Koobface Component: A DNS Changer

While this is completely unrelated to any particular malware, there is a rather disconcerting DNS cache-poisoning vulnerability that has surfaced which deserves the attention of any and every organization on the planet that operates their own DNS servers.

The importance of determining if you are vulnerable, and getting the vulnerability fixed quickly, is becoming more important as each day passes. This is due not only to the criticality of the vulnerability, but also due to some of the “colorful” background in how some of the details have become available surrounding the vulnerability itself.

First, US-CERT published an advisory on this vulnerability on 8 July 2008, and they have a detailed reference of vendor products that are affected on their advisory page. Please visit their advisory page to determine if your DNS infrastructure is at risk.

As the US-CERT advisory states, the heart of this issue is that DNS caching nameservers can be poisoned by an “…attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.”

This is a very serious situation, and can possibly lead to widespread and targeted attacks that hijack sensitive information by redirecting legitimate traffic to fraudulent Web sites, due to incorrect (fraudulent) information being injected into the vulnerable caching nameserver(s).

Secondly, while the details of this vulnerability were originally discovered by Dan Kaminsky, and were originally to be revealed at the upcoming Black Hat conference in Las Vegas next month, some details regarding the vulnerability have been “leaked” to the public, which increases the importance of quickly patching any vulnerability in deployed DNS servers.

There are also some publicly available tools to determine if your DNS servers are affected.

This vulnerability is quite serious, so please — PATCH NOW.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

Post from: TrendLabs | Malware Blog - by Trend Micro

Major DNS Cache-Poisoning Vulnerability: Patch Now