This in effect will inject binary2 into Safari when the browser is launched. LSEnvironmentDYLD_INSERT_LIBRARIES /Applications/Safari.app/Contents/Resources/.%decoded_filename%.xsl.The malware then creates a launch point, inserting the following line into "/Applications/Safari.app/Contents/ist": /Applications/Safari.app/Contents/Resources/.%decoded_filename%.xsl - contains %decoded_binary2_contents%./Applications/Safari.app/Contents/Resources/.%decoded_filename%.png - contains %decoded_binary1_contents% and %decoded_payload_config%.If the user inputs their administrator password, the malware will create the following files: Whether or not the user inputs their administrator password at the prompt determines the type of infection the malware subsequently performs: Infection Type 1 Since this image is controlled by the remote host, it can be changed any time the author deems necessary. This is dropped to the location '/tmp/.i.png' on the system. The icon indicated by the red box in the screenshot is the PNG content returned by the remote host. To do so, the malware prompts for the administrator password, as in the following screenshot: Only after downloading the payload does Flashback.I proceed with infecting the machine. In the sample that we analyzed, it targets the Safari web browser. This is to avoid crashing incompatible applications and raising the user's suspicions. Binary 2 - Binary2 is basically a filter component that will load binary1 only into a targeted process.It targets the contents of specific webpages, as determined by config information returned by the remote host. The malware modifies contents returned or send by these APIs. In the sample that we analyzed, it hijacks CFReadStreamRead and CFWriteStreamWrite by creating an interposition to these functions. Binary 1 - Binary1 is more or less the malware's main component. The reply is compressed and encrypted but the actual content follows this format: %encoded_filename%|%encoded_binary1_content%|%encoded_payload_config%| %encoded_binary2_content%|%encoded_png_content% The filename and actual content of the payload depends on reply of the remote host.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |