New Mac Trojan: BASH/QHost.WB
F-Secure blogged about a new Trojan for Mac OS X:
http://www.f-secure.com/weblog/archives/00002206.html
It relies on the fact that, because of the "dispute" between Adobe and Apple, Apple's latest Mac OS X version "Lion" ships without a Flash player, so users are less likely to find it strange that they have to install one separately.
This is DNS-changer type malware: it modifies the hosts file to redirect Google sites to 91.224.160.26, an address that appears to be registered in the British Virgin Islands.
inetnum: 91.224.160.0 - 91.224.161.255
netname: Bergdorf-network
descr: Bergdorf Group Ltd.
country: NL
org: ORG-BGL9-RIPE
admin-c: AJ2256-RIPE
tech-c: AJ2256-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: AINT-MNT
mnt-routes: AINT-MNT
mnt-domains: AINT-MNT
source: RIPE # Filtered
organisation: ORG-BGL9-RIPE
org-name: Bergdorf Group Ltd.
org-type: other
address: 3A Little Denmark Complex, 147 Main Street, PO Box 4473, Road Town, Torola, British Virgin Islands VG1110
admin-c: AJ2256-RIPE
tech-c: AJ2256-RIPE
mnt-ref: AINT-MNT
mnt-by: AINT-MNT
source: RIPE # Filtered
person: Agnes Jouaneau
address: A Little Denmark Complex, 147 Main Street, PO Box 4473
address: Road Town, Torola, VG1110
address: British Virgin Islands
phone: +44 20 81333030
fax-no: +44 20 81333030
abuse-mailbox: abuse@bergdorf-group.com
nic-hdl: AJ2256-RIPE
mnt-by: aint-mnt
source: RIPE # Filtered
% Information related to '91.224.160.0/23AS51430'
route: 91.224.160.0/23
descr: Bergdorf Group Ltd.
origin: AS51430
mnt-by: AINT-MNT
source: RIPE # Filtered
When I asked that server where Google was it gave me an interesting response. It is still providing fake replies to DNS queries for Google.
> lserver 91.224.160.26
Default server: 91.224.160.26
Address: 91.224.160.26#53
> google.com
Server: 91.224.160.26
Address: 91.224.160.26#53
Name: google.com
Address: 91.224.160.26
Watching for UDP port 53 packets towards that IP might be a good idea.
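The two defender-side checks this diary implies, inspecting the hosts file for hijacked Google entries and watching for UDP/53 traffic towards that address, as an added example written for this post rather than code from the diary or from F-Secure. Only the 91.224.160.26 indicator comes from the post; the hosts file contents and flow log lines are constructed sample data.

```python
import ipaddress
# Indicator from the diary: the address the trojan writes into /etc/hosts for
# Google hostnames. Everything else in this block is constructed sample data.
BAD_RESOLVER = "91.224.160.26"
WATCHED_SUFFIXES = ("google.com", "google.co.uk")

# Constructed /etc/hosts as a QHost-style infection might leave it: the stock
# Mac OS X entries followed by hijack lines appended by the malware.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
91.224.160.26   google.com www.google.com
91.224.160.26   google.co.uk   # added by malware
"""

# Constructed flow log lines: timestamp, protocol, source, '->', destination.
SAMPLE_FLOWS = """\
2011-08-06T10:01:02 UDP 192.168.1.20:51234 -> 91.224.160.26:53
2011-08-06T10:01:03 UDP 192.168.1.20:51235 -> 8.8.8.8:53
2011-08-06T10:01:04 TCP 192.168.1.20:51236 -> 91.224.160.26:80
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def find_hijacks(text, suffixes=WATCHED_SUFFIXES):
    """Return (hostname, ip, matches_known_ioc) for watched domains pinned to a
    non-loopback address; a clean Mac hosts file carries no Google names at all."""
    hits = []
    for ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in suffixes)
        if watched and not ipaddress.ip_address(ip).is_loopback:
            hits.append((name, ip, ip == BAD_RESOLVER))
    return hits

def flows_to_rogue_resolver(log, resolver=BAD_RESOLVER):
    """Return flow log lines showing UDP/53 traffic towards the rogue resolver,
    the network-side check the diary suggests."""
    flagged = []
    for line in log.splitlines():
        _, proto, _, _, dst = line.split()
        if proto == "UDP" and dst == f"{resolver}:53":
            flagged.append(line)
    return flagged
```

Running find_hijacks over the real /etc/hosts of a suspect Mac and flows_to_rogue_resolver over exported connection logs gives a quick triage for this family without needing a signature.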
UPDATE/CORRECTION:
While the whois information points to the British Virgin Islands, a traceroute gave me a very different answer.
Tracing route to 91.224.160.26 over a maximum of 30 hops
1 75 ms <1 ms <1 ms 10.1.195.3
<SNIP>
14 236 ms 147 ms 138 ms Open-Peering-Amsterdam.Te3-3.ar7.AMS2.gblx.net [208.50.237.194]
15 350 ms 139 ms 138 ms jt.altushost.com [217.170.19.60]
16 138 ms 142 ms 142 ms 91.224.160.26
Comments
Good old robtex offers a list of domains hosted in this IP block. Many are .ru, and I'd advise caution about visiting any of them:
* http://www.robtex.com/cnet/91.224.160.html
* http://www.robtex.com/cnet/91.224.161.html
And I've just noticed the SNORT Emerging Threats ruleset identifies many of these IPs as Russian Business Network. Be worried if you see traffic on your network going to/from these IPs.
Steven Chamberlain
Aug 6th 2011