Sig for the new Mac Trojan
No, really. A Mac trojan. And not just the same old FUD, this one appears to be from an established malware gang. So we can likely expect it to be managed in a successful manner, unlike previous Mac issues which usually turn out to be just POC or rumors.
This one may be interesting. I’m not saying it’ll get anywhere, but it has a better chance than previous things we’ve seen come and go.
The sig is capitalizing on the fact that it sends the output of:
uname -p; hostname
encoded in base64 as the Accept-Language: header of the HTTP request.
So a sig that looks for a run of 20 or more bytes with no space or punctuation right after the header name should be pretty reliable (as base64 encoding is a-zA-Z0-9). A normal Accept-Language would look something like:
Accept-Language: da, en-gb;q=0.8, en;q=0.7
When it’s used at all…
Source for the trojan shows:
my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost:
Posting this:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept-Language\: "; pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"; classtype:trojan-activity; sid:2007650; rev:1;)
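To show what the three conditions in that rule actually test, here is an added Python example (my own code, not from the post or the Bleeding Edge ruleset) that applies the same checks to two constructed requests: a normal browser request with the Accept-Language shown above, and one built the way the trojan source builds it, with the base64 of a made-up `uname -p; hostname` output in the header. The hostname and processor string are invented for the example; nothing here is a real capture.

```python
import base64
import re
from typing import Optional

# Constructed sample requests (not captures). The first is a normal browser
# request; the second is shaped like the check-in the post describes.
NORMAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Accept-Language: da, en-gb;q=0.8, en;q=0.7\r\n"
    b"Host: www.example.com\r\n\r\n"
)

# Made-up output of `uname -p; hostname` (processor type, then hostname).
FAKE_UNAME_OUTPUT = b"i386\nexample-mac.local\n"

CHECKIN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Accept-Language: " + base64.b64encode(FAKE_UNAME_OUTPUT) + b"\r\n"
    b"Host: www.example.com\r\n\r\n"
)

# The rule's three content/pcre conditions, mirrored one for one:
#   content:"GET "; depth:4                        -> request starts with "GET "
#   content:" HTTP/1.1|0d 0a|Accept-Language\: "   -> header sequence is present
#   pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"     -> 20 alphanumerics follow it
CONTENT_GET = b"GET "
CONTENT_HEADER = b" HTTP/1.1\r\nAccept-Language: "
PCRE_B64_RUN = re.compile(rb"Accept-Language: [a-zA-Z0-9]{20}")


def matches_checkin_rule(request: bytes) -> bool:
    """True when the request satisfies the same conditions as the Snort sig."""
    if request[:4] != CONTENT_GET:          # depth:4 means only the first 4 bytes
        return False
    if CONTENT_HEADER not in request:
        return False
    return PCRE_B64_RUN.search(request) is not None


def extract_accept_language(request: bytes) -> Optional[bytes]:
    """Return the raw Accept-Language value, or None if the header is absent."""
    m = re.search(rb"\r\nAccept-Language: ([^\r\n]*)\r\n", request)
    return m.group(1) if m else None


def decode_checkin(request: bytes) -> Optional[bytes]:
    """If the rule fires, base64-decode the header so an analyst can see what
    the host reported. Returns None when the rule does not fire or the value is
    not valid base64 (a long alphanumeric but non-base64 value, for instance)."""
    if not matches_checkin_rule(request):
        return None
    value = extract_accept_language(request)
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("checkin", CHECKIN_REQUEST)):
        print(name, "fires:", matches_checkin_rule(req), "decoded:", decode_checkin(req))
```

The normal request fails the pcre at the first space after "da,", while the constructed check-in passes all three tests and decodes back to the fake uname/hostname lines. Two things worth knowing when tuning it: the pcre only inspects the 20 characters immediately after the header name, and base64 can also emit `+`, `/` and `=`, so a value whose first 20 characters happen to include one of those would slip past the rule as written.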
Will update as we get more info. Thanks to Bojan at ISC and Russell Fulton for info and efforts.
More information here:
http://isc.sans.org/diary.html?storyid=3595
Matt
November 5th, 2007 at 11:32 am
[…] http://www.sophos.com/pressoffice/news/articles/2007/11/mac-osx-trojan.html http://www.bleedingthreats.net/index.php/2007/11/01/sig-for-the-new-mac-trojan/ (includes a snort […]