OSX/Puper.a

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Macintosh
  • Protection Added: 2009-03-26

Overview -
-- Update July 23, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/07/21/andrews_video_malware_ruse/


--

-- Update March 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://timesonline.typepad.com/technology/2009/03/apple-mac-troja.html

--

This detection is for a trojan which pretends to be an HDTV (High Definition Television) player.

The characteristics of this trojan (file names, URLs accessed, files downloaded, etc.) will differ depending on how the attacker configured it. Hence, this is a general description.


Minimum Engine

5400.1158

File Length

23,104 Bytes

Description Added

2009-03-26

Description Modified

2009-03-26

Malware Proliferation

-- Update July 22, 2009 --

An updated version of this Trojan is being hosted at the following URL:

  • hxxp://video.report-{blocked}/Erin_Andrews_Peephole_Video

This Trojan modifies the infected machine's DNS settings to point to a malicious DNS server. The following is the updated list of malicious DNS servers:

  • 85.255.112.120
  • 85.255.112.137

--------------

When executed, this trojan displays the following message:

[Screenshot: message displayed on execution]

If the user chooses to continue, it then asks for the installation location and requests the user's credentials, as shown in the screenshot below:

[Screenshot: installation location and credential prompt]

If a user with root privileges provides their login credentials, the trojan runs under those credentials.

The malware drops a copy of itself in the following folder:

  • /Library/Receipts

The malware then drops the following files:

  • /Library/Internet Plug-Ins/AdobeFlash
  • /Library/Internet Plug-Ins/Mozillaplug.plugin

The malware also modifies the infected machine's DNS settings to point to a malicious DNS server. This is done to either redirect the innocent user to a phishing site or to download more malware.

Given below is a list of the malicious DNS servers that were noted at the time of writing this description. Note that this list is not exhaustive:

  • 85.255.112.210
  • 85.255.112.99

The malware then updates the crontab to run the following script:

  • /Library/Internet Plug-Ins/AdobeFlash

Screenshot below:

[Screenshot: crontab entry]

This is done to ensure that the malicious DNS entry is restored if it is changed.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


This malicious file is being distributed as an HDTV player. Users who visit the malicious website may, under the false premise that the file is beneficial, download and install this trojan.

When visited, this website serves different malware depending on the browser's user agent setting.

Example:

If a user visits this site from a Windows machine, a Windows executable will be available for download. If the user visits this site from a Mac machine, a Mac disk image file ".dmg" will be available for download.

Note: The Windows executable is already detected as the Puper trojan.

Indication of Infection

  • Presence of the files mentioned earlier
  • Presence of the cron job mentioned earlier
  • Presence of a fake DNS server as mentioned earlier
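The three indicators above can be checked with a short script. The following is an added example, not McAfee's own tooling: it looks for the dropped files, for an active crontab entry running the dropped AdobeFlash script, and for resolvers matching the DNS servers named in this description (the page says that list is not exhaustive, so any other 85.255.112.x address is flagged as well, which is an assumption of this check). The parsing helpers take text arguments so they can also be run on artifacts collected from another machine.

```shell
#!/bin/sh
# Added example (not McAfee's own code): host check for the OSX/Puper.a
# indicators listed in the description. Reports findings; always exits 0.

# DNS servers named in the description. Not exhaustive, so count_puper_dns
# also flags any other 85.255.112.x resolver (assumption of this check).
PUPER_DNS="85.255.112.120 85.255.112.137 85.255.112.210 85.255.112.99"

# Prints how many of the dropped files exist under root $1 ("" = live system).
count_puper_files() {
    n=0
    for p in "$1/Library/Internet Plug-Ins/AdobeFlash" \
             "$1/Library/Internet Plug-Ins/Mozillaplug.plugin"; do
        [ -e "$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Prints how many active (non-comment) crontab lines run the dropped script.
# $1 is crontab text, e.g. "$(crontab -l 2>/dev/null)".
count_puper_cron() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -c 'Internet Plug-Ins/AdobeFlash' || true
}

# Prints how many resolvers in the whitespace-separated list $1 match Puper.
count_puper_dns() {
    n=0
    for ip in $1; do
        case " $PUPER_DNS " in *" $ip "*) n=$((n + 1)); continue ;; esac
        case "$ip" in 85.255.112.*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Live resolver list: scutil on macOS, resolv.conf elsewhere.
live_dns() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | awk '/nameserver\[/ { print $3 }'
    else
        awk '/^nameserver/ { print $2 }' /etc/resolv.conf 2>/dev/null
    fi
    return 0
}

main() {
    files=$(count_puper_files "")
    cron=$(count_puper_cron "$(crontab -l 2>/dev/null)")
    dns=$(count_puper_dns "$(live_dns)")
    echo "dropped files: $files  cron entries: $cron  puper resolvers: $dns"
    total=$((files + cron + dns))
    [ "$total" -eq 0 ] && echo "no OSX/Puper.a indicators found" \
        || echo "WARNING: $total OSX/Puper.a indicator(s) found"
}

main
```

Only the current user's crontab is inspected; run the script as each user that was logged in when the installer ran.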