Endpoint Protection

  • 1.  BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 04, 2012 12:53 PM

    I just recently received the following URL from a consultant. It points to what is supposedly a Forbes discussion titled "New Trojan Backdoor Malware Targets Mac OS X And Linux, Steals Passwords And Keystrokes." I can't find any info regarding it on the Symantec website. Does anyone have any additional information on it, or is Symantec working on something for it?

    http://www.forbes.com/sites/anthonykosner/2012/08/31/new-trojan-backdoor-malware-targets-mac-os-x-and-linux-steals-passwords-and-keystrokes/

    Thanks,

    Dave



  • 2.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 04, 2012 10:56 PM

    Which company analyzed the malware strain?

    The naming convention might be different from Symantec's.... try matching it with the Virustotal.com result..


    or it could be a completely new threat...



  • 3.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 05, 2012 12:35 AM

    Hi,

    It has keylogger functionality and can steal passwords typed by the user in the browsers Opera, Firefox, Chrome and Chromium, as well as passwords for applications like Thunderbird, SeaMonkey and Pidgin.

    When run, it copies itself to the user's home directory:
    On Mac OS: %home%/WIFIADAPT.app.app
    On Linux: ~/WIFIADAPT

    It establishes a connection to a remote command center at 212.7.208.65.

    It uses a connection verification algorithm based on the Advanced Encryption Standard (AES).

    Defense and Removal:
    1. Block this IP with your router / firewall.
    2. Delete the above directory / files.

    In this case blocking communication with the IP address 212.7.208.65 should do the trick.

    I'm already studying it, but follow the tips above and you will certainly stay protected.

    Hugs



  • 4.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 05, 2012 12:37 AM

    It is a new threat, but the IP has been identified; blocking communication with this IP resolves everything with the backdoor.

    hugs



  • 5.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 05, 2012 12:47 AM

    Hi all,

    I went a bit crazy and ran a scan on the backdoor server IP 212.7.208.65

    See the log

    root@bt:~# nmap -sV -f -O -T5 -A -vv -v 212.7.208.65

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-05 01:39 BRT
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 2) scan.
    NSE: Starting runlevel 2 (of 2) scan.
    Initiating Ping Scan at 01:39
    Scanning 212.7.208.65 [4 ports]
    Completed Ping Scan at 01:39, 0.20s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 01:39
    Completed Parallel DNS resolution of 1 host. at 01:39, 5.51s elapsed
    DNS resolution of 1 IPs took 5.52s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
    Initiating SYN Stealth Scan at 01:39
    Scanning 212.7.208.65 [1000 ports]
    Completed SYN Stealth Scan at 01:40, 5.73s elapsed (1000 total ports)
    Initiating Service scan at 01:40
    Initiating OS detection (try #1) against 212.7.208.65
    Retrying OS detection (try #2) against 212.7.208.65
    Initiating Traceroute at 01:40
    Completed Traceroute at 01:40, 3.02s elapsed
    Initiating Parallel DNS resolution of 15 hosts. at 01:40
    Completed Parallel DNS resolution of 15 hosts. at 01:40, 5.83s elapsed
    DNS resolution of 15 IPs took 5.83s. Mode: Async [#: 3, OK: 11, NX: 3, DR: 1, SF: 4, TR: 28, CN: 0]
    NSE: Script scanning 212.7.208.65.
    NSE: Starting runlevel 1 (of 2) scan.
    Initiating NSE at 01:40
    Completed NSE at 01:40, 0.00s elapsed
    NSE: Starting runlevel 2 (of 2) scan.
    Nmap scan report for 212.7.208.65
    Host is up (0.20s latency).
    Scanned at 2012-09-05 01:39:50 BRT for 24s
    Not shown: 995 closed ports
    PORT    STATE    SERVICE      VERSION
    22/tcp  filtered ssh
    80/tcp  filtered http
    135/tcp filtered msrpc
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    Too many fingerprints match this host to give specific OS details
    TCP/IP fingerprint:
    SCAN(V=6.01%E=4%D=9/5%OT=%CT=1%CU=%PV=N%DS=16%DC=T%G=N%TM=5046D7AE%P=i686-pc-linux-gnu)
    SEQ(CI=Z)
    T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    U1(R=N)
    IE(R=N)

    Network Distance: 16 hops

    TRACEROUTE (using port 143/tcp)
    HOP RTT       ADDRESS
    1   0.75 ms   192.168.0.1
    2   13.91 ms  10.65.128.1
    3   13.51 ms  201.17.0.7
    4   11.64 ms  embratel...
    5   120.51 ms ebt-
    6   130.02 ms ebt-
    7   ...
    8   225.00 ms ae-7.r05.nycmny01.us.bb.gin.ntt.net (129.250.3.161)
    9   145.82 ms ae-1.r22.nycmny01.us.bb.gin.ntt.net (129.250.4.172)
    10  232.50 ms as-1.r22.londen03.uk.bb.gin.ntt.net (129.250.3.255)
    11  199.65 ms ae-0.r23.londen03.uk.bb.gin.ntt.net (129.250.4.86)
    12  228.34 ms ae-3.r22.amstnl02.nl.bb.gin.ntt.net (129.250.5.198)
    13  227.66 ms ae-1.r02.amstnl02.nl.bb.gin.ntt.net (129.250.2.113)
    14  227.48 ms xe-0-5-0-2.r02.amstnl02.nl.ce.gin.ntt.net (81.20.69.78)
    15  217.36 ms te9-2.sr8.evo.leaseweb.net (62.212.80.114)
    16  216.38 ms 212.7.208.65

    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 2) scan.
    NSE: Starting runlevel 2 (of 2) scan.
    Read data files from: /usr/local/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 24.85 seconds
               Raw packets sent: 1066 (50.348KB) | Rcvd: 1029 (42.012KB)


    Now I know how to play with the server (laughs)

    Let's go to war (laughs)

    hugs



  • 6.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 05, 2012 12:59 AM

    I will try to perform a DoS attack and run Nmap at the same time to try to fool the firewall.
    Since it is a web server, as I've been researching, it receives TCP packets, so it would be good to use nmap -P0, but it still reports filtered ports even with this command, so perhaps a DoS attack would deceive the firewall, I think.
    I'll keep fighting and will report back (laughs)

    hugs



  • 7.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 05, 2012 01:03 AM


    BackDoor.Wirenet.1 Keylogger is a backdoor trojan that can run on Linux and Mac OS X, stealing personal information, passwords, and banking credentials! It copies itself to the user's home directory at /home/WIFIADAPT

    It then creates a connection to a remote IP, currently 212.7.208.65

    Defence and Removal:

    1. Block that IP with your router / firewall.
    2. Delete the above directory/files.


  • 8.  RE: BackDoor.Wirenet.1 / WIFIADAPT -- Ever heard of them?

    Posted Sep 05, 2012 05:19 AM

    Hi Dave,

    Many thanks for posting this! And thumbs up for the advice to block that IP at the firewall.

    Delete the above directory/files.

    I have found one report online that the hash for this threat is 1c4ba1bf8003b9d66b4423e0503bf5489cd4de13b1a3038499d039baa553cd0e - as of now Symantec has not received a submission of this file, but I can confirm it has an unfavorable Reputation.  If anyone has encountered it, please do submit the file to Security Response for full analysis as soon as possible (and then delete it!!). 

    It is very important, given the cross-platform threats of recent months, to ensure all Macintosh and Linux boxes are defended.  AV definitions for Mac and Linux machines are released daily by Symantec.  It's crucial to keep the machine patched, get an AV on there and keep it up-to-date.

    Some recommended reading: 

    I Don't Use AV Because I Have a Mac
    https://www-secure.symantec.com/connect/blogs/i-dont-use-av-because-i-have-mac

    Do we really need a Antivirus for Linux
    https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux#comment-7349001

    SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
    https://www-secure.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide

    All the best,

    Mick
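
An added example, not from the thread or from Symantec, that turns the indicators posted above (the ~/WIFIADAPT and WIFIADAPT.app.app paths and the 212.7.208.65 address from post 3, the SHA-256 from post 8) into a check an administrator can run on a Linux or Mac box: it looks for the dropped paths under the home directories it is given, hashes any regular file it finds against the reported hash, and prints (does not apply) egress block rules for the command center. The function names and the --scan flag are the example's own; the paths and hash are exactly those reported in the thread, so a file that does not match the hash should be submitted for analysis rather than assumed clean.

```shell
#!/bin/sh
# Added example (not part of the thread): look for the BackDoor.Wirenet.1
# indicators posted above and print firewall rules for the reported C2.

WIRENET_C2="212.7.208.65"   # command center address reported in post 3
WIRENET_SHA256="1c4ba1bf8003b9d66b4423e0503bf5489cd4de13b1a3038499d039baa553cd0e"  # post 8

# SHA-256 of a file, using whichever tool the host has
# (sha256sum on Linux, shasum on Mac OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# wirenet_check HOME_DIR...
# Returns 0 when none of the dropped paths exist under the given home
# directories, 1 when at least one does. Regular files are hashed and
# compared with the reported sample; the Mac .app bundle is a directory,
# so it is only reported.
wirenet_check() {
    found=0
    for home in "$@"; do
        for name in WIFIADAPT WIFIADAPT.app.app; do
            p="$home/$name"
            [ -e "$p" ] || continue
            found=1
            echo "INDICATOR: $p"
            if [ -f "$p" ]; then
                h=$(sha256_of "$p")
                if [ "$h" = "$WIRENET_SHA256" ]; then
                    echo "  sha256 matches the sample reported in the thread"
                else
                    echo "  sha256 $h differs from the reported sample; submit the file for analysis"
                fi
            fi
        done
    done
    return $found
}

# Print block rules for the C2 address for both firewalls mentioned in the
# thread's platforms. They are printed, not applied: review, then apply.
wirenet_block_rules() {
    echo "# Linux (iptables):"
    echo "iptables -A OUTPUT -d $WIRENET_C2 -j DROP"
    echo "iptables -A INPUT  -s $WIRENET_C2 -j DROP"
    echo "# Mac OS X (pf; add to /etc/pf.conf, then: pfctl -f /etc/pf.conf)"
    echo "block drop quick from any to $WIRENET_C2"
    echo "block drop quick from $WIRENET_C2 to any"
}

# Stand-alone use: sh wirenet_check.sh --scan
# Scans the current user's home directory, then prints the block rules.
case "${1:-}" in
    --scan)
        if wirenet_check "$HOME"; then
            echo "no WIFIADAPT indicator under $HOME"
        fi
        wirenet_block_rules
        ;;
esac
```

To cover every account on a server, pass all home directories at once, for example `wirenet_check /home/* /root`; the exit status is 1 whenever anything was found, which makes the check easy to wire into a cron job or a monitoring agent.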