Author Topic: Mac trojan  (Read 2590 times)

Offline Paddy

Mac trojan
« on: April 02, 2008, 05:32:05 PM »
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users


The hilarious thing is their web site:

http://www.imunizator.com/

Under features it lists the following:

QUOTE
Erases

Erases system's old logs and universal binaries.


Er...just what universal binaries are you planning on erasing???

And this is a hoot:

QUOTE
What evidence does your computer have?

Private companies are tracking the ISPs to record your Internet behavior and downloads for evidence. Simply deleting these files does not get rid of the evidence. Many times you are not even aware of the files that get installed by themselves and could compromise your career, your marriage or your overall status quo.


Ooh...now I'm reeeeally scared!

And then when you go to their buy online page, you're greeted with "Warning! Your MAC is in danger of COMPROMISING OBJECTS. These objects may compromise YOUR CREDIT CARD information. Immediate removal of malicious objects is highly recommended."

Compromising OBJECTS? What sort of objects do they have in mind? The falling sort? The magnetic sort?

Who comes up with this stuff? Well, no surprise there - it would appear to be at least somewhat related to our good old pals in Russia - same domain registration as all the rest of 'em:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: IMUNIZATOR.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 09-Mar-2008
Expiration Date: 09-Mar-2009

Domain servers in listed order:
ns1.twisted4life.com
ns.imunizator.com

However, it's a bit more tangled than that - the IP resolves to the US (a static IP too) according to the lookup I used. I've noticed that this is not unusual - our stats for our school web site indicate a bunch of IPs that I know belong to Rogers as "US". HOWEVER, it's hosted by privatedns.com - and they're in Quebec. From what I could find, they are involved in a whole lot of this sort of thing. If you go to their website, you simply get a message to email them. Somehow, I don't think there is much point in emailing them to tell them that they have some scam artists using their hosting!!

The other domain server (twisted4life) is in West Yorkshire, England. Have no idea what that connection is, but it has the same message as the Quebec site.
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline krissel

Mac trojan
« Reply #1 on: April 03, 2008, 12:52:06 AM »
Guess this is the wave of the future.


A Techsurvivors founder

Offline Gregg

Mac trojan
« Reply #2 on: April 03, 2008, 07:14:32 AM »
Paddy, that stuff sounds like the instructions in electronic devices, toys, etc. Obviously written by a non-native English speaker...
Ya gotta applaud those bunnies for sacrificing their hearing just so some guy in Cupertino can have better TV reception.

Offline Xairbusdriver

Mac trojan
« Reply #3 on: April 03, 2008, 12:17:29 PM »
Well, I'm not taking any chances! I certainly don't want the status of my quo badly affected. I'm going to the hardware store and get some of that electric fencing and encircle our computers. As the illustrious mayor of Memphis would say, "Ain't no horses comin' in here!"

Fact: This "gentleman" was the city's school superintendent for several years. Now, since they are looking for a replacement, again, he has offered to step down as Mayor (after only 3 months into his 3rd reelection) to take back control of the school system! And many wonder why everyone who can is moving OUT of Memphis. "Ain't no tellin'!"

Oh, did I mention that his pension and his income would be higher as Superintendent than as Mayor? But I'm sure that has nothing to do with his 'loop-holed' offer...
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline tacit

Mac trojan
« Reply #4 on: April 03, 2008, 01:19:21 PM »
Yep, same folks who did MacSweeper a while back. Same language, same tactics. The MacSweeper site is still up at www.macsweeper.com and as you can see, it's the same site, same software, just under a different name.

The English is kind of awkward because the site's owners are Russian. In fact, the site uses similar language to, and the macsweeper.com site is hosted in the same IP space as, sites believed to be associated with the Russian Business Network, which sell similar fake "security" software for Windows. It would not surprise me if the authors of this fake Mac software are themselves affiliated in some way with Russian Business Network.
A whole lot about me: www.xeromag.com/franklin.html

Offline Paddy

Mac trojan
« Reply #5 on: April 03, 2008, 06:29:48 PM »
I dug a bit deeper...and found that the phone number listed in the WhoIs for privatedns.com happened to match the phone number for a web hosting service by the name of iWeb.com (have Apple sued them yet?) - who appear to be quite legitimate - and no Russians in sight. They've been around for over ten years and get very good reviews. One of the owners has a blog here: http://www.martinleclair.com

They really don't look like the sort to knowingly host a Mac Trojan.

Through another IP lookup, I confirmed that info:

Domain: IMUNIZATOR.COM

ISP          : Groupe iWeb Technologies
Organization : Groupe iWeb Technologies
Location     :  CA, Canada
City         : Montreal, QC h1w1g4

So - I sent them an email to ask if they were aware that they were hosting Mac scamware, with a link to the MacDailyNews article. We'll see if I get a response!! Sent the email to their general email addy and the one for Martin LeClair.

Domain Name.......... iweb.com
Creation Date........ 1999-03-29
Registration Date.... 2007-08-20
Expiry Date.......... 2017-03-29
Organisation Name.... Leclair, Martin
Organisation Address. iWeb Technologies Inc.
Organisation Address. 3185 Hochelaga
Organisation Address. Montreal
Organisation Address. H1W 1G4
Organisation Address. Qc
Organisation Address. CANADA

Admin Name........... Leclair Martin
Admin Address........ iWeb Technologies Inc.
Admin Address........ 3185 Hochelaga
Admin Address........ Montreal
Admin Address........ H1W 1G4
Admin Address........ Qc
Admin Address........ CANADA
Admin Email.......... martin_ml@iweb.ca
Admin Phone.......... +1.5142864242
Admin Fax............

Tech Name............ Leclair Martin
Tech Address......... iWeb Technologies Inc.
Tech Address......... 3185 Hochelaga
Tech Address......... Montreal
Tech Address......... H1W 1G4
Tech Address......... Qc
Tech Address......... CANADA
Tech Email........... martin_ml@iweb.ca
Tech Phone........... +1.5142864242
Tech Fax.............
Name Server.......... MY.PRIVATEDNS.COM
Name Server.......... YOUR.PRIVATEDNS.COM

Offline Xairbusdriver

Mac trojan
« Reply #6 on: April 03, 2008, 08:59:49 PM »
Hope you used a 'throw away' addy! They may know the status of your quo! Do your kids know how quickly and thoroughly you do your research! Don't try putting anything over on this Mom!

Offline tacit

Mac trojan
« Reply #7 on: April 04, 2008, 01:24:42 PM »
QUOTE(Paddy @ Apr 3 2008, 11:29 PM)
I dug a bit deeper...and found that the phone number listed in the WhoIs for privatedns.com happened to match the phone number for a web hosting service by the name of iWeb.com (have Apple sued them yet?) - who appear to be quite legitimate - and no Russians in sight. They've been around for over ten years and get very good reviews. One of the owners has a blog here: http://www.martinleclair.com

They really don't look like the sort to knowingly host a Mac Trojan.

That phone number doesn't actually belong to imunizator.com; the whois for imunizator.com is cloaked by PrivacyProtect.org and the domain is registered through estdomains.com. The registrar estdomains.com is the preferred domain registrar for Russian organized crime; every Russian Business Network site I've seen so far, without exception, is registered through them.

tacits-computer-2:~ tacit$ whois www.imunizator.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "WWW.IMUNIZATOR.COM".
>>> Last update of whois database: Fri, 04 Apr 2008 18:16:34 UTC <<<

tacits-computer-2:~ tacit$ whois imunizator.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: IMUNIZATOR.COM
   Registrar: ESTDOMAINS, INC.
   Whois Server: whois.estdomains.com
   Referral URL: http://www.estdomains.com
   Name Server: NS.IMUNIZATOR.COM
   Name Server: NS1.TWISTED4LIFE.COM
   Status: clientTransferProhibited
   Updated Date: 09-mar-2008
   Creation Date: 09-mar-2008
   Expiration Date: 09-mar-2009

>>> Last update of whois database: Fri, 04 Apr 2008 13:16:49 EST <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: IMUNIZATOR.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Creation Date: 09-Mar-2008
Expiration Date: 09-Mar-2009

Domain servers in listed order:
    ns1.twisted4life.com
    ns.imunizator.com


Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Status:ACTIVE


The phone number probably belongs to their Web host. Right now, imunizator.com is hosted by iWeb (which has been around for longer than Apple's iWeb, and is located in Canada):

Parsing input: imunizator.com
Tracking details
$ whois 67.205.75.10@whois.arin.net

[whois.arin.net]
Groupe iWeb Technologies inc. IWEB-BLK-04 (NET-67-205-64-0-1)
                                  67.205.64.0 - 67.205.95.255
Individual IWEB-CL-T062-361CL-188 (NET-67-205-75-8-1)
                                  67.205.75.8 - 67.205.75.15
"whois 67.205.75.10@whois.arin.net" (Getting contact from whois.arin.net )
   checking NET-67-205-75-8-1
$ whois NET-67-205-75-8-1@whois.arin.net

[whois.arin.net]

CustName:   Individual
Address:    Olevska 3
City:       Kiev
StateProv:  
PostalCode: 03164
Country:    UA
RegDate:    2008-04-03
Updated:    2008-04-03

NetRange:   67.205.75.8 - 67.205.75.15
CIDR:       67.205.75.8/29
OriginAS:   AS32613
NetName:    IWEB-CL-T062-361CL-188
NetHandle:  NET-67-205-75-8-1
Parent:     NET-67-205-64-0-1
NetType:    Reassigned
Comment:    
RegDate:    2008-04-03
Updated:    2008-04-03

OrgAbuseHandle: ABUSE1906-ARIN
OrgAbuseName:   Abuse Coordinator
OrgAbusePhone:  +1-514-286-4242
OrgAbuseEmail:  abuse@noc.privatedns.com

OrgNOCHandle: NETWO2356-ARIN
OrgNOCName:   Network Admministrator
OrgNOCPhone:  +1-514-286-4242
OrgNOCEmail:  net-admin@noc.privatedns.com

OrgTechHandle: NETWO2356-ARIN
OrgTechName:   Network Admministrator
OrgTechPhone:  +1-514-286-4242
OrgTechEmail:  net-admin@noc.privatedns.com
   "whois NET-67-205-75-8-1@whois.arin.net" (Getting contact from whois.arin.net )
   Found AbuseEmail in whois abuse@noc.privatedns.com
   Ignoring small (7 IP) network
   checking NET-67-205-64-0-1
   Display data:
   "whois NET-67-205-64-0-1@whois.arin.net" (Getting contact from whois.arin.net )
   Found AbuseEmail in whois abuse@noc.privatedns.com
   67.205.64.0 - 67.205.95.255:abuse@noc.privatedns.com
Routing details for 67.205.75.10
Using abuse net on abuse@noc.privatedns.com
abuse net noc.privatedns.com = abuse@privatedns.com, support@privatedns.com, abuse-report@iweb.ca, abuse@iweb.ca

So they're registered through estdomains.com, cloaked by privacyprotect.org, and hosted on iweb.ca. The odds that iWeb will take action against them are, unfortunately, quite small.
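As an added example (my code, not anything posted by tacit or Paddy): a small Python script that parses registry and ARIN records of the kind quoted in the post above, pulls out the registrar, nameservers, creation date and network abuse contact, and flags the signals the post is leaning on (a domain only weeks old, a nameserver under the domain itself, a netblock reassigned to an individual abroad the day before). The sample inputs are abridged from the records quoted in the thread; the 30-day age threshold and the dictionary field names are my assumptions.

```python
import re
from datetime import date, datetime

# Sample inputs, abridged from the registry and ARIN records quoted in the thread above.
REGISTRY_WHOIS = """\
   Domain Name: IMUNIZATOR.COM
   Registrar: ESTDOMAINS, INC.
   Name Server: NS.IMUNIZATOR.COM
   Name Server: NS1.TWISTED4LIFE.COM
   Creation Date: 09-mar-2008
"""
ARIN_WHOIS = """\
CustName:   Individual
Country:    UA
NetRange:   67.205.75.8 - 67.205.75.15
RegDate:    2008-04-03
OrgAbuseEmail:  abuse@noc.privatedns.com
"""

def parse_kv(text):
    """Turn 'Key: value' whois lines into a dict of lists (keys such as Name Server repeat)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def parse_whois_date(s):
    """Accept both date layouts seen in the thread: 09-mar-2008 and 2008-04-03."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(s, fmt).date()
        except ValueError:
            continue
    raise ValueError("unrecognised whois date: " + s)

def assess(registry_text, arin_text, observed=date(2008, 4, 4), max_age_days=30):
    """Summarise whom to contact and the signals that mark a throwaway scareware domain."""
    reg, net = parse_kv(registry_text), parse_kv(arin_text)
    domain = reg["domain name"][0].lower()
    age = (observed - parse_whois_date(reg["creation date"][0])).days
    return {
        "domain": domain,
        "registrar": reg["registrar"][0],
        "domain_age_days": age,
        "recently_registered": age <= max_age_days,  # threshold is an assumption
        "self_hosted_ns": any(ns.lower().endswith("." + domain) for ns in reg["name server"]),
        "net_country": net["country"][0],
        "net_reassigned": parse_whois_date(net["regdate"][0]).isoformat(),
        "abuse_contact": net["orgabuseemail"][0],  # where a hosting abuse report goes
    }
```

Run against live `whois` output the same way, swapping the sample strings for the captured registry and `whois <ip>@whois.arin.net` records.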

Offline Paddy

Mac trojan
« Reply #8 on: April 04, 2008, 01:48:49 PM »
I realize that the phone number doesn't belong to Imunizator.com (that's not what I said...) - it's iWeb's.

I did contact iWeb anyway - fully realizing that they may take no action, but figured it was worth a try. You never know. If they were in some other country, I wouldn't bother, but they're here in Canada and they have a very good reputation, so I thought I'd give it a whirl. Haven't heard a peep out of them so far though, other than the auto-response.