
Trojan:MacOS_X/QHost.A


First posted on 31 August 2011.
Source: SecurityHome

Aliases:

Trojan:MacOS_X/QHost.A is also known as Trojan.SH.QHost.GMU (VirusBuster), Trojan.Hosts.4737 (Dr.Web), Linux/Qhost.A trojan (ESET), Virus.Hosts (Ikarus), Trojan.BAT.Qhost.nh (Kaspersky), OSX/Qhosts (McAfee), Troj/QHost-CU (Sophos), Trojan.Chost (Symantec).

Explanation:

Trojan:MacOS_X/QHost.A is a malicious program that modifies the Hosts file to redirect specific websites to a predetermined IP address.





Installation

Trojan:MacOS_X/QHost.A may arrive as the file "FlashPlayer.pkg", which poses as an installer of Adobe Flash Player for Mac.

The installer package contains a malicious bash script named "preinstall". It abuses a legitimate feature of Apple's Mac OS X Installer packaging: a package may carry custom scripts that Installer runs automatically at fixed points during installation, and a preinstall script is run before any of the package's files are copied, so the payload executes as soon as the user clicks through the installer.

The package also contains "info.plist", which declares the package's installation requirements, including the authorization level Installer must obtain. The trojan needs root privileges for its payload to succeed, because the hosts file is owned by root and not writable by an ordinary user; it obtains them when the user enters an administrator password at Installer's authentication prompt, after which the install-time scripts run as root.
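Because the preinstall mechanism is a legitimate Installer feature, the practical defence is to look inside a package before installing it. The following shell script is an added example, written for this page; it is not the original analysis and contains no code from the trojan. It triages a package that has already been unpacked into a directory, listing the install-time scripts it carries, flagging any that reference the hosts file, and reporting whether the metadata asks for root. It assumes the layout of a bundle-style package (scripts under Contents/Resources, Contents/Info.plist with an IFPkgFlagAuthorizationAction key) and of a flat package expanded with `pkgutil --expand` (scripts under Scripts, a PackageInfo file with an auth attribute); the package tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original write-up or the trojan: triage an
# Installer package that has been unpacked to a directory, listing the
# install-time scripts it carries and whether it asks to run them as root.
# Assumptions (labelled, not taken from the write-up): bundle-style packages
# keep scripts under Contents/Resources and metadata in Contents/Info.plist;
# flat packages expanded with `pkgutil --expand <pkg> <dir>` keep scripts
# under Scripts and metadata in PackageInfo. make_sample_pkg builds a
# constructed package tree for the demo.

# Print "script: <path>" for every install-time script under package dir $1,
# and "mentions-hosts: <path>" for any such script that references the hosts
# file. This is a triage heuristic, not a verdict: read the script itself.
pkg_scripts() {
    find "$1" -type f \( -name preinstall -o -name postinstall \
        -o -name preflight -o -name postflight \
        -o -name preupgrade -o -name postupgrade \) 2>/dev/null | sort |
    while IFS= read -r script; do
        printf 'script: %s\n' "$script"
        if grep -q 'etc/hosts' "$script"; then
            printf 'mentions-hosts: %s\n' "$script"
        fi
    done
}

# Print "root" if the package metadata requests root authorization for the
# install (and therefore for its scripts), otherwise "none".
pkg_auth() {
    if grep -qs 'RootAuthorization' "$1/Contents/Info.plist" ||
       grep -qs 'auth="root"' "$1/PackageInfo"; then
        echo root
    else
        echo none
    fi
}

# Build a constructed bundle-style package tree that mimics the shape the
# write-up describes: a preinstall script plus an Info.plist asking for root.
# The stand-in script only prints a message; nothing here is ever executed.
make_sample_pkg() {
    mkdir -p "$1/Contents/Resources"
    printf '%s\n' '#!/bin/bash' \
        'echo "stand-in for a script that would edit /private/etc/hosts"' \
        > "$1/Contents/Resources/preinstall"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict>' \
        '<key>IFPkgFlagAuthorizationAction</key><string>RootAuthorization</string>' \
        '</dict></plist>' > "$1/Contents/Info.plist"
}

# Demo against the constructed package.
demo_dir=$(mktemp -d)
make_sample_pkg "$demo_dir/FlashPlayer.pkg"
pkg_scripts "$demo_dir/FlashPlayer.pkg"
echo "auth: $(pkg_auth "$demo_dir/FlashPlayer.pkg")"
rm -rf "$demo_dir"
```

To use it on a real flat package, expand it first (`pkgutil --expand FlashPlayer.pkg /tmp/fp`) and run `pkg_scripts /tmp/fp` and `pkg_auth /tmp/fp` on the result; a package that claims to be a Flash Player installer, requests root and ships a preinstall script that touches the hosts file deserves a close read of that script before anything is installed.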



Payload

Modifies Hosts file

Trojan:MacOS_X/QHost.A modifies the hosts file at /private/etc/hosts (on Mac OS X, /etc is a symbolic link to /private/etc, so this is the same file as /etc/hosts). It maps the following host names to the IP address 91.224.160.26, so that the system resolver returns that address instead of the genuine one for every application that looks these names up:

  • google.ae
  • google.as
  • google.at
  • google.az
  • google.ba
  • google.be
  • google.bg
  • google.bs
  • google.ca
  • google.cd
  • google.ch
  • google.co.ck
  • google.co.id
  • google.co.il
  • google.co.in
  • google.co.jp
  • google.co.kr
  • google.co.ls
  • google.co.ma
  • google.co.nz
  • google.co.tz
  • google.co.ug
  • google.co.uk
  • google.co.za
  • google.co.zm
  • google.com
  • google.com.af
  • google.com.gh
  • google.com.hk
  • google.com.jm
  • google.com.mx
  • google.com.my
  • google.com.na
  • google.com.nf
  • google.com.ng
  • google.com.np
  • google.com.pr
  • google.com.qa
  • google.com.sg
  • google.com.tj
  • google.com.tw
  • google.de
  • google.dj
  • google.dk
  • google.dm
  • google.ee
  • google.fi
  • google.fm
  • google.fr
  • google.ge
  • google.gg
  • google.gm
  • google.gr
  • google.ht
  • google.ie
  • google.im
  • google.in
  • google.it
  • google.ki
  • google.la
  • google.li
  • google.lv
  • google.ma
  • google.ms
  • google.mu
  • google.mw
  • google.nl
  • google.no
  • google.nr
  • google.nu
  • google.pl
  • google.pn
  • google.pt
  • google.ro
  • google.ru
  • google.rw
  • google.sc
  • google.se
  • google.sh
  • google.si
  • google.sm
  • google.sn
  • google.st
  • google.tl
  • google.tm
  • google.tt
  • google.us
  • google.vu
  • google.ws


As a result, requests intended for any of these host names are delivered to the server at that address rather than to Google, and that server can return whatever it likes, so the results and content of the search page may be altered. Because the hijack happens at name resolution, it affects every application on the system, not only the browser. It is effective mainly against plain HTTP: an HTTPS connection to one of these names would fail certificate validation, since the impostor server cannot present a valid certificate for a Google domain.
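The following POSIX shell script is an added example for this page, not the original analysis and not anything taken from the trojan: it audits a hosts file for the redirection pattern described above and writes a cleaned copy. It assumes the IOC address named in this write-up and, going beyond that single indicator, also treats any google.* name mapped to anything other than a loopback or null address as suspicious, while leaving ad-blocking style entries (127.0.0.1, ::1, 0.0.0.0) alone. The sample hosts file it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a hosts file for the
# kind of redirection QHost.A performs and produce a cleaned copy.
# Assumptions: 91.224.160.26 is the address named in the write-up; any
# google.* name mapped to something other than a loopback or null address
# is treated as suspicious as well (a generalisation beyond that one IOC).
# The hosts file written by write_sample_hosts is constructed for this demo.

IOC_IP="91.224.160.26"

# awk program shared by the report and clean functions. A line is suspicious
# if its address is the IOC, or if it maps a google.* name to anything other
# than 127.0.0.1, ::1 or 0.0.0.0 (common ad-blocking entries are left alone).
HOSTS_AWK='
function suspicious(    i, ip, name) {
    ip = $1
    for (i = 2; i <= NF; i++) {
        name = tolower($i)
        if (ip == ioc) return i
        if (name ~ /(^|\.)google\./ && ip != "127.0.0.1" && ip != "::1" && ip != "0.0.0.0")
            return i
    }
    return 0
}
{
    line = $0
    sub(/#.*/, "")                 # drop trailing comments before parsing
    if (NF == 0) {                 # blank or comment-only line
        if (mode == "clean") print line
        next
    }
    i = suspicious()
    if (i) { if (mode == "report") print $1, $i }
    else if (mode == "clean") print line
}'

# Print "<address> <name>" for each suspicious line in hosts file $1.
hosts_report() { awk -v ioc="$IOC_IP" -v mode=report "$HOSTS_AWK" "$1"; }

# Print hosts file $1 with the suspicious lines removed (everything else,
# including comments and blank lines, is kept unchanged).
hosts_clean() { awk -v ioc="$IOC_IP" -v mode=clean "$HOSTS_AWK" "$1"; }

# Constructed sample resembling an infected Mac OS X hosts file.
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database (constructed sample for the demo, not a real capture)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
0.0.0.0         ads.google.com     # ad-blocking entry, should be kept
10.0.0.5        intranet.example   # legitimate local entry, should be kept
91.224.160.26   google.com
91.224.160.26   google.co.uk google.de
203.0.113.9     www.google.com
EOF
}

# Demo: write the sample, report on it, then show the cleaned copy.
demo_file=$(mktemp)
write_sample_hosts "$demo_file"
echo "== suspicious entries =="
hosts_report "$demo_file"
echo "== cleaned copy =="
hosts_clean "$demo_file"
rm -f "$demo_file"
```

On a live system run `hosts_report /etc/hosts` first; to clean, write `hosts_clean /etc/hosts` to a temporary file, diff it against the original, and only then copy it into place as root. On Mac OS X of that era the resolver cache can be flushed afterwards with `dscacheutil -flushcache` so that applications stop using the poisoned answers.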



Analysis by Methusela Cebrian Ferrer

Last update 31 August 2011
