WARNING: AppleScript Trojan Horse [was: Trojan attack: help me please]
- Subject: WARNING: AppleScript Trojan Horse [was: Trojan attack: help me please]
- From: "Bryan" <email@hidden>
- Date: Sun, 25 Feb 2001 17:10:29 -0500
This is a preliminary warning to all users of both lists.

Juan Luis sent me a copy of an applet which is disguised as a text document.
It was titled "mylistofstuff ", so I thought it was something that he had
extracted from the file he wanted me to analyse. Like a dolt, I double clicked
it without checking to see if there was a resource fork (which a text file
should not have). In my own defense, I did not expect to receive the original
Trojan Horse. Fortunately the little bugger requires a specific file hierarchy
unique to Hotline servers; or I would have paid dearly.

This is where the scurvy knave who wrote it got clever.
There is a call in the script to display the standard warning:
"Could not open because could not find application ..." etc.
Obviously, the intent here is to make the user think that nothing happened.

There is no data fork, but there is a resource fork; there are no aetes, etc.
There is a detectable launch of the applet when the file is double clicked.
But if this had been made into an FBA, it could have been very hard to detect.

Opening with ResEdit revealed that it was an applet; but there is no applet icon,
only the text page icon as a disguise.
I have saved the ResEdit info; anyone who wants a copy can have it.

Smile gives the response:
Can't read this file.
It has been saved as run-only.
Opening with Resource Scavenger 1.0d231 I find scripting code:
----------
Logged Now Wednesday, February 21, 2001 02:33:05 PM
Scanned "Macintosh HD:Desktop Folder:Troyanos:mylistofstuff"
scsz count: 1
[0]
scpt count: 1
[128]
----------
But using 4 versions of OsaxenCheck I find no calls to any standard OSAX.
There are calls to the OS and there is a "code" resource.
It appears to have been modelled after a Trojan horse technique
that has been around for a while. The novelty is that it uses
vanilla AppleScript.

I think we will begin to see some very unusual and dangerous AppleScript
viruses soon, particularly now that the scripts can be disguised, be made
into faceless background apps and make calls to embedded, bundled
application resource OSAXen.
----------
> From: Juan Luis <email@hidden>
> To: <email@hidden>
> Subject: Trojan attack: help me please
> Date: Now Mon, Feb 19, 2001, 01:45 PM
>
> Hi,
>
> I need help ASAP: on my Hotline server someone has uploaded a script with
> the appearance of a SimpleText file.
>
> The script can't be opened with AppleScript Editor because it was saved for
> execution only.
>
> With CanOpener I have extracted this:
>
> mylisttrojan.0 PowerPlug PartSIT! <cpntA N^NuNV /<NOTI?< N^NuNV
> /<aplt/<scptp!.*(_ #NuCTo run this script application, you must first
> install AppleScript. @0@(@<@ @0@(@<@ JFasdUAS 1.101.10 starts .aevtoappnull
> error_code hotline_path alias_path the_path alias_there the_disk
> .aevtoappnull Findern, MACS n+P 8600HD Finder FNDRMACS Carpeta del
> Sistema !8600HD:Carpeta del Sistema:Finder kfrmID hotline_path
> .corecnte**** alias_path :Files the_path :Users:guest:files .coredoexbool
> alias_there the_disk .miscactv**** comments .corecrel**** :comments
> .miscslct**** Thank you for commenting us error_code \[Zk\ZC2 ,FO*j+
> error_code myname .earsffdr****
> The document X Could not be opened because the application program that
> created it could not be found. Ccould not find a translation extention with
> appropriate translators .sysodlogaskr =Macintosh HD:Aplicaciones:Hotline
> Server:Hotline Server 1.8.4 :Macintosh HD:Aplicaciones:Hotline
> Server:Users:guest:files CMacintosh HD:Aplicaciones:Hotline
> Server:Users:guest:files:comments boovtrue Macintosh HD text editor
>
> I don't know the effects on my computer for now.
>
> What can I do? I still have the script; if someone can help me I would like
> to send it for analysis.
>
> Sorry for my English.
>
> TIA
> _______________________________________________
> applescript-users mailing list
> email@hidden
> http://www.lists.apple.com/mailman/listinfo/applescript-users
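The checks Bryan performs by hand above (does a file shown as a text document carry a resource fork, does that fork hold a 'scpt' resource, is the data fork empty) can be automated by parsing the classic Mac OS resource fork directly. The Python below is an added example written for this page; it is not code from either poster or from ResEdit, Resource Scavenger, Smile or CanOpener. It follows the documented Resource Manager layout (16-byte header, resource data from offset 256, a resource map holding the type list and reference lists), the two sample forks are constructed inline and are not the real file, and the 'FasdUAS' marker it looks for is the compiled-AppleScript signature visible in Juan Luis's CanOpener dump. Finder type codes ("TEXT", "APPL") are passed in as assumed inputs.

```python
"""
Spot an AppleScript applet disguised as a text document by reading its
classic Mac OS resource fork, instead of opening it in ResEdit by hand.
Added example; the forks built below are constructed here, not the real sample.
"""
import struct

RSRC_DATA_START = 256      # resource data begins after the 256-byte header area
MAP_HEADER_LEN = 28        # header copy(16) + handle(4) + refnum(2) + attrs(2) + 2 offsets
SCRIPT_MAGIC = b"FasdUAS"  # leading bytes of a compiled AppleScript ('scpt') blob


def build_resource_fork(resources):
    """Serialize (type, id, payload) triples into a minimal resource fork.

    Used only to construct test input; types are 4-byte codes such as b"scpt".
    """
    data_blob = b""
    by_type = {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data_blob)))
        data_blob += struct.pack(">I", len(payload)) + payload
    type_list = struct.pack(">h", len(by_type) - 1)        # number of types, minus one
    ref_lists = b""
    first_ref = 2 + 8 * len(by_type)                       # offset from type-list start
    for rtype, refs in by_type.items():
        type_list += struct.pack(">4shH", rtype, len(refs) - 1, first_ref + len(ref_lists))
        for rid, data_off in refs:
            # id, name offset (-1 = unnamed), attrs byte + 3-byte data offset, handle
            ref_lists += struct.pack(">hhII", rid, -1, data_off & 0xFFFFFF, 0)
    body = type_list + ref_lists
    rmap = (b"\0" * 16
            + struct.pack(">IHHHH", 0, 0, 0, MAP_HEADER_LEN, MAP_HEADER_LEN + len(body))
            + body)                                        # name list is empty
    header = struct.pack(">IIII", RSRC_DATA_START, RSRC_DATA_START + len(data_blob),
                         len(data_blob), len(rmap))
    return header.ljust(RSRC_DATA_START, b"\0") + data_blob + rmap


def iter_resources(fork):
    """Walk the resource map and yield (type, id, attrs, payload) for every resource."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("resource fork header points outside the fork")
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    ntypes = struct.unpack_from(">h", fork, type_list)[0] + 1
    for i in range(ntypes):
        rtype, nres, ref_off = struct.unpack_from(">4shH", fork, type_list + 2 + 8 * i)
        for j in range(nres + 1):
            rid, _name, attr_off = struct.unpack_from(">hhI", fork, type_list + ref_off + 12 * j)
            start = data_off + (attr_off & 0xFFFFFF)       # low 3 bytes: offset into data area
            length = struct.unpack_from(">I", fork, start)[0]
            yield rtype.decode("mac_roman"), rid, attr_off >> 24, fork[start + 4:start + 4 + length]


def assess(finder_type, data_fork, resource_fork):
    """Return the reasons a file shown as finder_type looks like a script applet."""
    findings = []
    if not resource_fork:
        return findings                                    # plain text: nothing to inspect
    resources = list(iter_resources(resource_fork))
    if finder_type == "TEXT" and not data_fork:
        findings.append("TEXT file with an empty data fork")   # real text lives in the data fork
    if finder_type != "APPL":                              # only applets should carry scripts
        script_ids = [rid for rtype, rid, _a, _p in resources if rtype == "scpt"]
        if script_ids:
            findings.append("compiled AppleScript 'scpt' resource(s) %s in a non-APPL file" % script_ids)
        for rtype, rid, _attrs, payload in resources:
            if payload.startswith(SCRIPT_MAGIC):
                findings.append("%s %d begins with the compiled-script marker %s"
                                % (rtype, rid, SCRIPT_MAGIC.decode()))
    return findings


# Constructed sample: the layout reported above (one 'scsz' id 0, one 'scpt' id 128,
# no data fork, Finder type TEXT). The script body is a placeholder, not the real one.
TROJAN_FORK = build_resource_fork([
    (b"scsz", 0, b"\0\0\0\0"),
    (b"scpt", 128, SCRIPT_MAGIC + b" 1.101.10" + b"\0" * 8),
])
# Constructed benign control: a styled SimpleText document with its text in the data fork.
BENIGN_FORK = build_resource_fork([(b"styl", 128, b"\0\0\0\0")])

if __name__ == "__main__":
    for name, ftype, data, fork in [("mylistofstuff", "TEXT", b"", TROJAN_FORK),
                                    ("notes", "TEXT", b"my real list\r", BENIGN_FORK)]:
        print(name, {t: i for t, i, _a, _p in iter_resources(fork)})
        for finding in assess(ftype, data, fork) or ["no findings"]:
            print("  -", finding)
```

The check keys on script resources rather than on the mere presence of a resource fork, because a styled SimpleText document legitimately carries a 'styl' resource (the benign control above). On macOS the resource fork of a real file can be read from `<file>/..namedfork/rsrc` and passed to `assess` as bytes; on a classic Mac OS volume it is the fork the Finder and ResEdit already show you.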