SHA1 c206a19d7fb4a7dbabe3f1a0d9bfa8476356ecb2
A Trojan for OS X that is installed by Mac.Trojan.VSearch.4.
It includes the following components:
DemoInjector.app
change_net_settings.sh
com.pref.net-preferences.plist
com.pref.preferences.plist
install_Injector.sh
readme_inj.txt
uninstall_injector.sh
When the Trojan is installed, it creates a user account that has a random username and the “test. ID = 401” password that is not displayed in the OS X Welcome dialog, and redirects HTTP traffic from all interfaces to the local port 9882. Mac.Trojan.VSearch.7 uses this port to launch a proxy server that injects a JavaScript script into all webpages browsed by the victim. The Trojan receives the script via the URL that looks as follows:
http://domain/sm/mu?id=machine_id&d=dist_channel_id&cl=click_id
The Trojan gets the parameters necessary for its normal work from /Library/Preferences/com.appName.preferences.plist, where appName is an application name generated randomly.
The script injected into webpages displays advertisements, sends statistics to the server, and collects the user’s Web search queries transmitting them to servers, a list of which is incorporated into the script:
www.google.
www.bing.
.ask.
search.whitesmoke
thesmartsearch
