Posted by: oldmacbloggit | March 28, 2012

OSX/Lamadai.A: more analysis

ESET’s Alexis Dorais-Joncas has published some further analysis on the malware also discussed by AlienVault Labs and Intego, among others (including David!), and which ESET detects as OSX/Lamadai.

As Mr. Harley pointed out, this malware is exploiting a somewhat elderly vulnerability: in fact, Apple patched it back in November. Here are the MD5s for the samples analysed by ESET:

MD5 of the files analyzed:
39084b60790ca3fdebe1cd93a4764819  file-mac.tmp (OSX payload)

MD5 of related files
7f7cbc62c56aec9cb351b6c1b1926265  file-win.tmp (Win32 payload)
dd7421fb6ca03c5752a06cffb996285a  index.jar (OSX/Linux dropper)
2d86dce83851f76493ba0492d066c095  default.jar (Win32 dropper)
4b6eb782f9d508bbe0e7cfbae1346a43  index.html (HTML serving the droppers)

Dorais-Joncas points out that the code they analysed doesn’t resemble OSX/Olyx, but revisiting the MD5s F-Secure provided for threats related to what it calls OSX/Olyx.B, it looks as if both companies are looking at much the same code and drawing different conclusions in terms of malware families. Which only makes a point we’ve made many times before: when the media try to base their conclusions on malware names by different companies, they’re on a hiding to nothing. In a time of sample glut like the 21st century, arbitrary naming tells you more about the perception and processes of individual labs than it does about the relationship between binaries.

Exploit:Java/CVE-2011-3544.E — MD5: 6C8F0C055431808C1DF746F9D4BB8CB5, MD5: 453A3DC32E2FAFD39F837A1EBE62CA80

  • Backdoor:OSX/Olyx.B — MD5: 39084b60790ca3fdebe1cd93a4764819
  • Backdoor:W32/Poison.CE — MD5: 7F7CBC62C56AEC9CB351B6C1B1926265

Old ‘What did we tell you?’ Mac

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: