MAAS History
Disclaimer

All information Provided as is.

Sunday, July 15, 2012

Condition Remains GREEN

Fake Installer Trojan specifically targeting the Cisco ANY CONNECT /etc/hosts.ac file on Mac OSX, discovered by Magmatic. These Fake Installer Trojans are related to recent click fraud campaigns, including that of in-appstore()com, which directed users to 91()224()160()136, a known spammer as of June 2012. Click fraud has been the financial motive for the criminals using these methods. This Fake Installer Trojan is LOW RISK.

<<Awaiting independent confirmation from two research sources.>>

Background

A Fake Installer Trojan, using methods similar to past FAKE INSTALLERS that altered the /etc/hosts file, is specifically targeting Cisco ANYCONNECT's /etc/hosts.ac on MAC OSX. This malicious script can be delivered by a host of social engineering methods. Basically, the Fake Installer Trojan tricks users into running the script. The result is altered entries in the hosts.ac file, similar to BASH/Qhost.WD. (Entries appear to be related to google.*.com.) As with FlashBack and the recent in-appstore()com redirect, the criminal activity uses click fraud to generate a revenue stream. There is no evidence, nor has there ever been evidence, of state sponsorship of any kind. The cloak of state sponsorship is part of the overall deception to drive clicks. The most recent one was reported to be targeting the Dalai Lama.

The IP addresses for all of these acts of fraud are on the same network segment, 91.224.160.0/24. (Possible email- [email protected])

Details

On Mac OSX, the /etc/hosts.ac file is used by Cisco ANY CONNECT. On restart, the contents of the /etc/hosts.ac file used by Cisco ANY CONNECT are written to the /etc/hosts file. The result is that after a user or anti-virus software corrects the /etc/hosts file, once a Mac OSX system with Cisco ANY CONNECT installed restarts, the hosts file will be changed back to match the fraudulent entries in /etc/hosts.ac. This is an attempt by the criminals either to circumvent correction of the /etc/hosts file or to specifically target users in larger enterprise organizations.

Important

Users of Cisco ANYCONNECT SHOULD CONTACT THE INCIDENT RESPONSE TEAMS IN THEIR ORGANIZATIONS IMMEDIATELY. THERE CAN BE FORENSICALLY USEFUL INFORMATION ON YOUR MAC, SINCE THIS MAY INDICATE A WIDER BREACH AT YOUR ORGANIZATION.

Fix

We stress that users should contact their organization's network response teams immediately if their hosts.ac file contains rogue entries.

How to Repair /etc/hosts.ac for Administrators Using Cisco ANYCONNECT (Similar to /etc/hosts.)

  • Boot your Mac in Safe Mode by holding down the Shift key on startup.
  • Open Terminal.app.
  • Change directory to /etc:
    • cd /etc/
  • List the hosts.ac file:
    • cat hosts.ac
  • Check whether any hosts listed are not valid. Example: 91.224.160.26 google.com, which is related to the click fraud campaign of in-appstore()com that directed iPhones to 91.224.160.136.
  • Remove the entries using the nano editor in Terminal:
    • sudo nano hosts.ac
  • Save the changes to /hosts.ac (Keyboard Command <Command O>).
  • Confirm the changes to /hosts.ac (hit Return).
  • Exit nano (Keyboard Command <Command X>).
  • Confirm the changes have been made properly:
    • cat hosts.ac
  • Reboot your Mac.
  • Open Terminal.app.
  • Check your hosts file, which should now match the hosts.ac file you changed in Terminal.app:
    • cat /./etc/hosts
  • Block 91()224()160()0/24 at your gateway for all traffic.


Summary

The Fake Installer Trojan specifically targets Cisco ANY CONNECT and does not represent a threat to standard users. We expect that the actors involved are testing various attack surfaces and that a more robust version may be used in future crimeware.

Similar to past Fake Installer Trojans, this represents VERY LOW RISK. Network administrators should block 91()224()160()0/24.