{"id":58684,"date":"2016-10-25T09:25:57","date_gmt":"2016-10-25T16:25:57","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=58684"},"modified":"2016-10-25T12:38:54","modified_gmt":"2016-10-25T19:38:54","slug":"silverinstaller-sneakier-than-previously-thought","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/silverinstaller-sneakier-than-previously-thought\/","title":{"rendered":"SilverInstaller, Sneakier Than Previously Thought"},"content":{"rendered":"

\"SilverInstaller<\/p>\n

Last week, Intego reported on the discovery of a new fake Flash Player installer, called SilverInstaller<\/a>.\u00a0When SilverInstaller was found, a few things didn’t add up, so the Intego malware team kept poking at it over the weekend\u00a0and\u00a0have\u00a0uncovered\u00a0some new details. What we found is that SilverInstaller is a bit sneakier than previously thought \u2014 it detects whether it’s running in a virtual machine and behaves differently.<\/p>\n

Here’s everything we now know about SilverInstaller.<\/p>\n

Why keep poking at it?<\/h3>\n

Initially some of the payloads did not decompress. The PostInstall script (dropper) that is responsible for installing the payload downloads this as a compressed file “act.tgz.” This file, when examined, sometimes opened and sometimes didn’t. Why?<\/p>\n

Also, why does the installer say it’s going to install MacKeeper, DavinciSearch and MegaBackup but install MPlayer instead?<\/p>\n

Unanswered questions do not sit well with the team, so down\u00a0the rabbit hole they went.<\/p>\n

All right Alice, what did they find?<\/h3>\n

The biggest find is the difference in behavior when the installer runs in a virtual machine or a real Mac.<\/p>\n

\n

The installer mentions it will install several Potentially Unwanted Applications (PUA) but fails to do so. Intego’s malware\u00a0team found out this is intentional.<\/p>\n

The way malware is tested<\/a> is by setting up a virtual machine (VM) that runs a copy of macOS. This VM can be infected without having to worry about compromising the host Mac it runs on, and when the testing is done, the VM can be stored or simply deleted. It is much safer and significantly faster than infecting an actual Mac and having to re-install it completely when done.<\/p>\n

SilverInstaller is aware it will probably end up inside a VM to be picked apart by malware researchers, so it cleverly installs only MPlayer if it finds itself inside a VM. If it sees the Mac is an actual Mac and not a virtual one, it behaves differently. Even on an actual Mac it checks for signs of analysis and if any are found, like Packet Filtering, MPlayer is installed. However, if no analysis tools are found and the Mac is real, all of the goodies mentioned by the installer are downloaded and installed.<\/p>\n

I previously mentioned<\/a>:\u00a0“The Dropper downloads the Payload, which is then responsible for opening a connection to “http:\/\/i.silvinst.com” on port 80 and a shell script is then executed.” This shell script, install_unit.sh, becomes much more interesting if it finds itself downloaded to a real Mac. Rather than installing just MPlayer, it installs the following:<\/span><\/p>\n

MacKeeper (if not already present):<\/strong><\/p>\n

\"SilverInstaller<\/p>\n

It’s even nice enough to make sure the user receives a localized version, though it currently installs the same version no matter what.<\/p>\n<\/div>\n

VSearch<\/strong><\/p>\n

“http:\/\/i.silvinst.com\/static\/c\/c.tgz”<\/span><\/p><\/blockquote>\n

A Pirrit\u00a0injector\u00a0(VSearch family)<\/strong><\/p>\n

“http:\/\/i.silvinst.com\/static\/ij\/ij_v2.tgz”<\/span><\/p><\/blockquote>\n

BrowserEnhancer, which Intego detects as VSearch<\/strong><\/p>\n

“http:\/\/i.silvinst.com\/static\/sr\/sr_v2.tgz”<\/span><\/p><\/blockquote>\n

And finally MPlayer<\/strong><\/p>\n

“http:\/\/i.silvinst.com\/static\/mplayer\/MPlayer.zip”<\/span><\/p><\/blockquote>\n

As observed previously, the payload files are deleted when the installations are finished and the installer itself can only be used once.<\/p>\n

Other Findings<\/h3>\n

You may recall each downloaded package has a unique file name and hash. Intego\u00a0quickly confirmed that the packages are dynamically generated (built) by the server. This not only causes every downloads installer package to have a unique name, like “FlashPlayer_01.10.pkg” or “FlashPlayer_01.18.pkg,” but also means the contents of each installer vary slightly. Part of this varying data is the dropper that downloads the payload onto a system, the “act.tgz” file mentioned earlier.<\/p>\n

The first time the installer runs it shows an installer that doesn’t actually do anything, runs the PostInstall script, downloads the “act.tgz” payload, decompresses it, and then downloads and installs MPlayer. When done, the payload file is deleted.<\/p>\n

The second time the installer is opened, it behaves the same but the result is different. This time when the payload “act.tgz” file is downloaded, it’s a fake. It does not decompress and is deleted right away. The installer knows if it has been run before by comparing keys with the server. Each package is assigned a key as it’s built by the server, and it is likely\u00a0that the installer checks with the server to see if a key has been used more than once. This basically guarantees the installer package can only be used once, even if copied to another machine on a different IP address. Here is an example of a key:<\/p>\n

\n

“http:\/\/t.silvinst.com\/is\/cact?i=”fd4ee38b-d713-47ba-82c7-3df8790288c7<\/b><\/span>“&ve=10.12\u201d<\/p><\/blockquote>\n

This key is the UUID, which is taken from the IOKit framework (IOPlatformUUID) by the Payload. The UUID is a unique identifier for your Mac and helps SilverInstaller keep track of which machine the installer has been run on.<\/p>\n

In the last few days, the people or person behind SilverInstaller has already changed a few things:<\/p>\n

    \n
  1. The subdomain previously used by the dropper and payload to download their contents from “http:\/\/i<\/strong>.silvinst.com” has been changed in some cases to “http:\/\/t<\/strong>.silvinst.com.”<\/li>\n
  2. The “act” payload in some cases is now signed with an adhoc\u00a0identifier and not a Developer ID certificate.<\/li>\n<\/ol>\n

    Websites that these installers have been found on are extratorrent.cc and k2s.cc. Clicking on those pages will result in pop-ups and redirects that feed the fake Flash Player installers.<\/p>\n

    Apart from the observations mentioned in the previous article, we note that the dropper does not collect User ID’s (UID’s).<\/p>\n

    \n
    \n
    \n
    \n
    \n
    \n
    \n
    \n
    \n
    \n
    \n
    \n
    \n
    $ ls -la FlashPlayer_XX.X\/base.pkg\/Scripts\/<\/span><\/div>\n
    total 48<\/span><\/div>\n
    drwxr-xr-x \u00a08 user\u00a0 admin \u00a0272 Oct 18 15:27 .<\/span><\/div>\n
    drwxr-xr-x \u00a06 user\u00a0 staff \u00a0204 Oct 18 15:27 ..<\/span><\/div>\n
    -rw-r–r– \u00a01 user\u00a0 admin \u00a0 36 Oct 17 23:35 27b86b7f-e4c5-4a4c-a56f-b54b3a423617<\/span><\/div>\n
    -rw-r–r– \u00a01 user\u00a0 admin \u00a0 36 Oct 17 23:35 51ef332f-6ed2-4574-aea5-6f8788661b68<\/span><\/div>\n
    -rw-r–r– \u00a01 user\u00a0 admin \u00a0 36 Oct 17 23:35 b45bfc63-465d-426c-8bad-f1d0dea3d202<\/span><\/div>\n
    -rw-r–r– \u00a01 user\u00a0 admin \u00a0 36 Oct 17 23:35 eaf2e7d6-f6c3-4f91-9428-cb10eb4e3cea<\/span><\/div>\n
    -rw-r–r– \u00a01 user\u00a0 admin \u00a0 36 Oct 17 23:35 f7a5b00e-fd20-45f9-9c90-7ac8a128f31f<\/span><\/div>\n
    -rwxr-xr-x \u00a01 user\u00a0 admin \u00a0595 Oct 17 23:35 postinstall<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/blockquote>\n<\/div>\n<\/div>\n<\/div>\n<\/blockquote>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/blockquote>\n
    \n

    We now know that those are Generated User ID’s (GUID’s). The GUID hashes are collected, but at this time\u00a0the research team is unable to link these to existing users on an infected system. This goes for both physical users and hidden system process users.<\/p>\n<\/div>\n

    What can Mac users do\u00a0to protect their computers?<\/h3>\n

    The steps Mac users can take to protect\u00a0their Macs remains unchanged; only download software from a reliable\u00a0source.<\/p>\n

    Manually removing SilverInstaller<\/h3>\n

    The below list was\u00a0adjusted to reflect infection of a real Mac.\u00a0If infected, Mac users can manually remove the SilverInstaller\u00a0files to clean up the infection. From the Finder menu “Go,” select “Go to Folder” and copy\/paste the following path:<\/p>\n