Trojan:MacOS_X/QHost.A
First posted on 31 August 2011.
Source: SecurityHome
Aliases
Trojan:MacOS_X/QHost.A is also known as Trojan.SH.QHost.GMU (VirusBuster), Trojan.Hosts.4737 (Dr.Web), Linux/Qhost.A trojan (ESET), Virus.Hosts (Ikarus), Trojan.BAT.Qhost.nh (Kaspersky), OSX/Qhosts (McAfee), Troj/QHost-CU (Sophos), Trojan.Chost (Symantec).
Explanation
Trojan:MacOS_X/QHost.A is a malicious program that modifies the Hosts file to redirect specific websites to a predetermined IP address.
Installation
Trojan:MacOS_X/QHost.A may arrive as the file "FlashPlayer.pkg", which poses as an installer of Adobe Flash Player for Mac.
The malicious bash script file "preinstall" is contained within the installer package file. It takes advantage of Apple's Mac OS X Installer packaging, which allows custom scripts to run during the installation process.
The package also contains "info.plist", which defines the installation requirements. The trojan requires root privileges to successfully run its payload.
Payload
Modifies Hosts file
Trojan:MacOS_X/QHost.A modifies the Hosts file found in the /private/etc/ folder. It redirects a long list of Google domains, including many national Google sites, to the IP address 91.224.160.26.
As a result, the remote server receives the traffic intended for any of these hosts, and it may alter the results and content of the search page.
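To check a Mac for this kind of Hosts-file tampering, here is an added example (not part of the original analysis): a small Python checker that parses the file and reports every entry mapping a hostname to an address that is not local to the machine. The sample hosts content and the hostname google.example are constructed for the example; the address 91.224.160.26 is the one named in the analysis.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a macOS /private/etc/hosts file after a QHost-style
# modification: Apple's default entries, then lines pointing Google hostnames
# at the remote address 91.224.160.26.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
fe80::1%lo0\tlocalhost
91.224.160.26 www.google.com
91.224.160.26 google.example   # constructed hostname, not from the report
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, name) for name in names)
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Flag entries whose address is not loopback, link-local or broadcast.

    A stock macOS hosts file only maps localhost/broadcasthost to such
    addresses, so any hostname resolved to a routable address is reported.
    Unparsable addresses are reported as well rather than silently skipped.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip.split("%", 1)[0])  # strip scope id
        except ValueError:
            flagged.append((ip, name))
            continue
        local = addr.is_loopback or addr.is_link_local or ip == "255.255.255.255"
        if not local:
            flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    with open("/private/etc/hosts", encoding="utf-8") as fh:
        for ip, name in suspicious_entries(fh.read()):
            print(f"suspicious hosts entry: {name} -> {ip}")
```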
Analysis by Methusela Cebrian Ferrer
Last update 31 August 2011