Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)

The recently discovered backdoor for Mac, Olyx (Criminals gain control over Mac with BackDoor.Olyx), was used for targeted attacks (or what appears to be targeted attacks), which is not surprising. As Microsoft pointed out, in addition to the malware, the package contains an HTML page and photos from a Wikipedia page for events dated July 5, 2009; however, it appears that all of the photos relate to one event, the July 2009 Ürümqi riots in China.

"Government censors disabled keyword searches for "Urumqi", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down. Many unauthorized postings on local sites and Google were said to have been "harmonised" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord."

Perhaps the trojans found in the package, the Ghostnet backdoor (Backdoor:Win32/Remosh.A) and the new Backdoor:MacOS_X/Olyx.A, were destined for a Chinese human rights activist, who would be likely to be interested in this particular event update. In addition, it is known that many of the Gh0stnet targets were human rights activists.
General File Information
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html Page 1 of 8

MD5: 93a9b55bb66d0ff80676232818d5952f
File Type: Mach-O I386
Malware: Backdoor.Olyx

MD5: f65fbeb945348ad2e1a123ef5cee65d3
File Type: Windows PE EXE
Malware: Ghostnet backdoor

Additional information and Analysis links
----------------------------------------------------------------------

Microsoft Malware Protection Center posted an excellent analysis with a lot of details, which you can find at the link below:
Backdoor Olyx - is it malware on a mission for Mac?

Original report of the Olyx backdoor by Dr.Web:
Criminals gain control over Mac with BackDoor.Olyx

MD5: 93a9b55bb66d0ff80676232818d5952f
File Type: Mach-O I386
Malware: Backdoor.Olyx

I am not a Mac or RE expert; I just made a few screenshots of the disassembled Mach-O file with Microsoft's comments, which I thought were relevant. Please correct me if needed :)

MD5: f65fbeb945348ad2e1a123ef5cee65d3
File Type: Windows PE EXE
Malware: Ghostnet backdoor

Anubis Analysis: http://anubis.iseclab.org/?action=result&task_id=1ae9dcbf36d882e541d8fa26d533a9d39&format=html

Here is a screenshot of the certificate, which was revoked, and some strings from the binary.

Automated Scans

Current events 2009 July 5
Submission date: 2011-07-27 05:07:51 (UTC)
Result: 19/43 (44.2%)
http://www.virustotal.com/file-scan/report.html?id=a5c1b89b26007f4672409e0e7a3ab85135a0ffc01c74c4b6d49084da7fe9def5-1311743271

Engine                Engine version    Definitions   Detection name
AhnLab-V3             2011.07.27.00     2011.07.27    MacOS_X/Olyx
Avast                 4.8.1351.0        2011.07.26    MacOS:Olyx [Trj]
Avast5                5.0.677.0         2011.07.26    MacOS:Olyx [Trj]
BitDefender           7.2               2011.07.27    MAC.OSX.Backdoor.Olyx.A
Comodo                9524              2011.07.27    UnclassifiedMalware
DrWeb                 5.0.2.03300       2011.07.27    BackDoor.Olyx.1
Emsisoft              5.1.0.8           2011.07.27    Backdoor.OSX.Olyx!IK
F-Secure              9.0.16440.0       2011.07.27    Backdoor:OSX/Olyx.A
GData                 22                2011.07.27    MAC.OSX.Backdoor.Olyx.A
Ikarus                T3.1.1.104.0      2011.07.27    Backdoor.OSX.Olyx
Kaspersky             9.0.0.837         2011.07.27    Backdoor.OSX.Olyx.a
Microsoft             1.7104            2011.07.26    Backdoor:MacOS_X/Olyx.A
NOD32                 6327              2011.07.27    OSX/Olyx.A
PCTools               8.0.0.5           2011.07.27    Backdoor.Olyx
Sophos                4.67.0            2011.07.27    OSX/Bckdr-RID
Symantec              20111.1.0.186     2011.07.27    Backdoor.Olyx
TrendMicro-HouseCall  9.200.0.1012      2011.07.27    OSX_OLYX.WA
VBA32                 3.12.16.4         2011.07.26    BackDoor.OSX.Generic
VirusBuster           14.0.140.0        2011.07.26    Backdoor.OSX.Olyx.A

MD5: 93a9b55bb66d0ff80676232818d5952f

Video-Current events 2009 July 5.exe - WINDOWS BINARY
Submission date: 2011-07-27 05:00:39 (UTC)
Result: 19/43 (44.2%)
http://www.virustotal.com/file-scan/report.html?id=d2f45192f22ef62a694facd0604b12c8c748ac94a6d8a2913f4beec7f04be1c1-1311742839

Engine                Engine version    Definitions   Detection name
AhnLab-V3             2011.07.27.00     2011.07.27    Win-Trojan/Olyx.205480
AntiVir               7.11.12.130       2011.07.27    BDS/Olyx.A
BitDefender           7.2               2011.07.27    Backdoor.Wolyx.A
Comodo                9524              2011.07.27    TrojWare.Win32.Magania.~AD
DrWeb                 5.0.2.03300       2011.07.27    Trojan.PWS.Multi.228
Emsisoft              5.1.0.8           2011.07.27    Trojan-PWS.Win32.Hangame.cl!IK
eSafe                 7.0.17.0          2011.07.26    Win32.Backdoor.Troja
GData                 22                2011.07.27    Backdoor.Wolyx.A
Ikarus                T3.1.1.104.0      2011.07.27    Trojan-PWS.Win32.Hangame.cl
McAfee                5.400.0.1158      2011.07.27    Artemis!F65FBEB94534
McAfee-GW-Edition     2010.1D           2011.07.26    Heuristic.BehavesLike.Win32.AdSpyware.A
Microsoft             1.7104            2011.07.26    Backdoor:Win32/Wolyx.A
NOD32                 6327              2011.07.27    Win32/Delf.OBY
Panda                 10.0.3.5          2011.07.26    Suspicious file
PCTools               8.0.0.5           2011.07.27    Backdoor.Trojan
Symantec              20111.1.0.186     2011.07.27    Backdoor.Trojan
TrendMicro-HouseCall  9.200.0.1012      2011.07.27    BKDR_WOLYX.WA
VIPRE                 9978              2011.07.27    Trojan.Win32.Generic.pak!cobra
VirusBuster           14.0.140.0        2011.07.26    Backdoor.Wolyx!YVAf5CV8Y34

MD5: f65fbeb945348ad2e1a123ef5cee65d3

Anubis Analysis: http://anubis.iseclab.org/?action=result&task_id=1ae9dcbf36d882e541d8fa26d533a9d39&format=html

Traffic

121.254.173.57 Host reachable, 234 ms. average

121.254.128.0 - 121.254.255.255
Korea Internet Data Center Inc.
Korea, Republic of
Yunmi Lee ip@kidc.net
KIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul
phone: +82-2-6440-2925 fax: +82-2-6440-2909

Source: http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html
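As an added example (not part of the original post or of any of the linked analyses), here is a small Python triage helper that turns the indicators above into something a defender can run: the two sample MD5s and the 121.254.173.57 address are used as the IOC list; files are classified from their leading magic bytes (the Mach-O I386 and Windows PE EXE types named in the file information) and their MD5 is looked up against the list; and a few constructed firewall-style log lines are scanned for connections to the listed address. The log line format, the constructed header bytes and all function names are assumptions made for this example; only the three indicators come from the post.

```python
import hashlib
import re

# Indicators taken from the post: the two sample MD5s and the address from
# the Traffic section. Labels are the malware names the post gives.
IOC_MD5 = {
    "93a9b55bb66d0ff80676232818d5952f": "Backdoor.Olyx (Mach-O I386)",
    "f65fbeb945348ad2e1a123ef5cee65d3": "Ghostnet backdoor (Windows PE EXE)",
}
IOC_IPS = {"121.254.173.57"}

# Mach-O magic values as they appear on disk for little-endian hosts.
MACHO_32_LE = b"\xce\xfa\xed\xfe"
MACHO_64_LE = b"\xcf\xfa\xed\xfe"
MACHO_FAT = b"\xca\xfe\xba\xbe"
CPU_NAMES = {7: "I386", 0x01000007: "X86_64", 12: "ARM", 0x0100000C: "ARM64"}


def classify_by_magic(data: bytes) -> str:
    """Coarse file-type identification from the first bytes of a file."""
    magic = data[:4]
    if magic in (MACHO_32_LE, MACHO_64_LE):
        bits = 32 if magic == MACHO_32_LE else 64
        # cputype follows the magic in the mach_header.
        cputype = int.from_bytes(data[4:8], "little") if len(data) >= 8 else -1
        arch = CPU_NAMES.get(cputype, "cputype=%#x" % cputype)
        return "Mach-O %s (%d-bit)" % (arch, bits)
    if magic == MACHO_FAT:
        return "Mach-O universal (fat) binary"
    if data[:2] == b"MZ":
        # The DOS header stores the PE header offset (e_lfanew) at 0x3C.
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "Windows PE EXE"
        return "MZ executable without a PE header"
    if data[:4] == b"Rar!":
        return "RAR archive"
    return "unknown"


def lookup_md5(md5_hex: str):
    """Return the IOC label for a known hash, or None if it is not listed."""
    return IOC_MD5.get(md5_hex.lower())


def check_sample(data: bytes) -> dict:
    """Hash a file's bytes, classify it and look the hash up in the IOC list."""
    md5_hex = hashlib.md5(data).hexdigest()
    return {"md5": md5_hex, "type": classify_by_magic(data),
            "ioc_match": lookup_md5(md5_hex)}


# Constructed log lines in an assumed "timestamp src:port -> dst:port" format;
# two of them go to the address from the post's Traffic section.
SAMPLE_LOG = """\
2011-07-27 05:10:01 10.0.0.12:49152 -> 121.254.173.57:80
2011-07-27 05:10:03 10.0.0.12:49153 -> 93.184.216.34:443
2011-07-27 05:11:17 10.0.0.15:49201 -> 121.254.173.57:443
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def find_c2_hits(log_text: str) -> list:
    """Return one record per log line whose destination is a listed C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("dst") in IOC_IPS:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "dst": m.group("dst"), "dport": int(m.group("dport"))})
    return hits


# Constructed headers (not the real samples): a 32-bit Mach-O with cputype 7
# (CPU_TYPE_I386) and a minimal MZ stub whose e_lfanew points at a PE signature.
SAMPLE_MACHO = MACHO_32_LE + (7).to_bytes(4, "little") + (3).to_bytes(4, "little")
SAMPLE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    for name, blob in (("macho", SAMPLE_MACHO), ("pe", SAMPLE_PE)):
        print(name, check_sample(blob))
    print("known hash:", lookup_md5("93a9b55bb66d0ff80676232818d5952f"))
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 contact:", hit)
```

Point `check_sample` at the bytes of each file extracted from the archive (rather than the constructed headers) to reproduce the file-type labels in the post and match the hashes; the magic-byte check is deliberately independent of the file extension, which matters here because the Windows sample carries a "Video-…" name.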