• An OS X Virus I Can’t Figure Out

    by  • 2013/05/28 • Apple, iOS, OSX, Thoughts • 4 Comments

    The past couple months at work I have been tracking something that I can’t figure out. I believe it to be an iOS or OS X virus that is in the wild that I have yet to find anything that detects. Here is the information I know about it and I’m putting it out here in hopes that someone else has run into the same thing and may know more information than I do.

    The reason these flags have been brought to my attention is because the suspected infected clients use P2P to download a payload from a server. Our network flags the P2P traffic which is what alerted me to the abnormal traffic.

    Clients
    All of the clients have been either iOS (iPhones and iPads) or Apple laptops running OS X.
    To my knowledge there haven’t been any Windows clients flagged for the same P2P traffic.

    What’s in common
    The main thing in common is all of the clients are initiating a P2P connection to the host update.alyac.co.kr:6969 or IP address 125.140.132.205 which both belong to a Korean antivirus company.
    All of the clients show the agent to be libtorrent.
    All users don’t seem particularly tech savvy and no common software was found between all of the computers/phones/tablets. In most cases the software installed seemed very minimal. I did not have the opportunity to gather browser history on the clients.

    What else is weird
    The requests happen in batches. The first week I noticed them there were 3-4 in that week. A little time passed and I had another 2 hits just days apart. Now I get smaller sporadic hits.

    What I have found
    I have wireshark dumps from the P2P traffic but I can’t decipher any meaningful information from them besides the actual connection being made. Email me if you want to have a look.
    I also found that the Alyac servers were hacked back in 2011 but I can’t find much else about the company or domain.

    So I am posting this for anyone with more information to help me track down what is happening. I find it too coincidental that P2P traffic is going to a random Korean website when the users don’t appear to have any P2P traffic installed. Please leave a comment if you’ve seen something similar or have any other information on what may be happening.

    About

    Avid learner with a passion for technology and people. He is always trying new things or taking something apart to make it better.

    http://1n73r.net

    4 Responses to An OS X Virus I Can’t Figure Out

    1. Bob
      2014/03/13 at 15:12

      I have the same type of traffic coming from a Windows 8.1 x64 bit client so it isn’t limited to just OSX FWIW

    2. glmeece
      2014/05/29 at 15:15

      Did you ever figure this out? It does seem to be pinging some kind of antivirus site. Here’s part of the site listing what I assume are either updates or app-submitted reports:

      http://liveupdate.alyac.co.kr/update/free/BD/BDInfo.txt

      When I look up this software, it seems to be entirely a Windows and Android product, which is the direct inverse of your user population. This is a head-scratcher!

      • 2014/05/29 at 15:24

        No I didn’t. The machines that were having the problem all left for the summer (students) and in the fall I never had the problem again.

        • glmeece
          2014/05/29 at 15:34

          Sometimes its nice when a problem like that just works itself out. Still, frustrating to not find the origin.

          I toured your campus with my daughter a few years back. She ended up going to Biola instead. :-)

    Leave a Reply

    Your email address will not be published. Required fields are marked *