The Latest in IT Security



We came across a fake FlashPlayer.pkg installer for Mac:

Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g.,,, etc) to the IP address, which is located in the Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
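A defender-side check for the hosts-file change described above, as an added example that is not part of the original analysis: it lists hosts entries that pin a Google hostname to a non-local address. The function names, the sample file and the 203.0.113.10 documentation address are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts-file entries that map a Google hostname
# to a static, non-local address.

# Usage: find_google_redirects [hosts_file]   (default: /etc/hosts)
# Output: one "line_number address hostname" record per suspicious name.
find_google_redirects() {
    awk '
    {
        sub(/#.*/, "")                 # drop full-line and trailing comments
        if (NF < 2) next               # blank line, or address with no names
        addr = tolower($1)
        # Loopback/unspecified targets are typical of local blocklists,
        # not of a redirect to a remote server (assumption of this example).
        if (addr ~ /^127\./ || addr == "0.0.0.0" || addr == "::1" || addr == "::") next
        for (i = 2; i <= NF; i++) {    # one line may carry several hostnames
            name = tolower($i)
            sub(/\.$/, "", name)       # tolerate a trailing root dot
            # google.<tld>, google.<sld>.<tld>, and any subdomain of those
            if (name ~ /^([a-z0-9-]+\.)*google\.[a-z]+(\.[a-z]+)?$/)
                print NR, addr, name
        }
    }' "${1:-/etc/hosts}"
}

# Constructed sample: stock macOS entries plus appended redirects.
# 203.0.113.10 is a documentation address, not the one from the post.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
# 203.0.113.10 google.com   (commented out, ignored)
203.0.113.10	google.com www.google.com
203.0.113.10 WWW.GOOGLE.COM.TW  # mixed case
0.0.0.0 ads.google.com
203.0.113.10 notgoogle.example
EOF
}

# Demo on the constructed sample file.
demo_file=$(mktemp)
write_sample_hosts "$demo_file"
find_google_redirects "$demo_file"
rm -f "$demo_file"
```

A stock macOS hosts file contains only the localhost and broadcasthost entries, so any record this prints for `/etc/hosts` is worth investigating.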

As an example, this is what looks like on a normal, uninfected system:

trojan_bash_qhost_wb_google_tw_clean (68k image)

In contrast, this is what looks like on an infected system:

trojan_bash_qhost_wb_google_tw_infected_system (72k image)

When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.

Here’s a search request on the real site on a clean system:

trojan_bash_qhost_wb_google_tw_clean_searches (169k image)

And here’s the same request on an infected system:

trojan_bash_qhost_wb_google_tw_infected_system_searches (250k image)

Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does, however, open new pop-up pages, which are all pulled from a separate remote server:

trojan_bash_qhost_wb_google_tw_infected_system_search_source (173k image)

At the time of writing, the pop-up pages aren’t displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.

The other remote server returning fake search requests appears to be still active.

We detect this trojan as Trojan:BASH/QHost.WB.


Analysis by – Brod
