Recently a lot of communications have spread starting from this analysis: OSX/MaMi analysis

When I read this analysis, I found that 2 DNS servers are defined as default ones for the IP configuration:

82.163.143.135
82.163.142.137

I discovered that these 2 addresses belong to an Israeli company:

GreenTeam Internet

(see: IP info)

who developed a product, GreenTeamDNS, to filter Internet access based on whitelists and blacklists applied to DNS requests. Thus, this software is clearly using DNS server redirection.

I further tested these 2 addresses and they correctly reply as plain DNS servers or relays.

From your critical point of view, which analysis is the right one?

dan

1 Answer

This might be new on Mac but seems to be older on Windows. See for example this analysis from 2015 about some malware which changed the DNS settings to ones from the same owner and which also talks about the same silently installed root CA certificate. To cite: "Given the above I would say this is a potentially legitimate company (in the past) turned rogue." See also this article about the DNSUnlocker adware family, which also uses DNS servers in the IP block owned by GreenTeam Internet. Also, the way it is distributed does not really look like some benign software.

Steffen Ullrich
  • The redirecting of `google-analytics`, which could be seen as spyware, is to: `dig www.google-analytics.com @82.163.143.172` → `82.163.143.94`, which looks like an HTTP & HTTPS relay. If this was the case of 2 blocks (/24) of IP addresses used for illegal activity for 3 years, I suspect they should have been shut down. BTW, all these addresses are located in the London center. – dan Jan 19 '18 at 14:52
  • @danielAzuelos: see the reputation for example for 82.163.143.176: https://www.liveipmap.com/82.163.143.176. Or [here](https://malwaretips.com/blogs/ads-by-ghostify-removal/) for another report about ad injecting malware using these DNS. – Steffen Ullrich Jan 19 '18 at 16:21
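The two checks discussed in this thread, whether a Mac's configured resolvers point into the GreenTeam Internet address blocks and whether a resolver returns different answers than a reference resolver (what the `dig ... @server` comparison in the comments does by hand), as an added example that is not part of the original question or answer. It parses `scutil --dns` output (the sample below is constructed, with the two nameservers quoted in the question), checks each nameserver against the two /24 blocks named in the comments, and compares two constructed answer sets; the reference resolver answer `203.0.113.10` is a placeholder from the documentation range, not a real record. A hit here is a lead for further investigation, not a verdict on its own.

```python
"""Detect resolver redirection on macOS from `scutil --dns` output.

Added example, not code from the original post. Assumptions: the scutil
output format shown in SAMPLE_SCUTIL_OUTPUT (constructed here), the two
/24 blocks named in the thread, and constructed resolver answer sets.
"""
import ipaddress
import re
import sys

# The two /24 blocks discussed in the thread (GreenTeam Internet). A resolver
# inside them is worth investigating; membership alone is not proof of malware.
SUSPECT_BLOCKS = [
    ipaddress.ip_network("82.163.142.0/24"),
    ipaddress.ip_network("82.163.143.0/24"),
]

# Constructed `scutil --dns` output; the two nameservers are the ones from the question.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
"""

# Constructed answer sets: name -> set of A records returned by each resolver.
# The configured-resolver value is the relay address quoted in the comments;
# the reference value is a placeholder from the 203.0.113.0/24 documentation range.
SAMPLE_CONFIGURED_ANSWERS = {"www.google-analytics.com": {"82.163.143.94"}}
SAMPLE_REFERENCE_ANSWERS = {"www.google-analytics.com": {"203.0.113.10"}}

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def configured_nameservers(scutil_output):
    """Return every nameserver address listed in `scutil --dns` output, in order."""
    return NAMESERVER_RE.findall(scutil_output)


def flag_suspect_resolvers(nameservers):
    """Return (address, block) pairs for nameservers inside SUSPECT_BLOCKS.

    Non-address tokens (e.g. scoped IPv6 with %en0) are skipped rather than
    raising, so a single odd entry does not abort the whole check.
    """
    flagged = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            continue
        for block in SUSPECT_BLOCKS:
            if addr in block:
                flagged.append((ns, str(block)))
                break
    return flagged


def redirected_names(configured_answers, reference_answers):
    """Return names whose A records from the configured resolver share no
    address with the reference resolver's answer (i.e. look redirected)."""
    redirected = []
    for name, ref_ips in reference_answers.items():
        got = configured_answers.get(name, set())
        if got and not (got & ref_ips):
            redirected.append(name)
    return sorted(redirected)


def main():
    # Use real `scutil --dns` output when piped in, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCUTIL_OUTPUT
    for ns, block in flag_suspect_resolvers(configured_nameservers(text)):
        print(f"configured resolver {ns} is inside suspect block {block}")
    for name in redirected_names(SAMPLE_CONFIGURED_ANSWERS, SAMPLE_REFERENCE_ANSWERS):
        print(f"{name}: configured resolver answer differs from reference resolver")


if __name__ == "__main__":
    main()
```

Run it on a live machine with `scutil --dns | python3 check_resolvers.py`; the answer-set comparison is fed constructed data here, but the same function applies to records collected with two `dig` queries (one at the configured resolver, one at a resolver you trust). Comparing against a reference resolver catches the relay behaviour even when the suspect address blocks change, which a static block list alone would miss.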