Index

Please note that the index links to the approximate location of each term.

A

Abbati, Arnaud, 117

ABI (application binary interface), 128

Activity Monitor tool, 64

adware

adware-related hijacks and injections, 54–56

Bitdefender Adware Removal Tool, 49

Crossrider, 43

5mLen, 70, 80–81

Pitchofcase, 40

aevt_decompile decompiler, 87

Amnesty International, 63

analysis. See dynamic analysis; static analysis

analysis tool detection

detecting debugger, 209–210

preventing debugging, 210–211

targeting security tools, 208–209

analyzing EvilQuest malware

anti-analysis logic, 233–242

command line parameters, 231–233

confirming file type, 223–224

extracting contents, 224–225

extracting embedded information, 229–231

file encryption logic, 275–277

file exfiltration logic, 271–275

infection vector, 221–223

local viral infection logic, 253–263

persistence, 243–252

remote communications logic, 263–271

repersistence logic, 252–253

Suspicious Package utility, 225–228

analyzing scripts

AppleScript, 82–88

bash shell scripts, 76–78

Perl scripts, 88–89

Python scripts, 78–82

anti-analysis logic, 176–177

anti-dynamic-analysis approaches, 204–216

anti-static-analysis approaches, 188–204

environmentally generated keys, 216–217

EvilQuest malware, 233–242

debugging-thwarting logic, 234–238

obfuscated strings, 238–242

virtual machine-thwarting logic, 233–234

overview, 187

anti-dynamic-analysis approaches

analysis tool detection, 208–211

detecting debugger, 209–210

preventing debugging, 210–211

targeting security tools, 208–209

bypassing, 211–216

execution environment, modifying, 213

modifying instruction pointer, 214–215

modifying register value, 216

patching binary image, 213–214

virtual machine detection, 204–207

counting logical and physical CPUs, 206

MAC address, checking, 207

overview, 204–205

SIP status, 208

system model name, checking, 205–206

anti-infection protection mechanisms

application notarization requirements, 4–5

File Quarantine, 4

Gatekeeper, 4

anti-static-analysis approaches

code-level obfuscations, 199–204

binary encryptors, 202–204

overview, 199–201

packers, 201–202

string-based obfuscation, 188–199

encrypted strings, 189–191

finding deobfuscation code, 193–194

forcing malware to execute decryption routine, 197–199

locating obfuscated strings, 191–192

sensitive strings disguised as constants, 188–189

via Hopper script, 194–196

Apparency application, 91–92

append_ei function, EvilQuest malware, 257–259

Appify tool, 115, 116–117

Apple Disk Images (.dmg), 72

AppleJeus malware, 75–76, 135, 151–152

AppleScript, 82–88

Apple Silicon, 102, 126

application binary interface (ABI), 128

application bundles

Contents/_CodeSignature file, 93

Contents/ directory, 93

Contents/Info.plist file, 93–95

Contents/MacOS directory, 93

Contents/Resources directory, 93

defined, 91

WindTail malware, 91–95

applications

Apparency application, 91–92

application bundles, 91–95

application notarization requirements, 4–5

cracked, 9–10

fake, 7–8

pirated, 9–10

trojanized, 8–9

Art of Computer Virus Research and Defense, The (Szor), 253

assembly, 126–130

calling conventions, 127–128

defined, 126

instructions, 127

objc_msgSend function, 128–130

overview, 126

registers, 126–127

assembly (ASM) mode, Hopper, 146

B

backtrace command, LLDB debugger, 175

bash shell scripts, 76–78

binary analysis

extracting nonbinary components, 116–122

Mach-O binary file format, 99–114

classifying, 107–114

data segments, 106–107

header, 100–103

load commands, 103–106

overview, 99–100

tools used to build binaries, 115–116

binary encryptors, 202–204

binary modifications, 42–43

BirdMiner malware, 10, 56, 155–156

BitcoinMagazine-Quidax_InterviewQuestions_2018 document, 51

Bitdefender Adware Removal Tool, 49

breakpoint command, LLDB debugger, 174

breakpoint delete command, LLDB debugger, 174

breakpoint enable/disable command, LLDB debugger, 174

breakpoint list command, LLDB debugger, 174

breakpoint modify command, LLDB debugger, 174

breakpoints

adding commands to, 173–174

conditionally triggering, 172–173

defined, 170

managing, 174

overview, 170–171

setting on method names, 172

brute-forcing, 17

__bss section, Mach-O binary __DATA segment, 106

Bundlore malware, 117

C

calling conventions, assembly, 127–128

capabilities

adware-related hijacks and injections, 54–56

categorizing, 47–48

cryptocurrency miners, 56–57

defined, 1

file encryption, 61–62

memory execution, 58–59

privilege escalation

root privileges, 52–54

sandboxes, 50–51

reconnaissance logic, 48–49

remote download/upload, 59–61

remote process, 58

remote shells, 57–58

spyware, 64–65

stealth, 62–64

surveys, 48–50

carve_target function, EvilQuest malware, 276

C/C++ disassembly, 135–137

certificate file exfiltration, 272–275

CFG (control flow graph) mode, Hopper, 146

CFStringGetCString function, 137

Checkm8 exploit, 20

class-dump utility, 113114

code-level obfuscations

binary encryptors, 202–204

defined, 188

overview, 199–201

packers, 201–202

code-signing authorities, 109

codesign utility, 108–111

Cohen, Frederick, 253

ColdRoot malware, 154

commands, adding to breakpoints, 173–174

construct_plist_path function, EvilQuest malware, 251

__const section, Mach-O binary __TEXT segment, 106

Contents/_CodeSignature file, 93

Contents/ directory, 93

Contents/Info.plist file, 93–95

Contents/MacOS directory, 93

Contents/Resources directory, 93

continue command, LLDB debugger, 169

control flow disassembly, 137–139

control flow graph (CFG) mode, Hopper, 146

CookieMiner malware, 56, 157

CPUMeaner malware, 56, 73–74

cputype member, Mach-O header, 101

cracked applications, 9–10

CreativeUpdate malware, 16, 56, 109, 117–118

cron jobs, 32–33

cross-references, Hopper, 144–145

Crossrider adware, 43

cryptocurrency

cryptocurrency file exfiltration, 272–275

uncovering cryptocurrency mining in App Store app, 180–185

cryptocurrency miners, 56–57

__cstring section, Mach-O binary __TEXT segment, 106

CTRL-C command, LLDB debugger, 169

custom URL schemes, 10–13

Cylance antivirus firm, 59

D

Dacls backdoor malware, 133–134, 159–160

DarthMiner malware, 56

__data section, Mach-O binary __DATA segment, 106

__DATA segment, Mach-O binary file format, 104, 107

dataWithBytes:length: method, Objective-C disassembly, 130

debugging

LLDB debugger, 167–180

breakpoints, 170–174

controlling execution, 169–170

displaying runtime information, 174–176

modifying process state, 176–178

overview, 167–168

scripts, 178–180

starting session, 168–169

overview, 165

power of, 166–167

uncovering cryptocurrency mining in App Store app, 180–185

debugging-thwarting logic, 234–238

decompilation, 139–140

Decompiler tool, 80

Devadoss, Dinesh, 222, 275

DevilRobber malware, 84

directory listing exfiltration, 271272

disassembly

C/C++, 135–137

control flow, 137–139

Objective-C, 130–133

Swift, 133–135

display modes, Hopper, 145–146

distribution packaging, extracting malicious files from

Apple Disk Images, 72

packages, 73–76

.dmg (Apple Disk Images) file extension, 72

.docm file extension, 89–90

Dok malware, 5

DoubleFantasy malware, 194–196

Dummy malware, 57

dumping (printing), debugging process, 166–167, 174

DYLD_* environment variables, 35–36

dylibs. See dynamic libraries

dynamic analysis

debugging, 165–185

LLDB debugger, 167–180

overview, 165

power of, 166–167

scripts, 178–180

uncovering cryptocurrency mining in App Store app, 180–185

defined, 67

file monitoring, 153–156

FileMonitor utility, 155–156

fs_usage utility, 154–155

overview, 153–154

network monitoring, 157–163

Netiquette utility, 159–160

network status monitors, 158–159

network traffic monitors, 160–163

overview, 157–158

overview, 149–150

process monitoring, 150–153

overview, 150–151

ProcessMonitor utility, 151–153

dynamic libraries (dylibs), 34–39

DYLD_* environment variables, 35–36

dylib hijacking, 37–39

dylib proxying, 36–37

overview, 34–35

E

EFI (Extensible Firmware Interface) exploits, 20

ei_carver_main function, EvilQuest malware, 275

ei_forensic_sendfile function, EvilQuest malware, 274

ei_forensic_thread function, EvilQuest malware, 271

ei_loader_main function, EvilQuest malware, 254

ei_pers_thread function, EvilQuest malware, 252

ei_rfind_cnc and ei_getip function, EvilQuest malware, 281

ei_selfretain_main function, EvilQuest malware, 249–250

ei_str function, EvilQuest malware, 239–240

8-bit registers, 127

eiht_get_update function, EvilQuest malware, 262–263

Eleanor malware, 150–151

Electron tool, 115–116, 120

embedded information, extracting, 229–231

Endpoint Security framework, 151

environmentally generated keys, 216–217

Equation Group, 217

ESET antivirus company, 10

Esser, Stefan, 54

event monitor rules, 41

EvilQuest malware, 43, 52, 62, 215

analyzing

anti-analysis logic, 233–242

command line parameters, 231–233

confirming file type, 223–224

extracting contents, 224–225

extracting embedded information, 229–231

file encryption logic, 275–277

file exfiltration logic, 271–275

infection vector, 221–223

local viral infection logic, 253–263

persistence, 243–252

remote communications logic, 263–271

repersistence logic, 252–253

Suspicious Package utility, 225–228

invoking string decryption routine, 197–199

updates, 277–281

exfiltration, 59–61

certificate and cryptocurrency exfiltration, 272–275

directory listing exfiltration, 271–272

exploits

Checkm8, 18–19

defined, 18

EFI, 18–19

zero-day, 18–19

Extensible Firmware Interface (EFI) exploits, 20

externally facing services, 17–18

F

fake applications, 7–8

fake security alerts, 6–7

fake updates, 7

fat_header, Mach-O header, 102

52M_rj function, EvilQuest malware, 278

file command

identifying byte-compiled Python script with, 70–71

identifying Office documents, 89

file encryption logic, 61–62, 275–277

file exfiltration logic, EvilQuest malware analysis

certificate and cryptocurrency file exfiltration, 272–275

directory listing exfiltration, 271–272

file monitoring

FileMonitor utility, 155–156

fs_usage utility, 154–155

overview, 153–154

FileMonitor utility, 155–156

File Quarantine, 4

filetype member, Mach-O header, 101

file utility, 228

EvilQuest malware, 223

Mach-O header, 103

WindTail malware, 71

FindCrypt plug-in, 194

FinFisher malware, 172

finish command, LLDB debugger, 169

FinSpy, 63

FireEye, 53

Flashback malware, 18

Flash zero-day, 19

FruitFly malware, 17, 64, 88–89, 151

fs_usage utility, 12, 154–155

G

garbage (spurious) instructions, 200

Gatekeeper, 4

get_mediator function, EvilQuest malware, 263–265

get_targets function, EvilQuest malware, 254, 272–274, 275

getDeviceSerial function, 135–136, 137, 139

GMERA, 63

Grant, Ari, 172

GravityRAT malware, 118–121

H

HackingTeam cyberespionage company, 19

Handbrake application, 16

handlers, AppleScript, 87

header, Mach-O binary file format, 100–103

cputype member, 101

fat_header, 102

filetype member, 101

file utility and, 103

lipo tool and, 102–103

magic member, 100–101

offset member, 102

otool utility and, 101

hexadecimal mode, Hopper, 146

-h flag, Mach-O header, 101

Homebrew package manager, 6

Hopper, 125, 139

cross-references, 144145

Inspector view, 141142

Proc view, 142

reverse engineering with, 140146

creating binary to analyze, 140141

display modes, 145146

interface, 141143

loading binary, 141

viewing disassembly, 143145

string-based obfuscation via Hopper script, 194196

Str view, 142

hostname command, 89

--ignrp command line parameter, EvilQuest malware, 233

I

infection vectors

anti-infection protection mechanisms, 4–5

cracked applications, 9–10

custom URL schemes, 10–13

defined, 1

EvilQuest malware, 221–223

exploits, 18–20

externally facing services, 17–18

fake applications, 7–8

fake security alerts, 6–7

fake updates, 7

malicious emails, 5–6

Office macros, 14–15

overview, 3–4

physical attacks, 19

pirated applications, 9–10

supply chain attacks, 16

trojanized applications, 8–9

Xcode projects, 15–16

Info.plist file

defined, 11

WindTail malware, 93–95

Inspector view, Hopper, 141–142

Intego security company, 7

interactive shells, 57

IOServiceGetMatchingService function, 136–137

IPStorm malware, 17–18

Iran Threats blog, 49

is_debugging function, EvilQuest malware, 235–236

is_executable function, EvilQuest malware, 255–257

iWorm malware, 10

J

jobs, 33

K

KeRanger ransomware, 61, 213–215

keychains, 49

kill_unwanted function, EvilQuest malware, 244

KnockKnock open source utility, 44–45

Komplex malware, 58, 130, 138, 210

L

launch agents, 26–32

launch daemons, 26–32

Lazarus Group, 58, 61, 91, 133, 217

AppleJeus, 75–76, 135, 151–152

Dacls backdoor malware, 133–134, 159–160

JMTTrader.app, 8–9

LC_LOAD_DYLIB load command, Mach-O binary file format, 105–106

LC_MAIN load command, Mach-O binary file format, 104–105

LC_SEGMENT_64 load command, Mach-O binary file format, 104

lfsc_dirlist function, EvilQuest malware, 272

__LINKEDIT segment, Mach-O binary file format, 104

lipo tool, Mach-O header, 102–103

Little Snitch firewall, 49, 209

LLDB debugger

breakpoints, 170–174

adding commands to, 173–174

conditionally triggering, 172–173

defined, 170

managing, 174

overview, 170–171

setting on method names, 172

controlling execution, 169–170

examining runtime information, 174–176

modifying process state, 176–178

overview, 167–168

starting session, 168–169

load commands, Mach-O binary file format

LC_LOAD_DYLIB, 105–106

LC_MAIN, 104–105

LC_SEGMENT_64, 104

overview, 103–104

local viral infection logic

checking which files to infect, 255–257

EvilQuest malware analysis, 253–263

executing original code of infected file, 262–263

executing and repersisting from infected files, 260–262

infecting target files, 257–260

listing candidate files for infection, 254

overview, 253–254

login items, 24–26

login/logout hooks, 34

LoudMiner malware, 10

lsof utility, 159

M

MacDownloader malware, 49, 60

Mach-O binary file format, 76, 95

classifying, 107–114

code-signing information, 109–111

hashes, 107–109

Objective-C class information, 113–114

strings, 112–113

header, 100–103

cputype member, 101

fat_header, 102

filetype member, 101

file utility and, 103

lipo tool and, 102–103

magic member, 100–101

offset member, 102

otool utility and, 101

load commands, 103–106

LC_LOAD_DYLIB, 105–106

LC_MAIN, 104–105

LC_SEGMENT_64, 104

overview, 103–104

overview, 99–100

segments, 106–107

__DATA segment, 107

__TEXT segment, 107

__LINKEDIT segment, 104

MachOView utility, 101

mach port, 136

macOS Catalina (10.15), 4–5

MacRansom, 205–206

macros

extracting, 89–90

macro-based attacks, 14–15

MacUpdate website, 56, 117

magic member, Mach-O header, 100–101

malicious emails, 5–6

Malwarebytes, 54

Mami malware, 166

MD5 hash, 107–108

memory execution, 58–59

memory write command, LLDB debugger, 177–178

MH_BUNDLE (0x8) value, Mach-O header, 101

MH_DYLIB (0x6) value, Mach-O header, 101

MH_EXECUTE (0x2) value, Mach-O header, 101

MinerGate, 118

mnemonics, assembly instructions, 127

Mokes malware, 64, 159

Mughthesec malware, 54, 207, 213

N

name mangling, 133, 135

Netcat utility, 150

Netiquette utility, 60, 159–160

netstat utility, 158

nettop utility, 158

NetWire malware, 191–192

network monitoring

Netiquette utility, 159–160

network status monitors, 158–159

network traffic monitors, 160–163

overview, 157–158

nexti command, LLDB debugger, 169

nm utility, EvilQuest malware, 229

nonbinary analysis

analyzing scripts, 76–89

AppleScript, 82–88

bash shell scripts, 76–78

Perl scripts, 88–89

Python scripts, 78–82

applications, 91–95

extracting malicious files from distribution packaging, 72–76

Apple Disk Images, 72

packages, 73–76

identifying file types, 70–72

Office documents, 89–91

overview, 69–70

non-interactive shells, 57

nonoperations (NOPs), 200

NSData class method, Objective-C disassembly, 131–132

NSData object, 131–132

NSTask launch method, 134

Nygard, Steve, 113

O

obfuscated scripts, 199–204

obfuscated strings

EvilQuest malware, 197–199, 238–242

locating, 191–192

__objc_* section, Mach-O binary __DATA segment, 106

objc_msgSend function, 172, 178–179, 182–183, 193

assembly, 128–130

Swift disassembly, 133

Objective-C disassembly, 130–133

Office macros

extracting, 89–90

macro-based attacks, 14–15

offset member, Mach-O header, 102

oletools toolset, 89–90

olevba utility, 89–90

operands, 127

organizationally unique identifier (OUI), 207, 213

osadecompile command, 82

OSAMiner malware, 56, 85–88

OS X Leopard, 4

OS X Mountain Lion, 4

otool utility, 101–102, 105

OUI (organizationally unique identifier), 207, 213

P

packages (.pkg), 73–76

packers, 201–202

patch binary

disassembling, 231

extracting embedded information from, 229–231

periodic scripts, 33–34

Perl scripts, 88–89

persist_executable_frombundle function, EvilQuest malware, 261

persist_executable function, EvilQuest malware, 246

persistence

application and binary modifications, 42–43

defined, 1, 23

dynamic libraries, 34–39

DYLD_* environment variables, 35–36

dylib hijacking, 37–39

dylib proxying, 36–37

overview, 34–35

event monitor rules, 41

EvilQuest malware analysis, 243–252

copies as launch items, 247–249

copy operation, 246–247

killing unwanted processes, 244–246

overview, 243–244

starting launch items, 249–252

KnockKnock open source utility, 44–45

launch agents, 26–32

launch daemons, 26–32

login items, 24–26

login/logout hooks, 34

overview, 23–24

plug-ins, 39–40

relaunch applications, 41–42

scheduling mechanisms, 32–34

cron jobs, 32–33

at jobs, 33

periodic scripts, 33–34

scripts, 41

physical attacks, 19

Pirate Bay website, 10

pirated applications, 9–10

Pirrit malware, 102, 200–201, 208

Pitchofcase adware, 40

.pkg (packages), 73–76

pkgutil utility, EvilQuest malware, 225

Platypus tool, 76–77, 115, 117–118

plug-ins, 39–40

prevent_trace function, EvilQuest malware, 237–238

print command, LLDB debugger, 175

printing (dumping), debugging process, 166–167, 174

privilege escalation

root privileges, 52–54

sandboxes, 50–51

process monitoring

overview, 150–151

ProcessMonitor utility, 151–153

Proc view, Hopper, 142

Proton malware, 16, 49, 208–209

pseudocode mode, Hopper, 146

ptrace system call, preventing debugging with, 210–211

PyInstaller Extractor tool, 119

PyInstaller tool, 115, 119

Python scripts, 78–82

R

ransomware. See also EvilQuest malware

defined, 23

KeRanger ransomware, 61, 213–215

RBP register, 127

RCX register, 131–132

RDX register, 131–132, 231

react_exec function, EvilQuest malware, 266–267

react_host function, EvilQuest malware, 270

react_keys function, EvilQuest malware, 269

react_ping function, EvilQuest malware, 270, 280

react_sav function, EvilQuest malware, 268

react_scmd function, EvilQuest malware, 270–271

react_start function, EvilQuest malware, 268

react_updatesettings function, EvilQuest malware, 281

Reaves, Jason, 277

reconnaissance logic, 48–49

Reed, Thomas, 43, 54, 207, 222

registers

assembly, 126–127

R8 register, 269

R9 register, 183

RAX register, 31, 126–128, 130–131, 136–137, 175–177, 190, 200, 211, 216, 236, 239, 248

RBP register, 127

RCX register, 131–132

RDX register, 131–132, 231

RSI register, 129, 131–132, 136–137, 179–180, 193

RSP register, 127

modifying register value, 216

“scratch,” 136

register write command, LLDB debugger, 176–177

relaunch applications, 41–42

remote communications logic, EvilQuest malware analysis

get_mediator function, 263–265

remote tasking logic, 265–271

remote download/upload, 59–61

remote process, 58

remote services, compromising, 17–18

remote shells, 57–58

remote tasking logic, EvilQuest malware, 265–271

overview, 265–266

react_exec function, 266–267

react_host function, 270

react_keys function, 269

react_ping function, 270

react_sav function, 268

react_scmd function, 270–271

react_start function, 268

repersistence logic, EvilQuest malware analysis, 252–253

reverse engineering

creating binary to analyze, 140–141

display modes, 145–146

interface, 141–143

loading binary, 141

viewing disassembly, 143–145

Riordan, James, 217

root privileges, 52–54

RSI register, 129, 131–132, 136–137, 179–180, 193

RSP register, 127

run_audio and run_image function, EvilQuest malware, 281

run_daemon function, EvilQuest malware, 250–251

run_target function, EvilQuest malware, 262–263

run command, LLDB debugger, 169

run-only AppleScript files, 84–87

runtime information, displaying, 174–176

S

s_is_high_time function, EvilQuest malware, 275

Safe Finder, 54–55

sandboxes, 50–51

scheduling mechanisms

cron jobs, 32–33

at jobs, 33

periodic scripts, 33–34

Schneier, Bruce, 217

“scratch” registers, 136

Script Editor, 82, 84

scripts, 41

AppleScript, 82–88

bash shell, 76–78

Perl, 88–89

Python, 78–82

scutil command, 89

SDK files, 100–101

segments, Mach-O binary file format, 106–107

__DATA segment, 107

__TEXT segment, 107

__LINKEDIT segment, 104

set_important_files function, EvilQuest malware, 252–253

setLaunchPath: method, Swift disassembly, 133

SHA-1 hash, 107–108

Shlayer malware, 4–5, 116

Siggen malware, 76–80, 94–95

signing certificate, 109

--silent command line parameter, EvilQuest malware, 231–232

SIP (System Integrity Protection) status, 169, 208

16-bit registers, 127

64-bit registers, 127

spurious (garbage) instructions, 200

spyware, 64–65

stack, defined, 127

static analysis

assembly, 126–130

binary analysis, 99–122

extracting nonbinary components, 116–122

Mach-O binary file format, 99–114

tools used to build binaries, 115–116

decompilation, 139–140

defined, 67

disassembly, 130–139

nonbinary analysis, 69–95

analyzing scripts, 76–89

applications, 91–95

extracting malicious files from distribution packaging, 72–76

identifying file types, 70–72

Office documents, 89–91

overview, 69–70

reverse engineering with Hopper, 140–146

stealth, 62–64

stepi command, LLDB debugger, 169

stepping through, debugging process, 166

Stokes, Phil, 80, 85, 87, 277

string-based obfuscation

defined, 188

encrypted strings, 189–191

finding deobfuscation code, 193–194

forcing malware to execute decryption routine, 197–199

locating obfuscated strings, 191–192

sensitive strings disguised as constants, 188–189

via Hopper script, 194–196

strings

extracting embedded strings, 112–113

obfuscated strings

EvilQuest malware, 197–199, 238–242

locating, 191–192

strings utility

EvilQuest malware, 229–230

WindTail malware, 112–113

Str view, Hopper, 142

sudoers file, 54

supply chain attacks, 16

surveys, 48–50

Suspicious Package utility, 73–75, 225–228

Swift disassembly, 133–135

System Integrity Protection (SIP) status, 169, 208

Szor, Peter, 253

T

tcpdump utility, 160

team identifier, 109

__TEXT segment, Mach-O binary file format, 104, 106–107

ThiefQuest malware, 278. See also EvilQuest malware

32-bit registers, 127

Thomas, Adam, 54

Tor utility, 150

Trend Micro, 15, 278–279, 281

trojanized applications, 8–9

typosquatting, 6

U

universal binaries, 102

UPX packer, 201, 213

user-assisted infections. See also infection vectors

anti-infection protection mechanisms, 4–5

malicious emails, 5–6

/usr/bin/osascript command, AppleScript, 82

V

VBA (Visual Basic for Applications), 14

-v flag, Mach-O header, 101

Vilaça, Pedro, 202

virtual machine detection

counting logical and physical CPUs, 206

MAC address, checking, 207

overview, 204–205

SIP status, checking, 208

system model name, checking, 205–206

virtual machine-thwarting logic, 233–234

viruses

checking which files to infect, 255–257

defined, 253

infected files

executing and repersisting from, 260–262

executing original code of, 262–263

infecting target files, 257–260

listing candidate files for infection, 254

VirusTotal antivirus scanning portal, 108

Visual Basic for Applications (VBA), 14

VMware, 207

VST Crack website, 10

W

Wacaw tool, 150

WhatsAppService.app, 76–77

WhatsYourSign (WYS) tool, 71–73

whoami command, 89

WindTail malware, 10–13, 59–61, 70, 91–95

Info.plist file, 93–95

key/value pairs, 94

strings utility, 112–113

Wireshark application, 161–163

writeconfig.xpc service, 53

writeToFile:atomically: method, Objective-C disassembly, 132

WYS (WhatsYourSign) tool, 71–73

X

XAgent malware, 114

x/b command, LLDB debugger, 175

Xcode projects, 15–16

XCSSET malware, 15–16

x/i command, LLDB debugger, 175

x/s command, LLDB debugger, 175

XSLCmd malware, 53

Y

Yort malware, 91

Z

zero-day exploits, 18–19

ZuRu malware, 106