Apple Mac Trojans

A newly identified Mac OS X Trojan bundles a component that leverages the processing power of video cards (GPUs) to generate Bitcoins, a popular type of virtual currency.

The new Trojan known as OSX/Miner-D, nicknamed “DevilRobber” by antivirus vendors, is being distributed together with several software applications via BitTorrent sites.

“This malware is complex, and performs many operations,” security researchers from Mac antivirus vendor Intego warned. “It is a combination of several types of malware: It is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers,” they explained. The software is being distributed through torrent sites. It installs a Java-based application called “DiabloMiner” that uses your Mac’s graphics processing unit (GPU) to generate Bitcoins.

The Bitcoin mining program that DevilRobber installs on infected computers is called DiabloMiner and is a legitimate Java-based application used in the virtual currency’s production. As this application is Java-based, it will also run on Windows, Solaris and Linux computers.

The first sign of infection is if your Mac suddenly becomes sluggish, Graham Cluley of Sophos wrote in a blog post.

“It’s becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software,” he wrote.

The DevilRobber trojan steals processing power, which can lead to slow computer performance, as well as actual Bitcoins, which are kept in virtual wallets on the victim’s machine.

“OSX/Miner-D [DevilRobber] also spies on you by taking screen captures and stealing your usernames and passwords,” warned Graham Cluley, a senior technology consultant at antivirus vendor Sophos.

“In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history and .bash_history,” he added.

So far, the Trojan has been detected in a BitTorrent download for GraphicConverter version 7.4, an image editing application for Mac OS X. However, this doesn’t mean that there aren’t similarly Trojanized torrents out there.

“Clearly, Mac users — like their Windows cousins — should practice safe computing and only download software from official websites and legitimate download services,” Cluley said. He also stressed that Mac users should install an antivirus program, which is not hard to do and costs nothing.

There are several providers of free antivirus solutions for Mac and all of their solutions are more capable than Mac OS X’s default anti-malware defense mechanism, which some Trojans already bypass or even disable.

The latest signature updates from Microsoft Security Essentials and other Mac AV providers will detect DevilRobber. I suggest you go one step further and use ESET NOD32.

Bitcoin is a form of virtual cash that can be exchanged by users without the need for an intermediary bank or payment service. Bitcoins are actually cryptographic hashes that get generated piece by piece using specialized programs like DiabloMiner, according to a public algorithm.

Bitcoin is a decentralized, highly controversial virtual currency that was formed by programmers in 2009. The currency is generated by programming computers to calculate highly complex math problems; the more computing power you have, the faster you can create Bitcoins. This is why Bitcoin rigs often look like massive sculptures of connected servers.

Ideally, Bitcoin resolves issues inherent in traditional currencies, like double-spending, inflation, corruption, and inept monetary authorities. But in reality, the effort is being undermined by security issues like exchange breaches, account theft, and pure FUD.

In the past we’ve also heard of Twitter-based Bitcoin bots and months ago, Symantec predicted the spawn of botnets used to mine Bitcoins.

One Bitcoin is currently valued at around US$3.20, and it is a good source of profit for both Bitcoin miners, who legitimately use their computer resources to generate them, and cybercriminals who steal them.


How Windows gets malware

When a Microsoft Windows machine gets infected by viruses/malware, it does so mainly because users forget to update Java, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S, which has been collecting data for 3 months on actual infections of computers by drive-by attacks on browsers. Drive-by attacks are when you go to an innocent website and get a virus anyway, typically from ads or hacked links.

Basis of the study

CSIS has, over a period of almost three months, actively collected real-time data from various so-called exploit kits. An exploit kit is a commercial hacker toolkit actively used by computer criminals to take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.

The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk.

CSIS monitored more than 50 different exploit kits on 44 unique servers / IP addresses. Figures come from the kits’ underlying statistical modules, giving as precise an overview of the threat landscape as possible. The statistical material covers all in all more than half a million user exposures, of which as many as 31.3 % resulted in a virus/malware infection due to missing security updates.

Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:

CVE-2010-1885 Microsoft Help & Support HCP
CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java Trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2008-0655 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code

The report describes which operating systems, browsers, and applications are vulnerable in the real-world scenarios CSIS observed. Here it is slimmed down:

Internet Explorer is the worst offending browser. Mozilla is second.
Windows XP, Windows 7, and Windows Vista are the worst offending operating systems.
Java, Adobe Reader, and Adobe Flash are the worst offending applications.

The salient point is that fully updated and patched installs let 70% of the infections through, mainly because the technology is reactive. Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits). All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

Conclusion: 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages:

Java JRE 37%
Adobe Reader/Acrobat 32%
Adobe Flash 16%
MS Internet Explorer 10%
Windows HCP (Help) 3%
Apple Quicktime 2%

For the sake of security, I would not run Java, Adobe anything or Internet Exploiter.

We don’t want you getting viruses because they’re difficult to remove and, more importantly, expensive and time consuming.

1. Uninstall Java. Most end users never have a need for it and don’t update it.

2. Use Chrome to read PDFs or use Foxit. No need for Adobe, but to be fair Adobe’s new sandbox model in version X is resistant to viral infections and exploits.

3. Update Flash as often as it says, or switch to Chrome.

4. Use ESET NOD32 & HitmanPro for protection.

Adobe Pushes Update

How can anyone stay on top of all the attack vectors on a Windows computer? Every machine I touch these days never gets consistently updated, especially if it is a personal computer. Today I find that Adobe has pushed an unscheduled security update.

“As expected, Adobe today released a security update for its Flash Player. The out of cycle update addresses critical security issues in flash player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability.

Also, this just in. “Software maker Adobe Systems has launched Flash Player 11 and Adobe AIR 3 even as the industry is shifting to HTML 5 on the Web that lessens the reliance of developers on Flash.” Flash Player 11 and AIR 3 are scheduled for release in early October. Adobe didn’t give the date, but you should expect release at Adobe’s annual Max conference, between 1 and 5 October. Both support full hardware acceleration for 2D and 3D graphics, which Adobe claims provides rendering performance 1,000 times faster than Flash Player 10 and AIR 2.

Do you know what Flash version you have installed? No? Then use Adobe’s version test page. You can also check here.

Once you have the current version, you may also wish to adjust your configuration. Flash’s settings are rather curious as the controls themselves aren’t located on the computer but are instead accessed through a Flash object hosted by Adobe.

Adobe: “The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer.”

Right-clicking a Flash object and selecting “Global Settings” opens a page to Adobe’s Flash Player Settings Manager.

Just as flaws in the ubiquitous Adobe Flash were exploited to infiltrate RSA Security and compromise the encryption keys used in RSA’s SecurID two-factor authentication tokens, Flash may also have been the Achilles heel of Diginotar.

Adobe Flash is nearly universal. With Adobe Flash Player software and browser plug-ins available for virtually every operating system and browser, this zero-day flaw could potentially impact 90 to 95 percent of the PCs in the world.

Andrew Storms, director of security operations for nCircle, connects the dots. “Adobe said that today’s bug ‘could be used to act on the user’s behalf with webmail providers.’ I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user’s Gmail account.”

I implore you to patch Flash as soon as possible.

Unsolicited Skype Spam

Malware authors are using fake Skype profiles and robo-calls to drive you to infectious Web sites. It’s time for Skype to clean up its security act. While sitting this evening at my office desk, I noticed an incoming call on Skype but with no ringtone, which I thought was a little odd.

Anyway, the incoming call said ‘usa.a1.online.alert.mac.win’ with a title of ‘NOTIFICATION® URGENT ALERT’. I ignored it for a while and almost cancelled the thing, but decided to accept the call for the sake of curiosity and amusement.


On the other end, I heard a robotic voice telling me my PC security had been compromised, viruses were detected on my computer, and that I needed to visit some website to download software that would fix it. It then continually repeated this message until I hung up. Laughable, as I don’t run Windows; besides, executable files do not function on my machine.

I thought: Skype voice spam. That’s a new one. And then I thought: Oh god, is that what we’re all in for from now on?

Remember the days when telemarketers used to call your home phone number at all hours of the night? This was especially irritating until you realized a “do not call” list existed. Shortly after I answered, the recording began. Informing me of a serious computer virus that had attacked my system, the recording offered a solution that I could go to some website to repair. The moral of the story: If you receive a call from someone who you cannot immediately identify, be aware. There is no apparent harm done in answering these calls, besides time wasted, but at least you know now that they exist. Check out Skype’s security advice for more information on how to best protect yourself.

Here is a snapshot of the popup:

I also made a recording of the message, sorry for the poor quality, but you can still make it out. rec-20110920-18:57:38

After doing some research, this sort of thing has been on-going for years, and I suspect it will become even more prevalent now that Microsoft is taking ownership of Skype. Looking at Skype’s blog there is some mention of it: http://blogs.skype.com/security/2010/03/an_update_on_spam_on_skype.html

Skype’s consumer forum also mentions it as well: http://forum.skype.com/index.php?showtopic=814469

It turns out I am not alone in receiving this call. There has been a string of users who’ve received similar calls. Apparently, visitors that did visit the website as instructed were prompted to download “security software” that would infect their PCs with malware.
 
A responder wrote:

Do NOT go to the site! I downloaded the program onto a safe computer (no Internet, and some fake contacts, emails, and a few fake passwords saved in Firefox.) I then went to monitor it and it was taking the passwords, emails, and contacts and trying to send them to a weird website. I wasn’t able to get [to the site], as it crashed the computer. When I got it back up [the software] turned Windows to frappe and nothing worked right. Happily that was an isolated computer with a backup Windows disk, so I was able to restore it.

Well, isn’t that special. Skype has infiltrated the newbies camp in sufficient numbers to become an attractive target for this kind of thing. What’s troubling me is that it’s unclear what Skype is doing to stop this problem. Skype support is notoriously hard to contact – a problem, I think, for a service that charges actual money – and that is something that needs to change. Paying customers (like me) deserve actual support, not FAQs and a “feedback” option.

I find it ironic this happened after Microsoft announced its intention to buy Skype. I doubt those two things are related, nah.

Skype security – or lack thereof – is now yet another thing we need to worry about. Let’s hope voice spam doesn’t turn into the next malware epidemic.

In closing, do not answer this type of message or go to the website it tells you to go to. To avoid receiving any calls like this, you can adjust your privacy settings so that you do not receive calls from anyone outside your contact list: open Tools > Options > Privacy > Show Advanced Options and adjust your settings accordingly.

Windows Patch Tuesday – August 2011

On Tuesday, August 9 at 10AM PDT Microsoft plans to patch 22 vulnerabilities for Internet Explorer, Windows, Visio and Visual Studio as part of the August Patch Tuesday release.

Microsoft will release 13 security bulletins, two of which are rated “critical,” the company said Aug. 4. Nine were rated as “important” and the final two were listed as “moderate” according to the preview announcement.

Even though there are more bulletins than the July update, the number of vulnerabilities remained the same, which is unusual, considering Microsoft recently has been alternating large updates with small ones. August was expected to be a heavy month.

Considering there were 16 bulletins fixing 34 vulnerabilities in June and 17 bulletins fixing 64 bugs in April, 22 vulnerabilities across 13 bulletins doesn’t sound so big, after all. Even so, IT administrators still have a lot of work ahead of them, as they may still be dealing with the 78 patches from Oracle’s July Critical Patch Update on July 19 and Apple’s update for Mac OS X Lion on July 20, said Paul Henry, security and forensic analyst for Lumension. “Microsoft is making IT admins earn their Labor Day holiday,” Henry said.

The bi-monthly update for Internet Explorer is rated as critical and is most likely the one administrators should deploy first, Storms said. The IE update is critical for all platforms and applies to all versions, from IE 6 through 9 on Windows 7, Vista, XP, 2003 and 2008, according to Microsoft. This would be the second update for IE9 in less than five months since its release.

Two of the 13 bulletins are rated “critical,” Microsoft’s highest severity rating. Microsoft Windows users will want to pay special attention to the Internet Explorer bulletin because the issues can expose users to drive-by download attacks via the browser. The update fixes flaws that introduce remote code execution risks on all versions of Internet Explorer, including the newest IE 9. “If left unpatched, attackers could use this vulnerability to remotely take control of victims’ systems,” said Wolfgang Kandek, CTO for Qualys.

Since the preview announcement doesn’t provide any details on what the actual flaw is being patched, users should limit their use of Internet Explorer to only visit trusted sites and be careful about clicking on links, said Marcus Carey, a security researcher for Rapid7. Servers should never be used to browse the Internet, but many organizations do so anyway, and “compromise their crown jewels,” Carey said.

Concerned users should consider using an alternate browser, such as Firefox or Chrome, until the patches are live, according to Carey. I say quit using Internet Exploiter altogether.

“While multiple browsers can be an administrative headache at times, it comes in handy in situations like this,” said Carey.

The other critical bulletin addresses flaws in the two newest versions of Microsoft’s server operating system, Windows Server 2008 and Server 2008 R2. While Server 2003 has the same vulnerability, Microsoft said the update was only “important” for that version.

“Server administrators should apply patches immediately as this vulnerability also leads to remote code execution,” said Kandek.

Nine bulletins are specific to Windows vulnerabilities, but five of them won’t apply to Windows XP. One of the bulletins addresses issues in Windows 7 and Server 2008 R2, the latest versions of the desktop and server software. Considering Vista shares a lot of code with Windows 7, it was a little puzzling that the bulletin did not patch Vista, according to Storms.

Microsoft is expected to update .NET framework, Visual Studio 2005 development tool and all supported versions of Visio. Microsoft also patched a DLL vulnerability in Visio last month that could have been exploited with a remote code execution attack.

“We have seen other Visio vulnerabilities fairly recently and recommend including the software in your regular patching cycle and/or have users not using that software remove it from their systems,” Kandek said.

A good point is made: if you’re not using a particular piece of software, remove it.

Another point: JavaScript and Flash are two known ways to infect your computer. I block them by default and maintain a white-list of sites on which I allow them to function.

  • Disabling JavaScript and Flash for untrustworthy sites. This will help to reduce possible attack vectors for these Trojans, and hence reduce the possibility of you ever seeing ‘Your PC is infected with malicious software and browse couldn’t be launched’ on your browser. Most web browsers will allow you to disable these options by default.
  • Keeping your web browser updated. Updates will often fix security loopholes that are exploited to force malicious security programs like Trojans onto your PC.
  • Avoiding downloads of anti-virus or anti-spyware programs from non-reputable sources. Many rogue security programs are widely distributed through generalist download storehouse websites, and most will even have their own professional-looking home websites. Verify the integrity of an anti-malware program through multiple sources beforehand. I highly recommend ESET’s offering.

Your Computer Appears to Be Infected

Google has begun warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.

Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.
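The article says the hijacker’s periodic check-ins to a fixed Google address gave its traffic a recognizable “signature”. As an added example (not Google’s detector, whose details are not on this page), here is a small Python beacon detector that flags source/destination pairs with near-constant contact intervals; the flow log it runs on is constructed and the addresses in it are made up:

```python
"""Flag hosts that contact one destination at near-constant intervals.
Added example: a simplified stand-in for the kind of traffic 'signature'
the article describes, run over constructed (made-up) flow log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<timestamp> <src_ip> -> <dst_ip>:<port>".
# 10.0.0.5 checks in with a fixed address every ~60 s (malware-like pattern);
# 10.0.0.9 browses normally with irregular gaps and varied destinations.
SAMPLE_LOG = """\
2011-07-19T10:00:00 10.0.0.5 -> 203.0.113.10:80
2011-07-19T10:00:03 10.0.0.9 -> 198.51.100.7:443
2011-07-19T10:01:00 10.0.0.5 -> 203.0.113.10:80
2011-07-19T10:01:41 10.0.0.9 -> 198.51.100.7:443
2011-07-19T10:02:00 10.0.0.5 -> 203.0.113.10:80
2011-07-19T10:02:09 10.0.0.9 -> 198.51.100.22:443
2011-07-19T10:03:01 10.0.0.5 -> 203.0.113.10:80
2011-07-19T10:03:55 10.0.0.9 -> 198.51.100.7:443
2011-07-19T10:04:00 10.0.0.5 -> 203.0.113.10:80
2011-07-19T10:09:12 10.0.0.9 -> 198.51.100.7:443
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the log format above."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive (sorted) timestamps."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps; close to 0 means clockwork.
    Returns None when there are too few gaps to judge (fewer than 3)."""
    gaps = inter_arrival_gaps(timestamps)
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return [(src, dst, mean_gap_seconds)] for flows that look like beacons.
    min_events avoids judging on a handful of hits; max_cv is the allowed
    jitter (0.1 = gaps within roughly 10% of their mean)."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(inter_arrival_gaps(ts)), 1)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} beacons to {dst} every ~{gap}s; inspect that host")
```

Real beacons drift and malware often adds jitter, so in practice the threshold is tuned per network and combined with other signals (user-agent, destination reputation), not used alone.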

Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.

Here is the link with explanation: http://www.google.com/support/websearch/bin/answer.py?answer=1182191

A warning appears at the top of the search results page when we believe that the computer you’re using is infected with malicious software, also known as “malware.” Malware can be used to intercept your computer’s connection to Google and other sites. When Google’s system detects that a connection has been intercepted, it’s likely that the computer was previously infected with malicious software.

An infected computer can result in deleted data, stolen personal information, and a slower connection to many websites. We showed you the warning so that you can scan your computer and take any necessary action to protect yourself.

I understand how the link on Google’s warning essentially goes against all the things we’ve been taught to ignore online. It may not be a pop-up, but it’s also not something we went looking for. However, if I saw the warning, knowing that it’s not wise to click anything, I might be more prone to run my anti-virus or go to a security site to see if I could find anything on it. Naturally, having the warning on a Google search page would make me leery of searching for the information on that page.

The other thing we have to remember – is that these users are most likely ones that don’t know to not click on things. They’ll happily click it – and, for a change, be directed to something that will help them. Now yes, this can start to be spoofed and lead to bad things too – but again, remember, these people are already clicking links they’re told to… they’re going to be infected regardless. So what’s wrong with actually getting them to click something that will actually help them for a change?

Honestly, I think more of these types of things should be done. Users need to be better educated and learn how to protect themselves online. However, it’s nice to see others trying to make the internet safer instead of leaving all the responsibility on the user (who in most cases doesn’t even know the basics when it comes to online security).

While I’m grateful to Google for making the effort, the malware I’ve seen causing Google search redirections is _not_ simple to remove. Suggesting to users that they can just download a tool and get rid of it is doing them a disservice.

Despite Google’s intent, I have to side with the argument for consistency in dealing with my users. I have invested a lot of time and energy in getting them to not click links that appear to promise to solve problems–especially problems that are not apparent or that users might not understand.

So, I have just sent a notice to all users on my list that, should they see the Google alert message, they should NOT click the link, but close the browser and then call for IT help. And no telling how quickly the scareware writers will mimic Google’s message, with their own destination to other malware embedded in the learn-how-to-fix-this link.

Everyone who gets this warning also needs to be aware that every password they’ve typed since infection now belongs to the criminals – e-mail, banking, etc. If Google has to inform users that they’re infected, what do you think the odds are that they have clean, restorable backups?

The ONLY way to guarantee that all bots are eliminated is to re-install the OS and apps from scratch. Take time to think about what you are doing and what can go wrong. Be particularly careful not to infect other systems or flash drives as you work.

Back up important data files. Make a drive image which can be searched for data files you forgot to back up. In general, do not recover old program files. Be sure to bring up the new system behind a hardware firewall / router until you get your security patches in place.

Allow me to repeat for emphasis the fact that: A FULL OS RE-INSTALL IS REQUIRED TO RECOVER FROM MODERN MALWARE and as I know very well, OS re-installs can be confusing and tedious. No, there is no easy way around this.

While the Microsoft Malicious Software Removal Tool has “removal” right up there in the title, and older malware might be removed, expecting that is a bad bet. Much or even most modern malware simply cannot be “removed” in the sense of returning the computer to its original state. Once a bot is in place, it can modify any file, and there is no way to know what has been done, so there is no way to reverse it.

It’s usually some variation of the TDL4 bootkit/rootkit, and careless attempts to clean it up can leave a computer unbootable or result in irretrievable data loss. I’ve never yet seen a PC with this infection have just _one_ malware kit installed either, since they generally keep downloading botnet components.

The correct response to malware is to re-install the OS and apps. Remember that the malware in question is malicious because it modifies search results returned by Google. So we can assume that it has 100% control over the DOM presented by Google. In fact, it wouldn’t surprise me if the malware gets an “update” to simply hide this message.

Stay safe!

Online banking security

A judge in Maine has ruled that a bank that allowed hackers to steal more than $300,000 from a customer’s online account isn’t responsible for the lost money, saying the customer should have done more to protect the account credentials.

Magistrate Judge John Rich sided with Ocean Bank in recommending that the U.S. District Court in Maine grant the bank’s motions for a summary dismissal of a complaint filed by Patco Construction Company. The ruling was reported earlier this month.

The case raises questions about how much security banks and other financial institutions may be reasonably required to provide commercial customers. It could set a precedent for liability in circumstances where customer systems are hacked and banking credentials are stolen. Small and medium-sized businesses around the United States have lost hundreds of millions of dollars in recent years to such activity, known as fraudulent ACH (Automated Clearing House) transfers. (more…)

Gmail – LinkedIn Assault

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution.
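One way to make that check routine, as an added example that is not from Google’s post: this Python script pulls the account’s auto-forwarding, forwarding addresses, delegates and filters and flags anything that would copy mail to another party. It assumes the Gmail REST API settings endpoints (users.settings.*) that exist today, an OAuth access token supplied in the GMAIL_TOKEN environment variable, and that the delegates endpoint may be unavailable on consumer accounts; without a token it runs offline on constructed responses:

```python
"""Audit a Gmail account for the forwarding/delegation changes the article
describes. Added example, not Google's code. Assumes the Gmail REST API
settings endpoints and an OAuth token in GMAIL_TOKEN; the audit logic itself
runs offline on the JSON shapes those endpoints return."""
import json
import os
import urllib.error
import urllib.request

API = "https://gmail.googleapis.com/gmail/v1/users/me/settings"


def fetch(path, token):
    """GET one settings resource; returns {} if the endpoint is unavailable
    (e.g. delegates on a consumer account) so the audit still completes."""
    req = urllib.request.Request(f"{API}/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError:
        return {}


def audit(auto_forwarding, forwarding_addresses, delegates, filters, owner_domain):
    """Return a list of findings; an empty list means nothing copies mail
    elsewhere. Inputs are the JSON bodies of autoForwarding,
    forwardingAddresses, delegates and filters (any may be {})."""
    findings = []
    if auto_forwarding.get("enabled"):
        findings.append(f"auto-forwarding ON to {auto_forwarding.get('emailAddress')} "
                        f"(disposition {auto_forwarding.get('disposition')})")
    for fa in forwarding_addresses.get("forwardingAddresses", []):
        findings.append(f"forwarding address registered: {fa.get('forwardingEmail')} "
                        f"[{fa.get('verificationStatus')}]")
    for d in delegates.get("delegates", []):
        # A delegate can read and send as the owner; outside addresses are the worst case.
        who = d.get("delegateEmail", "")
        ext = "" if who.endswith("@" + owner_domain) else " (OUTSIDE your domain)"
        findings.append(f"delegate: {who}{ext} [{d.get('verificationStatus')}]")
    for f in filters.get("filter", []):
        action = f.get("action", {})
        if action.get("forward"):
            # A filter that forwards and also archives or trashes hides the copy from the owner.
            hidden = (bool({"TRASH", "SPAM"} & set(action.get("addLabelIds", [])))
                      or "INBOX" in action.get("removeLabelIds", []))
            findings.append(f"filter {f.get('id')} forwards to {action['forward']}"
                            + (" and hides the message" if hidden else ""))
    return findings


# Constructed sample responses (made up) mimicking a tampered-with account.
SAMPLE = {
    "autoForwarding": {"enabled": True, "emailAddress": "archive@example.net",
                       "disposition": "archive"},
    "forwardingAddresses": {"forwardingAddresses": [
        {"forwardingEmail": "archive@example.net", "verificationStatus": "accepted"}]},
    "delegates": {"delegates": [
        {"delegateEmail": "helper@example.net", "verificationStatus": "accepted"}]},
    "filters": {"filter": [
        {"id": "f1", "criteria": {"from": "bank"},
         "action": {"forward": "archive@example.net", "removeLabelIds": ["INBOX"]}}]},
}

RESOURCES = ("autoForwarding", "forwardingAddresses", "delegates", "filters")


def audit_sample(owner_domain="example.org"):
    """Run the audit over the constructed SAMPLE data (offline demonstration)."""
    return audit(*(SAMPLE[r] for r in RESOURCES), owner_domain=owner_domain)


if __name__ == "__main__":
    token = os.environ.get("GMAIL_TOKEN")
    if token:
        data = [fetch(r, token) for r in RESOURCES]
        findings = audit(*data, owner_domain=os.environ.get("GMAIL_DOMAIN", "gmail.com"))
    else:
        findings = audit_sample()
    for line in findings or ["no forwarding or delegation found"]:
        print(line)
```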

To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author, blogger Mila Parkour, first wrote about these attacks almost four months ago.

Most of the targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word. This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page was also custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available at this link that shows the exact attack, except populated with “JDoe” in the username field.

Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.

Along these lines comes a blog post today from security vendor Trusteer, which warned that scam artists are once again using cleverly disguised LinkedIn invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look like it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the Blackhole Exploit Pack, which tries to silently install a copy of the ZeuS trojan by heaving a kitchen sink full of browser exploits at visitors.

The image below, taken from Trusteer’s blog, shows the booby-trapped LinkedIn request on top; beneath it is what a legitimate LinkedIn request looks like. Would you have been able to tell them apart?

Here are a few simple tips that can help you avoid becoming the next victim of these attack methods:

  • Keep your software up-to-date. Legitimate, high-traffic Web sites get hacked all the time and seeded with exploit kits. Take advantage of programs like Secunia’s Personal Software Inspector or Filehippo’s Update Checker to stay abreast of the latest security updates.
  • Be extremely judicious about clicking links in emails. Try to avoid responding to invites by clicking links in emails. I notice that Twitter has now started sending emails when someone re-tweets your posts: Avoid clicking on those as well. It’s safest to manage these accounts by visiting the sites manually, preferably using a bookmark as opposed to typing these site names into a browser address bar.
  • Pay close attention to what’s in the address bar: Checking this area can prevent many email-based attacks. Staying vigilant here can also block far more stealthy attacks, such as tabnabbing.
  • Consider using an email client, such as Mozilla’s Thunderbird, to handle your messages. It’s a good idea to have emails displayed in plain text instead of allowing HTML code to be displayed in emails by default.


Apple MacDefender Malware

Apple is planning to release an update specifically designed to protect users against the MacDefender malware that has been circulating for the last couple of weeks. The update for Mac OS X will automatically find and remove the malware on an infected machine and also will warn users if another infection attempt is detected. Malware for OSX was inevitable due to its market share penetration.

While viruses exist, there are relatively few of them compared to other forms of malware. (This is not only true for Macs, but also for Windows.) Today’s malware uses different techniques, and the goal is different. Rather than writing malware just for the fun of infecting computers, the malware that spreads now is written by cyber-criminals to make money. Viruses don’t make money, but Trojan horses, which can install malicious software to take control of computers, can.

A prediction was made that Macs would start being targeted when they reached 16% of market share, which has happened recently in three countries. Last week, security researchers pointed to a construction kit for creating Trojans for Mac OS X as a major issue for Mac users. Currently, three countries — Switzerland, Luxembourg and the United States — have Mac market share

“The kit is being sold under the name Weyland-Yutani Bot and it is the first of its kind to hit the Mac OS platform,” Peter Kruse, partner and security specialist at security firm CSIS, writes in a blog post. “CSIS finds this crimekit to be quite disturbing news since Mac OS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years.”


The fact is that Mac users probably still don’t run anti-virus software because they don’t believe they need to, so these threats could spread fast.

But even so, having AV software installed doesn’t make your computer a bastion of security. AV software still works on a reactive basis; there is still no real proactive security. AV heuristics are crap; they don’t detect anything.

Signatures still need to be updated and pushed out, and they can be evaded, especially by polymorphic malware; the new generations of trojan and bot software are much more advanced than any AV system.

What’s interesting is that instructions have turned up from Apple to its support representatives, saying that Apple does not want them helping end-users get rid of this wave of malware. Reps will tell users not to install it, though… I guess Apple sees it as third-party software…

The document (shown below) provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack.

The planned update from Apple is a rare move by the company, whose users until quite recently haven’t had to contend with much of a malware problem. The MacDefender scareware attack emerged in early May and is being used by attackers to trick users into downloading and installing a malicious application. Like other scareware attacks, MacDefender tells users that they have a piece of malware on their machine and they need to install MacDefender to help remedy the problem.

Of course, the download is malware itself and has the aim of stealing users’ credit card information. Apple is telling concerned users that if they notice an infection attempt, they should try to close their browser or even force quit the application and then delete the installer.

“A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue,” Apple said in its advisory on the MacDefender issue. This ‘anti-virus’ software is malware (i.e. malicious software). Its ultimate goal is to get the user’s credit card information which may be used for fraudulent purposes.

“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.  The update will also help protect users by providing an explicit warning if they download this malware.”

The good news is that the MacDefender malware is not particularly difficult to uninstall and doesn’t remain persistent on the machine after you delete it, as some Windows-based malware will. Here are the steps that Apple recommends for users who have been infected by MacDefender:

  • Move or close the Scan Window
  • Go to the Utilities folder in the Applications folder and launch Activity Monitor
  • Choose All Processes from the pop-up menu in the upper right corner of the window
  • Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
  • Click the Quit Process button in the upper left corner of the window and select Quit
  • Quit Activity Monitor application
  • Open the Applications folder
  • Locate the app, e.g. MacDefender, MacSecurity, MacProtector or another name
  • Drag to Trash, and empty Trash
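The same procedure as a script, added here as an example and not Apple’s own tool: it matches the process names Apple lists (plus the Mac Guard variant), quits them and removes the bundles. The sample ps output is constructed, and checking ~/Applications as well is an assumption.

```python
"""Scripted version of Apple's manual MacDefender removal steps.

Added example, not Apple's tool and not code from the original post. It
parses `ps` output for the fake-AV process names listed above, quits them,
and removes matching .app bundles. Checking ~/Applications as well is an
assumption (a user-writable spot an admin-less variant could use).
"""
import os
import re
import shutil
import signal
import subprocess
from pathlib import Path

# Names from Apple's steps plus the Mac Guard variant described later.
FAKE_AV_NAMES = ("MacDefender", "MacSecurity", "MacProtector", "MacGuard")
FAKE_AV_RE = re.compile("|".join(FAKE_AV_NAMES), re.IGNORECASE)

# Constructed sample of `ps -axo pid=,comm=` output on an infected Mac.
SAMPLE_PS = """\
  123 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  456 /Applications/MacDefender.app/Contents/MacOS/MacDefender
  789 /Users/jdoe/Applications/MacGuard.app/Contents/MacOS/MacGuard
"""

def find_fake_av_processes(ps_output):
    """Parse `ps -axo pid=,comm=` text; return [(pid, command)] matches."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and FAKE_AV_RE.search(parts[1]):
            hits.append((int(parts[0]), parts[1]))
    return hits

def find_fake_av_bundles(app_dirs=("/Applications", "~/Applications")):
    """Return .app bundles in app_dirs whose name matches a fake-AV name."""
    found = []
    for d in app_dirs:
        path = Path(d).expanduser()
        if path.is_dir():
            found.extend(p for p in path.glob("*.app") if FAKE_AV_RE.search(p.name))
    return found

def cleanup(dry_run=True):
    """Apple's steps 2-9: quit the process, then trash the app bundle.
    Nothing is killed or deleted while dry_run is True."""
    ps = subprocess.run(["ps", "-axo", "pid=,comm="],
                        capture_output=True, text=True).stdout
    for pid, comm in find_fake_av_processes(ps):
        print(f"quit {pid} {comm}")
        if not dry_run:
            os.kill(pid, signal.SIGTERM)   # the Quit Process step
    for bundle in find_fake_av_bundles():
        print(f"remove {bundle}")
        if not dry_run:
            shutil.rmtree(bundle)          # drag to Trash and empty it

if __name__ == "__main__":
    cleanup(dry_run=True)
```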

Apple said that the MacDefender attack is exploiting machines running OS X 10.4, 10.5 and 10.6. The company did not specify when the update will be available, but said that it will be delivered through the Software Update mechanism or the Support Downloads Web site.

In addition to the emergence of MacDefender, May saw the release of a Mac crimeware kit that is designed to help attackers build attack tools specifically for OS X.

This is about one of those “social engineering” attacks where an alarming message pops up asking the user to prevent infection by installing something and, by the way, please give your root password… It is strange that Apple will not put its support reps in the position of determining whether or not there is an infection, helping to remove it and educating the customer. Won’t the customer be really ticked off when they find out? When the business depends on the customers’ love, that does not make much sense.

UPDATE

The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called ‘Mac Guard’ installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases.

The software only installs itself automatically if you are using Safari and have it configured to automatically open “safe” downloads. This is considered pretty bad practice and I do hope that Apple changes this default, as it is the simplest way to prevent this sort of thing propagating automatically. The thing to do here is turn off “Open ‘safe’ files after downloading” in Safari.

Conclusion: This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.

Let’s review the evolution of this threat briefly to see where we’ve been.

May 2, 2011: The first widely distributed fake security tool for OS X is being spread through poisoned Google Image search results, seemingly targeting random keywords and the death of Osama bin Laden. It displays a fake JavaScript popup pretending to be a Windows XP anti-virus scanner telling you that your computer is infected.

May 6, 2011: At this point, we’re seeing new variants almost daily. Some of the new samples display random pornographic web pages to scare you and better convince you that your Mac is infected. We also sometimes see the name change from MacDefender to Mac Security.

May 7, 2011: A massive uptick in the success of SEO poisoning related to Mother’s Day Google searches results in a large increase in the infection rate. This version ditches the Windows XP fake JavaScript screen and substitutes a very professional looking fake Finder that “detects” malware on your Mac.

May 15, 2011: We begin seeing the first attempts to obfuscate the content inside the malware to disguise its functionality. Early versions had the registration codes embedded in plain text, but now the registration codes are encoded so they are more difficult to discover.

All of these original variants still prompted the user for their Administrator password to install the malware. As Apple advises in their knowledge base article on the topic, this is a warning sign and an excellent opportunity to abort the installation.

May 25, 2011: Just like in the Windows versions, the latest variants seen today (OSX/FakeAvDl-A) no longer require administrative credentials. They now install into areas of the system that only require standard user privilege. In other words, the attacks no longer ask for an admin password. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases.

Windows security wanes, while Malware waxes on four million websites

For Windows users there is another problem that has been circulating around the web of late. Yea, what else is new. I find these reports rather comical, as being a Linux user they do not apply to me, period. Of the three big browsers on the block, Google Chrome, Firefox and Internet Exploiter, Google Chrome should be the safest one to use these days on the web.

If you are, however, already a strict user of Firefox, then I highly recommend Firefox with the NoScript addon and your problem will be fixed. You’ll never even see the attack page in the first place; it’ll just be blank. Note to first-time users of NoScript: it is a WHITELIST, not a blacklist. Some sites are programmed into it, but 90% of them are not. You will have to approve various sites yourself. Yes, this may seem like a pain, but 5 seconds of pain beats being infected.

You can also disable proxies in the connections tab of your browser under advanced settings. LizaMoon uses a proxy server to redirect your browser. Disabling the proxy eliminates the popups and allows you to download a scanning tool like ESET’s online scanner tool or HitManPro’s scanner.

A new bit of malware has been making headway across the Internet, but is it really that big of a deal? You’ve probably seen the news that “Lizamoon,” an SQL injection attack designed to point your browser to a piece of fake security malware, had infected hundreds of thousands of pages across the Internet. And this includes links found within Apple’s iTunes itself… to a degree.

But here’s the deal: In order for the script to have any noticeable effect on your computer, you have to agree to allow it to work its unhealthy magic on your system, according to WebSense (video below).

LizaMoon example video and explanation

Simply visiting a site with injected code only redirects your browser to another site, and the social engineering takes over from there.

The simple solution: Don’t install unknown files! The more complex solution: Know what antivirus programs already exist on your system, and know what they look like when they scan for and find files. If something says you have malware on your system, and this something looks nothing like applications you already have on your system, be suspicious!

In this case, a successful Lizamoon redirect takes you to a dummy page that looks as if a large antivirus/anti-malware scan is taking place on your computer. Go figure, the scan finishes quite quickly, and the user is alerted that his or her machine might be compromised by various Trojan horse attacks and other cleverly titled malware. If the user is still playing ball, he or she can click on the simulated option to “remove” these malware apps, which then pulls up a simple download window for a “malware-removing” executable.

Still with us? Here’s the deal: If you push some common sense into the mix, you’ll notice that this entire process seems a bit fishy to begin with. Step one: A virus scan for Windows Explorer appears in your browser window. Step two: It finishes in lightning speed. Step three: You have to download a file–apparently via Windows Explorer, but using your browser’s standard download file prompt–to finish the deal.

In short, Lizamoon can’t do a thing to your system unless you let it. So if you see any sort of popup like the ones I am showing here, do not click on anything! Just turn off your computer and reboot. If you’re already running ESET NOD32 and/or OpenDNS then you shouldn’t be able to visit any site that is compromised.

The SQL injection attack on the initial site you were visiting, which itself prompts the redirect to the bogus scanning site, only works on this first web site. Lizamoon doesn’t hang out in your browser, or continually redirect you to fake sites, or install itself on your computer in a manner that doesn’t first require you to perform the action yourself.

So what has Lizamoon taught consumers? Don’t let your browser con you into thinking that some kind of action is magically happening on your system, don’t trust this magical action if it takes less than 30 seconds to do or looks otherwise unknown to you, and run an up-to-date virus-scanner in the background of your system. Ta-da: Lizamoon defeated.

When you get hit by the infected website and are redirected, two things happen: you get hit with a popup box, and you lose control of both your browser and the Ctrl+Alt+Del functions. As with all browser windows you have the option to hit the red X to close everything down, but not with this baby: touch anything on it and you spark up what is now a computer hijacker’s website. For those few moments the only solution is a log off or reboot. Blocking the hijacker with your firewall is a waste of time. The infection is designed to refer you to several thousand backup addresses that refer you on to thousands of ever-changing country-specific domains like .ms or .uk. The worst part is that the address in the browser address bar is not the address of the web page you are looking at; the web page isn’t in .uk or .us but in Russia. The penultimate hop to the hijacker is a secure firewall server in the USA. The only way of shutting these hijackers out of your computer is by blocking the CIDR range 212.124.96.0/19 with your firewall.

I don’t know which bothers me more: the problem, or people trying to turn a profit from it. If you run Windows, simply hit the power button; after shut down, restart in safe mode and run System Restore. The malware is gone.

Those who want a secure operating system are better off just leaving Microsoft altogether, not to mention cost savings and other commonly-stated advantages as you do NOT have to purchase additional software to make Windows function safely. Windows does not seem to impress people all that much.

Linux is becoming dominant not just in phones but on desktops too. One adoption curve drives the other and people who own an Apple or Google phone sooner or later rethink their desktop operating system (a personal observation).
