Flashback trojan changes tactics, can now install on your Mac without a password

Date: Monday, April 2nd, 2012, 15:43
Category: News, security, Software

Well, you’ve gotta admit, they’re persistent.

Per Macworld and F-Secure, the Flashback Mac trojan uncovered by security firm Intego last year can now infect your computer from little more than a visit to a website.

Originally, Flashback masqueraded as an installer for Adobe’s Flash Player. Since then, the malware has changed tack at least once, instead pretending to be a Mac software update or a Java updater.

The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE6. That vulnerability, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password.

No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has long been criticized for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.

Until then, F-Secure suggests users deactivate Java on their Macs. The company has also given instructions for checking if your system is currently infected by the Flashback Trojan.

It’s also worth noting that the Java vulnerability has recently been included in the popular BlackHole exploit kit used by many attackers.

While there’s no need for widespread panic, the fact that this latest version of the malware can install itself without the user’s password is enough of a reason for concern that some precautions are necessary. Disabling Java is a good step, but the first line of defense is, as always, to be cognizant of the websites you visit and use common sense.

Stay tuned for additional details as they become available.

Swedish security firm’s video demonstrates simplicity of bypassing iOS, Android passcodes, reaping data from stolen devices

Date: Wednesday, March 28th, 2012, 07:15
Category: iPad, iPhone, iPod, security

The goal isn’t to make you paranoid (which, according to the movie “End of Days”, is just reality on a finer scale), but to help show you what’s out there.

Per Forbes, Swedish security firm Micro Systemation has posted the following video showing how quickly both iOS and Android-based devices can be cracked: the firm’s XRY 6.2 software suite cracks the device’s passcode, dumps its data to a Windows PC, decrypts it and displays tender morsels of information such as the user’s GPS location, files, call logs, contacts, messages, even a log of its keystrokes. The report said the firm uses the same kind of exploits that jailbreakers use to gain access to the phone. Once inside, they have access to just about everything.

Take a gander at the video and try to be careful out there:

As always, please let us know what’s on your mind via the comments.

Security firm finds hole in iOS 5.1 that could lead to URL spoofing

Date: Friday, March 23rd, 2012, 06:45
Category: iPad, iPhone, iPod, News, security


Well, this is the reason they write updates.

Per AppleInsider, a newly discovered mobile Safari web browser vulnerability allows a malicious website to display a URL that is different from the website’s actual address, and can trick users into handing over sensitive personal information.

The issue, first discovered by security firm Major Security, is an error in how Apple’s mobile Safari app in iOS 5.1 handles URLs when using JavaScript’s window.open() method, which malicious sites can exploit to display custom URLs.

“This can be exploited to potentially trick users into supplying sensitive information to a malicious web site,” Major Security explains, “because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.”

The exploit was tested on an iPhone 4, iPhone 4S, iPad 2 and third-generation iPad running iOS 5.1, and it seems that any iDevice running Apple’s latest mobile OS is affected by the vulnerability. Users can test the vulnerability themselves by visiting this web site from a mobile device. After a user clicks the “demo” button on the test page, Safari will open a new window which shows “http://www.apple.com” in the address bar, but that URL is in fact being displayed through an iframe being hosted by Major Security’s servers.

With a spoofed URL and some convincing images on a malicious site, users can easily be tricked into thinking they are visiting a legitimate website such as Apple’s online store.

The vulnerability was originally found in iOS 5.0 and reproduced on iOS 5.1 earlier in March. Apple was made aware of the issue on March 1 and posted an advisory regarding the matter on March 20. A patch has yet to be pushed out, though the iPhone maker is expected to do so in the near future.

Stay tuned for additional details as they become available.

New Flashback malware variant strain discovered, infection tactic changes approach

Date: Thursday, March 8th, 2012, 10:34
Category: News, security

When in doubt, try something new.

Per Macworld, a new variant of the password-stealing Flashback malware aimed at Macs has emerged; according to new research, the new software attempts to install itself after a user visits an infected website.

Flashback, discovered by security vendor Intego last September, is engineered to steal passwords for websites, including financial sites. Since its emergence, several variants have appeared showing its authors’ innovation.

The first version of Flashback tried to trick users into installing it by masquerading as Adobe’s Flash Player. Later versions checked to see if the Apple computer in question had an unpatched version of Java with two software vulnerabilities.

If the computer was running unpatched Java, Flashback automatically installed itself. If the Java attack didn’t work, Flashback then presented itself as an Apple update with a self-signed security certificate.

The latest “Flashback.N” version spotted by Intego tries to infect the computer after a person has visited an infected Web page. The tactic is often referred to as a drive-by download. Much of the drive-by download malware for Windows can infect a computer without any action by the user merely by visiting the tampered website.

Users get a bit more warning with Flashback.N. Upon hitting the infected website, Flashback.N shows a “Software Update” dialog box similar to the legitimate Apple one and asks for a user’s password.

On its blog, Intego described the installation procedure as “somewhat odd,” as the website that has been rigged to deliver the malware displays Apple’s multicolored spinning gear for a while before the dialog box appears. Flashback then injects itself into the Safari browser and starts sniffing data traffic for passwords.

Earlier this week, Intego found that Flashback was using Twitter as a command-and-control mechanism. Other botnets have also used Twitter to post commands or directions to new commands.

The Flashback malware queries Twitter for a 12-character hashtag composed of seemingly random characters, according to an Intego blog post. The strings are actually generated using 128-bit RC4 encryption and are composed of four characters for the day, four for the month and four for the year.

As always, look before you leap in terms of the sites you visit, keep your Mac OS X operating system updated and whoever would like to contribute to a piranha-filled pool to hurl the Flashback malware creators into upon their discovery, we welcome your contributions.

Intego announces discovery of “Flashback.G” trojan variant, advises caution

Date: Thursday, February 23rd, 2012, 12:21
Category: News, security, Software

On Thursday, security firm Intego announced that it has discovered more strains of the Flashback Trojan horse. The company says that “many Mac users have been infected by this malware,” especially the latest variant, Flashback.G.

Per Macworld, Intego describes three unique methods that the Trojan horse uses to infect Macs: it attempts to exploit a pair of Java vulnerabilities in sequence, which the company says allows infection with no further user intervention. Failing those two approaches, it resorts to social engineering. In that last case, the applet presents a self-signed digital certificate, falsely claiming that the certificate is “signed by Apple Inc”; if you click Continue, the malware installs itself.

To fall victim to the Flashback Trojan horse, you first need to run the software. By definition, Trojan horses disguise themselves as other kinds of software, tricking the user into, say, double-clicking an icon to launch a new download—thereby infecting themselves. Note, however, that if you’re still running Snow Leopard and your Java installation isn’t current, a maliciously coded webpage could cause the malware to install without further intervention on your part, depending on your browser’s security settings.

According to Intego, the latest Flashback.G variant can inject code into Web browsers and other applications that connect to the Internet, often causing them to crash. It attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other ways.

As part of its installation process, the malware puts an invisible file in the /Users/Shared/ folder; that file’s name is variable, but it uses a .so extension. Other files the malware creates include /Users/Shared/.svcdmp, ~/.MACOSX/environment.plist, and ~/Library/Logs/vmLog. It also places a Java applet in ~/Library/Caches.

Intego has stated that its VirusBarrier X6 software can detect Flashback if it’s installed, and even prevent it from installing in the first place.

If you suspect you’ve already been infected, you can check by launching Terminal (in /Applications/Utilities/), pasting in the command below and pressing Return:

ls /Users/Shared/.*.so

If the response you see in Terminal includes “No such file or directory,” you’re in the clear. If you instead see a list of one or more files with a .so extension and no “no such file” declaration, you may well have fallen victim to the malware.
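The one-line check above only looks for the hidden .so. As an added example (not Intego’s tool and not a command from the original post), the POSIX shell function below tests for every file indicator this post names, using the paths exactly as listed. The root and home-directory arguments are assumptions added here so the check can be pointed at a mounted volume or a scratch directory instead of the live system. One caveat a practitioner would want: ~/.MACOSX/environment.plist is also where Mac OS X users legitimately set per-user environment variables, so that file on its own is weak evidence; the hidden .so and .svcdmp are the stronger signals.

```shell
#!/bin/sh
# Added example, not Intego's tool or the original post's command: report
# the Flashback file indicators the post lists. The ROOT and HOME_DIR
# parameters are assumptions added here so the check can run against a
# mounted volume or a scratch directory instead of the live system.

# flashback_indicators [ROOT] [HOME_DIR]
#   ROOT     filesystem root to inspect (default "/")
#   HOME_DIR user home directory to inspect (default "$HOME")
# Prints "indicator: <path>" for each match.
# Exit status: 0 = nothing found, 1 = at least one indicator present.
flashback_indicators() {
    root="${1:-/}"; root="${root%/}"        # "/" becomes "" so paths stay clean
    home="${2:-$HOME}"; home="${home%/}"
    found=0

    # Variable-name hidden shared object in /Users/Shared (the post's ls check)
    for f in "$root"/Users/Shared/.*.so; do
        [ -f "$f" ] || continue             # unmatched glob stays literal; skip it
        printf 'indicator: %s\n' "$f"
        found=1
    done

    # Fixed-name files the post attributes to the installer.
    # Note: environment.plist is also a legitimate per-user config file,
    # so on its own it is only weak evidence.
    for f in "$root/Users/Shared/.svcdmp" \
             "$home/.MACOSX/environment.plist" \
             "$home/Library/Logs/vmLog"; do
        if [ -e "$f" ]; then
            printf 'indicator: %s\n' "$f"
            found=1
        fi
    done

    [ "$found" -eq 0 ]
}

# Run against the live system only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    flashback_indicators / "$HOME"
fi
```

Save it as a file and run it with `sh flashback_check.sh --live` to inspect the running Mac, or source it and call `flashback_indicators /Volumes/OtherMac /Volumes/OtherMac/Users/name` against a mounted drive. The Java applet the post says is dropped in ~/Library/Caches is not checked because the post gives no fixed name for it.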

If you do find that you’re infected, removing the files referenced above or installing antivirus software like Intego’s should remove any traces of Flashback.

If you’ve seen this trojan on your end or tried this fix, please let us know in the comments.

Adobe releases Shockwave Player 11.6.4r634, claims identification of nine critical security flaws

Date: Wednesday, February 15th, 2012, 09:03
Category: News, security, Software

It wasn’t the most exciting update in the universe yesterday, but if Adobe recommends you snag it and calls snagging it “critical”, then that’s a good indication of things.

Per MacNN, Adobe released Shockwave Player 11.6.4r634 on Tuesday, the new version following Adobe’s identification of nine “critical” vulnerabilities in Shockwave Player 11.6.3.633 and earlier versions for the Mac and Windows platforms that could allow attackers to run malicious code on the affected systems.

The company is advising all users to update to the latest version for their platform, but only the new v11.6.4.634 is protected from the vulnerabilities, which revolve around a memory corruption issue in Shockwave 3D assets.

Adobe’s Flash and Shockwave browser plug-ins suffered numerous security issues over the course of 2011, resulting in frequent patches and updates. The latest version of Shockwave addresses a heap overflow vulnerability as well, but all nine patched vulnerabilities give attackers the ability to execute code on affected machines.

Shockwave Player 11.6.4r634 is an 11.1 megabyte download and requires Mac OS X 10.4 or later to install and run.

If you’ve tried the new version and have any kind of feedback to offer, please let us know in the comments.

Twitter acquires security firm Dasient

Date: Tuesday, January 24th, 2012, 11:48
Category: News, security

It never hurts to be a bit more secure.

Per Macworld, Twitter has announced that it has acquired Internet security firm Dasient.

Dasient, which describes itself as a cloud-based Web antimalware technology company, introduced in 2010 a service to protect advertisement networks and publishers from malicious ads. The company announced the acquisition via its blog on Monday.

Before that, in 2009, the company launched its web antimalware platform, capable of scanning URLs (uniform resource locators) and websites for the presence of harmful content.

The acquisition fits with Twitter’s plans to expand revenue from advertising, including promoted Twitter messages and accounts.

By joining Twitter, Dasient will be able to apply its technology and team to the world’s largest real-time information network, Daswani said. The Dasient team is joining Twitter’s “revenue engineering” team, he said.

Twitter said in a message that “Dasient is joining the flock!”, and referred to Daswani’s blog post. Financial details were not disclosed. Twitter did not immediately respond to a request for information on how it plans to use Dasient’s technology and services.

As part of the merger, Dasient is winding down its business and is no longer able to accept new customers. The company, which was founded in 2008, was funded by Google Ventures among others.

Twitter acquired earlier this month Summify, a startup that summarizes content in people’s Google, Facebook and Twitter feeds and delivers a daily digest through email, on a website or to a user’s iPhone.

Stay tuned for additional details as they become available.

Intego warns of new, detailed phishing scam aimed at Apple’s user base

Date: Wednesday, December 28th, 2011, 05:02
Category: News, security


There are a few things you can count on: death, taxes and various groups of wanders trying to get personal information from you via scams and phishing efforts.

Per AppleInsider, security firms have issued warnings regarding a new “well-crafted” phishing scam that attempts to fool customers into providing their AppleID billing information.

Intego posted an alert on the scam earlier this week, noting that the first emails appeared to have gone out on or around Christmas day. The phishing email purports to come from “appleid@id.apple.com” and informs recipients that their billing information records are “out of date.”

Customers are directed to click on a link to http://store.apple.com, but they are instead redirected to a “realistic-looking sign-in page,” according to the security firm’s report.

Though phishing scams targeting Apple customers are by no means new, this particular scam has attracted attention because it is unusually detailed in its efforts to deceive. The email makes use of the Apple logo and shading and employs better formatting than similar frauds in the past.

As a precautionary measure, users should remember not to click directly on links from email messages and instead navigate to the website in question on their own.

In August, scammers set out to trick Apple’s MobileMe subscribers into upgrading to the then-forthcoming iCloud service. Around the Thanksgiving holiday, another scam cropped up falsely advertising an iTunes gift certificate that was actually malware meant to pilfer passwords and other personal information.

Mac users were also the target of an elaborate hoax involving fake anti-virus software, usually dubbed MacDefender, earlier this year. The application would automatically download itself onto users’ computers in an attempt to obtain their credit card information. Russian police later found evidence tying the scam to online payment service Chronopay.

Stay tuned for additional details as they become available.

Security researcher Charlie Miller outs iOS code signing flaw, security hole

Date: Tuesday, November 8th, 2011, 05:46
Category: iOS, News, security, Software

It’s hard to say whether it’s discouraging to see iOS caught out by assorted security failures or reassuring to see that security experts manage to notice them and bring them to the public’s attention.

According to Forbes, Mac hacker and researcher Charlie Miller has reportedly found a way to sneak malware into the App Store and subsequently onto any iOS device by exploiting a flaw in Apple’s restrictions on code signing, allowing the malware to steal user data and take control of certain iOS functions.

Miller explains that code signing restrictions allow only Apple’s approved commands to run in an iOS device’s memory, and submitted apps that violate these rules are not allowed on the App Store. However, he has found a method to bypass Apple’s security by exploiting a bug in iOS code signing that allows an app to download new unapproved commands from a remote computer.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller said. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

The flaw was introduced when Apple released iOS 4.3, which increased browser speed by allowing JavaScript code from the Internet to run at a much deeper level in a device’s memory than in previous iterations of the OS. Miller realized that in exchange for speed, Apple created a new exception for the web browser to run unapproved code. The researcher soon found a bug that allowed him to extend the flawed behavior beyond the browser, integrating it into apps downloaded from the App Store.

Miller created a proof-of-concept app called “Instastock” to showcase the vulnerability, which was submitted to and approved by Apple to be distributed via the App Store. The simple program appears to be an innocuous stock ticker, but it can leverage the code signing bug to communicate with Miller’s server to pull unauthorized commands onto the affected device. From there the program has the ability to send back user data including address book contacts, photos and other files, as well as initiate certain iOS functions like vibrating alerts.

The app has since been pulled and, according to his Twitter account, Miller has reportedly been banned from the App Store and kicked out of the iOS Developer Program.

Miller, a former NSA analyst who now works for computer security firm Accuvant, is a prominent Apple researcher who previously exposed the MacBook battery vulnerability and a security hole in the mobile version of Safari.

The researcher has declined to publicly reveal the exploit, reportedly giving Apple time to come up with a fix, though he will announce the specifics at the SyScan conference in Taiwan next week.

Stay tuned for additional details as they become available.

Hackers unlock hidden panorama camera mode in iOS 5, post instructions on accessing it

Date: Tuesday, November 8th, 2011, 05:19
Category: iPhone, News, security

It’s the hidden features that tend to make a gadget that much cooler.

Per iDownloadBlog, a group of hackers has discovered a hidden panorama mode embedded within Apple’s Camera application on iOS 5, though the feature does not appear to be complete.

iOS hacker Conrad Kramer, who goes by the alias Conradev, revealed via a tweet on Monday that he had discovered a way to enable the hidden Panorama mode within Apple’s own app, as noted by iDownloadBlog. The feature, which appears to be in ongoing development by Apple, offers settings for a grid and HDR when creating a panorama photo.

According to Kramer, the mode is activated by setting the “EnableFirebreak” key to YES in a preference file within the mobile operating system.

Fellow jailbreak hacker Grant Paul, also known as Chpwn, posted screenshots and examples of the panorama mode. He also announced that a tweak enabling the feature has been submitted to the Cydia application storefront for jailbroken iPhones and should arrive sometime on Tuesday.

‘Jailbreaking’ is a process that opens up an iOS device to run unauthorized code and applications. Though the U.S. government has legalized the procedure, it does still void Apple’s warranty.

With the release of the iPhone 4S, iCloud and iOS 5 last month, jailbreak hackers have been kept busy. Paul recently publicized a tweak that brought limited Siri voice assistant functionality to the iPhone 4 and the fourth-generation iPod touch. Siri is currently only officially available on Apple’s new iPhone 4S.

In addition, a “hidden” Dropbox-like syncing feature was discovered last week in Mac OS X Lion that can be used to sync files across multiple Macs.

In August, notorious jailbreak hacker “Comex” revealed that he would be starting an internship with Apple. It is not immediately clear whether he is working specifically on iOS security, but some have speculated that the iPhone maker will put him to use on locking down its software.

If you’ve tried the panorama hack and have any feedback about it, please let us know in the comments.