DevilRobber trojan horse for Mac OS X discovered, controls GPU, steals user data

Posted by:
Date: Tuesday, November 1st, 2011, 04:42
Category: News, security, Software

While there may not be that many viruses out there for the Mac, there are still Trojan horse apps to make life a little bit harder.

Here’s another.

Per AppleInsider, a new Trojan horse hidden in a Mac OS X application can steal sensitive user data and take control of the computer’s GPU to generate Bitcoins, a form of currency used online.

In a report released on Saturday, security firm Sophos reported that DevilRobber, a Trojan horse that can steal sensitive user data, was found hidden inside copies of Graphic Converter 7.4 downloaded from BitTorrent file-sharing sites.

DevilRobber, also known as “OSX/Miner-D,” can steal usernames and passwords and is capable of spying on users by taking screenshots of their activity and sending the images online. In addition, the Trojan is able to run scripts that can copy information “regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history” to a dump.txt file.

The malware has also been found to search for “pthc” files, a term that is used to describe pre-teen hardcore pornography. It is not known at this time whether one of the secondary features of DevilRobber is to find traces of child abuse on affected computers.

Another unusual feature for the new Trojan is its capability of taking over a Mac’s GPU in order to generate Bitcoins, a digital currency that can be used to perform online instant payments without the oversight of a banking authority.

Users generate Bitcoins on personal computers after installing Bitcoin Miner, an application that’s compatible with Mac, Windows and Linux systems. Once obtained, Bitcoins are stored in the user’s digital wallet and can be used for future online payments. Bitcoins can also be exchanged for actual currency with the current exchange rate reportedly valuing one Bitcoin at US$3.20.

In addition to harnessing the power of the GPU to generate more Bitcoins, DevilRobber can also steal the user’s existing Bitcoin wallet if it finds the appropriate files.

Sophos suggests users be aware of signs that point to a malware attack. For example, a malware attack can result in the slowdown of overall computing performance, with affected users reporting sluggishness as the Trojan steals GPU resources for mining purposes.

In order to avoid unwanted DevilRobber installations, Mac users are advised to refrain from downloading software via untrusted sources, even if they appear to be legitimate. It is not known at this time whether other Mac applications available on torrent sites come bundled with the new Trojan horse.

Apple has yet to acknowledge the new threat, though common anti-virus programs are able to detect DevilRobber.

The new malware is the most recent in a wave of programs targeting an increasing number of Mac owners. Apple recently cleared a threat from a non-functional Chinese Trojan horse that disguised itself as a PDF download.

Recently various instances of a different, more advanced malware program emerged. “Flashback” posed as an Adobe Flash installer, with a later upgraded version programmed to disable the default OS X anti-malware protection thus leaving systems vulnerable to subsequent attacks.

Stay tuned for additional details as they become available.

F-Secure identifies new Mac trojan masquerading as Flash Player update

Posted by:
Date: Thursday, October 20th, 2011, 02:28
Category: News, security, Software

Sometimes you get the feeling that the security war never really ends.

Per Macworld, F-Secure has reported on a new, scarier-than-usual Mac Trojan horse masquerading as a Flash installer. The downside is that if you do fall victim to the Trojan, it disables your Mac’s automatic malware definition updates.

F-Secure, which has a report on the issue, has dubbed the new pest Trojan-Downloader:OSX/Flashback.C; Macworld reported on a previous version of the malware back in September. A Trojan horse works by fooling you into running it; in this case, Flashback disguises itself as an installer package for Flash Player.

The earlier incarnation of the Flashback Trojan horse sent information about your Mac back to a remote server, which was bad enough, but this new version disables the security definition updating mechanism Apple first introduced in Snow Leopard back in May; the same malware protection is included in Lion, too. If you install the rogue software, it prompts you for your administrator password. Enter that, and Flashback.C wipes out files necessary for the malware definition updating process to run properly.

By disabling the malware definitions update, Flashback.C attempts to ensure that your Mac won’t know about any update Apple releases to remove the malicious software. Notably, the Trojan horse bails and deletes itself if you have the Little Snitch app installed.
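Since the article says Flashback.C deletes the files the malware definition updater needs, a defender's first question is whether those components are still in place. The script below is an added example, not F-Secure's or Apple's code; the four file paths are my assumption about where Snow Leopard and Lion kept the XProtect definitions and the launchd updater job, so adjust them if your system differs. It checks a root directory (so it can be pointed at a mounted disk image as well as at `/`), and the `demo()` function builds a constructed healthy layout in a temporary directory and then removes the updater to show what a tampered system reports.

```python
"""Integrity check for the XProtect definition-update components that the
article says Flashback.C wipes out. Added example; the paths are assumed."""
import os
import plistlib
import tempfile

# Assumed locations (relative to the system root) of the XProtect definition
# files, the launchd job that refreshes them, and the updater binary.
XPROTECT_FILES = [
    "System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist",
    "System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist",
    "System/Library/LaunchDaemons/com.apple.xprotectupdater.plist",
    "usr/libexec/XProtectUpdater",
]
LAUNCHD_JOB = "System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"


def check_xprotect(root="/"):
    """Report which components are missing under `root` and whether the
    launchd job, if present, has been switched off with a Disabled key."""
    missing = [p for p in XPROTECT_FILES
               if not os.path.exists(os.path.join(root, p))]
    job_disabled = False
    job_path = os.path.join(root, LAUNCHD_JOB)
    if os.path.exists(job_path):
        with open(job_path, "rb") as fh:
            job = plistlib.load(fh)
        job_disabled = bool(job.get("Disabled", False))
    return {"missing": missing, "job_disabled": job_disabled,
            "healthy": not missing and not job_disabled}


def build_fixture(root):
    """Create a constructed, healthy XProtect layout under `root`."""
    for rel in XPROTECT_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            if rel == LAUNCHD_JOB:
                plistlib.dump({"Label": "com.apple.xprotectupdater",
                               "Disabled": False}, fh)
            else:
                fh.write(b"placeholder contents")


def demo():
    """Healthy tree first, then the same tree with the updater binary and its
    launchd job removed, mimicking the deletion the article describes."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        before = check_xprotect(root)
        os.remove(os.path.join(root, "usr/libexec/XProtectUpdater"))
        os.remove(os.path.join(root, LAUNCHD_JOB))
        after = check_xprotect(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("constructed healthy tree:", before)
    print("after removing updater  :", after)
    print("this machine            :", check_xprotect("/"))
```

On a Mac of that era the interesting call is `check_xprotect("/")`; an empty `missing` list and `job_disabled` False is what a clean system should show.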

F-Secure offers removal instructions if you fear you’ve been infected; the fix involves deleting entries from your browsers’ .plist files. Check out F-Secure’s page if you’re concerned, but you only need to worry if you recently installed Flash Player from a download that you didn’t get from Adobe’s website.

If you’ve seen this trojan on your end or have any feedback on it, please let us know in the comments section.

Apple releases Security Update 2011-006 for Mac OS X 10.6, 10.7 operating systems

Posted by:
Date: Thursday, October 13th, 2011, 06:10
Category: News, security, Software


On Thursday, Apple also released Security Update 2011-006 for the Mac OS X 10.6 and 10.7 operating systems. The update, a 136 megabyte download, offers a series of fixes and changes detailed here.

Security Update 2011-006 requires Mac OS X 10.6.8 or later on the Mac OS X 10.6 end or Mac OS X 10.7.1 or later on the Mac OS X 10.7 end to install and run.

If you’ve tried the security update and have any feedback to offer, please let us know in the comments.

Apple releases Security Update 2011-005

Posted by:
Date: Friday, September 9th, 2011, 14:20
Category: News, security, Software


On Friday, Apple also released Security Update 2011-005 for the Mac OS X 10.6 and 10.7 operating systems. The update, a 15.6 megabyte download, offers the following fixes and changes:

- Certificate Trust Policy:

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.
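The last clause of that description matters: pulling DigiNotar out of the root list alone would not stop a DigiNotar CA certificate that was itself issued by a different, still-trusted authority. The model below is an added example and is not Apple's trust evaluation code; certificates are reduced to subject and issuer names, no signatures are checked, and every name other than "DigiNotar" is constructed. It walks a leaf-first chain and shows the same fraudulent leaf under three policies: DigiNotar trusted, DigiNotar removed from the roots only, and DigiNotar explicitly distrusted.

```python
"""Toy model of the trust-policy change in Security Update 2011-005.
Added example, not Apple's code: names stand in for certificates."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for a self-signed root


def evaluate_chain(chain, trusted_roots, distrusted):
    """Validate a leaf-first chain of Cert objects. Returns (accepted, reason)."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        # Distrust overrides any anchor: a distrusted name anywhere in the
        # chain, as subject or as issuer, rejects the whole chain.
        if cert.subject in distrusted or cert.issuer in distrusted:
            return False, f"distrusted authority in chain: {cert.subject} <- {cert.issuer}"
        # Each certificate must be issued by the next one up the chain.
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False, f"issuer mismatch at {cert.subject}"
    anchor = chain[-1]
    if anchor.issuer != anchor.subject or anchor.subject not in trusted_roots:
        return False, f"anchor not trusted: {anchor.subject}"
    return True, "ok"


# Constructed certificates; only the DigiNotar name comes from the advisory.
EXAMPLE_ROOT = Cert("Example Root CA", "Example Root CA")
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
DIGINOTAR_CROSS = Cert("DigiNotar Root CA", "Example Root CA")  # cross-signed copy
LEGIT_LEAF = Cert("mail.example.net", "Example Root CA")
FRAUD_LEAF = Cert("login.example.org", "DigiNotar Root CA")


def scenarios():
    """Return {scenario: accepted} for the policy before and after the update."""
    before_roots = {"Example Root CA", "DigiNotar Root CA"}
    after_roots = {"Example Root CA"}
    distrust = {"DigiNotar Root CA"}
    fraud_direct = [FRAUD_LEAF, DIGINOTAR_ROOT]
    fraud_cross = [FRAUD_LEAF, DIGINOTAR_CROSS, EXAMPLE_ROOT]
    return {
        "legit_after": evaluate_chain([LEGIT_LEAF, EXAMPLE_ROOT], after_roots, distrust)[0],
        "fraud_before": evaluate_chain(fraud_direct, before_roots, set())[0],
        "fraud_root_removed": evaluate_chain(fraud_direct, after_roots, set())[0],
        # Root removal alone still accepts the cross-signed path...
        "fraud_cross_signed_no_distrust": evaluate_chain(fraud_cross, after_roots, set())[0],
        # ...which is the gap the explicit distrust setting closes.
        "fraud_cross_signed_distrusted": evaluate_chain(fraud_cross, after_roots, distrust)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:32s} {'accepted' if accepted else 'rejected'}")
```

The cross-signed scenario is the one to keep in mind when auditing a trust store: removing a root certificate is not the same as distrusting the name it carries.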

Security Update 2011-005 requires Mac OS X 10.6.8 or later on the Mac OS X 10.6 end or Mac OS X 10.7.1 or later on the Mac OS X 10.7 end to install and run.

Apple posts two security-related job openings, looks to be closing holes where present

Posted by:
Date: Tuesday, September 6th, 2011, 04:53
Category: iPhone, News, security


If you keep losing an incredibly valuable intellectual property, it might be time to give your security a once-over.

Per PCmag.com, Apple posted two job openings on Thursday for managers of “New Product Security.” While it might be a coincidence that the positions opened up when they did, the job descriptions certainly sound like a response to Apple’s troubles of late for losing test gadgets:

“The candidate will be responsible for overseeing the protection of, and managing risks to, Apple’s unreleased products and related intellectual property,” said the post.

Apple representatives did not immediately respond to a request for comment.

Recently, an iPhone was taken into a San Francisco tequila bar in July by an unidentified Apple employee who somehow lost control of the device. The circumstances were strangely similar to an incident in April 2010, when another Apple employee lost an iPhone 4 prototype in a Bay Area beer garden.

San Francisco Police confirmed last Friday that they assisted an Apple security team to search a home in the city’s Bernal Heights neighborhood where Apple had electronically tracked the phone. The device wasn’t found there.

While it was easy to draw parallels between those two events, there were other signs that Apple’s problems went beyond iPhones. Apple is also apparently working to retrieve a prototype laptop that is in the possession of Carl Frega, a North Carolina resident who said he acquired the unreleased device via a Craigslist ad. He bought the machine thinking it was only good for spare parts.

On the same day that Apple posted the job openings, an Apple store customer in Stamford, Conn., was given internal company media and documents by accident after taking his computer in for service. The customer said that, along with the computer that was being repaired, he was handed a spare hard drive containing a backup of the store’s internal file server.

This is significant because this is Apple, a company that has forged quite a reputation over the years for effectively keeping its secrets and sticking close to its message.

Stay tuned for additional details as they become available.

Apple gives internship to 19-year-old jailbreak prodigy

Posted by:
Date: Friday, August 26th, 2011, 04:46
Category: iPhone, News, security

If you’re a good enough hacker and sort of threaten Apple’s warranties to a certain degree, the company might just give you an internship.

According to his Twitter feed, 19-year-old Nicholas Allegra announced that he will start an internship with Apple “the week after next.” Allegra gained notoriety last year when, as a member of the iPhone Dev Team, he released a web-based JailbreakMe exploit for the iPhone 4.

Jailbreaking refers to the process of hacking iOS to allow users to install custom software and tweaks without Apple’s permission. Performing a jailbreak can, however, void Apple’s warranty for the device.

Allegra made waves again last month when he released an updated version of JailbreakMe for iOS 4.3.3.

According to a profile on him by Forbes earlier this month, Allegra has been on leave from Brown University since last winter while looking for an internship.

The hacker expressed that he’s not sure why he has such a knack for circumventing Apple’s security measures. “It feels like editing an English paper,” Allegra said. “You just go through and look for errors. I don’t know why I seem to be so effective at it.”

Charlie Miller, a former National Security Agency analyst and one of the first people to hack the original iPhone in 2007, was impressed by Allegra’s hack. “I didn’t think anyone would be able to do what he’s done for years,” he said. “Now it’s been done by some kid we had never even heard of. He’s totally blown me away.”

Security researcher Dino Dai Zovi has compared Allegra’s hacking skills to those of government-sponsored “advanced-persistent threat” hackers. “He’s probably five years ahead of them,” he remarked.

Allegra taught himself to program when he was just 9 years old. “By the time I took a computer science class in high school, I already knew everything,” he said. As a self-professed Apple “fanboy,” he confessed that he hacks the iPhone because he likes the challenge.

“I didn’t come out of the same background as the rest of the security community,” he added. “So to them I seem to have come out of nowhere.”

Last year, the U.S. government approved an exemption that made it legal for iPhone owners to jailbreak and carrier unlock their devices.

Apple’s relationship with the jailbreak community has been likened to a game of cat and mouse. The iPhone Dev Team published a post, entitled “The coolest cat,” to their blog on Wednesday with an image of the iconic Tom and Jerry cat and mouse cartoon characters and the note “We loved the chase! Good luck, Steve.” The well-wishes were addressed to Apple co-founder Steve Jobs, who announced on Wednesday his resignation as CEO of the company.

Stay tuned for additional details as they become available.

New Mac OS X trojan horse goes live, acts as Adobe Flash Player updater application

Posted by:
Date: Monday, August 8th, 2011, 08:46
Category: News, security, Software

The bad news: There’ll always be people designing viruses, trojans and malware for computers.

The good news: It’s quite a bit rarer on the Mac OS X side of things.

Even so, the latest attempt from digital wrongdoers to infect your Mac has been spotted taking on the look and feel of Adobe’s Flash Installer.

According to CNET, the trojan, which is considered fairly serious because it mimics the Adobe Flash Player updater, has been named Trojan Bash/QHost.WB by F-Secure, which provided some insight as to how it works.

Once installed, the Trojan adds entries to the hosts file to redirect users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in the Netherlands. The server at that IP address displays a fake Web page designed to appear similar to the legitimate Google site.

The Trojan is currently dormant, meaning that while it will take you to the fake Google site, nothing further will happen. It is, however, programmed to serve pop-up ads once the user has reached the false IP.
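Because the whole effect of this trojan lives in a single text file, it is also easy to audit for. The script below is an added example, not F-Secure's or CNET's code: it parses hosts-file syntax, skips loopback, link-local and broadcast entries, and reports any hostname carrying a watched brand label that has been pointed at a remote address, plus any single remote address that collects several hostnames, since one sinkhole serving many sites is itself a hijack signature. The sample file and the watch list are constructed for the example; 91.224.160.26 is the address named in the article.

```python
"""Audit a hosts file for the kind of tampering the article describes.
Added example; the sample data and watch list are constructed."""
import ipaddress
import sys

SAMPLE_HOSTS = """\
##
# Host Database (constructed sample)
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
fe80::1%lo0     localhost
10.0.0.5        build-server
91.224.160.26   google.com.tw
91.224.160.26   www.google.com.tw   # added by the trojan
91.224.160.26   google.com.tl
"""

# Constructed watch list: brand labels that a hosts file should never override.
WATCHED_LABELS = frozenset({"google", "apple", "paypal"})
BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no


def is_local(ip):
    """True for loopback, link-local, unspecified and broadcast addresses."""
    try:
        addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return False
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified or addr == BROADCAST


def audit_hosts(text, watched=WATCHED_LABELS):
    """Return findings for watched hostnames mapped to non-local addresses."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_local(ip):
            continue
        if watched & set(name.split(".")):
            findings.append({"line": line_no, "ip": ip, "host": name})
    return findings


def pileups(text, threshold=3):
    """Non-local addresses that collect `threshold` or more hostnames."""
    counts = {}
    for ip, _name, _line_no in parse_hosts(text):
        if not is_local(ip):
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # With a path argument the real file is audited; otherwise the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
    for ip, n in pileups(text).items():
        print(f"{ip} collects {n} hostnames")
```

Run it as `python3 audit_hosts.py /etc/hosts` on the machine in question; the `build-server` line in the sample shows that ordinary private-network entries are left alone.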

The current solution is to only install Adobe updates from Adobe’s official Web site. As with any Trojan designed for Mac, the malware only works if the user allows it. Most of the threats currently in the wild can be avoided by simply sticking to paid versions of software obtained directly from trusted creators of the product.

Stay tuned for additional details as they become available.

Apple releases iOS 4.3.5 update

Posted by:
Date: Tuesday, July 26th, 2011, 03:38
Category: iOS, iPad, iPhone, iPod Touch, News, security, Software

On Friday, Apple released iOS 4.3.5, the latest incarnation of its iOS operating system for its iPhone, iPod touch and iPad devices. The updates fix a security vulnerability with certificate validation and arrive in two versions, thanks to the different flavors of the iPhone 4. iOS 4.3.5 applies to the iPad and iPad 2, the third- and fourth-generation iPod touch, the iPhone 3GS, and the iPhone 4 (GSM model); users of the CDMA model of the iPhone 4 instead get iOS 4.2.10.

These updates can be snagged by plugging in your respective iOS device and checking for updates in iTunes.

If you’ve tried the updates and noticed any differences, please let us know in the comments.

Security researcher to illustrate MacBook batteries’ vulnerabilities to malware

Posted by:
Date: Monday, July 25th, 2011, 04:19
Category: battery, News, security

In the category of “weird but interesting and mildly disturbing”, a prominent security researcher has discovered a vulnerability in the batteries of Apple’s MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.

Per Forbes, Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans to reveal and offer a fix next month for a MacBook battery vulnerability he has discovered. Miller uncovered default passwords, which are used to access the microcontroller in Apple’s batteries, within a firmware update from 2009 and used them to gain access to the firmware.

Apple and other laptop makers use embedded chips in their lithium-ion laptop batteries to monitor the battery’s power level, stop and start charging, and regulate heat.

During the course of his tests, the researcher “bricked” seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that hackers could use the vulnerability to install difficult-to-remove malware or, in a worst-case scenario, cause the batteries to explode.

“These batteries just aren’t designed with the idea that people will mess with them,” he said. “What I’m showing is that it’s possible to use them to do something really bad.” According to him, few IT administrators would think to check the battery, providing hackers with an opportunity to hide malicious software on a battery that could repeatedly implant itself on a computer.

Miller admitted that he hasn’t tried to blow up any batteries, but he did say it might be possible. “You read stories about batteries in electronic devices that blow up without any interference,” he noted. “If you have all this control, you can probably do it.”

Another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple years ago, but said he didn’t get as far as Miller did.

Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls “Caulkgun,” at the Black Hat security conference next month.

“Caulkgun” will change a battery’s default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.

Stay tuned for additional details as they become available.

Apple working on fixes for posted iOS security holes

Posted by:
Date: Thursday, July 7th, 2011, 10:25
Category: iOS, iPad, iPhone, iPod Touch, security


This probably won’t make you feel safer about the security on your iOS device…

Per Macworld,

Apple said on Thursday that it is developing a fix for vulnerabilities that affect its iPhone, iPad and some iPod touch models, a problem that the German government warned could be used to steal confidential data.

The vulnerabilities became publicized with a new release on Wednesday of JailbreakMe 3.0, a framework that allows unauthorized applications to be installed in devices such as the iPhone.

Apple prohibits the installation of applications that have not been approved for distribution in its App Store. But hackers have used vulnerabilities in the iOS operating system that allow the phones to be “jailbroken,” allowing applications not vetted by Apple to be used that are obtained through alternative application markets such as Cydia.

Germany’s Federal Office for Information Security, known as BSI, issued an alert on Wednesday about the vulnerabilities, which it said could be exploited if a user opened a specially crafted PDF document. The issue involves how iOS parses fonts within the mobile version of the Safari browser.

There is also a second vulnerability that circumvents ASLR (Address Space Layout Randomization), a security feature which mixes up how programs are loaded into memory and makes it more difficult for an attacker.

BSI noted that it would be possible for an attacker using the flaws to steal passwords, banking data and e-mails as well as have access to built-in cameras, intercept telephone calls and obtain the GPS coordinates of a user.

Apple rarely comments on security issues. But on Thursday, Alan Hely, senior director for corporate communications in London, said in a statement that “Apple takes security very seriously, we’re aware of this reported issue and developing a fix that will be available to customers in an upcoming software update.”

The BSI wrote that the devices affected are the iPhone 3G and devices running iOS versions up to 4.3.3. Also affected are both iPad models and iPod Touch models running iOS versions up to 4.3.3.

One of the hackers behind JailbreakMe, Comex, published a fix for the vulnerability called PDF Patcher 2, which is now in the Cydia app store. It will only work if people install JailbreakMe, which Apple discourages.

“Until Apple releases an update, jailbreaking will ironically be the best way to remain secure,” according to a note on the JailbreakMe website.

Stay tuned for additional details as they become available.