Apple developing program to track, destroy Flashback malware

Date: Wednesday, April 11th, 2012, 07:38
Category: News, security, Software


I think this is where an awesome montage scene of productivity/progress begins in an 80s movie. Or at least the one where the cast vows to achieve a long-term goal.

Apple revealed on Tuesday that it is currently developing software to detect and remove the Flashback malware that has infected an estimated 600,000 Macs worldwide.

The company made mention of the upcoming tool in a support document regarding the malicious software, as noted by The Loop. The document also pointed users to last week’s Java update that patched the security flaw that the virus was exploiting.

“In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network,” the company said.

Apple also advises Macs running OS X 10.5 or earlier to disable Java in their browser preferences.

The Flashback trojan horse was first discovered last September. The malware posed as a phony Adobe Flash Player installer in order to trick users into installing it. At the time, a security firm first categorized the threat as “low.” The current version of Flashback uses the Java vulnerability to create a botnet that can mine personal information from unsuspecting users.

Evidence of Apple’s efforts to contact ISPs surfaced earlier on Tuesday when a Russian security firm revealed that the company had targeted one of its servers as being “involved in a malicious scheme.” Dr. Web chief executive Boris Sharov said the server was “not doing any harm to users” and was being used to monitor the spread of the virus.

Sharov noted that the relative rarity of Apple security issues meant that Dr. Web hadn’t established close ties with the company. “For Microsoft, we have all the security response team’s addresses,” he said. “We don’t know the antivirus group inside Apple.”

Last week, a Dr. Web analyst claimed that 600,000 Macs around the world had been infected by the Flashback malware. 56.6 percent of those infections are reportedly located in the U.S.

Stay tuned for additional details as they become available.

Security hole discovered in Facebook, Dropbox apps for iOS, physical connection needed to exploit it (updated)

Date: Friday, April 6th, 2012, 07:26
Category: security, Software

You’re probably not going to like this.

According to security researcher Gareth Wright and The Next Web, a fairly prominent security hole has been discovered in the popular Facebook and Dropbox iOS apps. The good news is that someone would have to have physical access to your iPhone, and you’d have to allow them to plug it into their Mac, then allow them to do a bunch of business on your phone to grab a plain text file from inside these apps, then they’d have to go and do something malicious on your Facebook or Dropbox accounts.

Although many have reported jailbreak is required to access this hole, that is simply not true. A Mac app like iExplorer, which allows you to open app folders on an iPhone, will allow you to access the security hole.

According to The Unofficial Apple Weblog, it works like this: iOS apps use .plist files (aka property list files), to store all sorts of little things about an app. In this case, Dropbox and Facebook are using an unencrypted property list to apparently store both the oauth key and its secret counterpart.

By using iExplorer to find the right plist, that file can be copied and dropped into another device, which would then be able to access your account as though you had already logged in. Using a property list in this way leaves us scratching our heads.

Facebook issued a comment saying they will patch this soon and a representative with Dropbox offered the following comment:

“Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”
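To make the problem above concrete, here is an added example (not Facebook’s, Dropbox’s or the article’s code) that audits a property list for credential-looking values stored in the clear. The sample plist is constructed to mimic what the post describes; its key names (oauth_token, oauth_token_secret, session_key) are assumptions, not the real apps’ keys. Because plistlib reads both XML and binary plists, the same audit runs over .plist files exported from an app container with a tool like iExplorer.

```python
"""Audit a property list for credential-looking keys stored in the clear.

Added example; this is not Facebook's, Dropbox's or the article's code. The
sample plist is constructed here to mimic the problem the post describes, and
the key names in it (oauth_token, oauth_token_secret, session_key) are
assumptions, not the real apps' keys.
"""
import plistlib
import re

# Key names that usually mean "this value is a credential".
CREDENTIAL_KEY_RE = re.compile(r"token|secret|password|passwd|credential|session", re.I)


def find_credential_keys(data, prefix=""):
    """Walk a parsed plist (nested dicts and lists) and return the dotted paths
    of string/bytes values whose key name looks like a credential."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if CREDENTIAL_KEY_RE.search(str(key)) and isinstance(value, (str, bytes)):
                hits.append(path)
            hits.extend(find_credential_keys(value, path))
    elif isinstance(data, list):
        for i, value in enumerate(data):
            hits.extend(find_credential_keys(value, f"{prefix}[{i}]"))
    return hits


def audit_plist(raw):
    """Parse plist bytes (XML or binary; plistlib detects which) and return the
    dotted paths of credential-looking keys."""
    return find_credential_keys(plistlib.loads(raw))


def audit_plist_file(path):
    """Convenience wrapper for a .plist on disk, e.g. one copied out of an app
    container."""
    with open(path, "rb") as fh:
        return audit_plist(fh.read())


# Constructed sample of what an unprotected preferences file could look like.
# The values are obvious placeholders, not real tokens.
SAMPLE_PLIST = plistlib.dumps({
    "user_id": "12345",
    "oauth_token": "PLACEHOLDER-TOKEN-0001",
    "oauth_token_secret": "PLACEHOLDER-SECRET-0002",
    "account": {"display_name": "sample", "session_key": "PLACEHOLDER-SESSION-0003"},
    "ui": {"theme": "light"},
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for path in audit_plist(SAMPLE_PLIST):
        print("credential stored in the clear:", path)
```

Every path the audit reports is a value that an attacker with the file can reuse exactly as the post describes; on iOS, the “protected location” Dropbox refers to for such values is the Keychain, so the audit output is effectively the list of values that need to move there.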

Stay tuned for additional details as they become available.

Researchers estimate 600,000 Macs infected by “Flashback” trojan, offer removal/online safety advice

Date: Thursday, April 5th, 2012, 08:21
Category: News, security

Even if you’re a Mac user, you have to be careful out there.

According to Russian antivirus company Dr. Web, a trojan horse virus named “Flashback” that surfaced last year is believed to have created a botnet including more than 600,000 infected Macs around the world, with more than half of them in the U.S. alone.

The outfit issued a report on Wednesday noting that 550,000 computers running OS X had been infected by BackDoor.Flashback variants of the virus, as highlighted by ArsTechnica.

An analyst for the company later updated the figure to note that the size of the botnet had reached 600,000. He also pointed out that 274 bots originate from Apple’s hometown of Cupertino, Calif.

According to a map released by the firm, 56.6 percent of infected computers are located in the United States. Canada was second with 19.8 percent, followed by the U.K. with 12.8 percent of cases.

Apple released a Java Security update on Tuesday to resolve the vulnerabilities that the virus is exploiting, but not before a number of Mac users had been hit with the malicious software. Oracle first issued a fix for the vulnerability in February.

Security firm Intego publicized the Flashback trojan last September. Some variants of the software were even discovered with the potential to disable anti-malware protections within OS X.

Researchers at F-Secure have provided instructions on how to detect and remove the malware.

So, be sure to snag the Java update via Mac OS X’s built-in Software Update feature, be careful out there and if they do catch whoever wrote this thing, I’ll happily serve marshmallow ‘smores and free drinks to the angry mob that corners them with torches and pitchforks.

Flashback trojan changes tactics, can now install on your Mac without a password

Date: Monday, April 2nd, 2012, 15:43
Category: News, security, Software

Well, you’ve gotta admit, they’re persistent.

Per Macworld and F-Secure, the Flashback Mac trojan uncovered by security firm Intego last year can now infect your computer from little more than a visit to a website.

Originally, Flashback masqueraded as an installer for Adobe’s Flash Player. Since then, the malware has changed tack at least once, instead pretending to be a Mac software update or a Java updater.

The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE6. That vulnerability, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password.

No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has long been criticized for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.

Until then, F-Secure suggests users deactivate Java on their Macs. The company has also given instructions for checking if your system is currently infected by the Flashback Trojan.

It’s also worth noting that the Java vulnerability has recently been included in the popular BlackHole exploit kit used by many attackers.

While there’s no need for widespread panic, the fact that this latest version of the malware can install itself without the user’s password is enough of a reason for concern that some precautions are necessary. Disabling Java is a good step, but the first line of defense is, as always, to be cognizant of the websites you visit and use common sense.

Stay tuned for additional details as they become available.

Swedish security firm’s video demonstrates simplicity of bypassing iOS, Android passcodes, reaping data from stolen devices

Date: Wednesday, March 28th, 2012, 07:15
Category: iPad, iPhone, iPod, security

The goal isn’t to make you paranoid (which, according to the movie “End of Days”, is just reality on a finer scale), but to help show you what’s out there.

Per Forbes, Swedish security firm Micro Systemation has posted the following video showing how quickly both iOS and Android-based devices can be cracked. The firm’s XRY 6.2 software suite cracks the device’s passcode, dumps its data to a Windows PC, decrypts it and displays tender morsels of information such as the user’s GPS location, files, call logs, contacts, messages, even a log of its keystrokes. The report said the firm uses the same kind of exploits that jailbreakers use to gain access to the phone. Once inside, they have access to just about everything.

Take a gander at the video and try to be careful out there:



As always, please let us know what’s on your mind via the comments.

Security firm finds hole in iOS 5.1 that could lead to URL spoofing

Date: Friday, March 23rd, 2012, 06:45
Category: iPad, iPhone, iPod, News, security


Well, this is the reason they write updates.

Per AppleInsider, a newly-discovered mobile Safari web browser vulnerability allows a malicious website to display a URL that is different than the website’s actual address, and can trick users into handing over sensitive personal information.

The issue, first discovered by security firm Major Security, is an error in how Apple’s mobile Safari app in iOS 5.1 handles URLs when using JavaScript’s window.open() method, which can be exploited by malicious sites to display custom URLs.

“This can be exploited to potentially trick users into supplying sensitive information to a malicious web site,” Major Security explains, “because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.”

The exploit was tested on an iPhone 4, iPhone 4S, iPad 2 and third-generation iPad running iOS 5.1, and it seems that any iDevice running Apple’s latest mobile OS is affected by the vulnerability. Users can test the vulnerability themselves by visiting this web site from a mobile device. After a user clicks the “demo” button on the test page, Safari will open a new window which shows “http://www.apple.com” in the address bar, but that URL is in fact being displayed through an iframe being hosted by Major Security’s servers.

By spoofing a URL and adding some convincing images to a malicious site, users can easily be tricked into thinking they are visiting a legitimate website such as Apple’s online store.

The vulnerability was originally found in iOS 5.0 and reproduced on iOS 5.1 earlier in March. Apple was made aware of the issue on March 1 and posted an advisory regarding the matter on March 20. A patch has yet to be pushed out, though the iPhone maker is expected to do so in the near future.

Stay tuned for additional details as they become available.

New Flashback malware variant strain discovered, infection tactic changes approach

Date: Thursday, March 8th, 2012, 10:34
Category: News, security

When in doubt, try something new.

Per Macworld, a new variant of the password-stealing Flashback malware aimed at Macs has emerged; according to new research, the new software attempts to install itself after a user visits an infected website.

Flashback, discovered by security vendor Intego last September, is engineered to steal passwords for websites, including financial sites. Since its emergence, several variants have appeared showing its authors’ innovation.

The first version of Flashback tried to trick users into installing it by masquerading as Adobe’s Flash Player. Later versions checked to see if the Apple computer in question had an unpatched version of Java with two software vulnerabilities.

If the computer was running unpatched Java, Flashback automatically installed itself. If the Java attack didn’t work, Flashback then presented itself as an Apple update with a self-signed security certificate.

The latest “Flashback.N” version spotted by Intego tries to infect the computer after a person has visited an infected Web page. The tactic is often referred to as a drive-by download. Much of the drive-by download malware for Windows can infect a computer without any action by the user merely by visiting the tampered website.

Users get a bit more warning with Flashback.N. Upon hitting the infected website, Flashback.N shows a “Software Update” dialog box similar to the legitimate Apple one and asks for a user’s password.

On its blog, Intego described the installation procedure as “somewhat odd,” as the website, that has been rigged to deliver the malware, displays Apple’s multicolored spinning gear for a while before the dialog box appears. Flashback then injects itself into the Safari browser and starts sniffing data traffic for passwords.

Earlier this week, Intego found that Flashback was using Twitter as a command-and-control mechanism. Other botnets have also used Twitter to post commands or directions to new commands.

The Flashback malware queries Twitter for a 12-character hashtag composed of seemingly random characters, according to an Intego blog post. The strings are actually generated using 128-bit RC4 encryption and are composed of four characters for the day, four for the month and four for the year.

As always, look before you leap in terms of the sites you visit, keep your Mac OS X operating system updated and whoever would like to contribute to a piranha-filled pool to hurl the Flashback malware creators into upon their discovery, we welcome your contributions.

Intego announces discovery of “Flashback.G” trojan variant, advises caution

Date: Thursday, February 23rd, 2012, 12:21
Category: News, security, Software

On Thursday, security firm Intego announced that it has discovered more strains of the Flashback Trojan horse. The company says that “many Mac users have been infected by this malware,” especially the latest variant, Flashback.G.

Per Macworld, Intego describes three unique methods that the Trojan horse uses to infect Macs: It attempts to exploit a pair of Java vulnerabilities in sequence, which the company says allows infection with no further user intervention. Failing those two approaches, it resorts to social engineering. In that last case, the applet presents a self-signed digital certificate, falsely claiming that the certificate is “signed by Apple Inc”; if you click Continue, the malware installs itself.

To fall victim to the Flashback Trojan horse, you first need to run software. By definition, Trojan horses disguise themselves as other kinds of software, tricking the user into, say, double-clicking an icon to launch a new download—thereby infecting themselves. Note, however, that if you’re still running Snow Leopard and your Java installation isn’t current, a maliciously-coded webpage could cause the malware to install without further intervention on your part, depending on your browser’s security settings.

According to Intego, the latest Flashback.G variant can inject code into Web browsers and other applications that connect to the Internet, often causing them to crash. It attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other ways.

As part of its installation process, the malware puts an invisible file in the /Users/Shared/ folder; that file’s name is variable, but it uses a .so extension. Other files the malware creates include /Users/Shared/.svcdmp, ~/.MACOSX/environment.plist, and ~/Library/Logs/vmLog. It also places a Java applet in ~/Library/Caches.

Intego has stated that its VirusBarrier X6 software can detect Flashback if it’s installed, and even prevent it from installing in the first place.

If you suspect you’ve already been infected, you can check by launching Terminal (in /Applications/Utilities/) and pasting in the code below, and pressing Return:

ls /Users/Shared/.*.so

If the response you see in Terminal includes “No such file or directory,” you’re in the clear. If you instead see a list of one or more files with a .so extension and no “no such file” declaration, you may well have fallen victim to the malware.

If you do find that you’re infected, removing the files referenced above or installing antivirus software like Intego’s should remove any traces of Flashback.
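The Terminal command above only looks for the hidden .so file. As an added example (this is not Intego’s tool or code from the article), the script below checks every file indicator the post lists in one pass and reports which ones are present. The paths are exactly the ones named above; the root and home parameters are an added assumption so the same function can be pointed at a constructed directory tree for testing instead of the live system.

```python
"""Check a Mac for the Flashback.G file indicators listed in the post above.

Added example; not Intego's tool or code from the article. The indicator paths
are the ones the post names. The `root` and `home` parameters are an added
assumption so the check can run against a constructed directory tree.
"""
from pathlib import Path


def flashback_indicators(root="/", home=None):
    """Return the indicator files present under `root` (stands in for /) and
    `home` (stands in for ~). An empty list means none of them were found."""
    root = Path(root)
    home = Path(home) if home is not None else Path.home()
    shared = root / "Users" / "Shared"
    found = []

    # The hidden shared object has a variable name, so match /Users/Shared/.*.so
    # (the same pattern as the article's `ls` command).
    if shared.is_dir():
        found.extend(sorted(p for p in shared.glob(".*.so") if p.is_file()))

    # Fixed-name files the post lists.
    for p in (
        shared / ".svcdmp",
        home / ".MACOSX" / "environment.plist",
        home / "Library" / "Logs" / "vmLog",
    ):
        if p.exists():
            found.append(p)

    # The post also mentions a Java applet dropped in ~/Library/Caches but gives
    # no file name, so that directory is left for manual inspection rather than
    # guessed at here.
    return [str(p) for p in found]


if __name__ == "__main__":
    hits = flashback_indicators()
    if hits:
        print("Possible Flashback indicators found:")
        for h in hits:
            print("  ", h)
    else:
        print("No Flashback indicators found.")
```

Run it with no arguments on the Mac you want to check; a non-empty list is the cue to follow the removal steps above, and an empty list means none of the listed files are present (which is evidence, not proof, of a clean system, since the post names only this variant’s files).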

If you’ve seen this trojan on your end or tried this fix, please let us know in the comments.

Adobe releases Shockwave Player 11.6.4r634, claims identification of nine critical security flaws

Date: Wednesday, February 15th, 2012, 09:03
Category: News, security, Software

It wasn’t the most exciting update in the universe yesterday, but if Adobe recommends you snag it and calls snagging it “critical”, then that’s a good indication of things.

Per MacNN, Adobe released Shockwave Player 11.6.4r634 on Tuesday, the new version following Adobe’s identification of nine “critical” vulnerabilities in Shockwave Player 11.6.3.633 and earlier versions for the Mac and Windows platforms that could allow attackers to run malicious code on the affected systems.

The company is advising all users to update to the latest version for their system, as only the new v11.6.4.634 is protected from the vulnerabilities, which revolve around a memory corruption issue in Shockwave 3D assets.

Adobe’s Flash and Shockwave browser plug-ins suffered numerous security issues over the course of 2011, resulting in frequent patches and updates. The latest version of Shockwave addresses a heap overflow vulnerability as well, but all nine patched vulnerabilities give attackers the ability to execute code on affected machines.

Shockwave Player 11.6.4r634 is an 11.1 megabyte download and requires Mac OS X 10.4 or later to install and run.

If you’ve tried the new version and have any kind of feedback to offer, please let us know in the comments.

Twitter acquires security firm Dasient

Date: Tuesday, January 24th, 2012, 11:48
Category: News, security

It never hurts to be a bit more secure.

Per Macworld, Twitter has announced that the company acquired Internet security firm Dasient.

Dasient, which describes itself as a cloud-based Web antimalware technology company, introduced in 2010 a service to protect advertisement networks and publishers from malicious ads. The company announced the acquisition via its blog on Monday.

Before that, in 2009, the company launched its Web antimalware platform, capable of scanning URLs (uniform resource locators) and websites for the presence of harmful content.

The acquisition fits with Twitter’s plans to expand revenue from advertising including promoted Twitter messages and accounts.

By joining Twitter, Dasient will be able to apply its technology and team to the world’s largest real-time information network, Daswani said. The Dasient team is joining Twitter’s “revenue engineering” team, he said.

Twitter said in a message that “Dasient is joining the flock!”, and referred to Daswani’s blog post. Financial details were not disclosed. Twitter did not immediately respond to a request for information on how it plans to use Dasient’s technology and services.

As part of the merger, Dasient is winding down its business and is no longer able to accept new customers. The company, which was founded in 2008, was funded by Google Ventures among others.

Twitter acquired earlier this month Summify, a startup that summarizes content in people’s Google, Facebook and Twitter feeds and delivers a daily digest through email, on a website or to a user’s iPhone.

Stay tuned for additional details as they become available.