Symantec: Flashback malware still present on approximately 140,000 Macs

Posted by:
Date: Tuesday, April 17th, 2012, 19:21
Category: News, security, Software

The good news: The Flashback malware’s infection numbers have gone down dramatically.

The bad news: About 140,000 of you need to look into removing the malware on your Mac.

Per a recent Symantec blog post, the security firm guessed that the number of affected machines would have dropped precipitously by now given that Apple and third-party vendors released their respective Flashback-neutralizing programs last week. The Mac maker even rolled out a removal tool for those Mac users who don’t have Java installed, and thus may be harboring a dormant version of the malware.

Statistics from Symantec’s “sinkhole,” or spoofed command and control server, show that Flashback has been removed from some 460,000 machines since Apr. 9, but the company had expected fewer than 99,000 would still be carrying the trojan by Tuesday.

Sinkholes are used by internet security and research entities to monitor and analyze the spread of malicious programs, though the standard practice sometimes brings unwarranted suspicion to smaller, less well-known firms. For example, Apple reportedly attempted to shut down the server hosting a sinkhole belonging to Flashback’s discoverer Dr. Web, mistakenly thinking that it was a legitimate command and control server. Apple’s move, however, can also be considered standard practice when dealing with fast-moving malware.
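The sinkhole counting the figures above rest on can be illustrated with a short script. This is an added example, not Symantec’s or Dr. Web’s code, and it assumes a simple log line format (date, client address, requested host) and a handful of constructed check-in lines:

```python
"""Sinkhole check-in counting over constructed log lines.

Added example, not Symantec's or Dr. Web's code. Assumes a simple
"<YYYY-MM-DD> <client_ip> <requested_host>" line format; real sinkhole
logs carry more fields and usually a per-bot identifier."""
from collections import defaultdict
from datetime import date

# Constructed sample: seven check-ins from three source addresses over three
# days, plus one malformed line that the parser must skip.
SAMPLE_LOG = """\
2012-04-09 203.0.113.10 example-sinkhole.invalid
2012-04-09 203.0.113.11 example-sinkhole.invalid
2012-04-09 203.0.113.10 example-sinkhole.invalid
2012-04-09 198.51.100.7 example-sinkhole.invalid
not a log line
2012-04-10 203.0.113.10 example-sinkhole.invalid
2012-04-10 198.51.100.7 example-sinkhole.invalid
2012-04-11 198.51.100.7 example-sinkhole.invalid
"""


def parse_log(text):
    """Yield (day, client_ip) pairs, skipping malformed lines and bad dates."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            date.fromisoformat(parts[0])  # validate; keep the ISO string as the key
        except ValueError:
            continue
        yield parts[0], parts[1]


def unique_bots_per_day(text):
    """Distinct check-in addresses per day: the figure a sinkhole operator
    reports as 'infected machines' (see the caveats in the note below)."""
    seen = defaultdict(set)
    for day, ip in parse_log(text):
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def bots_no_longer_checking_in(text):
    """Addresses seen on the first logged day that are absent on the last day:
    a rough proxy for machines that have since been cleaned or patched."""
    seen = defaultdict(set)
    for day, ip in parse_log(text):
        seen[day].add(ip)
    if not seen:
        return set()
    days = sorted(seen)
    return seen[days[0]] - seen[days[-1]]


if __name__ == "__main__":
    for day, count in unique_bots_per_day(SAMPLE_LOG).items():
        print(day, count)
    print("gone by last day:", sorted(bots_no_longer_checking_in(SAMPLE_LOG)))
```

Keying on the source address is the weakest way to count: DHCP churn inflates the number and NAT deflates it, which is why real sinkholes prefer an identifier the bot itself sends. A sinkhole also only sees machines that are online and still calling home, so a bot that simply stays switched off looks “removed” in these statistics.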

There has been no speculation as to why the remaining Macs haven’t already disposed of Flashback, as the self-installing program can be easily identified and deleted. It is possible that machine owners remain unaware of the program and haven’t yet performed a software update that would eradicate it.

The trojan itself continues to propagate on unpatched systems. Analysis of Flashback’s structure reveals that its domain generation is coded to go beyond the .com top-level domain, producing domain names under .in, .info, .kz and .net as well. Flashback creates one new string every day and pairs it with a random TLD.

Once a user visits a site carrying Flashback, the program installs itself without the need for permission and proceeds to collect sensitive data like user IDs, passwords and web browsing histories, which it then sends to an off-site repository.

Just as Flashback exploited the “Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability” to create its botnet, another threat has surfaced that uses the same hole as a means of distribution.

Called Backdoor.OSX.SabPub.a, the newly-discovered malware was created in March and is considered an “active attack” trojan as an operator manually checks and harvests data from an affected machine. SabPub has also been seen being distributed in malicious Word documents, installing itself by exploiting a known record parsing buffer overflow vulnerability.

Stay tuned for additional details as they become available.

Flashback trojan emerges as “LuckyCat” variant, exploit found to spread malware via Microsoft Word documents

Posted by:
Date: Monday, April 16th, 2012, 09:44
Category: News, security, Software

You’ve got to hand it to whoever developed it: they’re persistent.

Per SecureList, a new version of a backdoor trojan for Apple’s OS X operating system takes advantage of an exploit in Microsoft Word to spread.

The latest variant of the attack known as “LuckyCat” was discovered and detailed by Costin Raiu, Kaspersky Lab expert. Raiu found that a dummy infected machine was taken over by a remote user who started analyzing the machine and even stole some documents from the Mac.

“We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them,” Raiu wrote in a post.

The new Mac-specific trojan, named “Backdoor.OSX.SabPub.a,” uses a Java exploit to infect targeted machines. It spreads through Microsoft Word documents that exploit a vulnerability known as “CVE-2009-0563.”

The new trojan is noteworthy because it stayed undetected for more than a month and a half before it came alive and data was manually extracted from the machine. That’s different from MaControl, another bot used in attacks discovered in February 2012.

There are currently at least two variants of the “SabPub” trojan, which remains classified as an “active attack.” It is expected that new variants of the bot will be released in the coming weeks, as the latest was created in March.

Security on the Mac has been in the spotlight of late as a result of the “Flashback” trojan that infected more than 600,000 Macs worldwide. Apple addressed the issue with a series of software updates last week designed to remove the trojan from affected machines.

The Flashback botnet harvested personal information and Web browsing logs from infected machines. The trojan, which disguises itself as an Adobe Flash installer, was first discovered last September.

Stay tuned for additional details as they become available.

Apple updates iTunes account security protocols, adds new security prompts for users

Posted by:
Date: Friday, April 13th, 2012, 07:41
Category: News, security, Software


This could make your iTunes account that much more secure.

Or it could make you want to put an axe through the screen as you just want to buy a cool 99 cent app.

Per Ars Technica, Apple has begun asking users to select and answer a series of questions associated with their Apple IDs to enhance security measures.

The security prompts began popping up on iOS devices on Wednesday, wherein users were met with a prompt that states “Security Info Required.”

After being shown the message, users are asked to select from a number of security questions and provide personal answers. Users are also prompted to provide a backup e-mail address in case the primary address associated with their Apple ID is compromised.

The changes are meant to curb fraud and phishing attempts that have been used for many years to hijack iTunes accounts. Because credit card information is tied to a user’s account, nefarious people will steal and resell accounts, allowing people to buy content like music, movies and applications on someone else’s dime.

This week’s changes are only the latest in a series of measures by Apple over the years to improve security associated with iTunes accounts. Some of the steps taken include requiring users to verify their account information when they log into new devices, and upgrading passwords to make them more complex with varying characters.

Some users have been confused by the new security prompts appearing this week, and have expressed concern on the Apple Support Communities website that the alerts could be bogus phishing attempts. However, the revised measures have been proven to be legitimate, and Apple has admitted they are part of an ongoing effort to bolster security.

If you’ve seen these prompts on your end, please let us know what you make of them in the comments.

Apple developing program to track, destroy Flashback malware

Posted by:
Date: Wednesday, April 11th, 2012, 07:38
Category: News, security, Software


I think this is where an awesome montage scene of productivity/progress begins in an 80s movie. Or at least the cast involves vows to achieve a long-term goal.

Apple revealed on Tuesday that it is currently developing software to detect and remove the Flashback malware that has infected an estimated 600,000 Macs worldwide.

The company made mention of the upcoming tool in a support document regarding the malicious software, as noted by The Loop. The document also pointed users to last week’s Java update that patched the security flaw that the virus was exploiting.

“In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network,” the company said.

Apple also advises Macs running OS X 10.5 or earlier to disable Java in their browser preferences.

The Flashback trojan horse was first discovered last September. The malware posed as a phony Adobe Flash Player installer in order to trick users into installing it. At the time, a security firm first categorized the threat as “low.” The current version of Flashback used the Java vulnerability to create a botnet that could mine personal information from unsuspecting users.

Evidence of Apple’s efforts to contact ISPs surfaced earlier on Tuesday when a Russian security firm revealed that the company had targeted one of its servers as being “involved in a malicious scheme.” Dr. Web chief executive Boris Sharov said the server was “not doing any harm to users” and was being used to monitor the spread of the virus.

Sharov noted that the relative rarity of Apple security issues meant that Dr. Web hadn’t established close ties with the company. “For Microsoft, we have all the security response team’s addresses,” he said. “We don’t know the antivirus group inside Apple.”

Last week, a Dr. Web analyst claimed that 600,000 Macs around the world had been infected by the Flashback malware. 56.6 percent of those infections are reportedly located in the U.S.

Stay tuned for additional details as they become available.

Security hole discovered in Facebook, Dropbox apps for iOS, physical connection needed to exploit it (updated)

Posted by:
Date: Friday, April 6th, 2012, 07:26
Category: security, Software

You’re probably not going to like this.

According to security researcher Gareth Wright and The Next Web, a fairly prominent security hole has been discovered in the popular Facebook and Dropbox iOS apps. The good news is that someone would have to have physical access to your iPhone, and you’d have to allow them to plug it into their Mac, then allow them to do a bunch of business on your phone to grab a plain text file from inside these apps, then they’d have to go and do something malicious on your Facebook or Dropbox accounts.

Although many have reported that a jailbreak is required to access this hole, that is simply not true. A Mac app like iExplorer, which allows you to open app folders on an iPhone, will allow you to access the security hole.

According to The Unofficial Apple Weblog, it works like this: iOS apps use .plist files (aka property list files) to store all sorts of little things about an app. In this case, Dropbox and Facebook are using an unencrypted property list to apparently store both the OAuth key and its secret counterpart.

By using iExplorer to find the right plist, that file can be copied and dropped into another device, which would then be able to access your account as though you had already logged in. Using a property list in this way leaves us scratching our heads.
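The kind of check that would have caught this during a review is easy to automate: parse the app’s property lists and flag any string value whose key name suggests a credential. The script below is an added example, not Facebook’s, Dropbox’s or Apple’s code; the plist contents and key names in it are constructed.

```python
"""Audit an app's property list for credentials stored in the clear.

Added example, not the code of any app named in the article. The sample
plist and its key names are constructed."""
import plistlib
import re

# Constructed plist resembling the situation described above: an OAuth key
# and secret, plus a nested access token, sitting unencrypted in app storage.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>username</key><string>alice</string>
    <key>oauth_key</key><string>EXAMPLE-OAUTH-KEY</string>
    <key>oauth_secret</key><string>EXAMPLE-OAUTH-SECRET</string>
    <key>token_expiry</key><integer>1334300000</integer>
    <key>prefs</key>
    <dict>
        <key>access_token</key><string>EXAMPLE-TOKEN</string>
        <key>theme</key><string>dark</string>
    </dict>
</dict>
</plist>
"""

# Constructed clean plist: preferences only, nothing secret.
CLEAN_PLIST = plistlib.dumps({"username": "alice", "theme": "dark"})

# Key names that usually denote a credential; tune for the app under review.
SENSITIVE_KEY = re.compile(r"(secret|token|password|passwd|oauth|api[_-]?key|session)", re.I)


def find_sensitive_keys(node, path=""):
    """Walk a parsed plist recursively and return the paths of keys whose
    name suggests a credential and whose value is a string or data blob."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if SENSITIVE_KEY.search(key) and isinstance(value, (str, bytes)):
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_keys(item, f"{path}[{index}]"))
    return hits


def audit_plist(data):
    """Parse plist bytes (XML or binary) and return sorted suspicious key paths."""
    return sorted(find_sensitive_keys(plistlib.loads(data)))


if __name__ == "__main__":
    for hit in audit_plist(SAMPLE_PLIST):
        print("credential-like value stored in the clear:", hit)
```

Only string and data values are reported, so an integer such as a token expiry time does not trigger a finding. A hit means the value should live in a protected store such as the iOS Keychain rather than in the app’s container, which is the change Dropbox describes in its statement below.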

Facebook issued a comment saying they will patch this soon and a representative with Dropbox offered the following comment:

“Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”

Stay tuned for additional details as they become available.

Researchers estimate 600,000 Macs infected by “Flashback” trojan, offer removal/online safety advice

Posted by:
Date: Thursday, April 5th, 2012, 08:21
Category: News, security

Even if you’re a Mac user, you have to be careful out there.

According to Russian antivirus company Dr. Web, a trojan horse virus named “Flashback” that surfaced last year is believed to have created a botnet including more than 600,000 infected Macs around the world, with more than half of them in the U.S. alone.

The outfit issued a report on Wednesday noting that 550,000 computers running OS X had been infected by BackDoor.Flashback variants of the virus, as highlighted by ArsTechnica.

An analyst for the company later updated the figure to note that the size of the botnet had reached 600,000. He also pointed out that 274 bots are originating from Apple’s hometown of Cupertino, Calif.

According to a map released by the firm, 56.6 percent of infected computers are located in the United States. Canada was second with 19.8 percent, followed by the U.K. with 12.8 percent of cases.

Apple released a Java Security update on Tuesday to resolve the vulnerabilities that the virus is exploiting, but not before a number of Mac users had been hit with the malicious software. Oracle first issued a fix for the vulnerability in February.

Security firm Intego publicized the Flashback trojan last September. Some variants of the software were even discovered with the potential to disable anti-malware protections within OS X.

Researchers at F-Secure have provided instructions on how to detect and remove the malware.

So, be sure to snag the Java update via Mac OS X’s built-in Software Update feature, be careful out there and, if they do catch whoever wrote this thing, I’ll happily serve marshmallow s’mores and free drinks to the angry mob that corners them with torches and pitchforks.

Flashback trojan changes tactics, can now install on your Mac without a password

Posted by:
Date: Monday, April 2nd, 2012, 15:43
Category: News, security, Software

Well, you’ve gotta admit, they’re persistent.

Per Macworld and F-Secure, the Flashback Mac trojan uncovered by security firm Intego last year can now infect your computer from little more than a visit to a website.

Originally, Flashback masqueraded as an installer for Adobe’s Flash Player. Since then, the malware has changed tack at least once, instead pretending to be a Mac software update or a Java updater.

The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE 6. That vulnerability, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password.

No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has long been criticized for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.

Until then, F-Secure suggests users deactivate Java on their Macs. The company has also given instructions for checking if your system is currently infected by the Flashback Trojan.
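The infection check F-Secure published (referenced here and in the April 5 post above) inspects two places for a DYLD_INSERT_LIBRARIES entry: the LSEnvironment dictionary in a browser’s Info.plist and the user’s ~/.MacOSX/environment.plist. The script below is an added example that automates that look-up; it is not F-Secure’s own script, the Safari and Firefox paths are the ones its instructions name, and the sample plists and the library path in them are constructed placeholders.

```python
"""Look for DYLD_INSERT_LIBRARIES entries where F-Secure's published Flashback
check inspects: an application's Info.plist (LSEnvironment key) and the user's
~/.MacOSX/environment.plist.

Added example, not F-Secure's own script or tooling. The sample plists are
constructed and the library paths in them are placeholders."""
import os
import plistlib

# Constructed Info.plist contents for a clean browser and an injected one.
CLEAN_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.browser"})
INFECTED_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.browser",
    "LSEnvironment": {
        "DYLD_INSERT_LIBRARIES": "/Applications/Example.app/Contents/Resources/PLACEHOLDER.so",
    },
})
# Constructed ~/.MacOSX/environment.plist contents.
CLEAN_USER_ENV = plistlib.dumps({"PATH": "/usr/bin:/bin"})
INFECTED_USER_ENV = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/Users/Shared/PLACEHOLDER.so"})


def injected_in_app(info_plist_bytes):
    """Return the DYLD_INSERT_LIBRARIES value under LSEnvironment, else None."""
    env = plistlib.loads(info_plist_bytes).get("LSEnvironment")
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def injected_in_user_env(env_plist_bytes):
    """Return DYLD_INSERT_LIBRARIES from a user environment.plist, else None."""
    return plistlib.loads(env_plist_bytes).get("DYLD_INSERT_LIBRARIES")


# Paths named in F-Secure's instructions; extend for other browsers (assumption).
APP_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")


def scan_system():
    """Run both checks against the live filesystem; returns {path: value} hits.
    Files that do not exist are skipped, so this is harmless on a clean Mac
    or on a non-Mac host."""
    hits = {}
    for path in APP_PLISTS:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                value = injected_in_app(fh.read())
            if value:
                hits[path] = value
    if os.path.exists(USER_ENV_PLIST):
        with open(USER_ENV_PLIST, "rb") as fh:
            value = injected_in_user_env(fh.read())
        if value:
            hits[USER_ENV_PLIST] = value
    return hits


if __name__ == "__main__":
    found = scan_system()
    if found:
        for path, value in found.items():
            print(f"injection entry in {path}: {value}")
    else:
        print("no DYLD_INSERT_LIBRARIES entries found")
```

A stock browser bundle has no LSEnvironment entry of this kind, so any hit deserves a look; follow F-Secure’s removal instructions for the actual clean-up rather than deleting the plist by hand, since the injected library itself also has to go.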

It’s also worth noting that the Java vulnerability has recently been included in the popular BlackHole exploit kit used by many attackers.

While there’s no need for widespread panic, the fact that this latest version of the malware can install itself without the user’s password is enough of a reason for concern that some precautions are necessary. Disabling Java is a good step, but the first line of defense is, as always, to be cognizant of the websites you visit and use common sense.

Stay tuned for additional details as they become available.

Swedish security firm’s video demonstrates simplicity of bypassing iOS, Android passcodes, reaping data from stolen devices

Posted by:
Date: Wednesday, March 28th, 2012, 07:15
Category: iPad, iPhone, iPod, security

The goal isn’t to make you paranoid (which, according to the movie “End of Days”, is just reality on a finer scale), but to help show you what’s out there.

Per Forbes, Swedish security firm Micro Systemation has posted the following video showing how quickly both iOS and Android-based devices can be cracked: the firm’s XRY 6.2 software suite cracks the device’s passcode, dumps its data to a Windows PC, decrypts it and shows tender morsels of information such as the user’s GPS location, files, call logs, contacts, messages, even a log of its keystrokes.

The report said the firm uses the same kind of exploits that jailbreakers use to gain access to the phone. Once inside, they have access to just about everything.

Take a gander at the video and try to be careful out there:



As always, please let us know what’s on your mind via the comments.

Security firm finds hole in iOS 5.1 that could lead to URL spoofing

Posted by:
Date: Friday, March 23rd, 2012, 06:45
Category: iPad, iPhone, iPod, News, security


Well, this is the reason they write updates.

Per AppleInsider, a newly-discovered mobile Safari web browser vulnerability allows a malicious website to display a URL that is different from the website’s actual address, and can trick users into handing over sensitive personal information.

The issue, first discovered by security firm Major Security, is an error in how Apple’s mobile Safari app in iOS 5.1 handles URLs when using JavaScript’s window.open() method, which can be exploited by malicious sites to display custom URLs.

“This can be exploited to potentially trick users into supplying sensitive information to a malicious web site,” Major Security explains, “because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.”

The exploit was tested on an iPhone 4, iPhone 4S, iPad 2 and third-generation iPad running iOS 5.1, and it seems that any iDevice running Apple’s latest mobile OS is affected by the vulnerability. Users can test the vulnerability themselves by visiting this web site from a mobile device. After a user clicks the “demo” button on the test page, Safari will open a new window which shows “http://www.apple.com” in the address bar, but that URL is in fact being displayed through an iframe being hosted by Major Security’s servers.

By spoofing a URL and adding some convincing images to a malicious site, users can easily be tricked into thinking they are visiting a legitimate website such as Apple’s online store.

The vulnerability was originally found in iOS 5.0 and reproduced on iOS 5.1 earlier in March. Apple was made aware of the issue on March 1 and posted an advisory regarding the matter on March 20. A patch has yet to be pushed out, though the iPhone maker is expected to do so in the near future.

Stay tuned for additional details as they become available.

New Flashback malware variant strain discovered, infection tactic changes approach

Posted by:
Date: Thursday, March 8th, 2012, 10:34
Category: News, security

When in doubt, try something new.

Per Macworld, a new variant of the password-stealing Flashback malware aimed at Macs has emerged; according to new research, the new software attempts to install itself after a user visits an infected website.

Flashback, discovered by security vendor Intego last September, is engineered to steal passwords for websites, including financial sites. Since its emergence, several variants have appeared showing its authors’ innovation.

The first version of Flashback tried to trick users into installing it by masquerading as Adobe’s Flash Player. Later versions checked to see if the Apple computer in question had an unpatched version of Java with two software vulnerabilities.

If the computer was running unpatched Java, Flashback automatically installed itself. If the Java attack didn’t work, Flashback then presented itself as an Apple update with a self-signed security certificate.

The latest “Flashback.N” version spotted by Intego tries to infect the computer after a person has visited an infected Web page. The tactic is often referred to as a drive-by download. Much of the drive-by download malware for Windows can infect a computer without any action by the user merely by visiting the tampered website.

Users get a bit more warning with Flashback.N. Upon hitting the infected website, Flashback.N shows a “Software Update” dialog box similar to the legitimate Apple one and asks for a user’s password.

On its blog, Intego described the installation procedure as “somewhat odd,” as the website that has been rigged to deliver the malware displays Apple’s multicolored spinning gear for a while before the dialog box appears. Flashback then injects itself into the Safari browser and starts sniffing data traffic for passwords.

Earlier this week, Intego found that Flashback was using Twitter as a command-and-control mechanism. Other botnets have also used Twitter to post commands or directions to new commands.

The Flashback malware queries Twitter for a 12-character hashtag composed of seemingly random characters, according to an Intego blog post. The strings are actually generated using 128-bit RC4 encryption and are composed of four characters for the day, four for the month and four for the year.

As always, look before you leap in terms of the sites you visit, keep your Mac OS X operating system updated and whoever would like to contribute to a piranha-filled pool to hurl the Flashback malware creators into upon their discovery, we welcome your contributions.