Intego announces discovery of “Flashback.G” trojan variant, advises caution

Posted by:
Date: Thursday, February 23rd, 2012, 12:21
Category: News, security, Software

On Thursday, security firm Intego announced that it has discovered more strains of the Flashback Trojan horse. The company says that “many Mac users have been infected by this malware,” especially the latest variant, Flashback.G.

Per Macworld, Intego describes three unique methods that the Trojan horse uses to infect Macs: It attempts to exploit a pair of Java vulnerabilities in sequence, which the company says allows infection with no further user intervention. Failing those two approaches, it resorts to social engineering. In that last case, the applet presents a self-signed digital certificate, falsely claiming that the certificate is “signed by Apple Inc”; if you click Continue, the malware installs itself.

To fall victim to the Flashback Trojan horse, you first need to run software. By definition, Trojan horses disguise themselves as other kinds of software, tricking the user into, say, double-clicking an icon to launch a new download—thereby infecting themselves. Note, however, that if you’re still running Snow Leopard and your Java installation isn’t current, a maliciously-coded webpage could cause the malware to install without further intervention on your part, depending on your browser’s security settings.

According to Intego, the latest Flashback.G variant can inject code into Web browsers and other applications that connect to the Internet, often causing them to crash. It attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other ways.

As part of its installation process, the malware puts an invisible file in the /Users/Shared/ folder; that file’s name is variable, but it uses a .so extension. Other files the malware creates include /Users/Shared/.svcdmp, ~/.MACOSX/environment.plist, and ~/Library/Logs/vmLog. It also places a Java applet in ~/Library/Caches.

Intego has stated that its VirusBarrier X6 software can detect Flashback if it’s installed, and even prevent it from installing in the first place.

If you suspect you’ve already been infected, you can check by launching Terminal (in /Applications/Utilities/) and pasting in the code below, and pressing Return:

ls /Users/Shared/.*.so

If the response you see in Terminal includes “No such file or directory,” you’re in the clear. If you instead see a list of one or more files with a .so extension and no “no such file” declaration, you may well have fallen victim to the malware.

If you do find that you’re infected, removing the files referenced above or installing antivirus software like Intego’s should remove any traces of Flashback.
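The single ls command above only covers the hidden .so file. As an added example (not from Intego or the original article), the shell function below checks every file indicator the article lists in one pass: the hidden .so file in the shared folder, /Users/Shared/.svcdmp, ~/.MACOSX/environment.plist and ~/Library/Logs/vmLog. It reports what it finds and deliberately deletes nothing, so you can review the hits before removing anything. The two optional arguments (shared directory and home directory) are an assumption of this example so it can be pointed at a test directory; with no arguments it checks the real locations.

```shell
#!/bin/sh
# Added example, not part of the original article or Intego's tooling.
# Report-only check for the Flashback.G file indicators named in the article.
# Usage: flashback_indicators [shared_dir] [home_dir]
#   shared_dir defaults to /Users/Shared, home_dir to $HOME (both assumed
#   parameters of this example, so the check can run against a scratch tree).
# Prints one "indicator: <path>" line per hit; returns 0 when nothing is
# found and 1 when at least one indicator is present.
flashback_indicators() {
    shared="${1:-/Users/Shared}"
    home_dir="${2:-$HOME}"
    found=0

    # 1. The hidden .so file in the shared folder has a variable name, so a
    #    glob is required. If nothing matches, the pattern itself is left
    #    unexpanded and the -e test rejects it (no "No such file" noise).
    for f in "$shared"/.*.so; do
        [ -e "$f" ] || continue
        echo "indicator: $f"
        found=1
    done

    # 2. Fixed-name files the article lists; plain existence tests suffice.
    for f in "$shared/.svcdmp" \
             "$home_dir/.MACOSX/environment.plist" \
             "$home_dir/Library/Logs/vmLog"; do
        if [ -e "$f" ]; then
            echo "indicator: $f"
            found=1
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "no Flashback.G file indicators found"
    fi
    return "$found"
}

# Stand-alone run against the real locations when executed directly.
flashback_indicators
```

A clean system prints the “no indicators” line and the function returns 0, which makes it easy to wire into a login script or a fleet check; any hit returns 1 so the caller can flag the machine for follow-up. Note that the Java applet the article says lands in ~/Library/Caches has no fixed name on the page, so it is not checked here.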

If you’ve seen this trojan on your end or tried this fix, please let us know in the comments.

Adobe releases Shockwave Player 11.6.4r634, claims identification of nine critical security flaws

Posted by:
Date: Wednesday, February 15th, 2012, 09:03
Category: News, security, Software

It wasn’t the most exciting update in the universe yesterday, but if Adobe recommends you snag it and calls snagging it “critical”, then that’s a good indication of things.

Per MacNN, Adobe released Shockwave Player 11.6.4r634 on Tuesday, the new version following Adobe’s identification of nine “critical” vulnerabilities in Shockwave Player 11.6.3.633 and earlier versions for the Mac and Windows platforms that could allow attackers to run malicious code on the affected systems.

The company is advising all users to update to the latest version for their system version, but only the new v11.6.4.634 is protected from the vulnerabilities, which revolve around a memory corruption issue in Shockwave 3D assets.

Adobe’s Flash and Shockwave browser plug-ins suffered numerous security issues over the course of 2011, resulting in frequent patches and updates. The latest version of Shockwave addresses a heap overflow vulnerability as well, but all nine patched vulnerabilities give attackers the ability to execute code on affected machines.

Shockwave Player 11.6.4r634 is an 11.1 megabyte download and requires Mac OS X 10.4 or later to install and run.

If you’ve tried the new version and have any kind of feedback to offer, please let us know in the comments.

Twitter acquires security firm Dasient

Posted by:
Date: Tuesday, January 24th, 2012, 11:48
Category: News, security

It never hurts to be a bit more secure.

Per Macworld, Twitter has announced that the company acquired Internet security firm Dasient.

Dasient, which describes itself as a cloud-based Web antimalware technology company, introduced in 2010 a service to protect advertisement networks and publishers from malicious ads. The company announced the acquisition via its blog on Monday.

Before that, in 2009, the company launched its web antimalware platform, capable of scanning URLs (uniform resource locators) and websites for the presence of harmful content.

The acquisition fits with Twitter’s plans to expand revenue from advertising including promoted Twitter messages and accounts.

By joining Twitter, Dasient will be able to apply its technology and team to the world’s largest real-time information network, Daswani said. The Dasient team is joining Twitter’s “revenue engineering” team, he said.

Twitter said in a message that “Dasient is joining the flock!”, and referred to Daswani’s blog post. Financial details were not disclosed. Twitter did not immediately respond to a request for information on how it plans to use Dasient’s technology and services.

As part of the merger, Dasient is winding down its business and is no longer able to accept new customers. The company, which was founded in 2008, was funded by Google Ventures among others.

Twitter acquired earlier this month Summify, a startup that summarizes content in people’s Google, Facebook and Twitter feeds and delivers a daily digest through email, on a website or to a user’s iPhone.

Stay tuned for additional details as they become available.

Intego warns of new, detailed phishing scam aimed at Apple’s user base

Posted by:
Date: Wednesday, December 28th, 2011, 05:02
Category: News, security


There are a few things you can count on: death, taxes and various groups of wanders trying to get personal information from you via scams and phishing efforts.

Per AppleInsider, security firms have issued warnings regarding a new “well-crafted” phishing scam that attempts to fool customers into providing their AppleID billing information.

Intego posted an alert on the scam earlier this week, noting that the first emails appeared to have gone out on or around Christmas day. The phishing email purports to come from “appleid@id.apple.com” and informs recipients that their billing information records are “out of date.”

Customers are directed to click on a link to http://store.apple.com, but they are instead redirected to a “realistic-looking sign-in page,” according to the security firm’s report.

Though phishing scams targeting Apple customers are by no means new, this particular scam has attracted attention because it is unusually detailed in its efforts to deceive. The email makes use of the Apple logo and shading and employs better formatting than similar frauds in the past.

As a precautionary measure, users should remember not to click directly on links from email messages and instead navigate to the website in question on their own.

In August, scammers set out to trick Apple’s MobileMe subscribers into upgrading to the then-forthcoming iCloud service. Around the Thanksgiving holiday, another scam cropped up falsely advertising an iTunes gift certificate that was actually malware meant to pilfer passwords and other personal information.

Mac users were also the target of an elaborate hoax involving fake anti-virus software, usually dubbed MacDefender, earlier this year. The application would automatically download itself onto users’ computers in an attempt to obtain their credit card information. Russian police later found evidence tying the scam to online payment service Chronopay.

Stay tuned for additional details as they become available.

Security researcher Charlie Miller outs iOS code signing flaw, security hole

Posted by:
Date: Tuesday, November 8th, 2011, 05:46
Category: iOS, News, security, Software

It’s hard to say whether it’s discouraging to see iOS caught out by assorted security failures or reassuring to see that security experts manage to notice these and bring them to the public’s attention.

According to Forbes, Mac hacker and researcher Charlie Miller has reportedly found a way to sneak malware into the App Store and subsequently onto any iOS device by exploiting a flaw in Apple’s restrictions on code signing, allowing the malware to steal user data and take control of certain iOS functions.

Miller explains that code signing restrictions allow only Apple’s approved commands to run in an iOS device’s memory, and submitted apps that violate these rules are not allowed on the App Store. However, he has found a method to bypass Apple’s security by exploiting a bug in iOS code signing that allows an app to download new unapproved commands from a remote computer.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller said. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

The flaw was introduced when Apple released iOS 4.3, which increased browser speed by allowing JavaScript code from the internet to run on a much deeper level in a device’s memory than in previous iterations of the OS. Miller realized that in exchange for speed, Apple created a new exception for the web browser to run unapproved code. The researcher soon found a bug that allowed him to expand the flawed code beyond the browser, integrating it into apps downloaded from the App Store.

Miller created a proof-of-concept app called “Instastock” to showcase the vulnerability, which was submitted to and approved by Apple to be distributed via the App Store. The simple program appears to be an innocuous stock ticker, but it can leverage the code signing bug to communicate with Miller’s server to pull unauthorized commands onto the affected device. From there the program has the ability to send back user data including address book contacts, photos and other files, as well as initiate certain iOS functions like vibrating alerts.

The app has since been pulled and according to his Twitter account, Miller has reportedly been banned from the App Store and kicked out of the iOS Developer Program.

Miller, a former NSA analyst who now works for computer security firm Accuvant, is a prominent Apple researcher who previously exposed the MacBook battery vulnerability and a security hole in the mobile version of Safari.

The researcher has refused to publicly reveal the exploit, reportedly giving Apple time to come up with a fix, though he will announce the specifics at the SysCan conference in Taiwan next week.

Stay tuned for additional details as they become available.

Hackers unlock hidden panorama camera mode in iOS 5, post instructions on accessing it

Posted by:
Date: Tuesday, November 8th, 2011, 05:19
Category: iPhone, News, security

It’s the hidden features that tend to make a gadget that much cooler.

Per iDownloadBlog, a group of hackers have discovered a hidden panorama mode embedded within Apple’s Camera application on iOS 5, though the feature does not appear to be completed.

iOS hacker Conrad Kramer, who goes by the alias Conradev, revealed via a tweet on Monday that he had discovered a way to enable the hidden Panorama mode within Apple’s own app, as noted by iDownloadBlog. The feature, which appears to be in ongoing development by Apple, offers settings for a grid and HDR when creating a panorama photo.

According to Kramer, the mode is activated by setting the “EnableFirebreak” key to YES in a preference file within the mobile operating system.

Fellow jailbreak hacker Grant Paul, also known as Chpwn, posted screenshots and examples of the panorama mode. He also announced that a tweak enabling the feature has been submitted to the Cydia application storefront for jailbroken iPhones and should arrive sometime on Tuesday.

‘Jailbreaking’ is a process that opens up an iOS device to run unauthorized code and applications. Though the U.S. government has legalized the procedure, it does still void Apple’s warranty.

With the release of the iPhone 4S, iCloud and iOS 5 last month, jailbreak hackers have been kept busy. Paul recently publicized a tweak that brought limited Siri voice assistant functionality to the iPhone 4 and the fourth-generation iPod touch. Siri is currently only officially available on Apple’s new iPhone 4S.

In addition, a “hidden” Dropbox-like syncing feature was discovered last week in Mac OS X Lion that can be used to sync files across multiple Macs.

In August, notorious jailbreak hacker “Comex” revealed that he would be starting an internship with Apple. It is not immediately clear whether he is working specifically on iOS security, but some have speculated that the iPhone maker will put him to use on locking down its software.

If you’ve tried the panorama hack and have any feedback about it, please let us know in the comments.

DevilRobber trojan horse for Mac OS X discovered, controls GPU, steals user data

Posted by:
Date: Tuesday, November 1st, 2011, 04:42
Category: News, security, Software

While there may not be that many viruses out there for the Mac, there are still Trojan horse apps to make life a little bit harder.

Here’s another.

Per AppleInsider, a new Trojan horse hidden in a Mac OS X application can steal sensitive user data and take control of the computer’s GPU to generate Bitcoins, a form of currency used online.

In a report released on Saturday, security firm Sophos reported that DevilRobber, a Trojan horse that can steal sensitive user data, was found hidden inside copies of Graphic Converter 7.4 downloaded from bit-torrent file-sharing sites.

DevilRobber, also known as “OSX/Miner-D,” can steal usernames and passwords and is capable of spying on users by taking screenshots of their activity and sending the images online. In addition, the Trojan is able to run scripts that can copy information “regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history” to a dump.txt file.

The malware has also been found to search for “pthc” files, a term that is used to describe pre-teen hardcore pornography. It is not known at this time whether one of the secondary features of DevilRobber is to find traces of child abuse on affected computers.

Another unusual feature for the new Trojan is its capability of taking over a Mac’s GPU in order to generate Bitcoins, a digital currency that can be used to perform online instant payments without the oversight of a banking authority.

Users generate Bitcoins on personal computers after installing Bitcoin Miner, an application that’s compatible with Mac, Windows and Linux systems. Once obtained, Bitcoins are stored in the user’s digital wallet and can be used for future online payments. Bitcoins can also be exchanged for actual currency with the current exchange rate reportedly valuing one Bitcoin at US$3.20.

In addition to harnessing the power of the GPU to generate more Bitcoins, DevilRobber can also steal the user’s existing Bitcoin wallet if it finds the appropriate files.

Sophos suggests users be aware of signs that point to a malware attack. For example, a malware attack can result in the slowdown of overall computing performance, with affected users reporting sluggishness as the Trojan steals GPU resources for mining purposes.

In order to avoid unwanted DevilRobber installations, Mac users are advised to refrain from downloading software via untrusted sources, even if they appear to be legitimate. It is not known at this time whether other Mac applications available on torrent sites come bundled with the new Trojan horse.

Apple has yet to acknowledge the new threat, though common anti-virus programs are able to detect DevilRobber.

The new malware is the most recent in a wave of programs targeting an increasing number of Mac owners. Apple recently cleared a threat from a non-functional Chinese Trojan horse that disguised itself as a PDF download.

Recently various instances of a different, more advanced malware program emerged. “Flashback” posed as an Adobe Flash installer, with a later upgraded version programmed to disable the default OS X anti-malware protection thus leaving systems vulnerable to subsequent attacks.

Stay tuned for additional details as they become available.

F-Secure identifies new Mac trojan masquerading as Flash Player update

Posted by:
Date: Thursday, October 20th, 2011, 02:28
Category: News, security, Software

Sometimes you get the feeling that the security war never really ends.

Per Macworld, F-Secure has reported on a new, scarier-than-usual Mac Trojan horse masquerading as a Flash installer. The downside is that if you do fall victim to the Trojan, it disables your Mac’s automatic malware definition updates.

F-Secure, which has a report on the issue, has dubbed the new pest Trojan-Downloader:OSX/Flashback.C; Macworld reported on a previous version of the malware back in September. A Trojan horse works by fooling you into running it; in this case, Flashback disguises itself as an installer package for Flash Player.

The earlier incarnation of the Flashback Trojan horse sent information about your Mac back to a remote server, which was bad enough, but this new version disables the security definition updating mechanism Apple first introduced in Snow Leopard back in May; the same malware protection is included in Lion, too. If you install the rogue software, it prompts you for your administrator password. Enter that, and Flashback.C wipes out files necessary for the malware definition updating process to run properly.

By disabling the malware definitions update, Flashback.C attempts to ensure that your Mac won’t know about any update Apple releases to remove the malicious software. Notably, the Trojan horse bails and deletes itself if you have the Little Snitch app installed.

F-Secure offers removal instructions if you fear you’ve been infected; the fix involves deleting entries from your browsers’ .plist files. Check out F-Secure’s page if you’re concerned, but you only need to worry if you recently installed Flash Player from a download that you didn’t get from Adobe’s website.

If you’ve seen this trojan on your end or have any feedback on it, please let us know in the comments section.

Apple releases Security Update 2011-006 for Mac OS X 10.6, 10.7 operating systems

Posted by:
Date: Thursday, October 13th, 2011, 06:10
Category: News, security, Software


On Thursday, Apple also released Security Update 2011-006 for the Mac OS X 10.6 and 10.7 operating systems. The update, a 136 megabyte download, offers a series of fixes and changes detailed here.

Security Update 2011-006 requires Mac OS X 10.6.8 or later on the Mac OS X 10.6 end or Mac OS X 10.7.1 or later on the Mac OS X 10.7 end to install and run.

If you’ve tried the security update and have any feedback to offer, please let us know in the comments.

Apple releases Security Update 2011-005

Posted by:
Date: Friday, September 9th, 2011, 14:20
Category: News, security, Software


On Friday, Apple also released Security Update 2011-005 for the Mac OS X 10.6 and 10.7 operating systems. The update, a 15.6 megabyte download, offers the following fixes and changes:

- Certificate Trust Policy:

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

Security Update 2011-005 requires Mac OS X 10.6.8 or later on the Mac OS X 10.6 end or Mac OS X 10.7.1 or later on the Mac OS X 10.7 end to install and run.