Trojan

Latest

  • DevilRobber now "improved", still nasty malware threat

    by Kelly Guimont
    11.18.2011

    We previously told you about DevilRobber and what sort of unsavory things it can do to (and with) your Mac. (In case you don't click over to read the article, here's the scoop: it's bad. Real bad.) Back in the day (November 1st), it was a Trojan horse and sent a little of your personal info off to some far flung servers. But CNet is reporting the new version has mutated, and now it tries to grab your Terminal history and system logs. This new "improved" version can be picked up by downloading Pixelmator from someplace that is not the Mac App Store (currently the only place to legitimately get a copy). But the fun doesn't end there! It also tries (but does not succeed at) making off with information stored in your 1Password data file. CNet's story makes it sound like DevilRobber can actually do something with that file, but in reality that data is safe, as confirmed by Agile themselves. They have a nice writeup on their site about all of this and the steps you can take to make extra super sure your data is safe. This is also another of those opportunities we here at TUAW occasionally take to remind you that malware is bad but real, and you DO need to protect yourself. Remember "Macs don't get viruses" is just as accurate as "Macs don't have any good games" (which is to say not accurate at all), and protection is ridiculously easy. Get yourself a nice antivirus utility and spend a little time with Little Snitch to make sure nothing suspicious is being sent from your machine, and that should help you avoid a lot of problems.

  • Trojan variation disables Mac malware protection

    by Chris Rawson
    10.19.2011

    Researchers from F-Secure warn that a variant on a trojan discovered in September, which masquerades as an Adobe Flash Player installer, now exists and is capable of disabling OS X's built-in malware protection. OSX/Flashback.C disables the auto-updater component of XProtect, which means the system's built-in anti-malware application no longer looks for updates to its malware definitions. This essentially holds the door open for future malware to invade the system unimpeded. F-Secure provides instructions for removing OSX/Flashback.C if your system has already been compromised. For the truly paranoid, you can also bypass the auto-update process and force your Mac to update its malware definitions manually. Since OS X malware authors seem to be employing fake Flash Player installers as a delivery vector, it's worth mentioning that you should only download Flash Player from trusted sources. Adobe's website is a good place to start. You could also remove the plug-in version of Flash Player altogether, essentially zeroing out your risk of being exposed to the OSX/Flashback trojan variants; the Google Chrome browser includes a bundled Flash Player if you need to view Flash content. [Hat tip to Ars Technica]

  • Daily Update for September 26, 2011

    by Steve Sande
    09.26.2011

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes, which is perfect for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for listening through iTunes, click here. No Flash? Click here to listen.

  • Apple updates malware definitions to address PDF trojan

    by Chris Rawson
    09.26.2011

    According to MacRumors, Apple has updated its malware definitions to address a PDF trojan that gained widespread attention last week. While reports indicated that the trojan's damage was limited to installing a backdoor in users' systems, Apple has moved relatively quickly to address the threat anyway. CNET reports that yet another OS X trojan is making the rounds, however, this time posing as an Adobe Flash installer. Avoiding this bit of malware is simple: if you must install Flash on your system, only download it from a trusted source like Adobe's own site or MacUpdate. A similar bit of malware made the rounds in August, but Apple updated malware definitions to address the threat; it's likely the company will do the same to squash this newest trojan. Your Mac's malware definitions are supposed to auto-update, but if you're not afraid of diving into the command line you can force your Mac to update manually.

  • Daily Update for September 23, 2011

    by Steve Sande
    09.23.2011

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes, which is perfect for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for listening through iTunes, click here. No Flash? Click here to listen.

  • F-Secure reports Mac trojan poses as PDF

    by Mike Schramm
    09.23.2011

    Security firm F-Secure has unearthed a troubling trojan for Macs that hides itself as a PDF, only waiting until the file is opened up and displaying some Chinese characters before it dives into your Mac's hard drive and sets up a backdoor control. Currently, according to F-Secure, the backdoor doesn't actually do anything harmful, but obviously that could change in the future, either if the original hackers take advantage of the trojan, or if someone else does. F-Secure says that the trojan currently doesn't have an icon associated with it, so in the current spotted form, it should be pretty easy to identify as a virus (especially if it shows up in just a random email). But if the trojan is embedded in a file with an extension and an icon that matches a familiar document type (like a PDF, or any other kind of file you'd open in everyday use), it's possible that the backdoor could get installed. In other words, you've got to do what you should always do on any computer: beware of any file downloaded from an untrusted source on the Internet, or any email attachments coming from a sender you don't know or recognize.

  • Apple updates malware definitions to address fake Flash player trojan

    by Mike Schramm
    08.12.2011

    Apple's updated an entry in the anti-malware files of OS X to lock down a trojan that pretends to be a Flash player installer, but actually hijacks users' search results. The trojan is known as "OSX.QHost.WB.A," and claims to install Flash, but instead redirects Google results to an IP in the Netherlands, which then loads unwanted ads and offsite content along with the fake search results. When the malware was officially discovered, none of the ad servers actually worked, so the malware threat at this time is more of an inconvenience than anything. Still, Apple apparently doesn't want to take chances -- it's updated the "XProtect.plist" file in OS X with the definition of the trojan. Since an update earlier this year, you don't even need to run Software Update to get this upgrade, as you likely get File Quarantine definitions upgraded daily already. But it's good to know that steps have been taken already to protect your Mac from this malware.

  • New Android trojan can record phone calls, expose your embarrassing fantasy baseball talk

    by Terrence O'Brien
    08.02.2011

    Mobile malware is nothing new, especially for Android users who have trained themselves to navigate the sometimes shady back alleys of the Market. The fine folks at CA Technologies came across an interesting new trojan though, that does something slightly more unnerving than max out your credit cards -- it records your conversations. There's no evidence that this has actually found its way into the wild yet, but it's entirely possible that some nefarious developer could capture your calls and upload them to a remote server. Obviously, this wouldn't hold much interest for your traditional cyber crook, but suspicious significant others and corporate spies could have a field day with such capabilities. All we can do is suggest you remain vigilant and maintain a healthy dose of paranoia about any apps on your phone.

  • Trojan asteroid caught circling Earth, the Greeks deny involvement

    by Joseph Volpe
    07.29.2011

    Hide your kids, hide your wife, there's an asteroid circling Earth's orbit and we're all gonna... be just fine? Yeah, no need to stock up those '60s fallout shelters folks, this approximately 1,000 feet wide space rock is sitting pretty and safe in one of our Lagrange points. The so-called Trojan asteroid, known as 2010 TK7, was uncovered 50 million miles away by the infrared eyes of NASA's Wide-field Infrared Survey Explorer (WISE) telescope, and is the first of its kind to be discovered near our humble planet. Typically, these near-Earth objects (NEOs) hide in the sun's glare, but this satellite's unusual circuit around our world helped WISE and the Canada-France-Hawaii telescope confirm its existence. The finding has our best and brightest giddy with the hope similar NEOs "could make excellent candidates for future robotic or human exploration." Unfortunately, our new planetoid friend's too-high, too-low path doesn't quite cut the space mission mustard. No matter, 2010 TK7 still gets to call "First!"

  • AppleCare rep tells Ed Bott Mac malware reports are up

    by Dana Franklin
    05.18.2011

    An anonymous AppleCare support representative spoke to ZDNet's Ed Bott over the weekend, telling the reporter that complaints about malware infections on the Mac increased significantly in the first half of May. "This last week over 50% of our calls have been about [malware]," said the AppleCare staffer. "In two days last week I personally took 60 calls that referred to Mac Defender." Earlier this month, a new series of malicious software packages with names like "Mac Defender," "Mac Security" and "Mac Protector" began to assault Apple's computing platform. Websites would alert users their Macs were infected and persuade them to download and install "Mac Defender" to protect their computers from the alleged attack. Rather than eliminate malware, these trojans prompt users to provide credit card information to their authors. It's all a scam. Even so, the scam appears to be quite effective. The AppleCare staffer claims many callers believed the warnings from these malware packages were legitimate or came from Apple, and in the last week, call volume for the computer-maker's support lines was up to five times higher than normal. "I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls," the AppleCare representative told Bott. It's unclear from Bott's interview how many callers had actually installed the phony "Mac Defender" software and how many were calling to verify the authenticity of an alert on a website claiming their computers were infected. The AppleCare staffer's facts and figures are notably anecdotal. It's difficult, for example, to reconcile a five-fold increase in call volume since the malware attacks began when only half the calls have to do with "Mac Defender." Although the AppleCare staffer's story sounds a lot like a surfer boasting about a tremendous wave, it's important to use common sense when installing software from the internet. 
    Unlike a virus or worm that sneaks onto a computer without authorization, trojans like "Mac Defender" require an administrator to provide his or her password and knowingly install the malicious software. When TUAW first reported these malware attacks, we offered some helpful tips for avoiding these digital con games. Is this AppleCare representative capitalizing on the latest wave of Mac malware hype and exaggerating his or her story for attention? Or is the "Mac Defender" family of trojans really gaining traction among a community of unsuspecting Mac users? Let us know what you think in the comments.

  • Visualized: preconceived notions about personal computer security

    by Darren Murph
    03.24.2011

    See that chart up there? That's a beautiful visualization of a dozen folk models surrounding the idea of home computer security, devised by Michigan State's own Rick Wash. To construct it (as well pen the textual explanations to back it), he interviewed a number of computer users with varying levels of sophistication, with the goal being to find out how normal Earthlings interpreted potential threats to their PC. His findings? A vast amount of home PCs are frequently insecure because "they are administered by untrained, unskilled users." He also found that PCs remain largely at risk despite a blossoming network of preventative software and advice, and almost certainly received an A for his efforts. Hit the source link for more, but only after you've spiffed up, thrown on a pair of spectacles and kicked one foot up on the coffee table that sits in front of you.

  • Google flips Android kill switch, destroys a batch of malicious apps (update)

    by Sean Hollister
    03.06.2011

    When 21 rogue apps started siphoning off identifying information from Android phones and installing security holes, Google yanked the lot from Android Market, and called the authorities to boot. But what of the 50,000 copies already downloaded by unwitting users? That's what Google's dealing with this week, by utilizing Android's remote kill switch to delete them over the air. But that's not all, because this time the company isn't just removing offending packages, but also installing new code. The "Android Market Security Tool March 2011" will be remotely added to affected handsets to undo the exploit and keep it from sending your data out, as well as make you wonder just how much remote control Google has over our phones. Yes, we welcome our new Search Engine overlords and all that, so long as they've got our best interests at heart, but there's a certain irony in Google removing a backdoor exploit by using a backdoor of its own -- even one that (in this case) will email you to report what it's done. Update: TechCrunch says there were 58 malicious apps and 260,000 affected phones in total.

  • New trojan MusMinim-A written for Mac OS X

    by Dana Franklin
    02.28.2011

    On Saturday, information security firm Sophos reported a new "backdoor Trojan" designed to allow remote operations and password "phishing" on systems running Mac OS X. The author of the Trojan refers to his or her work as "BlackHole RAT" and claims the malware is still in beta. Indeed, Sophos, who re-named the threat "OSX/MusMinim-A," says the current code is a very basic variation of darkComet, a well-known Remote Access Trojan (RAT) for Microsoft Windows. The source code for darkComet is freely available online. The biggest threat from MusMinim appears to be its ability to display fake prompts to enter the system's administrative password. This allows the malware to collect sensitive user and password data for later use. The Trojan also allows hackers to run shell commands, send URLs to the client to open a website, and force the Mac to shut down, restart or go to sleep arbitrarily. Other "symptoms" include mysterious text files on the user's desktop and full screen alerts that force the user to reboot. Additionally, the malware threatens to grow stronger. "Im a very new Virus, under Development, so there will be much more functions when im finished," the author of the Trojan claims via its user interface. Sophos believes the new malware indicates more hackers are taking notice of the increasingly popular Mac platform. "[MusMinim] could be indicative of more underground programmers taking note of Apple's increasing market share," says Sophos on its blog. Another line from the malware's user interface supports the idea that hackers' interest in Mac OS X is growing. "I know, most people think Macs can't be infected, but look, you ARE Infected!" In an apparent response to the increase in malware threats on the Mac, Apple is reportedly working with prominent information security analysts like Charlie Miller and Dino Dai Zovi to strengthen the overall security of Mac OS X Lion, the company's forthcoming major update to its desktop operating system. 
    It's the first time Apple has openly invited researchers to scrutinize its software while still under development. Mac OS X Lion is scheduled to be released this summer. In the meantime, Sophos tells Mac users to be cautious when installing software from less trustworthy sources. "Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it," they say. Also, "patching is an important part of protection on all platforms" to prevent hackers from exploiting security vulnerabilities in web browsers, plug-ins and other applications. [via AppleInsider]

  • Mozilla evangelist asks Apple, Google and Microsoft to stop installing unwanted plug-ins

    by Sam Abuelsamid
    12.01.2010

    Asa Dotzler has been promoting Mozilla Firefox for more than six years, and he's not happy about other software vendors installing unwanted plug-ins in his browser. Among the vendors getting under Dotzler's skin are Apple, Google and Microsoft, each of whom also happen to produce a competing web browser. Apple, Google and Microsoft are by no means the only companies that install plug-ins to Firefox, but most companies at least ask the user before doing so. Dotzler is concerned about plug-ins like the iTunes Application Detector or Google Update being installed silently in the background without even a prompt. In Dotzler's view, this behavior is akin to installing a Trojan horse. Although the Firefox evangelist is not accusing Apple and the others of installing anything malicious, just the act of pushing unknown software is troubling. Since plug-ins and extensions are typically the leading cause of browser instability and crashes, even seemingly benign additions can cause user frustration. While silent plug-ins are doubtlessly annoying, the fact that it can happen is troubling. Instead of accusing other software companies of being evil, perhaps the Firefox developers need to change the code to prevent this from happening in the first place. If Apple or Google can install a plug-in without asking, what's to prevent a hacker from doing the same and grabbing your private data? Do Safari or Chrome allow silent plug-in installations? If not, then perhaps it's time to move on from Firefox. [Via MacStories]

  • Report warns of the increased use of SEO Poisoning to spread malware

    by Joseph L. Flatley
    11.10.2010

    You'll undoubtedly be excited to know that the Internet security firm Websense has recently released its annual Threat Report. Other than trying to scare you into buying every single product the company has ever released, the paper highlights the growing problem of Black Hat SEO, or SEO Poisoning, which (if done right) sends malware-ridden links closer to the top of your Google search results. According to Network World, some 22.4 percent of Google searches performed since June produced malicious URLs (such as fake antivirus sites or malware downloads) as part of the top 100 search results, as opposed to 13.7 percent in the second half of 2009. It seems that the old model of cyber-attacks, involving peer-to-peer virus infection, is becoming increasingly ineffective as anti-virus companies step up their game, causing nogoodniks to rely on search results, websites, and zero-day attacks. That said, there is a silver lining: as Network World goes on to explain, these days you are actually less likely to get malware from "adult content" sites than in previous years. Or should we say, that's good news for your "friend" or "co-worker."

  • Microsoft declares 'open season' on botnets, beats Waledac in court

    by Joseph L. Flatley
    09.13.2010

    When we heard that Microsoft was appealing to a higher power to shut down the Waledac botnet, we assumed that meant lighting candles at St. Francis Parish -- instead, the company went to the courts. At its prime, Waledac was estimated to have infected upwards of 90,000 machines, which in turn sent out approximately 1.5 billion pieces of spam a day (about one percent of the world's total). In February, District Court Judge Leonie Brinkema issued a temporary restraining order taking the 276 domains that the perps used for the network's command and control structure offline, and earlier this month the act was finalized with the U.S. District Court of Eastern Virginia granting a motion that, according to USA Today, "[effectively] gives Microsoft permanent ownership" of the domains. Although the defendants didn't come forward, Microsoft lawyers were able to prove that they were indeed aware of the case -- it seems that not only did they launch a DDOS attack against Microsoft's law firm, they also threatened a researcher involved in the case. Of course, since the worm can also operate in peer-to-peer mode there's no telling how many infected machines are still out there, but at the very least the botnet has been crippled -- and now companies like Microsoft have proven legal recourse if they are targeted by domains (at least ones registered in the US). "It's open season on botnets," said Microsoft senior attorney Richard Boscovich Sr. "The hunting licenses have been handed out, and we're coming back for more." Image: Privacy Canada (https://privacycanada.net).

  • Symantec analyzes cache of stolen accounts

    by Jef Reahard
    05.28.2010

    Kotaku brings word of a massive cache of stolen gaming accounts brought to light and investigated by computer security software maker Symantec. Massive, in this case, equals around 44 million accounts from game publishers including Blizzard, NCsoft, and Wayi Entertainment. The largest chunk of compromised accounts came from Wayi (around 16 million), while NCsoft held down second place with over 2 million infected accounts (60,000 of which came from Aion). World of Warcraft accounts made up approximately 210,000 of the total number. Symantec identifies the culprit as a Trojan named, appropriately enough, Trojan.Loginck, which worms its way through multiple computers and updates the stolen account database any time it strikes pay dirt. Check out the article over at Kotaku as well as Symantec's Trojan.Loginck blog entry.

  • Phishing Android apps explain our maxed-out credit cards

    by Chris Ziegler
    01.11.2010

    There's no such thing as a perfect mobile app store strategy -- you're either too draconian, too arbitrary, or too loose in your policies, and as far as we can tell, there's no way to find a balance that isn't going to trigger an alarm here and there or get a few people worked into a lather. If you're too loose, for instance, you're liable to end up with the occasional bout of malware, which is exactly what appears to have gone down recently in the Android Market with a few fake banking apps published by a bandit going as "Droid09." As you might imagine, the apps end up doing little more than stealing your information and ending your day in tears; the apps have since been pulled, but that's probably little consolation for those already affected. The moral of the story? Be vigilant, keep a close eye on those system permissions the Market warns you about as you install new apps, report sketchy ones, and -- as always -- use a hearty dose of common sense.

  • Malware targeting gamers gets some mainstream spotlight

    by Zach Yonzon
    11.05.2009

    Those vicious and despicable malware authors are targeting gamers, according to the BBC. I know, big whoop, right? The news article reports on something many World of Warcraft players have known for years -- that viruses, phishing sites, trojans, and all those dirty tech terms have us gamers smack in the middle of their digital crosshairs. The findings are the result of a study by Microsoft, which tracked the exceptional growth of a family of worms called Taterf. The programs have been around for some time now, snooping around players' computers for login details to various games with in-game currency. World of Warcraft players are juicy targets because of the remarkably large player base and the existence of the gold-buying industry, which Blizzard has actively warned against and fought. While the findings are nothing new, they only serve to confirm our fears about the growing threats to our accounts. WoW.com has been big on account security for a while, and it's nice to see the mainstream media begin to show some attention to the matter.

  • The best of WoW.com: September 1-8, 2009

    by Mike Schramm
    09.09.2009

    Cats and dogs, sleeping -- well, you know the drill. Blizzard introduced faction transfers to World of Warcraft last week, and as you might imagine, it has us WoW.com folks in a tizzy. Trolls becoming Humans? Night Elves becoming Tauren? It's one big scandal all around. Here's that story, and nine more popular ones, from Joystiq's World of Warcraft-obsessed sister site WoW.com.

    News
      • Faction change service now available: For the first time in the game's history, players can switch from Horde to Alliance or vice versa.
      • Patch 3.2.2: 5-man Coliseum jousting woes addressed: The next patch will smooth out some issues folks have been having with the new 5-man instance.
      • Play safe, because a trojan can get you banned: Blizzard's Warden isn't just working for you: if it finds some malware, you might be asked to leave the game for good.
      • Garrosh is not well-liked: There are rumors going around (spoiler) about Garrosh Hellscream, and players aren't real happy about it.
      • Yogg-Saron in blues: Think you need epic gear to be great? Think again.

    Features
      • Spiritual Guidance: 12 reasons you don't want to play a Priest: Our Priest columnist looks at the bad side of the clothy healing class.
      • Officers' Quarters: Loot rage: And how to deal with it.
      • WoW Rookie: How not to be a noob: Just imagine if this was required reading when you first started playing games. No more noobs!
      • Ask a Faction Leader: Genn Greymane: It's an advice column and a lore story all in one!
      • Survey: Figuring out the faction transfer numbers: Breaking down who's transferring where.