malware

  • Mountain Lion's Gatekeeper adds additional security options to OS X

    by Mel Martin
    02.17.2012

    With the many updates and new features announced for the upcoming OS X release of Mountain Lion, one may have slipped by, but it's an important feature. It's also likely to become controversial. Gatekeeper gives users some extra security when running third-party software. Apple says Gatekeeper will help prevent users from "unknowingly downloading and installing malicious software." The system preference has three levels of security. One only allows you to install apps from the Mac App Store. A second level allows installation of apps from what Apple calls "identified developers." Apple is starting up a program that basically allows developers to have digital signing of their apps. The lowest level of security allows apps to be installed from any source, but OS X will warn you if the app is not digitally signed. What Gatekeeper doesn't do is protect you against malware and viruses, which admittedly have not been a big problem on the Mac platform. Apple does have some built-in tools to identify potentially harmful programs, but sometimes the problems can get ahead of Apple implementing a solution. Of course, Windows faces similar challenges, but on a much larger scale. Gatekeeper is in the recently released developer preview, but it is not activated. AppleInsider reports that it can be turned on by using the new OS X system policy control command-line tool "spctl(8)". It will be interesting to see if Gatekeeper matures and adds features by the time Mountain Lion is released in late summer. We'll do a deeper dive on Gatekeeper and its possible implications for the Mac platform later on.

  • Google Chrome update brings speedier browsing, enhanced security, joy

    by Amar Toor
    02.09.2012

    The week isn't quite over yet, but it's already shaping up to be a busy one for Google Chrome. After finally bringing its browser to Android on Tuesday, Google yesterday announced an update for the original desktop version, promising faster browsing and enhanced security. More specifically, this new Stable release features a revamped omnibox that will now pre-render pages as a user types in a URL or search query, allowing for faster load times. Google has also tweaked its Safe Browsing feature, which will now automatically scan downloaded files for malware, with an especially sharp focus on any ".exe" or ".msi" files. To determine the safety of a given file, the browser will compare it against a list of publishers and files known to be safe. If it doesn't show up there, Chrome will then consult Google for more information. If the file proves suspicious, it'll warn the user and recommend deleting it. Google added that it's working on an update for its Chrome OS, as well, promising a new image editor and Verizon 3G activation portal, though there's no word yet on when that might roll out. For more details, see the source link below.

  • Google's 'Bouncer' service scans the Android Market for malware, will judge you at the door

    by Amar Toor
    02.02.2012

    Google has had its fair share of malware-related problems in the Android Market, but that's hopefully about to change, now that the company has announced a new security-enhancing service. Codenamed "Bouncer," Mountain View's new program sounds pretty simple, in principle: it just automatically scans the Market for malware, without altering the Android user experience, or requiring devs to run through an app approval process. According to Hiroshi Lockheimer, Android's VP of Engineering, Bouncer does this by scanning recently uploaded apps for spyware, trojans or any other lethal components, while looking out for any suspicious behavior that may raise a red flag. The service also runs a simulation of each app using Google's cloud-based infrastructure, and regularly checks up on developer accounts to keep repeat offenders out of the Android Market. Existing apps, it's worth noting, will be subject to the same treatment as their more freshly uploaded counterparts. Lockheimer went on to point out that malware is on the decline in the Market, citing a 40 percent drop between the first and second halves of 2011, and explained some of Android's fundamental security features, including its sandboxing and permission-based systems. Head for the source link below to read the post in full.

  • The Daily Grind: Do you loathe third-party downloaders?

    by Bree Royce
    12.17.2011

    Every time I boot up Lord of the Rings Online or Dungeons and Dragons Online, I'm reminded that somewhere on my computer lurks Pando Media Booster. Ostensibly, Pando and software like Pando help MMO players to download game clients, but they also spread out the load and track other information presumably of use to the game companies themselves. I've deleted Pando and similar software from my PC multiple times, but some games just don't function well without them. Players have been known to suggest the whole system of third-party installers and downloaders and launchers is nothing more than bloatware, or worse, malware and spyware. Am I alone in loathing MMO patchers that are really torrents I can't disable, launchers that lump the entirety of a company's games together, and third-party download whatever-ware that won't go away? Every morning, the Massively bloggers probe the minds of their readers with deep, thought-provoking questions about that most serious of topics: massively online gaming. We crave your opinions, so grab your caffeinated beverage of choice and chime in on today's Daily Grind!

  • Google pulls Android Market malware that exploits SMS hole

    by Daniel Cooper
    12.14.2011

    Google's reportedly pulled 22 malicious apps after two security firms tipped them off that the malware was tricking users into sending SMS messages to premium-rate phone lines. Android.RuFraud poses as popular games like Angry Birds, Assassins Creed or Tetris and can affect users across Europe and Russia. Fortunately the apps are easily spotted and deleted, but were downloaded 14,000 times before being pulled -- so if you see anyone experiencing similar issues, you can let 'em know how to solve it.

  • Windows Defender beta gains 'offline' functionality, can run sans-OS

    by Dante Cesa
    12.09.2011

    PC users have been using Windows Defender to free themselves from the bane of viruses, malware and spyware for quite a while, but until now, you've needed Microsoft's OS running for it to do its work. That changes with a new beta, which creates bootable CDs or USB sticks that can run the utility. Those interested can begin by downloading the Windows Defender Offline Tool, which'll prompt you for either of those media and then install around 300MB of virus-hating bits. And remember, just because you're statically downloading an almanac of today's viruses doesn't mean you'll be ready for those of tomorrow, so those taking the plunge had better remember to stay up to date.

  • US Cyber Command completes major cyber attack simulation, seems pleased with the results

    by Amar Toor
    12.02.2011

    The US Cyber Command is barely out of its infancy, but it's already crossed one milestone off its to-do list, with the successful completion of its first major test run. The exercise, known as Cyber Flag, was carried out over the course of a single week at Nellis Air Force Base in Nevada, where some 300 experts put their defense skills to the test. According to Col. Rivers J. Johnson, the participants were divided into two teams: "good guys," and "bad guys." The latter were delegated with the task of infiltrating the Cyber Command's networks, while the former were charged with defending against the mock cyberattack and keeping the government's VPN free of malware. The idea, according to the agency, was to simulate a real-world attack on the Department of Defense, in order to better evaluate the Command's acumen. "There were a variety of scenarios based on what we think an adversary would do in real world events and real world time," Johnson explained. "It was a great exercise." The Colonel acknowledged that the good guys weren't able to defend against all of the attacks, but pointed out that the vast majority were recognized and mitigated "in a timely manner." All told, Cyber Flag was deemed a success, with NSA Director and Cyber Command chief Gen. Keith Alexander adding that it "exceeded" his own expectations.

  • WikiLeaks' Spy Files shed light on the corporate side of government surveillance

    by Amar Toor
    12.02.2011

    WikiLeaks' latest batch of documents hit the web this week, providing the world with a scarily thorough breakdown of a thoroughly scary industry -- government surveillance. The organization's trove, known as the Spy Files, includes a total of 287 files on surveillance products from 160 companies, as well as secret brochures and presentations that these firms use to market their technologies to government agencies. As Ars Technica reports, many of these products are designed to get around standard privacy guards installed in consumer devices, while some even act like malware. DigiTask, for example, is a German company that produces and markets software capable of circumventing a device's SSL encryption and transmitting all instant messages, emails and recorded web activity to clients (i.e., law enforcement agencies). This "remote forensic software" also sports keystroke logging capabilities, and can capture screenshots, as well. Included among DigiTask's other products is the WifiCatcher -- a portable device capable of culling data from users linked up to a public WiFi network. US-based SS8, Italy's Hacking Team and France's Vupen produce similar Trojan-like malware capable of documenting a phone or computer's "every use, movement, and even the sights and sounds of the room it is in," according to the publication. Speaking at City University in London yesterday, WikiLeaks founder Julian Assange said his organization decided to unleash the Spy Files as "a mass attack on the mass surveillance industry," adding that the technologies described could easily transform participating governments into a "totalitarian surveillance state." The documents, released on the heels of the Wall Street Journal's corroborative "Surveillance Catalog" report, were published alongside a preface from WikiLeaks, justifying its imperative to excavate such an "unregulated" industry.

    "Intelligence agencies, military forces, and police authorities are able to silently, and on mass, and [sic] secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers," wrote Wikileaks in its report. "In the last ten years systems for indiscriminate, mass surveillance have become the norm." The organization says this initial document dump is only the first in a larger series of related files, scheduled for future release. You can comb through them for yourself, at the source link below.

  • DevilRobber now "improved", still nasty malware threat

    by Kelly Guimont
    11.18.2011

    We previously told you about DevilRobber and what sort of unsavory things it can do to (and with) your Mac. (In case you don't click over to read the article, here's the scoop: it's bad. Real bad.) Back in the day (November 1st), it was a Trojan horse and sent a little of your personal info off to some far flung servers. But CNet is reporting the new version has mutated, and now it tries to grab your Terminal history and system logs. This new "improved" version can be picked up by downloading Pixelmator from someplace that is not the Mac App Store (currently the only place to legitimately get a copy). But the fun doesn't end there! It also tries (but does not succeed at) making off with information stored in your 1Password data file. CNet's story makes it sound like DevilRobber can actually do something with that file, but in reality that data is safe, as confirmed by Agile themselves. They have a nice writeup on their site about all of this and the steps you can take to make extra super sure your data is safe. This is also another of those opportunities we here at TUAW occasionally take to remind you that malware is bad but real, and you DO need to protect yourself. Remember "Macs don't get viruses" is just as accurate as "Macs don't have any good games" (which is to say not accurate at all), and protection is ridiculously easy. Get yourself a nice antivirus utility and spend a little time with Little Snitch to make sure nothing suspicious is being sent from your machine, and that should help you avoid a lot of problems.

  • Windows 8 gets automatic updates, enforced restarts after 72 hours of polite harassment

    by Daniel Cooper
    11.15.2011

    Windows 8 is renaming the second week of every month. After "Patch Tuesday" comes "Gentle reminder Wednesday," "Polite yet firm suggestion Thursday" and "Automatic restart Friday". In order to keep everyone's system secure, Windows Update will download patches in the background before adding a notification on your lock screen that you're due a restart. If you haven't managed it within 72 hours, you'll be given a 15 minute warning to save your work and close up before it forces the shutdown -- unless you're watching a movie or conducting a presentation, it'll lie in wait for your next idle period to do it. With this system, you'll only have to complete the procedure once a month and can plan your schedule accordingly. The only time the system will deviate is when a security threat like a blaster worm appears, at which point Microsoft will ensure you're restarting as soon as a fix is available. What, you didn't know that "keeping end-users on their toes" was a feature?

  • Estonian Hackers target iTunes users in 'Clickjacking' ring

    by Kelly Hodgkins
    11.10.2011

    Wired has an interesting report on a clickjacking scheme that hijacked prominent websites including iTunes and the IRS. The scheme was run by six Estonians and one Russian operating out of Eastern Europe. The team created several fake companies, including a bogus advertising agency, which were paid for each click on an advertisement or a visit to a website. The criminals then set up a network of malware-infected computers that hijacked internet links. The malware, called DNSChanger, would modify the DNS settings of infected computers and redirect them to a DNS server controlled by the criminals. This DNS server would then bring infected users to websites that would pay the suspects for each visit. Infected users visiting iTunes, for example, would be directed to www.idownload-store-music.com and the suspects would be paid for each visit. The malware infected 4 million computers worldwide and a half million in the US. The scheme was in operation for almost four years and netted the criminals over US$14 million before they were caught.

  • Two new Mac malware concerns: Tsunami and DevilRobber

    by Victor Agreda Jr
    11.01.2011

    As reported yesterday by Computerworld, there are two malware threats for OS X to concern yourself with (temporarily). The first, Tsunami, isn't much of a threat yet. The other, DevilRobber, may be slowing your Mac down as we speak. Here's more info on each of them.

    Tsunami

    Basically a ported version of some rather old Linux malware, Tsunami isn't being seen widely just yet. Still, the trojan appears to be evolving, and has even been updated for Macs in the variant Tsunami.A, as discussed on this ESET Security blog post. What does Tsunami do? The original was a backdoor program, which uses IRC to control your machine and coordinate Distributed Denial of Service attacks. Tsunami.A adds the ability to copy itself, and includes an updated IRC command and control server (which were not active at the time ESET wrote their post). Thus far, Tsunami is merely on the radar and appears to be in active development, but not widely disseminated yet.

    DevilRobber

    While Tsunami may be on the horizon, DevilRobber is out there right now, and could be slowing your Mac down. DevilRobber, as Intego reports, isn't just one thing: it's a Trojan horse, a backdoor (allowing control), it can steal data (and surreptitiously mine Bitcoin virtual currency) and it can send personal data to servers (thus making it spyware as well). Sounds nasty, eh? Apparently the malware installs DiabloMiner, which is used in creating Bitcoins. Using this legit software, DevilRobber, aka OSX/Miner-D, can suck up processor cycles and generate the hashes used in Bitcoin's currency. Essentially the malware is using your computer to generate Bitcoins, likely without you knowing what is going on.

    Worse, Sophos senior tech consultant Graham Cluley told Computerworld that DevilRobber can take pictures of your screen, thus stealing sensitive info, and "it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history and .bash_history" -- all of which are bad things. So how big a threat is DevilRobber? Chances are, if you don't download torrents of commercial Mac software, you're fine. Intego's Mac Security Blog has some more info on DevilRobber, but for now it doesn't appear to be widespread. Also, as with Flashback.C, some users are reporting that if you have LittleSnitch installed and enabled the malware will bail. As usual, we suggest you don't illegally download commercial software via Bittorrent and only download from trusted sources (a developer's site is a good bet, and don't forget about the Mac App Store). If you suspect your machine may be infected, schedule a trip to a local Genius Bar or use antivirus software to scan your machine.

  • Georgia Tech spies on nearby keyboards with iPhone 4 accelerometer, creates spiPhone

    by Joe Pollicino
    10.21.2011

    Ever plopped your cellular down next to your laptop? According to Georgia Tech researchers, that common scenario could let hackers record almost every sentence you type, all thanks to your smartphone's accelerometer. They've achieved the feat with an impressive 80 percent accuracy using an iPhone 4, and are dubbing the program they've developed spiPhone. (Although the group initially had fledgling trials with an iPhone 3GS, they discovered the 4's gyroscope aided in data reading.) If the software gets installed onto a mobile device it can use the accelerometer to sense vibrations within three inches, in degrees of "near or far and left or right," allowing it to statistically guess the words being written -- so long as they have three or more letters. It does this by recording pairs of keystrokes, putting them against dictionaries with nearly 58,000 words to come up with the most likely results. The group has also done the same with the phone's mics (which they say sample data at a whopping 44,000 times per second vs. the accelerometer's 100), but note that it's a less likely option given the usual need for some form of user permission. Furthermore, they explained that the accelerometer data rate is already mighty slow, and if phone makers reduced it a bit more, spiPhone would have a hard time doin' its thing. The good news? Considering the strict circumstances needed, these researchers think there's a slim chance that this kind of malware could go into action easily. Looks like our iPhone and MacBook can still be close friends... For now. You'll find more details at the links below.

  • Trojan variation disables Mac malware protection

    by Chris Rawson
    10.19.2011

    Researchers from F-Secure warn that a variant on a trojan discovered in September, which masquerades as an Adobe Flash Player installer, now exists and is capable of disabling OS X's built-in malware protection. OSX/Flashback.C disables the auto-updater component of XProtect, which means the system's built-in anti-malware application no longer looks for updates to its malware definitions. This essentially holds the door open for future malware to invade the system unimpeded. F-Secure provides instructions for removing OSX/Flashback.C if your system has already been compromised. For the truly paranoid, you can also bypass the auto-update process and force your Mac to update its malware definitions manually. Since OS X malware authors seem to be employing fake Flash Player installers as a delivery vector, it's worth mentioning that you should only download Flash Player from trusted sources. Adobe's website is a good place to start. You could also remove the plug-in version of Flash Player altogether, essentially zeroing out your risk of being exposed to the OSX/Flashback trojan variants; the Google Chrome browser includes a bundled Flash Player if you need to view Flash content. [Hat tip to Ars Technica]

  • Daily Update for September 26, 2011

    by Steve Sande
    09.26.2011

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes, which is perfect for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for listening through iTunes, click here. No Flash? Click here to listen.

  • Apple updates malware definitions to address PDF trojan

    by Chris Rawson
    09.26.2011

    According to MacRumors, Apple has updated its malware definitions to address a PDF trojan that gained widespread attention last week. While reports indicated that the trojan's damage was limited to installing a backdoor in users' systems, Apple has moved relatively quickly to address the threat anyway. CNET reports that yet another OS X trojan is making the rounds, however, this time posing as an Adobe Flash installer. Avoiding this bit of malware is simple: if you must install Flash on your system, only download it from a trusted source like Adobe's own site or MacUpdate. A similar bit of malware made the rounds in August, but Apple updated malware definitions to address the threat; it's likely the company will do the same to squash this newest trojan. Your Mac's malware definitions are supposed to auto-update, but if you're not afraid of diving into the command line you can force your Mac to update manually.

  • US government to beat back botnets with a cybersecurity code of conduct

    by Amar Toor
    09.23.2011

    Old Uncle Sam seems determined to crack down on botnets, but he still needs a little help figuring out how to do so. On Wednesday, the Department of Homeland Security and National Institute of Standards and Technology (NIST) published a request for information, inviting internet and IT companies to contribute their ideas to a voluntary "code of conduct" for ISPs to follow when facing a botnet infestation. The move comes as an apparent response to a June "Green Paper" on cybersecurity, in which the Department of Commerce's Internet Policy Task Force called for a unified code of best practices to help ISPs navigate through particularly treacherous waters. At this point, the NIST is still open to suggestions from the public, though Ars Technica reports that it's giving special consideration to two models adopted overseas. Australia's iCode program, for example, calls for providers to reroute requests from shady-looking systems to a site devoted to malware removal. The agency is also taking a hard look at an initiative (diagrammed above) from Japan's Cyber Clean Center, which has installed so-called "honeypot" devices at various ISPs, allowing them to easily detect and source any attacks, while automatically notifying their customers via e-mail. There are, however, some lingering concerns, as the NIST would need to find funding for its forthcoming initiative, whether it comes from the public sector, corporations or some sort of public-private partnership. Plus, some are worried that anti-botnet programs may inadvertently reveal consumers' personal information, while others are openly wondering whether OS-makers should be involved, as well. The code's public comment period will end on November 4th, but you can find more information at the source link, below.

  • Daily Update for August 24, 2011

    by Steve Sande
    08.24.2011

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top stories of the day in three to five minutes, which is perfect for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for listening through iTunes, click here. No Flash? Click here to listen.

  • McAfee: Android malware soars while iPhone untouched

    by Mike Schramm
    08.23.2011

    McAfee says that the Android OS is having some issues with malware lately -- according to a new study from the anti-malware company, Android malware has grown by 76% over the past few months, sending the number of troublesome scripts out there to over 40. Some of the malware appears to be legitimate apps, and other issues come from code that sends unwanted text messages or performs other scammy behavior. Meanwhile, Apple is doing great with iOS -- McAfee has recorded zero legitimate threats to a stock iPhone, with the only attacks on the hardware coming to four different jailbroken devices. It appears Apple's "walled garden" approach, while limiting to some developers and customers, has at least made good use of those walls in keeping malware away. The other mobile OS with a spotless score? webOS, which of course is probably that way simply because it's just not used that much.

  • Looking back at a year of Android Malware

    by Brian Heater
    08.12.2011

    Wow, has it really been a year since we first witnessed the arrival of SMS.AndroidOS.FakePlayer.a? It seems like only yesterday when everyone was first scrambling to describe the text message manipulating bit of Android malware. We've come a long way and seen plenty of malicious bits of software since August 2010. Remember the porn-bundled SMS.AndroidOS.FakePlayer.b trojan from October? Or how about the bible-packing Android.Smspacem? Relive all of the handset hijacking memories in the source link below.