malware

Latest

  • Talkcast tonight, 4 PM HI/7 PM PT/10 PM ET: Mother's Day Edition

    by Kelly Guimont
    05.08.2011

    Here we go again, kids! Not only do we have Mother's Day to talk about, but we also have the shiny new iMacs and a shiny new piece of malware to discuss as well. As always when I'm hosting, if there's a show, there's an aftershow. Join us for TUAW and stay for TUAWTF. It's like two shows in one! Your calls and questions help us make the show the best it can be, otherwise I'm just talking to myself! To participate on TalkShoe, you can use the browser-only client, the embedded Facebook app, or download the classic TalkShoe Pro Java client; however, for maximum fun, you should call in. For the web UI, just click the Talkshoe Web button on our profile page at 4 HI/7 PDT/10 PM EDT Sunday. To call in on regular phone or VoIP lines (yay for free cell phone weekend minutes!): dial (724) 444-7444 and enter our talkcast ID, 45077 -- during the call, you can request to talk by keying in *8. If you've got a headset or microphone handy on your Mac, you can connect via the free Gizmo, X-Lite or Blink SIP clients; basic instructions are here. Talk to you tonight!

  • MacDefender malware targeting Mac users, instructions for removal

    by Steve Sande
    05.02.2011

    Mac owners usually have little to worry about in terms of computer viruses and spyware, but a new malware attack seems to be causing issues for some users. According to a report on The Next Web, a specialized malware attack targeting Mac users is making the rounds. Users seem to be targeted as they are browsing Google Images, with one victim reporting that he suddenly received a message stating that his machine had been infected with viruses that only a "MacDefender" application could remove. There is a MacDefender website that highlights a few shareware apps that a dedicated geocacher has written, and the site's owner is warning people to not download the malware app. The malware appears to be targeting Safari. The browser can be configured so that it will automatically open trusted software, and that appears to be the route of attack that's being used. While the MacDefender malware isn't infecting Macs with a virus or running a keylogger in the background, the author seems to be trying to scare users into providing credit card information by buying the software. The Next Web provided some useful hints on how to protect yourself from the malware and to remove the pesky app if it is downloaded onto your Mac. If you aren't seeing MacDefender in your Applications folder, you can protect yourself from possible infiltration by unchecking the "Open 'safe' files after downloading" box at the bottom of Safari > Preferences > General (see the area outlined in red in the image above). If MacDefender is already on your Mac, check out the next page for tips on how to remove it.

  • Samsung reportedly installing keylogger software on laptops (update: it's a false-positive)

    by Darren Murph
    03.31.2011

    We'll start by saying that we've reached out to Samsung for a response here, but as of now, no reply has been given -- neither a confirmation nor a denial. Why bother mentioning that? If this story proves true, Sammy could have a serious problem on its hands -- a problem that'll definitely start with a rash of negative PR, and a quandary that could very well land the outfit in the courtroom. According to a report by Mohamed Hassan over at Network World, Samsung allegedly took the initiative to install a keylogger into his recently purchased R525 and R540 laptops. The app was noticed right away after a security scan on both systems, with StarLogger popping up in the c:\windows\SL directory. Where things really get strange is on the support line; reportedly, a supervisor informed Mr. Hassan (after an earlier denial) that the company did indeed install the software at the factory in order to "monitor the performance of the machine and to find out how it is being used." Unfortunately, it's difficult to say if this is a widespread issue, or if the tale is entirely correct, but we get the feeling that Samsung will have little choice but to respond in some form or fashion here shortly. Naturally, we'll keep you abreast of the situation -- meanwhile, you may want to reconsider that hate-filled comment you're about to bang out on your Samsung laptop, and instead, feast your eyes on the video just past the break. Update: Kudos to Samsung for hitting this head-on. An hour after we inquired for comment, a company spokesperson tossed over this official quote: "Samsung takes Mr. Hassan's claims very seriously. After learning of the original post this morning on NetworkWorld.com, we launched an internal investigation into this issue. We will provide further information as soon as it is available." Update 2: Samsung's official Korean language blog, Samsung Tomorrow, has posted an update calling the findings false. According to Samsung, the confusion arose when the VIPRE security software mistakenly identified Microsoft's Slovene language folder ("SL") as Starlogger, which Sammy was able to recreate from an empty c:\windows\SL folder (see image above). So yeah, move along, it's much ado about nothing -- the R525 and R540 laptops are perfectly safe. Update 3: Even GFI Software has stepped up and confirmed the good news; furthermore, it'll be changing the way it structures things so as not to set off any more false-positives.

  • Visualized: preconceived notions about personal computer security

    by Darren Murph
    03.24.2011

    See that chart up there? That's a beautiful visualization of a dozen folk models surrounding the idea of home computer security, devised by Michigan State's own Rick Wash. To construct it (as well as pen the textual explanations to back it), he interviewed a number of computer users with varying levels of sophistication, with the goal being to find out how normal Earthlings interpreted potential threats to their PC. His findings? A vast number of home PCs are frequently insecure because "they are administered by untrained, unskilled users." He also found that PCs remain largely at risk despite a blossoming network of preventative software and advice, and almost certainly received an A for his efforts. Hit the source link for more, but only after you've spiffed up, thrown on a pair of spectacles and kicked one foot up on the coffee table that sits in front of you.

  • Google spikes 21 malicious apps with big download counts from the Market (update: Android 2.2.2 and up are immune)

    by Chris Ziegler
    03.02.2011

    We're sure that the debate of a carefully controlled and curated environment like Apple's App Store versus a free-for-all like the Android Market will rage on for years to come, but here's something to chew on: Google just removed some 21 apps from the Market in the last day from a publisher going by Myournet for doing all sorts of naughty things to your device. Offenses include attempting to root your phone, uploading phone information (including IMEI) to who-knows-where, and -- most egregiously -- adding a backdoor that allows additional code to be pulled down and executed. At least some of the apps are pirated versions of existing apps that have been re-uploaded at zero cost to the user, which makes them appealing... and the trick apparently works quite well, because the 21 managed to clock over 50,000 downloads before getting taken down. This isn't the first time malicious apps have shown up on smartphones -- far from it -- but it's probably the highest-profile case of a first-party app store being infiltrated by really bad stuff. If there's a silver lining, it's that Google was extraordinarily quick to respond once Android Police reported the situation -- the site says it took less than five minutes from the time they reached out to the time the apps actually went offline. Still, that's little consolation if you've already installed your "free" copy of Super History Eraser. Hit the source links for the full list of pulled apps. Update: Android Central points out that the type of root exploit used in these apps was patched in Android 2.2.2 and up, so Nexus One and Nexus S owners should be fine; everyone else is left out in the cold, though, thanks to the vexing third-party update lag. Thanks, Z!

  • New trojan MusMinim-A written for Mac OS X

    by Dana Franklin
    02.28.2011

    On Saturday, information security firm Sophos reported a new "backdoor Trojan" designed to allow remote operations and password "phishing" on systems running Mac OS X. The author of the Trojan refers to his or her work as "BlackHole RAT" and claims the malware is still in beta. Indeed, Sophos, who re-named the threat "OSX/MusMinim-A," says the current code is a very basic variation of darkComet, a well-known Remote Access Trojan (RAT) for Microsoft Windows. The source code for darkComet is freely available online. The biggest threat from MusMinim appears to be its ability to display fake prompts to enter the system's administrative password. This allows the malware to collect sensitive user and password data for later use. The Trojan also allows hackers to run shell commands, send URLs to the client to open a website, and force the Mac to shut down, restart or go to sleep arbitrarily. Other "symptoms" include mysterious text files on the user's desktop and full screen alerts that force the user to reboot. Additionally, the malware threatens to grow stronger. "Im a very new Virus, under Development, so there will be much more functions when im finished," the author of the Trojan claims via its user interface. Sophos believes the new malware indicates more hackers are taking notice of the increasingly popular Mac platform. "[MusMinim] could be indicative of more underground programmers taking note of Apple's increasing market share," says Sophos on its blog. Another line from the malware's user interface supports the idea that hackers' interest in Mac OS X is growing. "I know, most people think Macs can't be infected, but look, you ARE Infected!" In an apparent response to the increase in malware threats on the Mac, Apple is reportedly working with prominent information security analysts like Charlie Miller and Dino Dai Zovi to strengthen the overall security of Mac OS X Lion, the company's forthcoming major update to its desktop operating system. It's the first time Apple has openly invited researchers to scrutinize its software while still under development. Mac OS X Lion is scheduled to be released this summer. In the meantime, Sophos tells Mac users to be cautious when installing software from less trustworthy sources. "Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it," they say. Also, "patching is an important part of protection on all platforms" to prevent hackers from exploiting security vulnerabilities in web browsers, plug-ins and other applications. [via AppleInsider]

  • Microsoft rolls out long, long-awaited Windows update to disable AutoRun for USB drives

    by Donald Melanson
    02.12.2011

    It's already changed the behavior in Windows 7, and Microsoft has now finally rolled out an update for earlier versions of Windows that prevents a program from executing automatically when a USB drive is plugged into a PC. That behavior has been blamed for the spread of malware in recent years -- including the infamous Conficker worm -- and Microsoft had actually already made it possible to disable the functionality back in November of 2009, albeit only through an update available from its Download Center website. It's now finally pushed the update out through the Windows Update channel, though, which should cause it to be much more broadly deployed (particularly in large organizations). As explained in a rather lengthy blog post, however, Microsoft has decided to simply make it an "important, non-security update" rather than a mandatory update, as it doesn't technically see AutoRun as a "vulnerability" -- it was by design, after all. That means you'll have to look for the option in Windows Update and check it off to install it -- if you choose, you can also re-enable it at anytime with a patch.

  • The Road to Mordor: Hacked!

    by Justin Olivetti
    01.21.2011

    "My kinship had just finished an instance run about a week-and-a-half ago and was in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been booted minutes earlier. "I was lucky and did that before the hacker had time to switch servers to where my active characters are. Other kinmates have not been so lucky." So goes the frightening tale of Pumping Irony's Scott, who shares this in the hopes that others may avoid a similar scare. Unfortunately, it seems as though stories such as these are becoming more and more common in Lord of the Rings Online, where the worst threat to your quest may not be the eye of Sauron but the malicious intent of hackers gutting your account while you're offline. Today we're going to step off the path for a temporary side trail into the gloomy undergrowth of account security and an MMO under siege.

  • AT&T, Verizon, RIM get serious about security for mobile devices

    by Joseph L. Flatley
    12.23.2010

    As commonplace as smartphones have become, it's about time that carriers and manufacturers start getting serious about mobile security (and no, we don't mean iPhone tethers). According to a recent Wall Street Journal article, Verizon is currently working with Lookout, a San Francisco-based company known for remote backup and geolocation apps for BlackBerry, Android, and Windows Mobile devices, while RIM has recently announced a little something called BlackBerry Protect, which promises to lock or even wipe a misplaced phone, pinpoint the thing on a map, and make regularly-scheduled wireless backups. By far the most ambitious plans in the article, however, belong to AT&T, which -- aside from recent deals with MobileIron and McAfee -- is currently opening a new mobile security lab in New York City. From here, the company will research malware, worms, viruses, and other threats as they develop in the mobile sphere. "Everyone is realizing that this is an uncontrolled environment," said AT&T chief security officer Edward G. Amoroso. "We don't want to have the same problems that we had with PCs."

  • Google hacked site notification notifies you if your site is hacked (repeat this five times fast)

    by Joseph L. Flatley
    12.19.2010

    Those crazy cats at Google have been tinkerin' with the search results quite a bit lately: in addition to the old standbys (malware notifications, updated image search), the company has recently rolled out Instant Search, Instant Preview... and now? That's right: hacked site notifications in the search results. According to the Webmaster Central blog, the company uses "a variety of automated tools to detect common signs of a hacked site," and if you have a Webmaster Tools account you'll even be notified of the breach. Hit the source link for more info.

  • Chrome sandboxes Flash Player in latest Dev channel release for Windows

    by Vlad Savov
    12.02.2010

    Hey, Adobe's finally figured out how to make Flash secure -- have Google do it! The guys behind your favorite search engine have updated their latest Dev channel release of Chrome to include a new sandboxing facility for Flash Player content. It'll serve to limit access to sensitive system resources and make Flash's operation a generally less threatening proposition than it currently is. This also marks the fulfillment of a longstanding promise from Google to give Flash the same treatment it's afforded to JavaScript and HTML rendering for a while, and should be welcome news to Windows users eager to minimize "the potential attack surface" of their browser. Sorry, Mac fans, you're out in the unsecured cold for now. Of course, the Dev channel itself is one step less refined than beta software, so even if you're on Windows it might be advisable to wait it out a little bit.

  • Mac malware survey finds mostly incompatible nasties

    by Darren Murph
    11.24.2010

    See that chart there? That's a lovely graphic conjured up by Sophos, a company that makes ends meet by offering anti-virus software. The company just so happens to also have a flavor for OS X, and based on data culled from 150,000 users, it looks as if 50,000 machines had at least one piece of malware onboard. 'Course, a sizable chunk of these listed (Mal/ASFDldr-A and Mal/Conficker-A, for example) won't even run on OS X, so having them on one's HDD does little more than take up a section of space that could otherwise be used to archive a digital image of Aunt Mary. Graham Cluley, senior technology consultant at Sophos, even stated that Sophos doesn't "see as much Mac malware as Windows malware... by a long shot," but given that its Mac edition software is totally free, you might as well give it a look if you're suddenly stricken with paranoia.

  • Report warns of the increased use of SEO Poisoning to spread malware

    by Joseph L. Flatley
    11.10.2010

    You'll undoubtedly be excited to know that the Internet security firm Websense has recently released its annual Threat Report. Other than trying to scare you into buying every single product the company has ever released, the paper highlights the growing problem of Black Hat SEO, or SEO Poisoning, which (if done right) sends malware-ridden links closer to the top of your Google search results. According to Network World, some 22.4 percent of Google searches performed since June produced malicious URLs (such as fake antivirus sites or malware downloads) as part of the top 100 search results, as opposed to 13.7 percent in the second half of 2009. It seems that the old model of cyber-attacks, involving peer-to-peer virus infection, is becoming increasingly ineffective as anti-virus companies step up their game, causing nogoodniks to rely on search results, websites, and zero-day attacks. That said, there is a silver lining: as Network World goes on to explain, these days you are actually less likely to get malware from "adult content" sites than in previous years. Or should we say, that's good news for your "friend" or "co-worker."

  • Critical security warning issued for Mac OS X 10.5 Leopard

    by Chris Rawson
    11.09.2010

    Computerworld reports that security researchers from CoreLabs have publicly released details on a critical security flaw in Mac OS X 10.5 Leopard, an older version of the Mac's operating system. Curiously, the security flaw in Leopard is quite similar to a flaw we reported on back in August, which allowed easy-as-pie browser-based jailbreaking of iOS devices. CoreLabs became aware of the flaw in Leopard and informed Apple only a couple weeks after Apple patched a similar hole in iOS 4; according to those same researchers, Apple has had more than enough time since then to patch the flaw in Leopard. That the flaw remains unpatched was the researchers' motivation for sounding the alarm publicly. The current version of Mac OS X, 10.6 Snow Leopard, is not vulnerable to this exploit. Those using Mac OS X 10.5 Leopard will remain vulnerable until Apple offers a security update for the older OS, which theoretically should be coming soon (reportedly, Apple has developed a patch and is simply waiting to release it). As it stands now, the flaw could leave Leopard open to malware or remote attacks. More specific information is available on CoreLabs' website.

  • Security alert: New Trojan Horse apps said to attack the Mac

    by Steve Sande
    10.27.2010

    Some security mavens have long theorized that as the Mac becomes more popular, we'd start to see malware targeting the platform. Sure enough, this morning's crop of email blasts from PR firms included a few notices of trojans that are affecting Mac users. First, from SecureMac, comes word of trojan.osx.boonana.a, which comes disguised as a link on social networking sites asking "Is this you in this video?" Clicking the link downloads and runs a Java applet that then installs further applications to modify system files and open the system to password-free access. The other malicious apps report back to command and control servers, as well as hijack user accounts to spread the trojan through email spam. The SecureMac press release notes that the "Java component of the trojan horse is cross-platform," but it's not clear from their statement that the other components are capable of running under Mac OS X. Next, Intego reported that a similar Java trojan known as Koobface.A is also being spread through social networking systems such as Facebook and Twitter.

  • Thumb drive-based malware attack led to formation of US Cyber Command

    by Joseph L. Flatley
    08.26.2010

    Recently declassified documents have revealed that the worst breach of U.S. military computers evar went down in 2008, a major turning point in our nation's cyberstrategy that eventually led to the formation of the United States Cyber Command. Operation Buckshot Yankee, as the defense came to be known, began when a USB thumb drive infected by a foreign intelligence agency was found in the parking lot of a Department of Defense facility in the Middle East. Whoever found the thing placed it in their laptop (probably hoping to find Justin Bieber MP3s), which just so happened to be attached to United States Central Command. From that point, writes Deputy Defense Secretary William J. Lynn in Foreign Affairs, malware spread "undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control." Yikes! We still haven't found out which country orchestrated the attack, or what they might have learned from it, so until the Pentagon tells us otherwise we're going to do what we usually do in these situations and blame Canada (sorry, Don). [Warning: read link requires subscription]

  • Did malware cause the crash of Spanair Flight JK 5022? (update)

    by Joseph L. Flatley
    08.23.2010

    The inquiry into the August 2008 crash of Spanair Flight JK 5022 at Barajas Airport in Madrid took a bizarre turn recently when Spanish daily El Pais reported that the server that the airline used to track technical problems on aircraft contained malware. Although the flaps and slats were not in the proper position for takeoff, the crew was never alerted -- causing the flight to go down moments after takeoff, killing all but 18 of the 172 on board. That's not to say that human error wasn't a factor: as well as causing an audible alarm, the problem should have been spotted by the mechanic or airport maintenance chief, both of whom are under investigation. Space stations, power grids, and now airline safety systems? Please, people -- keep your antivirus software up to date. Update: Of the many possibilities that could have brought down JK 5022, it turns out malware was pretty low on the list -- ZDNet's Ed Bott reports that it was a maintenance computer at the airline's HQ that was infected, and the plane itself (an MD-82) uses a takeoff warning system that predates airplane computerization, and was thus not susceptible to viruses.

  • BBC crafts malicious smartphone app to prove a point... we guess

    by Darren Murph
    08.11.2010

    You may surmise that Auntie Beeb is only good for news distribution from across the pond, but as it turns out, the BBC is apparently giving at least a few of its employees a little of that oh-so-coveted "20 percent time." In an effort to prove just how easy it is to create a smartphone application that can gank all sorts of personal information, a staffer at the organization spent just a few weeks learning enough code to create a "crude game." In play, the app would gather contact information, copy text messages and log the phone's current location; afterwards, it would shoot all of that information to a specified email address, but not before putting a serious hurting on the battery. All told, the spyware took up around 250 lines of the 1,500 making up the whole program, and thankfully for us all, the BBC decided against submitting the program into any app stores. Phew. So, the point? It's pretty easy to craft an ill-willed app, so as with anything in life, download with care -- and keep an eye on atypical battery drain, eh?

  • Microsoft responds to Google moving away from Windows, calls it ironic

    by Nilay Patel
    06.02.2010

    Google made some waves earlier this week by reportedly moving employees off of Windows and onto Mac OS X and Linux machines -- although the company wouldn't confirm the switch, the move was said to be precipitated by security issues after Chinese hackers attacked the search giant back in January. Now, that wasn't the only reason mentioned in the report -- Google apparently also wants employees to use home-grown products like Chrome OS, and it's sort of weird for Google to buy tons of software licenses from a major competitor -- but the implication that Windows isn't secure enough for Google seems to have raised Microsoft's hackles: a new post on the Windows Team Blog says the irony of the move is "hard to overlook" as Gmail and Google Docs have privacy and security issues of their own, offers a point-by-point breakdown of all the ways Windows 7 is more secure than the competition, and goes on to suggest that a recent piece of shady Mac OS X malware is "a future sign of things to come for Apple and security." Meow. Now, we honestly think the real story is as simple as Google not wanting to write Microsoft a really big check, but we're not going to say no to a little fight here -- Eric, Steve, you have anything to say?

  • PC malware targeting iTunes, iPad users

    by Mel Martin
    04.26.2010

    Here's a cute trick. Some PC owners are getting emails alerting them to a new version of iTunes that has been updated "...for best iPad performance, newer features and security." The email provides a link, asking recipients to download a "new" version of iTunes. You see where this is going, of course. Those who follow through actually download a counterfeit version of iTunes which contains malicious code that opens up a backdoor allowing unauthorized access to a PC. According to security software firm BitDefender, the code, called Backdoor.Bifrose.AADY, attempts to read the keys and serial numbers of the various software installed on the affected computer. It also logs the victim's ICQ, Messenger and POP3 mail account password plus protected storage login. Of course, BitDefender would be glad to sell you some anti-malware software to clean the mess up, but it's better still to know about this in advance and not download what looks like Apple software from anyone other than Apple. Mac owners can rest easy. This malware only hits on PCs.