malware

Latest

  • Symantec names Shaoxing, China as world's malware capital

    by 
    Donald Melanson
    03.29.2010

    It's not the sort of title any city's looking for, but Symantec has now given Shaoxing, China the dubious honor of being the world's malware capital, saying that it accounts for more targeted attacks than any other city. In fact, the company found that while close to 30 percent of all malicious attacks came from China (making it the number one country), 21.3 percent came just from Shaoxing. It was followed by Taipei at 16.5 percent, and London at 14.8 percent. Following China in the country rankings is Romania with 21.1 percent of attempted attacks (most of those are said to be commercial fraud), and the United States at 13.8 percent. That's actually just part of a larger report by Symantec's MessageLabs division, which details everything from the most common types of email attachments (.XLS and .DOC are neck and neck for the lead) to the percentage of emails that contain a virus or phishing attack (one in 358.3 and one in 513.7, respectively). Dive into the PDF linked below for the complete details.

  • Vodafone Spain replacing microSD cards on 3,000 virus-infected handsets

    by 
    Joseph L. Flatley
    03.19.2010

    It looks like the virus-strewn HTC Magic that was recently purchased from Vodafone UK is only the tip of the iceberg. According to Vodafone Spain, some 3,000 users in all may have been exposed to Mariposa malware -- which used the handset's storage to make its way to customers' PCs via USB -- leading the company to replace the microSD cards for infected customers. The company also says that the incident is "isolated and local," but with the number of infections rising from one in the UK to 3,000 in Spain in just over a week, we wouldn't be surprised if this story was just heating up.

  • Customer greeted with malware on Vodafone-issued HTC Magic (good thing it's discontinued)

    by 
    Chris Ziegler
    03.09.2010

    Crapware's bad enough, but having your life torn asunder simply by plugging in that shiny new (insert USB-connected device here) is an exciting new trend -- viruses find their way into the darnedest places, don't they? It seems an employee at anti-malware firm Panda Research who'd ordered a new Magic off Vodafone UK's site was greeted with no fewer than three nefarious executables upon plugging the device into her PC: a bot client, a password stealer, and a Conficker variant, and running a network sniffer quickly confirmed that the virii were live and ready to do harm as soon as the autorun in the Magic's mounted mass storage was executed on her Windows machine. If this were a widespread issue, we'd certainly have heard about it in other places, so odds are good (as Panda points out) that this was simply a case of HTC or Vodafone doing an awful job of wiping a refurbished set -- but it gives you pause and kind of makes you wish you worked for an anti-malware firm, at least on days when you're plugging in a new phone for the first time. The silver lining, we suppose, is that Vodafone has recently discontinued the Magic, though that creates another problem: the only Android device it currently stocks now is the lowly Tattoo, so the X10 and Nexus One can't come soon enough.

  • Update: Keylogger source identified

    by 
    Matt Low
    03.01.2010

    Just a quick update from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears there are multiple websites being used for this malware. Be careful of which sites you go to in order to update your addons; fake website addresses are being used to trick users. For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site, and be sure to warn players asking where to go for addons. What happens is the fake site will allow you to download a fake copy (did you see fake?) of the WowMatrix AddOn Manager, which installs the emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malwarebytes. Thanks Kody!

  • Man in the middle attacks circumventing authenticators

    by 
    Alex Ziebart
    02.28.2010

    It has been brought to our attention that Blizzard's technical support department is currently handling a security exploit that is, in a limited capacity, circumventing authenticators. Before we get into the details, please do not panic. This does not make authenticators worthless, and it is not yet a widespread problem. Do not remove your authenticator because of this, and do not base your decision on whether or not to buy an authenticator off of this. They are still very useful, and your account is much safer with an authenticator than it is without one. This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.

    Kropaclus
        After looking into this, it has been escalated, but it is a Man in the Middle attack. http://en.wikipedia.org/wiki/Man-in-the-middle_attack This is still perpetrated by key loggers, and no method is always 100% secure.
    source

    To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.

  • Breakfast Topic: What are you doing to protect your account?

    by 
    Kelly Aarons
    01.16.2010

    While it is certainly nothing new, it seems that you can't spit without hitting someone who has, or has had, a compromised account. These WoW account predators are getting more clever by the day, using everything from keyloggers, sham contests, betas and security checks, to even grabbing an account and immediately attaching an authenticator to it. Now, any moderately-savvy internet user would just scoff, and say that they take all necessary precautions -- what's there to worry about? Fair enough, but what about those who, well, don't? Blizzard has said time and time again to safeguard your account information, yet people still jump onto those fake Cataclysm betas and fancy new mount prizes. Make something idiot-proof, and they'll build a better idiot, eh? That being said, what are you doing to protect your prized polygons? Do you have a good anti-virus installed? A malware scanner? If you don't have an authenticator, how come? It's only about the price of a grande Starbucks drink, and will provide a longer-lasting effect of happiness and joy to your life. Discuss amongst yourselves!

  • Phishing Android apps explain our maxed-out credit cards

    by 
    Chris Ziegler
    01.11.2010

    There's no such thing as a perfect mobile app store strategy -- you're either too draconian, too arbitrary, or too loose in your policies, and as far as we can tell, there's no way to find a balance that isn't going to trigger an alarm here and there or get a few people worked into a lather. If you're too loose, for instance, you're liable to end up with the occasional bout of malware, which is exactly what appears to have gone down recently in the Android Market with a few fake banking apps published by a bandit going as "Droid09." As you might imagine, the apps end up doing little more than stealing your information and ending your day in tears; the apps have since been pulled, but that's probably little consolation for those already affected. The moral of the story? Be vigilant, keep a close eye on those system permissions the Market warns you about as you install new apps, report sketchy ones, and -- as always -- use a hearty dose of common sense.

  • iPhone worm author really goes to work

    by 
    Aron Trimble
    11.26.2009

    While you have to go to quite some lengths to be vulnerable to it, jailbroken iPhones have been under fire for susceptibility to a particular SSH-based type of worm that has seen a lot of press lately. One of the developers, Ashley Towns, who helped to get the "rick" rolling, as it were, has just announced his employment at an iPhone game firm. Sophos is reporting that he'll be taking up shop at mogeneration, the developer responsible for such hits as Xumii [iTunes link], a cross-social networking communication app, and Moo Shake! [iTunes link], a farm-based activity game for kids. It is an interesting turn of events given that mogeneration even reported on the topic of Ashley's now-infamous rickrolling iPhone worm. I personally think that there is a lot of potential for coders of malware to embark on legitimate careers as developers coding for good. However, I don't favor the thought that malware developers are essentially getting 'rewarded' for their dangerous work. There is nothing from mogeneration to imply that Towns was hired based on the notoriety of his SSH-based worm, but I can't help thinking that there are other, more talented iPhone developers who have stayed below the radar by not writing malware. I want to know what you think. Should developers of intentionally malicious software be given a clean slate and a new life? Or perhaps should they be feeling the effects of the law's very long arms? [via Techmeme]

  • First iPhone worm rickrolls jailbroken phones

    by 
    Nilay Patel
    11.08.2009

    We sort of knew this would happen as soon as we heard about that iPhone wallpaper hack in the Netherlands -- a hacker named ikex has created what's apparently the first iPhone worm, and it's currently infecting jailbroken iPhones across Australia. The "ikee" worm, as it's being called, takes advantage of the fact that jailbroken iPhones with SSH installed all have the same default root password of "alpine," and once in the system it changes your wallpaper to an image of Rick Astley and then tries to install itself on other jailbroken iPhones on the network. Sophos says it hasn't confirmed any infections outside of Oz, and to be clear, this worm can't get to stock iPhones or jailbreak owners who haven't installed SSH -- but if you're running a hacked phone we'd say you should change that root password just to be safe right away. Get to it, kids. [Via PMP Today; thanks to everyone who sent this in]

  • Malware targeting gamers gets some mainstream spotlight

    by 
    Zach Yonzon
    11.05.2009

    Those vicious and despicable malware authors are targeting gamers, according to BBC. I know, big whoop, right? The news article reports on something many World of Warcraft players have known for years -- that viruses, phishing sites, trojans, and all those dirty tech terms have us gamers smack in the middle of their digital crosshairs. The findings are a result from a study by Microsoft, which tracked the exceptional growth of a family of worms called Taterf. The programs have been around for some time now, snooping around players' computers for login details to various games with in-game currency. World of Warcraft players are juicy targets because of the remarkably large player base and existence of the gold-buying industry which Blizzard has actively warned and fought against. While the findings are nothing new, they only serve to confirm our fears about the growing threats to our accounts. WoW.com has been big about account security for awhile, and it's nice to see the mainstream media begin to show some attention to the matter.

  • Microsoft Security Essentials anti-virus software is now live and free

    by 
    Donald Melanson
    09.29.2009

    In a move that's sure to please a few million Windows users and break the hearts of a handful of anti-virus companies, Microsoft has now finally made the non-beta version of its Security Essentials software available to the general public, and it's not even asking that you throw a launch party to get it for free. For those not in on the beta or following Microsoft's exciting forays into freeware, the software promises to cover all the security basics and fend off viruses, spyware and other malicious software, and Microsoft even assures us that it'll "run quietly in the background" and only intrude on your life when an action is required. You'll also, of course, get free updates on a regular basis, and it'll work just fine whether you use Windows XP, Vista or Windows 7 -- hit up the link below to grab a copy. [Thanks to everyone who sent this in]

  • The best of WoW.com: September 1-8, 2009

    by 
    Mike Schramm
    09.09.2009

    Cats and dogs, sleeping -- well, you know the drill. Blizzard introduced faction transfers to World of Warcraft last week, and as you might imagine, it has us WoW.com folks in a tizzy. Trolls becoming Humans? Night Elves becoming Tauren? It's one big scandal all around. Here's that story, and nine more popular ones, from Joystiq's World of Warcraft-obsessed sister site WoW.com.

    News
      • Faction change service now available -- For the first time in the game's history, players can switch from Horde to Alliance or vice versa.
      • Patch 3.2.2: 5-man Coliseum jousting woes addressed -- The next patch will smooth out some issues folks have been having with the new 5-man instance.
      • Play safe, because a trojan can get you banned -- Blizzard's Warden isn't just working for you: if it finds some malware, you might be asked to leave the game for good.
      • Garrosh is not well-liked -- There are rumors going around (spoiler) about Garrosh Hellscream, and players aren't real happy about it.
      • Yogg-Saron in blues -- Think you need epic gear to be great? Think again.

    Features
      • Spiritual Guidance: 12 reasons you don't want to play a Priest -- Our Priest columnist looks at the bad side of the clothy healing class.
      • Officers' Quarters: Loot rage -- And how to deal with it.
      • WoW Rookie: How not to be a noob -- Just imagine if this was required reading when you first started playing games. No more noobs!
      • Ask a Faction Leader: Genn Greymane -- It's an advice column and a lore story all in one!
      • Survey: Figuring out the faction transfer numbers -- Breaking down who's transferring where.

  • Snow Leopard ships with old version of Flash - great for hackers, not so much for the rest of us

    by 
    Joseph L. Flatley
    09.03.2009

    As we've seen, for many people the migration to Snow Leopard has been eventful (to say the least). Even if you've been spared most of the growing pains, you'll want to make note of this next item: According to the kids at Adobe, the initial release of Mac OS X 10.6 includes an earlier version of Adobe Flash Player (10.0.23.1), necessitating an upgrade to 10.0.32.18 if you want to take advantage of the enhanced security the latter provides. What's more, even if your plug-in was up-to-date, an upgrade to Snow Leopard will downgrade your Flash Player version -- so much for auto-magically downloading the most recent updates when you install the OS, eh? Our feeling is this: if you're including Flash Player in the OS, you'd better update that as well. As Daily Tech points out, Adobe products (especially Flash) are a favorite of hackers and malcontents everywhere, so if you're serious about security you'll want to get your hands on the update ASAP. And as always, the read link is a terrific place to start. [Via Daily Tech]

  • Malware detection coming in Snow Leopard?

    by 
    Michael Rose
    08.25.2009

    We usually look at news updates and blog posts from antivirus vendor Intego with a bit of a gimlet eye, since the company has been known to spread a little bit of that good old FUD when it comes to the everyday risk of malware faced by most Mac users (that is to say, pretty much none). Today, however, the Intego blog pointed out an unheralded feature of the forthcoming Mac OS X 10.6 Snow Leopard update: some basic malware checking built into the operating system, reported by users of the beta version. As the post notes (and sites such as The Register and ZDNet corroborate), when a problematic DMG is downloaded or mounted -- containing one of two known malware components -- the Finder throws the alert pictured above, warning the user not to install the software in question and to throw away the disk image. While this is a nice touch for the two security risks in question, The Register notes that the filter appears to only catch files downloaded through some of the more common apps (Mail.app, Entourage, Safari, Firefox and iChat among them) but not files copied over from removable media. It doesn't cover the wider gamut of threats out there, nor would it detect or block Windows malware that a Mac user could unwittingly transmit; for all of those scenarios, a true AV app (paid or free) is what the doctor ordered. You can keep up with all the latest Snow Leopard news via our category page.

  • Snow Leopard packing antivirus software?

    by 
    Ross Miller
    08.25.2009

    If the online chatter is to be believed, Apple's very-soon-to-be-released Snow Leopard has in its code new protection for fighting malware. According to the picture above, corroborated by other online reports, a DMG downloaded by Safari was checked by the OS and found to contain the "RSPlug.A" Trojan. The system promptly suggests you eject the disk image to avoid damage. Should Apple really be treading down this path, it begs the question of how often and how comprehensive / aggressive the company will be in updating its antivirus logs. If nothing else, it's certainly a notable symbolic gesture that the one-time underdog might be gaining enough market share to catch the attention of the darker side of the internet -- and all of a sudden, David Puddy isn't looking nearly as bad. [Thanks, David]

  • Apple keyboard gets hacked like a ripe papaya, perp caught on video

    by 
    Vlad Savov
    08.04.2009

    As far as Apple is concerned, the Black Hat 2009 hackers conference didn't end soon enough. Having promptly patched the iPhone vulnerability, Cupertino is facing another security hole, this time in its keyboards. A hacker going by the pseudonym of K. Chen has come up with a way, using HIDFirmwareUpdaterTool, to inject malicious code into the keyboard's firmware. While it's not yet possible to perform this hack remotely, the fact it occurs at the firmware level means no amount of OS cleanser or anti-virals will remedy it -- which might be a bit of a bother to MacBook owners who can't simply swap to an uninfected keyboard. Panic is hardly advisable, as Chen is collaborating with Apple on a fix, but if you want to be freaked out by his simple keylogger in action, hit up the video after the break.

  • New computer shipped with malware that targeted WoW

    by 
    Mike Schramm
    05.26.2009

    Here's a big oops -- a company named M&A Technology accidentally shipped out a unit of their Companion Touch PC that contained some malware on it, including a password stealer that targeted World of Warcraft. It was an accident -- apparently someone at the factory decided to upgrade the computer's drivers and software before shipping it out, but they used a USB stick that had been infected with the bad apps, and thus in the process infected the brand new computer. Fortunately, the person who received the computer apparently scanned and caught the bad code before any damage was done -- I guess if you buy a computer from a brand you've never heard of, it's worth giving it an antivirus and malware scan at least once before you use it. And/or you can just use an authenticator -- even if someone nabs your password, the Blizzard Authenticator makes sure that they can't log in without a current code. So there's not too much to worry about here -- while computers do occasionally get shipped with software that could jeopardize your security, as long as you're vigilant about what's on your hard drive, and take caution before using apps and hardware that you've never used before, you generally won't have any problems. [via WoW LJ]

  • Better safe than sorry? Trend Micro Smart Surfing for Mac

    by 
    Steve Sande
    04.25.2009

    Earlier this week, PC security app vendor Trend Micro announced a new product aimed at Mac users. Smart Surfing for Mac (US$69.95 per user per year) provides antivirus, anti-spyware, anti-rootkit, and web threat protection, and also has a two-way firewall built in. This, of course, brings up the old debate for Mac users. On the one hand, our 10% of the personal computing market is virtually free of the virus and malware attacks that plague the Windows world. On the other hand, should you be concerned enough to consider purchasing protection that might be overkill?

    Some of the features of Smart Surfing for Mac could be very useful for users who might otherwise be in danger of certain nefarious schemes. For example, it blocks visits to dangerous websites and has anti-phishing capabilities. While I know enough to check the real URL of links in emails by simply hovering my cursor above them, there are a frightening number of people who don't do this and who are at real risk of phishing scams. Parents might like Smart Surfing for Mac for their kids, as it restricts access by content categories, controls IM access, and also lets you block certain websites.

    Are products like Smart Surfing for Mac expensive overkill, or are they cheap insurance against the remote chance of actually getting hit with a Mac virus, malware, or a scam? Let's hear your opinion in the comments section!

  • Sophos video shows Mac trojan caught in the act

    by 
    Michael Rose
    03.26.2009

    [Video: Apple Mac malware: Caught on camera, from Sophos Labs on Vimeo]

    It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com). RSPlug-F does try to change your DNS settings to point at bad-guy controlled servers, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-seeming download site. [H/T Ars Technica Infinite Loop]

  • Another pair of infected digiframes promise to ruin the rest of your holiday break

    by 
    Darren Murph
    12.29.2008

    Oh, geez. Not this again. Just months after everyone involved with that virus-ridden Insignia frame finally cleaned things up, here come two new reports that select frames could indeed be shipping from the factory with malware pre-installed. For starters, the 1.5-inch Mercury Digital Photo Keychain -- which is sold at Walmart and other fine retailers -- seems to have some pretty nasty software loaded on, and Amazon has gone so far as to issue an alert that some Samsung SPF-85H frames are leaving the dock with the 32.Sality.AE worm on the installation disc. Something tells us someone in quality control couldn't quite get in the holiday spirit. [Via Slashdot]