TrojanHorse

Latest

  • Apple removes claim of virus immunity

    by Kelly Hodgkins, 06.26.2012

    As small as the threat may be, Mac users can no longer claim immunity from attack by malicious software online. Many Mac users are starting to recognize this new reality and now Apple does, too. As noted in a recent PC World article, Apple has quietly removed the claim "It doesn't get PC viruses" from its OS X website and replaced it with the phrase "It's built to be safe." Also changed is the paragraph header "Safeguard your data. By Doing Nothing," which now says "Safety. Built right in." It's a subtle difference, but it's enough to show that Apple recognizes the importance of Mac security. Mac OS X is growing as a desktop platform and increasingly will be the target of malicious attacks. Recently, the Flashback botnet infected over 670,000 computers worldwide, most of which were running Mac OS X. This botnet exploited a hole in Java that was patched by Apple in a subsequent update to OS X.

  • More malware in the Android Market: Google removes 26 deleterious app doppelgangers

    by Michael Gorman, 06.01.2011

    Ideally, we'd do our smartphone software shopping free from the specter of malicious apps masquerading as useful ones. This past weekend, however, 26 apps in the Android Market were discovered to be packing pernicious code called Droid Dream Light. Apparently, the dastardly devs who made the malware took existing apps and modified them to send details (including IMEI and IMSI info) about the infected handset to a remote server upon receiving a call. The code can also download and cue new package installations, but it needs user approval to do so. Google promptly pulled the offending apps, but their appearance serves as another reminder to be careful when downloading software on your smartphone -- prudence demands minding your app permissions, lest your little green bot start stealing your personal info.

  • Creeper, the first computer virus, is 40 years young today

    by Joseph L. Flatley, 03.17.2011

    Forty years ago today is considered by many to be the birthday of the first computer virus. Of course, in the early 1970s they weren't called computer viruses, but that doesn't make Bob Thomas's handiwork any less special. Creeper (named after a character in the old Scooby Doo cartoons) spread from BBN Technologies' DEC PDP-10 through Arpanet, displaying the message: "I'm the creeper, catch me if you can!" and messing with people's printers. One notable difference between this and the majority of viruses was the fact that it deleted old versions as it replicated itself. Incidentally, that would make 2011 the fortieth anniversary of the first antivirus software: called, appropriately enough, Reaper.

  • Google spikes 21 malicious apps with big download counts from the Market (update: Android 2.2.2 and up are immune)

    by Chris Ziegler, 03.02.2011

    We're sure that the debate of a carefully controlled and curated environment like Apple's App Store versus a free-for-all like the Android Market will rage on for years to come, but here's something to chew on: Google just removed some 21 apps from the Market in the last day from a publisher going by Myournet for doing all sorts of naughty things to your device. Offenses include attempting to root your phone, uploading phone information (including IMEI) to who-knows-where, and -- most egregiously -- adding a backdoor that allows additional code to be pulled down and executed. At least some of the apps are pirated versions of existing apps that have been re-uploaded at zero cost to the user, which makes them appealing... and the trick apparently works quite well, because the 21 managed to clock over 50,000 downloads before getting taken down. This isn't the first time malicious apps have shown up on smartphones -- far from it -- but it's probably the highest-profile case of a first-party app store being infiltrated by really bad stuff. If there's a silver lining, it's that Google was extraordinarily quick to respond once Android Police reported the situation -- the site says it took less than five minutes from the time they reached out to the time the apps actually went offline. Still, that's little consolation if you've already installed your "free" copy of Super History Eraser. Hit the source links for the full list of pulled apps. Update: Android Central points out that the type of root exploit used in these apps was patched in Android 2.2.2 and up, so Nexus One and Nexus S owners should be fine; everyone else is left out in the cold, though, thanks to the vexing third-party update lag. Thanks, Z!

  • Nokia shareholders and unions fight back against Microkia

    by Thomas Ricker, 02.16.2011

    Nokia shareholders are not very happy right now with NOK taking a 25 percent hit since the announcement of the Microsoft marriage. Stephen Elop, Nokia's first foreign-born CEO, is taking heat on multiple fronts even as he prostrates himself to the media in hopes of getting his message out. Already, we've heard numerous conspiracies calling Elop a "trojan horse," sent by Steve Ballmer to sabotage Nokia from within. Conspiraloons are quick to point to records showing Elop holding a significant number of Microsoft shares -- a situation that Elop says is temporary (and outdated), having already sold a majority of his Microsoft position with plans to sell off the rest in favor of Nokia stock just as soon as he's free to do so under regulatory moratoriums meant to prevent insider trading. Nevertheless, Nokia will be facing at least two very real showdowns on its near-term horizon. First will be a battle with the Finnish trade union Pro, which is demanding €100,000 (in addition to severance payments) for every Nokia employee that loses their job under Elop's new strategy -- money the union says will be used for reeducation. The union estimates that Nokia could cut as many as 25% (5,000 people) of Nokia's 20,000 workers located in Finland. The second major hurdle facing Elop, and the board of directors that appointed him, will come at Nokia's Annual General Meeting for shareholders. Already, a cabal of nine frustrated shareholders has been grabbing attention with its "Nokia Plan B" proposal to oust Stephen Elop and return Nokia to a MeeGo focus, giving Symbian a five-year minimum reprieve. The group has since disbanded after its plan was rejected by institutional investors. Nevertheless, we don't expect Symbian / MeeGo fans and developers to give up without a fight, and we expect Helsinki Fair Centre's Amfi Hall to be center-ring when the event kicks off on May 3rd in Helsinki.

  • Xbox 360 mandatory update restores boot to disc, detains Call of Duty pirates for a tad

    by Sean Hollister, 01.19.2011

    The story of the Trojan Horse must be a favorite among video game console manufacturers, because software updates these days often come with more than bargained for -- today, Microsoft issued a mandatory Xbox 360 update, reportedly for a single bugfix, but which seems to have coincidentally halted scores of pirates and hackers from playing Call of Duty: Black Ops and Modern Warfare 2 on the console. Members of the Xbox-Scene forums noted the update was taking suspiciously long to download, discovered that backup copies of these games ceased to work, and presently believe that Microsoft included a patch for these two games to enable an anti-piracy feature that specifically targets burned copies. What does the mandatory update do for you if you're not part of the hacking scene? It merely enables the console to automatically boot a pre-inserted game when you power it on, a feature that was accidentally disabled in November. [Thanks, Brian]

  • Mozilla evangelist asks Apple, Google and Microsoft to stop installing unwanted plug-ins

    by Sam Abuelsamid, 12.01.2010

    Asa Dotzler has been promoting Mozilla Firefox for more than six years, and he's not happy about other software vendors installing unwanted plug-ins in his browser. Among the vendors getting under Dotzler's skin are Apple, Google and Microsoft, each of which also happens to produce a competing web browser. Apple, Google and Microsoft are by no means the only companies that install plug-ins to Firefox, but most companies at least ask the user before doing so. Dotzler is concerned about plug-ins like the iTunes Application Detector or Google Update being installed silently in the background without even a prompt. In Dotzler's view, this behavior is akin to installing a Trojan horse. Although the Firefox evangelist is not accusing Apple and the others of installing anything malicious, just the act of pushing unknown software is troubling. Since plug-ins and extensions are typically the leading cause of browser instability and crashes, even seemingly benign additions can cause user frustration. While silent plug-ins are doubtlessly annoying, the fact that it can happen at all is troubling. Instead of accusing other software companies of being evil, perhaps the Firefox developers need to change the code to prevent this from happening in the first place. If Apple or Google can install a plug-in without asking, what's to prevent a hacker from doing the same and grabbing your private data? Do Safari or Chrome allow silent plug-in installations? If not, then perhaps it's time to move on from Firefox. [Via MacStories]

  • Security alert: New Trojan Horse apps said to attack the Mac

    by Steve Sande, 10.27.2010

    Some security mavens have long theorized that as the Mac becomes more popular, we'd start to see malware that would start targeting the platform. Sure enough, this morning's crop of email blasts from PR firms included a few notices of trojans that are affecting Mac users. First, from SecureMac, comes word of trojan.osx.boonana.a, which comes disguised as a link on social networking sites asking "Is this you in this video?" Clicking the link downloads and runs a Java applet that then installs further applications to modify system files and open the system to password-free access. The other malicious apps report back to command and control servers, as well as hijack user accounts to spread the trojan through email spam. The SecureMac press release notes that the "Java component of the trojan horse is cross-platform," but it's not clear from their statement that the other components are capable of running under Mac OS X. Next, Intego reported that a similar Java trojan known as Koobface.A is also being spread through social networking systems such as Facebook and Twitter.

  • iWork '09 trojan infects at least 20,000 machines?

    by Joseph L. Flatley, 01.22.2009

    Quite a number of no-goodniks who thought they'd save a few bucks by downloading a pirated version of iWork '09 have gotten more than they'd bargained for -- in the form of a Trojan Horse called OSX.Trojan.iServices.A. This guy installs itself in the computer's startup as root, and once in place it can connect to a remote server and broadcast its location, allowing malicious users to take charge of the machine remotely. And since it has root access to the OS, the trojan can not only install additional components but can also modify existing apps, making this thing extremely difficult to remove. According to a white paper released by Intego, at least 20,000 people may have downloaded the infected software -- which they'll get around to installing as soon as they finish those episodes of Celebrity Rehab they grabbed at the same time. [Via Macworld]

  • Insignia photo frame virus much nastier than originally thought

    by Nilay Patel, 02.15.2008

    Ugh, we were already sick of digital photo frames -- and now it looks like those now-discontinued virus-ridden Insignia units from Best Buy and several other models produced in China were carrying a much nastier trojan than we'd originally heard. According to an analyst from Computer Associates, the trojan, called Mocmex, is able to block more than 100 types of security and anti-virus software from killing it, and bypasses the Windows firewall to download files from remote locations, spreading them randomly over your hard drive and any portable storage device you plug into your PC -- like, for example, a digital photo frame. The trojan is apparently set to only steal gaming passwords at present, but CA says it's capable of stealing nearly any information on your machine, and thinks it might be a test for a much worse virus yet to come. Infected frames have come from Sam's Club, Target and Costco, in addition to Best Buy, so we'd say to avoid picking one up until this mess gets sorted out -- or, you know, forever.

  • Intego reporting new OS X trojan horse in the wild

    by Michael Rose, 10.31.2007

    Ah, Halloween, when all the nasties come out. Just when you thought it was safe to go surfing again, Mac AV vendor Intego is reporting an OS X-specific Trojan horse showing up on some sites and forums. The bit of nasty, which Intego is calling OSX.RSPlug.A and other sources refer to as DNSchanger or Ultracodec/Zlob (Windows version), is delivered on the pretense of installing a QuickTime codec necessary to view adult videos. Once the .dmg is downloaded and the installer is run (with administrative permissions), rather than a new video codec you've got rogue DNS server settings + a cron job that continually sets your DNS back to the bogus entries. Making matters worse, on Tiger the fake DNS settings are invisible in the Network system preference pane. These fake DNS entries might mislead your machine to spyware sites (unlikely to affect your Mac), pay-per-click search engines (annoying but not dangerous), more pornography (potentially troublesome), or -- and this is really the problem -- Potemkin versions of financially sensitive sites like PayPal, eBay or banks, which would presumably capture your login credentials before handing you off to the genuine article. While at least one unfortunate poster at Apple's support forum has been bitten by this malware, some simple precautions -- turning off "Open Safe Files" in Safari and, hmm, I dunno, not installing software downloaded from pornography sites -- will go a long way toward preventing the spread of this malware. Remember, a Trojan does not self-distribute; this code depends on user behavior as the vector of infection, so behave. Update: Rob Griffiths at Macworld has posted helpful detection and removal instructions for the Trojan. [Via MacTech]

  • TomTom fesses up to Trojan infection in GO 910 navigation units

    by Paul Miller, 01.29.2007

    If you've recently plunked down $599-ish for a TomTom GO 910 portable GPS device, but decided to hop onto the interwebs real quick just before you plug that sucker in (yeah, we know, the odds are low), then it looks like it's your lucky day. Apparently the Netherlands-based TomTom just admitted to a UK security journalist that the TomTom GO 910s that were produced between September and November of 2006 have been shipping with a couple of Trojans -- similar to Apple's little RavMonE.exe debacle last year. But not to worry: "The viruses that were detected present an extremely low risk to customers' computers," according to TomTom. Of course, relaying to the public such helpful information that TomTom was obviously aware of would be clearly out of the question, but it's nice to know that while manufacturing oversights caused a couple of Trojans to be introduced to unsuspecting PC users by spendy GPS hardware, they at least aren't the nasty kind. TomTom claims the problem has been corrected, and that "Appropriate actions have been taken to make sure this is prevented from happening again in the future." They also have some instructions at the read link for removing the viruses (win32.Perlovga.A Trojan and TR/Drop.Small.qp), which mostly amount to advising you to update your virus software. [Via Slashdot]

  • McDonald's MP3 players ship with trojan horse

    by Thomas Ricker, 10.16.2006

    What do tubby teens, MP3 players, and grandma's scalded taint all have in common? That's right, the absolute attention of McDonald's legal. See, McDonald's and Coca-Cola recently teamed up in Japan to give away 10,000 self-branded MP3 players pre-loaded with 10 spankin' new tunes and... some delicious malware. It seems that a "portion" of the players sport a variant of the QQPass family of trojan horses, which capture passwords and other personal information when the MP3 player is plugged into the user's PC. The code then proceeds to email the details to the author. McDonald's has set up a 24 hour hotline while they investigate the matter and will swap out all the offending players. Good times. [Via Impress]

  • Text messages lure in virus victims

    by Chris Ziegler, 06.25.2006

    Spam via text is nothing new, but it seems crooks are now turning to SMS to cultivate legions of zombie PCs for denial-of-service attacks. The ruse apparently begins when an unsuspecting individual receives a text message thanking them for subscribing to a dating service at the pricey rate of $2 a day, which also includes instructions on how to cancel the service through a website. When the user gets to their PC and navigates to the site, they're instructed to download an executable, and you can probably guess what happens from there. Our question is, if you don't try to cancel, do you get any dating action out of it? [Via Smart Mobs]

  • New World of Warcraft Trojan

    by Elizabeth Harper, 06.19.2006

    A new trojan is out in the wild looking to steal your Warcraft login information. Once infected, this virus will attempt to log all keystrokes sent between your computer and the login servers (us.logon.worldofwarcraft.com or eu.logon.worldofwarcraft.com). Any data it collects - which would include your username and password - will then be sent off to a remote attacker. Symantec is currently reporting that the virus hasn't spread far yet, but it's time-consuming and difficult to recover a lost account, whereas it's fairly quick and painless to make sure your anti-virus definitions are up to date.

  • Password Stealing Trojan

    by Elizabeth Harper, 05.03.2006

    A new trojan out in the wild is attacking computers with the goal of stealing your World of Warcraft account information. It may seem like a trivial target for virus writers, but there's definitely money to be made reselling in-game items - and, thus, money to be made by stealing your password. So be certain to keep your anti-virus up to date, and if your account has been compromised, contact a GM or the billing department, but expect a lengthy process of investigation to have your items or account restored.

  • Possible Mac OS X Trojan Horse (mostly harmless)

    by Damien Barrett, 02.16.2006

    So I saw the news this morning about a possible first trojan horse for Mac OS X and decided I didn't really want to deal with the inevitable ensuing hysteria, flames, and crazy comments that would be sure to follow such a post. It was 8:00am and just way too early to deal. I mean, if I want to read stupid comments about Macs all day long, I'll just spend my time over at Digg. Heh heh... I thought to myself, I'll let some other TUAW staff member post this news story. Then they can deal with the puerility. But now it's almost noon and something like 42 people have sent in a tip and no one's stepped up to the plate, so I figure I probably should write up something. Here's a quick summary: Someone uploaded a trojan horse to the MacRumors.com forums which claims to be a .tgz archive of screenshots of Apple's upcoming Mac OS X 10.5 Leopard. Problem is that it seems to be a proof-of-concept trojan and isn't very successful at doing what it's supposed to do, which is propagate itself out via your IM buddy list. Andrew Welch, who founded Ambrosia Software (thanks for Apeiron, BTW!), has been doing a bang-up job of dissecting the trojan and has determined that it's mostly harmless. You can read the specifics in the Ambrosia forums. Sophos has already posted a definition for this trojan here. The bottom line is that this really seems to be a proof-of-concept trojan more than an actual "in the wild, self-propagating" virus. So yeah, it's certainly very interesting, but I'm not about to start watching for the sky to fall. Leave that to cartoon birds, storybook characters, and PC magazine columnists.