Trojan

Latest

  • Daily Update for December 12, 2012

    by Steve Sande, 12.12.2012

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world.

  • Apple responds to spam app Find and Call

    by Kelly Hodgkins, 07.06.2012

    On Thursday, Kaspersky Lab researcher Denis Maslennikov wrote about a rogue app in the iOS App Store and Google Play store that secretly uploads your contact list to a remote server and then uses that information to send out spam text messages. Called "Find and Call", the app is actually a Trojan that claims to let users "find friends in a phone book." The app then steals your contact list and uses the phone numbers to send out spam messages on your behalf. The app has a companion website that lets you add your social networks and email accounts to the service. You can even use PayPal to transfer money to your Find and Call account. Kaspersky says in a blog post that it is the first case of malware the company has detected in the iOS App Store. You can read more about the threat and its possible Russian origins on Kaspersky's website. The Loop has a follow-up report confirming that Apple has removed the rogue app from the iOS App Store because of "its unauthorized use of users' Address Book data." [Via Forbes]

  • Spam-happy iOS trojan slips into App Store, gets pulled in rapid fashion

    by Jon Fingas, 07.05.2012

    You could call it technological baptism of sorts... just not the kind Apple would want. A Russian scam app known as Find and Call managed to hit the App Store and create havoc for those who dared a download, making it the first non-experimental malware to hit iOS without first needing a jailbreak. As Kaspersky found out, it wasn't just scamware, but a trojan: the title would swipe the contacts after asking permission, send them to a remote server behind the scenes and text spam the daylights out of any phone number in that list. Thankfully, Apple has already yanked the app quickly and explained to The Loop that the app was pulled for violating App Store policies. We'd still like to know just why the app got there in the first place, but we'd also caution against delighting in any schadenfreude if you're of the Android persuasion. The app snuck through to Google Play as well, and Kaspersky is keen to remind us that Android trojans are "nothing new"; the real solution to malware is to watch out for fishy-looking apps, no matter what platform you're using. [Image credit: C Jones Photography (wallpaper)]

  • Trojan targets Mac-using activists in China

    by Mike Schramm, 07.03.2012

    There's a new backdoor trojan out there for Mac users that appears to originate in China and is specifically targeted at political activists in the Uighur movement opposing that country's government. The trojan arrives in email inboxes as a picture attachment which, when opened, secretly installs information-gathering and remote-control tools characteristic of advanced persistent threat (APT) malware. Security experts say that the trojan was almost certainly created in China, and when you combine that fact with the malware's connections to servers it requires in that country (as well as the observation that some of the debug code in the attack is in English), it seems likely that this is a coordinated attack against this activist movement. With Mac use on the rise in the East, including among high-profile political activists, Macs are facing a growing malware threat in that region. There are already a few varieties of this attack in the wild, but hopefully fixes for the exploit will be available soon.

  • Windows updated with better checking for bad digital certs after Flame malware incident

    by Richard Lawler, 06.14.2012

    Having already pushed one patch to servers as part of its response to the recently discovered Flame trojan, Microsoft is making another adjustment on Windows Vista, Windows 7 and Windows Server 2008 machines. A new update going out lets revoked certificates be published and recognized much faster, which would protect against a vulnerability exploited by Flame to fake its way in as a legitimate update. InformationWeek has more information on the old OCSP method used to set revocation status, and also points out another vulnerability in XML Core Services that the folks in Redmond are warning people about this week and have already released a "fix it" solution for. Hit the source link to get all the details and grab the update; IT types may want to update their firewalls with the new URLs being put into use for the lists.

  • Google starts warning affected users about state-sponsored cyber attacks

    by Jason Hidalgo, 06.05.2012

    The fallout from malware like Stuxnet and Flame might soon be rearing its head at a Google Plus page or Gmail inbox near you. A post on its online security blog states that Google will now issue warnings, in the form of a strip placed just below the upper menu bar, to users being targeted by suspected state-sponsored cyber attacks. Google stressed that such a warning doesn't mean that its systems have been compromised, but that it does mean the recipient is highly likely to be the target of state-sponsored phishing or malware. How exactly does Google know this to be the case? The company declined to offer specifics, only saying that data from victim reports and its own analysis strongly point toward the involvement of states or state-sponsored groups. Google also didn't mention how often it sees such malicious activity, though coverage of Stuxnet and Flame certainly has put a spotlight on cyber warfare involving nations. In the meantime, feel free to hit the source link below for Google's tips on how to secure your account.

  • Flame malware snoops on PCs across the Middle East, makes Stuxnet look small-time

    by Jon Fingas, 05.28.2012

    Much ado was made when security experts found Stuxnet wreaking havoc, but it's looking as though the malware was just a prelude to a much more elaborate attack that's plaguing the Middle East. Flame, a backdoor Windows trojan, doesn't just sniff and steal network traffic information -- it uses your computer's hardware against you. The rogue code nabs phone data over Bluetooth, spreads over USB drives and records conversations from the PC's microphone. If that isn't enough to set even the slightly paranoid on edge, it's also so complex that it has to infect a PC in stages; Flame may have been attacking computers since 2010 without being spotted, and researchers at Kaspersky think it may be a decade before they know just how much damage the code can wreak. No culprit has been pinpointed yet, but a link to the same print spooler vulnerability used by Stuxnet has led researchers to suspect that it may be another instance of a targeted cyberwar attack, given that Iran, Syria and a handful of other countries in the region are almost exclusively marked as targets. Even if you live in a 'safe' region, we'd keep an eye out for any suspicious activity, knowing that even a fully updated Windows 7 PC can be compromised.

  • Apple issues Leopard update with Flashback removal tool

    by Jason Hidalgo, 05.15.2012

    Folks still rocking Apple's Leopard may have been feeling left out after Lion and Snow Leopard both got an update addressing that Flashback malware. If you're one of them, you'll be glad to know that Apple has finally issued a Leopard fix that comes with a removal tool for the Flashback malware afflicting its big cats. In addition to a 1.23MB Flashback update, Apple also released a second 1.11MB fix for Leopard that disables versions of Adobe Flash Player that don't have the requisite security updates. Both should further whittle down the number of Apple computers affected by the Flashback trojan. For the actual updates, feel free to pounce on the source links below.

  • Another Mac Flashback variant out, but still uses same (patched) vulnerability

    by Mike Schramm, 04.24.2012

    We're not quite done with Flashback yet. The good news is that the number of Macs affected by the trojan has gone down greatly, but the bad news is that there's a new variant of it out in the public. It's called Flashback.S, and just like the original, it can worm its way into a Mac's home folder without the admin password. But the new version still just takes advantage of that same vulnerability in Java, and that's already been patched. So if you've updated your Java post-Flashback, there's nothing to worry about. It's been quite a nuisance for Mac owners, however!

  • Twenty percent of Macs examined infected with Windows malware

    by Kelly Hodgkins, 04.24.2012

    Sophos looked at 100,000 Mac computers and found that one in five carries some form of malware. This might sound alarming, but before you stare at your machine in disgust, you should get some perspective. The survey looked at 100,000 OS X machines that are running Sophos's free Mac anti-virus software, and the 20 percent figure refers to malware that targets Windows-based computers. Although an infected Mac can serve as a vector for infecting Windows machines, that malware won't affect Mac users on OS X. Sophos did find that 1 in 36 Macs (2.7 percent) were infected with OS X malware. Though a figure just under 3 percent may be concerning, it's not as alarming as the 20 percent figure that's making its way into headlines.

  • Kaspersky Lab: Macs not invulnerable to malware

    by Kelly Hodgkins, 04.19.2012

    The writing is on the wall. Our time of innocence is gone. Researchers from Kaspersky Lab claim Mac market share has finally reached the critical point, and the platform is now an attractive target for online criminals. Kaspersky told Ars Technica and other press on Thursday that Mac users can expect "more drive-by downloads, more Mac OS X mass-malware, and more cross-platform exploit kits with Mac-specific exploits." It's not all doom and gloom. Infections in the wild are still sparse, and Apple may slow the spread of future threats with the introduction of Gatekeeper in Mac OS X Mountain Lion. Among other things, Gatekeeper will prevent users from "unknowingly downloading and installing malicious software." If you don't want to wait for Gatekeeper, there are also several good antivirus solutions, like Avast and Sophos, available now for Mac users to download.

  • Flashback infections down from over half a million to under 150,000 in eight days

    by Kelly Hodgkins, 04.18.2012

    According to Symantec, the OSX.Flashback.K infection is declining each day. The current number of infected Macs is now around 140,000, down from 600,000 a week ago. If you think you may be infected, you can run a Flashback removal tool from either Kaspersky or F-Secure. Apple also has a tool for Lion users without Java installed. OS X users should install the latest Java update from Apple, which will protect you from future infection.

  • Another Java trojan for Mac discovered, this time through Microsoft Word

    by Michael Grothaus, 04.16.2012

    Just days after Apple released its official Flashback trojan patch, another Java trojan has been discovered that could possibly infect Macs. The trojan is known as "LuckyCat." As Kaspersky Lab Expert Costin Raiu explains in a blog post, LuckyCat exploits a Microsoft Word vulnerability, CVE-2009-0563, that allows malware to be spread via documents:

    "One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces. Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a. In total we have six relevant Word .docs with this verdict -- with four dropping the MaControl bot. The remaining two drop SabPub. The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named "8958.doc". This suggests it was extracted from a Word document or was distributed as a Doc-file."

    Currently there are no details on how the average user can detect whether they are infected with the LuckyCat trojan, nor how to remove it. One can expect that the Microsoft Word vulnerability will be patched in an Office for Mac update.

  • Apple publishes support page for Flashback malware, is working on a fix

    by Richard Lawler, 04.10.2012

    After the Flashback / Flashfake Mac trojan was exposed by Russian site Dr. Web, Apple has finally responded by publishing a support page about the issue and promising a fix. If you haven't heard by now, the malware exploits a flaw in the Java Virtual Machine, which Oracle pushed a fix for back in February, but Apple didn't patch until a botnet consisting of as many as 650,000 Macs was identified on March 4th. Antivirus maker Kaspersky has confirmed the earlier findings and released a free tool affected users can run to remove the trojan from their computers. Other than the update already delivered for computers running OS X 10.6 and 10.7, Apple recommends that users on 10.5 and earlier disable Java in their browser preferences. What isn't mentioned, however, is when its fix is coming, or any timetable on its efforts with international ISPs to cut off the IP addresses used by the network. This is not the first time Macs have fallen prey to malware, and as their market share grows it will likely not be the last, so don't think just opting for OS X is automatically keeping you a step ahead security-wise. Check the links below for more information about what the malware does and how to get rid of it.

  • Apple responds to Flashback trojan, promises removal tool

    by Michael Rose, 04.10.2012

    In a tech note published today, Apple discussed the Flashback trojan (past coverage here) and reminded users of OS X 10.6 and 10.7 that they should install the April 3 Java update to remove the vulnerability that the malware uses to infect Macs. For users of OS X 10.5 Leopard or earlier, Apple has not updated Java yet to patch the flaw; in that case, Apple's recommendation is to turn off Java in the browser to guard against Flashback. The note also says that "Apple is developing software that will detect and remove the Flashback malware." No ETA on that yet; in the meantime, the company is working with network service providers to disable or block the command and control servers that Flashback checks in with. [via The Loop] Photo by Joost J. Bakker | flickr cc

  • Talkcast tonight, 10pm ET: Fighting Flashback

    by Michael Rose, 04.08.2012

    As this holiday weekend draws to a close, the unfortunate fact is that we may be dealing with the largest Mac-centric botnet ever documented in the wild. While the Flashback trojan is easy to find and simple to prevent -- in fact, a stock Lion installation includes neither Java nor the Flash plugin, cutting down dramatically on the attack surface for malware of this kind -- there are still thousands of compromised Macs out there. Given the requirements of a Java installation to enable the trojan's exploit, it looks like a nontrivial number of infections have hit experienced Mac users. We recommend immediately updating your Java install with Apple's patch. You can test for the Flashback trojan using the standalone Terminal method or a simple utility -- and you can also install some free virus protection if you're so inclined. That's our topic for tonight's Talkcast, same as it was two weeks ago: Mac (and iOS) security. We welcome your calls, questions and comments at 10 pm ET, 7 pm PT tonight live on Talkshoe. To participate in the call, you can use the browser-only Talkshoe client, the embedded Facebook app, or download the classic TalkShoe Pro Java client; however, for +5 Interactivity, you should call in. For the web UI, just click the Talkshoe Web button on our profile page at 4 HI/7 PDT/10 pm EDT Sunday. To call in on regular phone or VoIP lines (Viva free weekend minutes!): dial (724) 444-7444 and enter our talkcast ID, 45077 -- during the call, you can request to talk by keying in *8. If you've got a headset or microphone handy on your Mac, you can connect via the free X-Lite or other SIP clients -- basic instructions are here. Skype users with dial-out credit can call in via the service, or use those free iPhone minutes. Talk to you tonight!

  • How to find/remove the Flashback trojan

    by Kelly Hodgkins, 04.05.2012

    According to Russian antivirus firm Dr. Web, over 600,000 Macs worldwide are infected with the Mac Flashback trojan. The trojan can be installed if you visit a malicious website, and it will attempt to connect your Mac to a botnet. Fifty-seven percent of infected machines are located in the US and 20 percent are in Canada. There are even 24 infected machines supposedly connected to the botnet from Apple's Cupertino campus. This trojan targets a Java vulnerability in Mac OS X that was recently patched. It should be noted that in OS X 10.7 Lion, Java isn't included by default; only those who have deliberately installed it are potentially vulnerable to this exploit (as are those running Snow Leopard or earlier OS X versions). If you installed it at some point but no longer have a reason to run Java, you should probably turn it off completely or at a minimum disable it in Safari. F-Secure has provided a set of diagnostics that'll let you know if you have been infected. If you have the malware on your machine, F-Secure's page can walk you through the steps to remove the infection. Thanks to everyone who sent this in. [Via The Loop]

  • Macs are being spied on just like Windows machines

    by Kelly Hodgkins, 03.29.2012

    Any tech-savvy Windows user is familiar with the term backdoor trojan; either they've been infected with one themselves or know someone who has. Now it's time for Mac users, especially those who work for entities that are targets for corporate or military espionage, to become more aware of this threat, says a report in Ars Technica. According to Ars, which spoke to Jaime Blasco of security firm AlienVault, two backdoor trojans that infect Mac computers have been discovered in the wild. These trojans target the employees of several non-governmental, pro-Tibetan organizations and exploit security holes in Microsoft Office and in Oracle's Java framework. The holes have been patched, but apparently the security fixes closing them were not applied on the infected machines. Once installed, the trojans send user and domain information to a central server owned by the people who created the malware. The trojans then sit in the background awaiting instructions. This is only one report of such targeted attacks, but Blasco believes it won't be the last. As companies and governments move from Windows to Macs to avoid security problems with Windows, it only makes sense that Macs will become the next target.

  • Windows Defender beta gains 'offline' functionality, can run sans-OS

    by Dante Cesa, 12.09.2011

    PC users have been using Windows Defender to free themselves from the bane of viruses, malware and spyware for quite a while, but until now, you've needed Microsoft's OS running for it to do its work. That changes with a new beta, which creates bootable CDs or USB sticks that can run the utility. Those interested can begin by downloading the Windows Defender Offline Tool, which'll prompt you for either of those media and then install around 300MB of virus-hating bits. And remember, just because you're downloading a static almanac of today's viruses doesn't mean you'll be ready for tomorrow's, so those taking the plunge had better remember to stay up to date.

  • WikiLeaks' Spy Files shed light on the corporate side of government surveillance

    by Amar Toor, 12.02.2011

    WikiLeaks' latest batch of documents hit the web this week, providing the world with a scarily thorough breakdown of a thoroughly scary industry -- government surveillance. The organization's trove, known as the Spy Files, includes a total of 287 files on surveillance products from 160 companies, as well as secret brochures and presentations that these firms use to market their technologies to government agencies. As Ars Technica reports, many of these products are designed to get around standard privacy guards installed in consumer devices, while some even act like malware. DigiTask, for example, is a German company that produces and markets software capable of circumventing a device's SSL encryption and transmitting all instant messages, emails and recorded web activity to clients (i.e., law enforcement agencies). This "remote forensic software" also sports keystroke logging capabilities and can capture screenshots as well. Included among DigiTask's other products is the WifiCatcher -- a portable device capable of culling data from users linked up to a public WiFi network. US-based SS8, Italy's Hacking Team and France's Vupen produce similar Trojan-like malware capable of documenting a phone or computer's "every use, movement, and even the sights and sounds of the room it is in," according to the publication. Speaking at City University in London yesterday, WikiLeaks founder Julian Assange said his organization decided to unleash the Spy Files as "a mass attack on the mass surveillance industry," adding that the technologies described could easily transform participating governments into a "totalitarian surveillance state." The documents, released on the heels of the Wall Street Journal's corroborative "Surveillance Catalog" report, were published alongside a preface from WikiLeaks, justifying its imperative to excavate such an "unregulated" industry.

    "Intelligence agencies, military forces, and police authorities are able to silently, and on mass, and [sic] secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers," wrote WikiLeaks in its report. "In the last ten years systems for indiscriminate, mass surveillance have become the norm." The organization says this initial document dump is only the first in a larger series of related files, scheduled for future release. You can comb through them for yourself at the source link below.