Trojan

Latest

  • Play safe because a trojan can get you banned

    by Robin Torres, 09.04.2009

    Remember that "non-personal system information" that Blizzard said they are searching for? Part of it is a search for keyloggers, trojans and viruses that affect WoW. If the system check finds one of those on any of the computers you are using, Blizzard will ban your account for 24 hours so that you can get it fixed.

    When this happened to a guildie, I must admit I was skeptical. Blizzard scans for viruses? And then sends an email that sounds suspiciously similar to the various phishing emails out there? But my friend sent me a copy of the email and described the whole process to me and I am a believer. Blizzard has some issues it needs to resolve with how it is handling this, however.

  • Snow Leopard packing antivirus software?

    by Ross Miller, 08.25.2009

    If the online chatter is to be believed, Apple's very soon to be released Snow Leopard has in its code new protection for fighting malware. According to the picture above, corroborated by other online reports, a DMG downloaded by Safari was checked by the OS and found to contain the "RSPlug.A" Trojan. The system promptly suggests you eject the disk image to avoid damage. Should Apple really be treading down this path, it begs the question of how often and how comprehensively / aggressively the company will be updating its antivirus logs. If nothing else, it's certainly a notable symbolic gesture that the one-time underdog might be gaining enough market share to catch the attention of the darker side of the internet -- and all of a sudden, David Puddy isn't looking nearly as bad. [Thanks, David]

  • Pirated iWork contains botnet trojan, breaks hearts

    by Aron Trimble, 04.23.2009

    The tubes are ablaze today with news from CNN of the first ever latest malicious program to be found on the Mac. The trojan was first discovered in January but it did not receive wildfire-like popularity until recently when two experts at Symantec published a bulletin on the subject of the malware.

    The trojan, named "iBotnet" (get it?), has only affected a few thousand Macs in the wild and it is currently not known to do any real harm. Should you be concerned? Well, the answer to that depends on whether you're a software pirate or not. The distribution method for this particular piece of malware is through the downloading of certain bootlegged copies of Apple's iWork.

    Brian Krebs over at the Washington Post details some information about the actual first botnet specifically for the Mac. He points out that the current media storm is for a trojan that was actually discovered in January. He goes on to mention that the first botnet for the Mac was actually released in 2006 and targeted both Macs and PCs alike.

    In other news, sales of Symantec's Norton AntiVirus shot up following the release of the security bulletin and subsequent frenzy of coverage. Actually, this is not true (at least to this humble blogger's knowledge); but it does pose an interesting question. Who profits most from the release of malware on any platform? One thing we know for sure, though, is that the end-user is definitely losing out in this game.

    The moral of this story: stop all the downloading! Thanks G.I. Joe! In all seriousness, though, the majority of malware on the Mac (and on the PC) is distributed through nefarious chains of content acquisition. Be careful out there when clicking links and downloading files or programs from sites that you may not trust.

    Thanks to everyone who sent this in!

  • Sophos video shows Mac trojan caught in the act

    by Michael Rose, 03.26.2009

    Apple Mac malware: Caught on camera from Sophos Labs on Vimeo. It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com). RSPlug-F does try to change your DNS settings to point at bad-guy controlled servers, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-seeming download site. [H/T Ars Technica Infinite Loop]

  • iWork '09 trojan infects at least 20,000 machines?

    by Joseph L. Flatley, 01.22.2009

    Quite a number of no-goodniks who thought they'd save a few bucks by downloading a pirated version of iWork '09 have gotten more than they'd bargained for -- in the form of a Trojan Horse called OSX.Trojan.iServices.A. This guy installs itself in the computer's startup as root, and once in place it can connect to a remote server and broadcast its location, allowing malicious users to take charge of the machine remotely. And since it has root access to the OS, the trojan can not only install additional components but can also modify existing apps, making this thing extremely difficult to remove. According to a white paper released by Intego, at least 20,000 people may have downloaded the infected software -- which they'll get around to installing as soon as they finish those episodes of Celebrity Rehab they grabbed at the same time.

    [Via Macworld]

  • New variant of RSPlug trojan making the rounds

    by Robert Palmer, 11.18.2008

    Our friends at Intego sent out an alert this morning, warning users about a new variant of the RSPlug trojan horse, found on several adult websites. The risk to users is classified as "medium." RSPlug trojans, themselves a form of DNSChanger, change local DNS settings to redirect to phishing sites for banks, PayPal, and eBay. All these trojans must be downloaded at the user's request, and an administrator password has to be supplied. When visiting certain sites, the user is alerted that there is a "Video ActiveX Object Error" and is told that their "Browser cannot play this video file." The alert instructs the user to download the "missing Video ActiveX Object." If the user clicks OK, a disk image called "cleanlive.dmg" downloads (which may change in the future). Depending on the user's browser settings, this disk image may mount and installation may automatically start. Intego VirusBarrier X5 users are, as you might imagine, already protected. Updating your virus definitions today will improve detection. And, as always, be careful where you put your mouse online.

  • 'MacGuard' double-plus ungood, avoid

    by Robert Palmer, 10.17.2008

    The fine folks at Intego sent out a warning this morning about MacGuard, a bogus piece of software that claims to clean up your system and remove adware, spyware, and trojans. It doesn't. According to the warning, MacGuard is simply a clone of a Windows app called WiniGuard. The company releasing the software, Innovagest 2000 SL, may be using the credit card numbers they harvest during the purchase process for "nefarious purposes." WiniGuard "hijacks the user's desktop and typically displays exaggerated or false claims of spyware found to frighten the user into paying for the program," according to Sunbelt Malware Research Labs. While our fine readers wouldn't get suckered into such a scheme, parents, grandparents, aunts and uncles might not be so educated. If you know someone with a Mac who might fall for this, do them a favor and forward them this warning. The MacGuard website is at macguard.net.

  • EVE Online trojan warning

    by James Egan, 09.27.2008

    CCP Games issued a warning today, regarding a trojan found in a macro for EVE Online. CCP Wrangler said that the macro is being offered by 'Gold Harvest Macro Solutions' and ostensibly allows a player to automate their skill-training with a queue, eliminating the need to periodically log in and change skills. CCP became aware of it and put it through testing; here's a shocker -- the shady software contains a trojan. Please contain your surprise. CCP Wrangler's full announcement (login required):

    "A number of players have recently received an advertisement for a skill training macro, this macro is sent by Gold Harvest Macro Solutions who claims that the macro will let you create a skill training plan and have your character automatically train your skills. This macro has been tested and it contains a Trojan, so make sure you do not download any software from these people. If you downloaded the program, make sure that you run a complete scan of your system and then change all of your passwords!"

    Not that anyone who uses programs like this doesn't really understand they're breaking the accepted rules of the game, but pretty much using any 3rd-party automation with the EVE client is a bad move.

  • Virus Alert: Trojan poses as iPhone game

    by Kyle Orland, 09.19.2008

    All right, kiddies, we know all of you out there have dutifully replaced your DS with a gaming-powered iPhone 2.0, but with all that gaming power comes the responsibility to be careful. Thus, you should all be on the lookout for a new Windows virus masquerading as apparently popular iPhone game Penguin Panic. According to Sophos, the computer-controlling Trojan shows up as a zipped attachment to an e-mail with a subject like "Virtual iPhone games!" or "Apple: The most popular game!" Ironically, it seems the virus won't actually infect your iPhone or any Mac-based computers. It also seems incapable of infecting other portable gaming systems, which should be a relief to those of you still living in the past with those long-defunct platforms.

  • PC Tools iAntiVirus aims to be Mac specific

    by Mat Lu, 07.02.2008

    With the recent trojan scare, PC Tools' timing for the beta release of iAntiVirus for Mac could hardly be better. While there are a variety of anti-virus applications for the Mac, iAntiVirus seems to be especially designed to reduce resource usage by simply ignoring virus signatures for Windows. The idea is that your Mac is immune to Windows viruses, so why waste memory, etc. scanning for them? Otherwise iAntiVirus is pretty conventional, with a menubar interface and real-time scanning.

    In some ways I'm of two minds about this approach. It's true that I don't allow any Windows boxes on my home network, so having a Mac-only solution makes sense. However, by not scanning for non-Mac viruses it's possible that your Mac might unwittingly pass along a virus or trojan by email, etc. I run an Enterprise version of Sophos provided by my University and I've been surprised by how many Windows virus signatures it has picked up on my machine from various downloads.

    iAntiVirus is a free download, but virus definitions and updates are $29.95 for one year.

    [via Macworld]

  • Watch out for PokerGame trojan

    by Robert Palmer, 06.20.2008

    In the wake of the ARDAgent vulnerability discovered yesterday, we all have something new to look out for: OSX.Trojan.PokerStealer is the official name of a trojan horse masquerading as a poker game. The trojan is distributed in a 65K .zip archive. According to security company Intego, running the trojan activates SSH, and transmits the username, password hash, and IP address of the computer to a server. It asks for an administrator's password after displaying a message about a corrupt preference file that needs to be repaired. The "PokerGame" application is 159,843 bytes, and includes the text "Copyright 2008 Andrew" in the version information (visible in Get Info). As always, please remember to use extreme caution when running applications downloaded from the Internet, or received via email. Thanks to Rosaline from Intego for the heads-up.

  • SecureMac identifies first ARDAgent-based trojan

    by Robert Palmer, 06.19.2008

    SecureMac has identified AppleScript.THT, a trojan-horse type of malware that exploits an Apple Remote Desktop Agent vulnerability publicized earlier this week that can "allow a malicious user complete access to the system." The malware is distributed as a compiled AppleScript, named ASthtv05, or an application bundle named AStht_v06. The files are 60K and 3.1MB in size, respectively. Users must download and run the scripts in order for their computer to become infected. The trojan will install itself in the /Library/Caches folder, and will set itself to run at startup. To protect yourself, use extreme caution when running AppleScript files or applications sent to you in an email, or downloaded from the internet. While we can't say for sure that these are the same people that developed this malware, you can read about the evolution of a very similar exploit script here, including a June 14th mention of the ARDAgent vulnerability. Very depressing.

  • WoW Ace Updater ad banners may contain trojans, claim some users

    by Daniel Whitcomb, 04.16.2008

    While the Incgamers malware problem is fixed, it looks like there's another malware flare-up in the world of addons. The WoW Ace Updater, according to many users, may be passing off a trojan from an ad in the guise of an antivirus program. The program, called Winfixer, pops up in a window and (in some cases automatically) installs malware while claiming your computer is compromised and that you need to buy the full retail version to fix it. It can be detected and removed by Spybot Search and Destroy and Vundofix, and Symantec includes instructions on how to manually remove it here. Wowace.com site owner Kaelten has disabled the ads on WoW Ace Updater completely for now, and is talking to his ad provider to find out what went wrong and which ads might be causing problems. This isn't the first time a popular WoW site has had trouble with trojans in ads, and unfortunately, it is unlikely to be the last. Kaelten seems to be on top of it, though, so hopefully he'll get to the bottom of these claims. Since the ads are currently disabled, the program itself should already be safe to use. If you're feeling a bit skittish, though, you can check out some of Sean's recommendations for other upgrade programs here. I should note that, being a religious user of WoW Ace Updater myself (I run it at least a good 5 times a week), I just made sure to scan my computer with the aforementioned Spybot Search and Destroy as well as AVG Free Edition. According to those programs, it has a clean bill of health.

  • Incgamers.com malware mixup fixed

    by Daniel Whitcomb, 04.15.2008

    Yesterday, I reported to you that Google (via Stopbadware.org) had marked wowui.incgamers.com (which redirects to wowui.worldofwar.net) as a bad site. Today, the site is reported as clean according to the same report (you can check it out here). Rushter of Incgamers.com explained to us in the comments of the previous article that the problem was with a separate attack on a different hosted site (which was quickly dealt with, and unrelated to worldofwar.net, says Rushster), but Google marked the whole site as bad. The worldofwar.net UI database was unaffected, he says, and after some back and forth, Google has now dropped the warning. Of course, it's still always a good idea to check your computer for viruses, trojans, and keyloggers regularly, and realize that no website is completely safe (though having a good defense always helps). That said, at the moment it looks like wowui.incgamers.com, also known as wowui.worldofwar.net, is a safe spot to grab your addons from.

  • Anti Keylogger Shield may offer some protection for your account

    by Daniel Whitcomb, 04.12.2008

    Hackers are getting more and more brazen lately, hiding various trojans and keyloggers not only in random forum links, but in ad banners and even in electronic devices. Even common sense avoidance of suspicious links and websites doesn't always seem to work anymore. Luckily, there are other tools you can use, such as the Noscript extension for the Firefox browser. Lifehacker reported on a new one yesterday as well: Anti Keylogger Shield for Windows. This freeware program purports to work not by blocking installation of keyloggers, but by preventing them from logging your keys once installed. Lifehacker tested it by loading a keylogger and reported that it seemed to work, at least in that case, as the keylogger's log file was completely empty. Of course, you probably shouldn't just install this program and go off clicking strange links willy nilly, but it does look like it could be one more line of defense in the ever escalating battle to protect your computer and your account from those who would steal it. Plus, it's free, so that's even better. [Thanks for the forward, DrDiesel!]

  • Malwarez project grows virtual 3D organisms from vicious code

    by Darren Murph, 03.12.2008

    Ever had an urge to really get a visual on what masterfully written predatory code would look like if allowed to grow into a 3D organism? Okay, so maybe that hasn't been on the forefront of your mind recently, but there's no denying that Alex Dragulescu's Malwarez project is quite the source of eye candy. According to its maker, the aforementioned initiative is a "series of visualization of worms, viruses, trojans and spyware code," and their "frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity." Who knew viruses could look so dreamy?

    [Thanks, Danger Mouse]

  • Wowhead and other sites are having trouble with ad banner trojans

    by Daniel Whitcomb, 03.10.2008

    You'll want to be a bit more cautious when looking up information on the game today. World of Raids reports that an unknown ad banner appearing on Wowhead, Thottbot, and Allakhazam has an embedded keylogger trojan. You don't even need to click on the banner, apparently, simply mousing over it will be enough. Wowhead says that all they know for sure is that it originates from "ad.yieldmanager.com", and will produce a redirect to "xpantivirus.com." They're working at isolating it. The issue is known, and all parties involved are tracking it down, so it should hopefully be resolved soon. In the meantime, if you're looking for a quick way to protect yourself, I would follow the recommendation of World of Raids, and try out the Firefox web browser and the No Script extension. As long as you keep the scripts blocked, it should prevent the banner in question from forcing itself on you. This should also provide you with some protection if you accidentally click on the wrong link elsewhere, such as on the WoW general forums. Edit: Apparently, the virus in question is not an actual keylogger, but it still does a number on your system, which is reason enough to try to avoid it.

  • Did you give the gift of a hacked account this Christmas?

    by Tateru Nino, 02.17.2008

    Do you even know? Many digital photo frames sold at Best Buy, Target, Costco and Sam's Club have a particularly insidious trojan embedded in them - one designed to thieve your account information for a variety of online games. One of the primo geek gifts of 2007, variations of these devices were bundled with darn near everything gadgety during the holidays. Some percentage of these contain a professionally written and very stealthy little gremlin that Computer Associates has dubbed Mocmex that is apparently capable of robustly concealing itself from many detection engines. This isn't an amateur-night special, by all reports. This is professional nastiness, with multiple variants.

  • Best Buy confirms it sold virus-infected Insignia photo frames, no recall in the works

    by Paul Miller, 01.24.2008

    As we noted a week back, Best Buy's house-brand Insignia photo frames are indeed virus-infected, but now it appears Best Buy is doing something about it. Unfortunately, info is still slim at the moment from company lips. Best Buy says it's "connecting with our customers who may have been impacted," and has pulled remaining inventory from the shelves, but there are no plans for a recall of the infected NS-DPF10A, and Best Buy won't specify what specific type of malware we're dealing with. Best Buy seems to think that anti-virus software should have no problem dealing with the old-ish trojan in the frames, and recommends customers plug the frame into a PC and run some current anti-virus software to eradicate the malware. Macs are unaffected, and Apple could be seen on the playground making smarmy remarks about the incident to anyone who'd listen.

  • Infection alert: Insignia 10.4-inch photo frame kindly bundled with trojan

    by Ryan Block, 01.17.2008

    We haven't exactly gotten a torrent of email complaints from angry Best Buy customers, but for anyone wondering why the $230 Insignia 10.4-inch photo frame got pulled from shelves last week, here's your answer: they were manufactured, like devices sometimes are, with a supposedly "old and easily removed" trojan. Funny, though, that the internal memo we got has Best Buy dragging its feet, intending to send a letter to potentially infected customers only "once a solution has been tested and confirmed." Here's a solution: recall the frames and send everyone some anti-virus software and a free appointment with the Geek Squad, instead of letting sites like ours break the news that Best Buy isn't moving fast to fix its digital security mishaps. The memo is posted after the break.
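Two things recur across the Mac items above: RSPlug/DNSChanger variants swap the machine's resolvers for attacker-controlled ones, and AppleScript.THT parks its payload in /Library/Caches and registers it to run at startup. Both leave traces an owner can check for without any vendor tooling. The script below is an added example, not code from any post, vendor or researcher quoted on this page. The scutil-style resolver text, the plist names, the program paths and the resolver allowlist are all constructed for the demonstration, and the PlistBuddy one-liner in the trailing comment assumes the launch item uses a ProgramArguments key.

```shell
#!/bin/sh
# Added triage helpers, not from the original posts. Both functions operate on
# text handed to them so they can be exercised offline against the constructed
# samples below; on a real Mac you would feed them live data (see the bottom).

# Print every nameserver in `scutil --dns` style output that is not in the
# space-separated allowlist. DNSChanger-type trojans work by replacing the
# resolvers, so anything unexpected here deserves a look.
rogue_dns_servers() {
    resolver_text=$1
    allowlist=$2
    for ns in $(printf '%s\n' "$resolver_text" | awk '/nameserver\[[0-9]+\]/ { print $3 }'); do
        case " $allowlist " in
            *" $ns "*) ;;                 # known-good resolver
            *) printf '%s\n' "$ns" ;;     # not on the allowlist: report it
        esac
    done
}

# Read "plist<TAB>program" lines on stdin and print the plist path of every
# launch item whose program lives somewhere a legitimate daemon has no
# business being: a Caches directory, a temp directory, or a hidden folder.
suspicious_launch_items() {
    awk -F '\t' '
        $2 ~ /^\/Library\/Caches\//                 ||
        $2 ~ /^\/Users\/[^\/]+\/Library\/Caches\//  ||
        $2 ~ /^\/(private\/)?(tmp|var\/tmp)\//      ||
        $2 ~ /\/\.[^\/]+\//                          { print $1 }'
}

# --- constructed sample data; 203.0.113.0/24 is documentation address space,
# chosen so nothing here points at a real host --------------------------------
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)'

# Hypothetical plist names and program paths (format: plist<TAB>program).
SAMPLE_LAUNCH_ITEMS=$(printf '%s\t%s\n' \
    /Library/LaunchDaemons/com.example.backup.plist  /usr/local/bin/backup \
    /Library/LaunchDaemons/com.example.helper.plist  /Library/Caches/.helper/agent \
    /Library/LaunchAgents/com.example.sync.plist     /Applications/Example.app/Contents/MacOS/sync)

# Demo run on the samples.
rogue=$(rogue_dns_servers "$SAMPLE_SCUTIL" "192.168.1.1 192.168.1.2")
[ -n "$rogue" ] && printf 'unexpected DNS server(s):\n%s\n' "$rogue"
printf '%s\n' "$SAMPLE_LAUNCH_ITEMS" | suspicious_launch_items |
    sed 's/^/suspicious launch item: /'

# On a Mac, replace the samples with live data, for example:
#   rogue_dns_servers "$(scutil --dns)" "192.168.1.1"
#   for p in /Library/LaunchAgents/*.plist /Library/LaunchDaemons/*.plist; do
#       prog=$(/usr/libexec/PlistBuddy -c 'Print :ProgramArguments:0' "$p" 2>/dev/null)
#       printf '%s\t%s\n' "$p" "$prog"
#   done | suspicious_launch_items
```

The allowlist is the one piece of local knowledge the check needs: your router or ISP resolvers on a home network, the corporate resolvers on a managed one. A hit from either function is a lead, not a verdict; the follow-up is to look at the plist and the program it points to before removing anything, since a legitimate installer occasionally does put a helper in an odd place.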