virus

Latest

  • Mac malware survey finds mostly incompatible nasties

    by Darren Murph
    11.24.2010

    See that chart there? That's a lovely graphic conjured up by Sophos, a company that makes ends meet by offering anti-virus software. The company just so happens to also have a flavor for OS X, and based on data culled from 150,000 users, it looks as if 50,000 machines had at least one piece of malware onboard. 'Course, a sizable chunk of these listed (Mal/ASFDldr-A and Mal/Conficker-A, for example) won't even run on OS X, so having them on one's HDD does little more than take up a section of space that could otherwise be used to archive a digital image of Aunt Mary. Graham Cluley, senior technology consultant at Sophos, even stated that Sophos doesn't "see as much Mac malware as Windows malware... by a long shot," but given that its Mac edition software is totally free, you might as well give it a look if you're suddenly stricken with paranoia.

  • One million Chinese cellphone users reportedly infected with zombie virus

    by Donald Melanson
    11.11.2010

    Viruses have been making the rounds on cellphones for quite a while now, but it looks like China has now been hit by a particularly troublesome one. According to Shanghai Daily, a so-called zombie virus disguised as an anti-virus app has infected more than one million cellphone users in the country, and it's left users' phones vulnerable to the malicious hackers that created the virus. They've naturally taken advantage of that access to not only spread the virus further, but cash in by spamming the phones with money-making links and other general annoyances -- all of which has also added up to about $300,000 a day in added text message charges for the users affected. What's more, while authorities have apparently tracked down the company that created the anti-virus application, it apparently insists that it had nothing to do with the virus, and that it's actually a victim of it as well.

  • Report warns of the increased use of SEO Poisoning to spread malware

    by Joseph L. Flatley
    11.10.2010

    You'll undoubtedly be excited to know that the Internet security firm Websense has recently released its annual Threat Report. Other than trying to scare you into buying every single product the company has ever released, the paper highlights the growing problem of Black Hat SEO, or SEO Poisoning, which (if done right) sends malware-ridden links closer to the top of your Google search results. According to Network World, some 22.4 percent of Google searches performed since June produced malicious URLs (such as fake antivirus sites or malware downloads) as part of the top 100 search results, as opposed to 13.7 percent in the second half of 2009. It seems that the old model of cyber-attacks, involving peer-to-peer virus infection, is becoming increasingly ineffective as anti-virus companies step up their game, causing nogoodniks to rely on search results, websites, and zero-day attacks. That said, there is a silver lining: as Network World goes on to explain, these days you are actually less likely to get malware from "adult content" sites than in previous years. Or should we say, that's good news for your "friend" or "co-worker."

  • Sophos releases free Mac anti-virus package

    by Richard Gaywood
    11.02.2010

    Security company Sophos has today released a free Home Edition of its Mac virus scanner suite. This is a timely move by Sophos to get an early foothold in what could become a significant market for aftermarket OS X security tools. While it's true that Macs have, until now, enjoyed a relatively blissful life free of viruses and other malware, increasing market share means we can sadly expect to see more bad guys target us from now on. There are more examples of recent Mac security problems on the Sophos company blog, and while (of course) they are motivated to scare you into using their product, they aren't making it up either. Thanks to everyone who sent this in.

  • Shocker! Cellphone touchscreens are dirty

    by Thomas Ricker
    10.15.2010

    If you have even the slightest inclination towards Mysophobia then please, do yourself a favor and stop reading now. A Stanford University study found that if you put a virus on a touchscreen surface then about 30 percent of it will make the jump to the fingertips of anyone who touches it. From there it goes into the eyes, mouth, or nose -- whichever face-hole is in most urgent need of a rub. And just to drive the point home, the Sacramento Bee adds this little nugget from an unspecified British study: "Mobile phones harbor 18 times more bacteria than a flush handle in a typical men's restroom." Eww. You know, sometimes it's best not to know how the sausage is made.

  • Microsoft declares 'open season' on botnets, beats Waledac in court

    by Joseph L. Flatley
    09.13.2010

    When we heard that Microsoft was appealing to a higher power to shut down the Waledac botnet, we assumed that meant lighting candles at St. Francis Parish -- instead, the company went to the courts. At its prime, Waledac was estimated to have infected upwards of 90,000 machines, which in turn sent out approximately 1.5 billion pieces of spam a day (about one percent of the world's total). In February, District Court Judge Leonie Brinkema issued a temporary restraining order taking the 276 domains that the perps used for the network's command and control structure offline, and earlier this month the act was finalized with the U.S. District Court of Eastern Virginia granting a motion that, according to USA Today, "[effectively] gives Microsoft permanent ownership" of the domains. Although the defendants didn't come forward, Microsoft lawyers were able to prove that they were indeed aware of the case -- it seems that not only did they launch a DDOS attack against Microsoft's law firm, they also threatened a researcher involved in the case. Of course, since the worm can also operate in peer-to-peer mode there's no telling how many infected machines are still out there, but at the very least the botnet has been crippled -- and now companies like Microsoft have proven legal recourse if they are targeted by domains (at least ones registered in the US). "It's open season on botnets," said Microsoft senior attorney Richard Boscovich Sr. "The hunting licenses have been handed out, and we're coming back for more." Image: Privacy Canada (https://privacycanada.net).

  • Did malware cause the crash of Spanair Flight JK 5022? (update)

    by Joseph L. Flatley
    08.23.2010

    The inquiry into the August 2008 crash of Spanair Flight JK 5022 at Barajas Airport in Madrid took a bizarre turn recently when Spanish daily El Pais reported that the server that the airline used to track technical problems on aircraft contained malware. Although the flaps and slats were not in the proper position for takeoff, the crew was never alerted -- causing the flight to go down moments after takeoff, killing all but 18 of the 172 on board. That's not to say that human error wasn't a factor: as well as causing an audible alarm, the problem should have been spotted by the mechanic or airport maintenance chief, both of whom are under investigation. Space stations, power grids, and now airline safety systems? Please, people -- keep your antivirus software up to date. Update: Of the many possibilities that could have brought down JK 5022, it turns out malware was pretty low on the list -- ZDNet's Ed Bott reports that it was a maintenance computer at the airline's HQ that was infected, and the plane itself (an MD-82) uses a takeoff warning system that predates airplane computerization, and was thus not susceptible to viruses.

  • Samsung Wave shipping with infected microSD card (confirmed, limited to first run)

    by Sean Hollister
    06.02.2010

    Did you get a Samsung Wave today, or perhaps early last week? You might not want to connect it to your computer, just in case. We're hearing anecdotal reports that the 1GB microSD card shipped with certain German units includes a nasty surprise: it automatically installs the trojan Win32/Heur using the file "slmvsrv.exe." While we're not sure exactly what the virus does or if it's widespread, there's no point in finding out the hard way, right? Install a good antivirus program and then format that sucker, or better yet, simply drop in a larger microSDHC card. Don't forget this thing plays DivX HD, people -- you're going to need more than a single gigabyte of storage. Update: Samsung HQ got in touch with MobileBurn to confirm the existence of the virus in shipping S8500 Wave handsets, but said that the outbreak was confined to the German market's initial production run and all other shipments are A-OK. Still, there's no harm in disabling autorun before connecting one to your PC, eh?

  • British scientist becomes first human 'infected' with a computer virus

    by Donald Melanson
    05.26.2010

    Sure, a cybernetic-filled, dystopian future may sound nice and cheery, but what happens when all your snazzy implants get infected with a computer virus? That's what one brave researcher at the University of Reading is attempting to find out, and he's now actually gone so far as to willingly "infect" himself in the name of science. As you might expect, however, this is all very much a proof of concept, but Dr. Mark Gasson says that the infected RFID chip in his hand was indeed able to pass on the virus to an external control device in his trials, and he warns that the eventual real-world implications could be far more dire. Gasson is particularly concerned when it comes to medical implants, which he says could potentially become infected by other implants in the body, and even pass on the "infection" to other people. Head on past the break for the BBC's report, and try not to be too startled by the Dalek in the room. [Thanks, Mark S]

  • McAfee patches customers' hearts with subscription extension, reimbursement for PC repairs

    by Donald Melanson
    04.27.2010

    McAfee's little issue with a security update that sent Windows XP computers far and wide to a screeching halt was fairly unprecedented as far as anti-virus software goes, and it looks like the company is now taking some considerable steps to make up for the mess it created. Not only is it handing out a free two-year subscription extension to all affected customers, but it will soon be starting a program to reimburse "reasonable expenses" that customers have incurred in repairing their PCs. Complete details on that program aren't available just yet, but it will apparently be starting "within a few days," and will involve submitting a reimbursement request to McAfee. Given the number of users involved, however, we've got to guess that McAfee won't be buying folks new PCs, and chances are it'll take quite a while to get your check in the mail, though we'll just have to wait to see exactly what McAfee has planned.

  • Botched McAfee update shutting down corporate XP machines worldwide

    by Nilay Patel
    04.21.2010

    We can't officially confirm this yet, but we're hearing from all over that a bad McAfee for Windows XP update is causing computers worldwide to shut down. Apparently DAT update 5958 deletes the svchost.exe file, which then triggers a false positive in McAfee itself and sets off a chain of uncontrolled restarts and loss of networking functionality. Yeah, wild -- Twitter is basically going nuts, and McAfee's support site appears to be down. There are some fixes floating around out there, but it may be too late -- the final tally of borked PCs today may reach into the millions. We've already heard anecdotally that an Intel facility has been affected, as well as Dish Network call centers, and we're sure there are going to be more reports as the day wears on.

    Update: McAfee just sent us a statement -- they've pulled the update from their corporate download servers, and consumers shouldn't be affected:

    "McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time). Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3. The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence. McAfee teams are working with the highest priority to support impacted customers and plan to provide an updated virus definition file shortly. McAfee apologizes for any inconvenience to our customers."

    Ouch -- that might be the understatement of the year. We're definitely hearing this affects SP2 as well; we'll keep looking for more.

    Update 2: The anecdotal numbers keep rolling in, and they're not small -- 30,000 machines are knocked out here, 60,000 there. Given that the only fixes right now involve techs spending time with each affected machine individually, things could get seriously messy. We'll keep you updated if you keep us updated, okay? Update 3: Here's an official McAfee fix, although like we said, it requires a tech to hit each machine in person. We'll see what the story is for bigger institutions with tens of thousands of seats. Update 4: We're told the official fix only helps those who haven't been hit with the bug yet, so there are obviously still issues to be sorted out. [Thanks, Tyler.] [Thanks to everyone who sent this in] Developing...

  • Windows 7 is safer when the admin isn't around

    by Vlad Savov
    03.30.2010

    Not that we necessarily needed a report to tell us this, but the fewer privileges you afford yourself as a Windows user, the more secure your operating system becomes. Such is the conclusion of a new report from BeyondTrust, a company that -- surprise, surprise -- sells software for "privileged access management." The only way we use Windows 7 is as admins and we've never had a moment's bother, but some of you like stats, and others among you might be involved in business, which tends to make people a little more antsy about these things. So for your collective sake, let there be pie charts! The report looks into vulnerabilities disclosed by Microsoft during 2009 and concludes that all 55 reported Microsoft Office issues and 94 percent of the 33 listed for IE could be prevented by simply running a standard user account. Or using better software, presumably. Hit the PDF source for more info -- go on, it's not like you have anything better to do while waiting for the Large Hadron Collider to go boom.

  • Symantec names Shaoxing, China as world's malware capital

    by Donald Melanson
    03.29.2010

    It's not the sort of title any city's looking for, but Symantec has now given Shaoxing, China the dubious honor of being the world's malware capital, saying that it accounts for more targeted attacks than any other city. In fact, the company found that while close to 30 percent of all malicious attacks came from China (making it the number one country), 21.3 percent came just from Shaoxing. It was followed by Taipei at 16.5 percent, and London at 14.8 percent. Following China in the country rankings is Romania with 21.1 percent of attempted attacks (most of those are said to be commercial fraud), and the United States at 13.8 percent. That's actually just part of a larger report by Symantec's MessageLabs division, which details everything from the most common types of email attachments (.XLS and .DOC are neck and neck for the lead) to the percentage of emails that contain a virus or phishing attack (one in 358.3 and one in 513.7, respectively). Dive into the PDF linked below for the complete details.

  • Vodafone Spain replacing microSD cards on 3,000 virus-infected handsets

    by Joseph L. Flatley
    03.19.2010

    It looks like the virus-strewn HTC Magic that was recently purchased from Vodafone UK is only the tip of the iceberg. According to Vodafone Spain, some 3,000 users in all may have been exposed to Mariposa malware -- which used the handset's storage to make its way to customers' PCs via USB -- leading the company to replace the microSD cards for infected customers. The company also says that the incident is "isolated and local," but with the number of infections rising from one in the UK to 3,000 in Spain in just over a week, we wouldn't be surprised if this story was just heating up.

  • Customer greeted with malware on Vodafone-issued HTC Magic (good thing it's discontinued)

    by Chris Ziegler
    03.09.2010

    Crapware's bad enough, but having your life torn asunder simply by plugging in that shiny new (insert USB-connected device here) is an exciting new trend -- viruses find their way into the darnedest places, don't they? It seems an employee at anti-malware firm Panda Research who'd ordered a new Magic off Vodafone UK's site was greeted with no fewer than three nefarious executables upon plugging the device into her PC: a bot client, a password stealer, and a Conficker variant, and running a network sniffer quickly confirmed that the virii were live and ready to do harm as soon as the autorun in the Magic's mounted mass storage was executed on her Windows machine. If this were a widespread issue, we'd certainly have heard about it in other places, so odds are good (as Panda points out) that this was simply a case of HTC or Vodafone doing an awful job of wiping a refurbished set -- but it gives you pause and kind of makes you wish you worked for an anti-malware firm, at least on days when you're plugging in a new phone for the first time. The silver lining, we suppose, is that Vodafone has recently discontinued the Magic, though that creates another problem: the only Android device it currently stocks now is the lowly Tattoo, so the X10 and Nexus One can't come soon enough.

  • New jailbroken iPhone worm is malicious

    by Dave Caolo
    11.23.2009

    Last month a Dutch iPhone user demonstrated how careless jailbreaking can cause trouble. Namely, after finding users who enabled SSH with the phone's default password intact, he sent those phones a message that read, "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files." A similar worm caused phones to rickroll their owners. They could have done worse. This week, someone has. Again from the Netherlands and again finding jailbroken iPhones with SSH enabled, F-Secure reports that this infraction puts up an ING Direct login page that lets the hacker gather login credentials and, we assume, move funds to wherever they please. This version also changes the 'alpine' password to block users from getting to the phone via SSH. We'll have more on this as the story develops, but the moral is this: if you jailbreak your iPhone, you should know what you're doing -- and you should change your SSH password. [via Engadget & ZDNet Asia]

  • Jailbroken iPhones exposed to second worm, this time malicious

    by Vlad Savov
    11.23.2009

    As inevitable as the sun rising in the East and setting in the West, an innocuous iPhone worm has been transformed into a malicious bank details-stealing virus. The second recorded iPhone infection operates on exactly the same principles as the first, as it targets jailbroken handsets with SSH installed, but this time adds the ability for the hacker to remotely control and access the phone. By throwing up a purported ING Direct login page, he (or she, or they) can collect your online banking credentials and, presumably, all the cash they are supposed to protect. Presently isolated within the Netherlands, this outbreak may spread further still, as it is capable of infecting other jailbroken iPhones on the same WiFi network.

  • Cisco adds Security Intelligence Ops to iPhone portfolio

    by Michael Rose
    11.21.2009

    Despite some security-conscious enterprise experts pointing accusatory fingers at the rather bleak encryption story and only-recently fixed ActiveSync policy compliance on the iPhone platform, there's no doubt that IT and network professionals are grooving on the iPhone -- there are many apps designed for administrators to take control of their operations with a touch of a finger, and now Cisco has stepped in with an informational and alert resource that fits in your pocket. The Cisco SIO (Security Intelligence Operations) To Go free app [iTunes link], requiring iPhone OS 3.0 or later, lets the paranoid -- er, properly alert and aware -- security professional keep tabs on the global threat landscape with Cisco's Cyber Risk Reports, Threat Outbreaks and Mitigation Bulletins, along with podcasts, blog posts and a slew of other branded content. There's also an IronPort-driven IP and email domain scanner, which will grab WHOIS data along with a brief reputation score for your hosts. Having all this Cisco goodness in one place is handy, although the majority of the app's headlines link to pages on the Cisco site that remain largely iPhone-unfriendly -- even the press release announcing the app's launch is hard to zoom properly -- and there's none of the flexibility of a full-featured RSS reader to forward articles, bookmark or set read/unread points. Still, as a gesture of goodwill towards the intersection of iPhone users and security professionals, it's a reasonable step. Cisco also has the WebEx Meetings app [iTunes link] and the Cisco Mobile telephony tool [iTunes link] in the store, both free. [via TechCrunch]

  • Ask TUAW: Auto-tagging music, iPhone VoIP apps, replacing a hard drive and more

    by Mat Lu
    11.11.2009

    Welcome back to Ask TUAW, our weekly troubleshooting Q&A column. This week we've got questions about VOIP apps on the iPhone, auto-tagging music, Boot Camp, replacing a hard drive and more. As always, your suggestions and questions are welcome. Leave your questions for next week in the comments section at the end of this post. When asking a question, please include which machine you're using and what version of Mac OS X is installed on it (we'll assume you're running Snow Leopard on an Intel Mac if you don't specify). And now, on to the questions.

  • First iPhone worm rickrolls jailbroken phones

    by Nilay Patel
    11.08.2009

    We sort of knew this would happen as soon as we heard about that iPhone wallpaper hack in the Netherlands -- a hacker named ikex has created what's apparently the first iPhone worm, and it's currently infecting jailbroken iPhones across Australia. The "ikee" worm, as it's being called, takes advantage of the fact that jailbroken iPhones with SSH installed all have the same default root password of "alpine," and once in the system it changes your wallpaper to an image of Rick Astley and then tries to install itself on other jailbroken iPhones on the network. Sophos says it hasn't confirmed any infections outside of Oz, and to be clear, this worm can't get to stock iPhones or jailbreak owners who haven't installed SSH -- but if you're running a hacked phone we'd say you should change that root password just to be safe right away. Get to it, kids. [Via PMP Today; thanks to everyone who sent this in]