Monday, May 16, 2011

Mac® OS X Threats in Review: from Rogue AV to Dedicated Malware Kits

OS X security myths dismantled by the recent developments in the malware landscape.

The past couple of weeks have mostly been about Mac threats. Once touted as the crème de la crème of system security, Mac OS X systems are now faced with an assortment of e-threats ranging from intelligently crafted rogue antivirus utilities to highly advanced malware development tools. On top of that, the large number of 0-day exploits and flaws in both Apple software and third-party apps makes life harder for the regular Mac OS X user.

MacDefender: classical Rogue AV with a twist

Rogue antiviruses may not be breaking news for the OS X user, since they have been around for a while, but the new contender called MacDefender takes the business to a whole new level. This classic example of truly efficient search engine poisoning, paired with the “Open ‘Safe’ files after downloading” option in Safari, made it easier for the crooks behind the MacDefender business to automate the extraction of the malware from its archive and launch it without the user’s interaction. In order to get installed, the application still asks for the administrator’s password, but most inexperienced users will actually fall for this.



The MacDefender Rogue AV is hard at work

The installation process goes like this: the Mac user performs an image search query (such as a lookup for pictures related to Osama Bin Laden’s death). When the user clicks on a poisoned link, a fake scanner pops up on the screen and runs a bogus scan that ends up triumphantly announcing to the user that his system is swarming with malware. This is common practice in the case of a rogue AV. At this point, the victim is hooked and ready to open his wallet in order to pay for a solution to this problem.

The fake scanner offers the answer: a not-yet-registered antimalware solution appears on the screen. The user only needs to download a .zip file with a filename like "BestMacAntivirus2011.mpkg.zip". It will start disinfecting the moment the user pays a “small” fee that the victim perceives, under the circumstances, as a blessing. Apart from the sum of money, the cyber-crook at this point has the user’s credit card credentials as well.
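The install chain above rests on two things a Mac administrator can check for: Safari's “Open ‘safe’ files after downloading” option being on, and a “safe” zip archive whose name shows it wraps an installer (the quoted BestMacAntivirus2011.mpkg.zip). The following Python script is an added example, not code from the original post; the plist content and download names are constructed samples, and treating a missing AutoOpenSafeDownloads key as “enabled” is an assumption reflecting Safari's shipped default at the time.

```python
import plistlib
import re

# Constructed sample of Safari's preference file (not copied from a real system).
# The "Open 'safe' files after downloading" checkbox is stored under AutoOpenSafeDownloads.
SAFARI_PLIST_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoOpenSafeDownloads</key>
    <true/>
</dict>
</plist>
"""

# The same file after the option has been switched off.
SAFARI_PLIST_HARDENED = SAFARI_PLIST_DEFAULT.replace(b"<true/>", b"<false/>")

# Zip archives whose name shows they wrap an installer or application bundle: Safari
# classes the zip itself as "safe", unpacks it, and then opens the .mpkg/.pkg/.app inside.
INSTALLER_IN_ZIP = re.compile(r"\.(mpkg|pkg|app)\.zip$", re.IGNORECASE)


def auto_open_enabled(plist_bytes: bytes) -> bool:
    """True when Safari would open 'safe' downloads on its own.

    Assumption: an absent key means the option is on, which was Safari's
    shipped default when MacDefender spread.
    """
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get("AutoOpenSafeDownloads", True))


def wraps_installer(filename: str) -> bool:
    """True for names such as BestMacAntivirus2011.mpkg.zip."""
    return INSTALLER_IN_ZIP.search(filename) is not None


def assess(plist_bytes: bytes, downloads) -> list:
    """Return (item, finding) pairs describing how exposed this setup is."""
    findings = []
    if auto_open_enabled(plist_bytes):
        findings.append(("Safari preferences",
                         "AutoOpenSafeDownloads is on: archives are unpacked and opened "
                         "without a click; disable it"))
    for name in downloads:
        if wraps_installer(name):
            findings.append((name, "zip archive wrapping an installer/app bundle; do not open it"))
    return findings


if __name__ == "__main__":
    # Constructed download list for demonstration.
    sample_downloads = ["BestMacAntivirus2011.mpkg.zip", "holiday-photos.zip", "notes.txt"]
    for item, finding in assess(SAFARI_PLIST_DEFAULT, sample_downloads):
        print(f"{item}: {finding}")
```

On a real Mac the same option is switched off from Safari's General preferences or with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`; the script only reads a copy of the preference file so that it can run anywhere.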

This piece of malware was originally discovered on May 2nd and, ever since, new morphed variants have been emerging under different names, such as MAC Defender, Mac Security and Mac Protector.

Heavy Duty malware kits

Next in line is a DIY crimeware kit that we have been hearing about since last month. Known by now under the name of Weyland-Yutani, this malware creation tool is meant to grow a nice new botnet with the help of cybercriminal wannabes. The builder has been sold on underground forums for a while now and lets less tech-savvy cyber-thugs create their own malware by simply filling in some info in its builder. The Weyland-Yutani kit comes with a builder and an admin panel, and it also supports encryption. The resulting bots support web injects and form grabbing in Firefox and, judging by the claims of its author, both Chrome and Safari will soon follow. The web-inject templates are identical to the ones used in Zeus and SpyEye. It is true that there have been other attempts at creating Do-It-Yourself malware kits for Mac OS X, such as the HellRaiser bundle, but the Weyland-Yutani bundle is much more sophisticated.

The good news is that its author no longer sells the kit to individuals, which means that only a few builders have been bought so far. The bad news is that we have seen this move before, back in the heyday of Zeus, when the original DIY kit was withdrawn only to be improved and sold as SpyEye.

Software flaws leading to remote code execution

Last month’s update pack from the Cupertino-based vendor has an impressive changelog. According to the Apple Security Bulletin for April, the company delivered no fewer than 9 fixes for various types of attacks, ranging from buffer overflows to memory corruption in multiple applications and libraries. All of these flaws allow arbitrary code execution when a malicious movie file or image is opened. To be more specific, when you open a movie or image from the web, someone may actually execute code (plant malware) on your OS X computer without your intervention. No administrator password required.

Other fixes address buffer overflow and memory corruption issues in font-handling components that also allow a remote attacker to install malware on the computer without the user’s interaction. It is as simple as visiting a website containing a specially crafted embedded font. Privilege escalation is also present in the bulletin: “A privilege checking issue in the i386_set_ldt system can result in a local user being allowed to execute arbitrary code with system privileges,” the document reads. This means that, in special circumstances, non-administrators are able to execute and install software, which makes social engineering a lot easier.

I’m not going to discuss the other vulnerabilities in third-party software that can get your Mac-running machine owned, but it’s worth mentioning that Skype issued an advisory documenting a flaw that allows an attacker to take control of the system by simply sending a specially crafted message. That’s easy, eh?

Bottom line

Now that Mac OS X has gained well above 10 percent of market share, cyber-crooks seem to have taken its users into their crosshairs. If you think that you still don’t need a security solution just because you’re running Mac OS X, then you’d probably be shocked to learn that during the latest Pwn2Own contest a fully patched Mac OS X 10.6.6 computer running Safari 5.0.3 was owned in less than 5 seconds, leaving it open to further attacks.

Click Computers – Computer Repair Utah
Click Computers is Utah’s Onsite Computer Repair Specialists for your Home and Business.

Sunday, May 8, 2011

Malware instead of Carnations for Mother’s Day

Spam, phishing and malware are all thrown at you while you are busy looking for a nice gift for your wife, mother or sister on Mother’s Day.

International Mother’s Day has been celebrated since 1910 with white and red carnations, with appreciation letters now replaced by greeting cards, nice dinners in smart restaurants or jewelry created especially for the occasion. Unfortunately, this kind of event is not missed by cyber-crooks, who find the frenzy particularly convenient for their online scams. And with a bit of social engineering things can turn very ugly, should the enthusiastic buyer not exercise enough caution around this otherwise beautiful holiday.

First of all, many well-known online retailers are phished in order to mislead buyers into thinking that they are purchasing Mother’s Day gifts from their favorite virtual shop. This way, credit card credentials can fall into the hands of cyber-crooks and your savings can vanish in a heartbeat. If you are about to make such a purchase, it is highly recommended that you type in the whole address of the site you would like to visit and, furthermore, avoid clicking on links that land on your social networking wall or that reach your spam folder.

Second, with holidays around the corner, fake shops spring up on the Internet every day. These online locations advertise fictitious products and take your not-so-fictitious money without ever delivering your order. If you can’t tell whether an online shop is a trustworthy source, either do some research on that particular site before using its services or choose shops you have already used on other occasions.

Third, spammers will also take their shot, trying to trick people either into visiting sites advertising knock-off jewelry, accessories and pills, or into clicking links that land online shoppers on malicious sites serving a keylogger, a backdoor or a good old exploit. From there, all the critical data typed in may end up in the wrong hands.

Lately, spam bundled with malware seems to be making a strong comeback: with a bit of social engineering, people are convinced to download and open attachments that at first glance appear to be plain Microsoft® Word® documents but are in fact executable files rigged with malware.

For instance, in recent days a spam mail has circulated whose message reads that you’ve just received your “order confirmation” for a purchase from a well-known online jewelry store that advertises, among other things, custom-made Mother’s Day rings. And if you happen to have searched for this kind of gift, then you might fall for the trick and pay a considerable sum of money for a ring that will never be sent. Plus, all your credit card credentials will end up in ill-intentioned hands.
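The “Word document that is really an executable” trick in the two paragraphs above can be caught mechanically by comparing what an attachment's name claims with what its first bytes say. The Python script below is an added example and not code from the original post; the file-type labels and the sample attachments (only their leading header bytes) are constructed for the demonstration.

```python
import os

# File-type labels used below.
PE, OLE, ZIP, PDF, UNKNOWN = "pe-executable", "ole2-office", "zip-container", "pdf", "unknown"

# Leading bytes ("magic") that identify the real type of an attachment.
MAGIC = [
    (b"MZ", PE),                                   # Windows executable / screensaver
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", OLE),    # legacy .doc/.xls compound file
    (b"PK\x03\x04", ZIP),                          # .docx/.xlsx and plain zip archives
    (b"%PDF", PDF),
]

# What the extension claims the content is.
EXPECTED = {".doc": {OLE}, ".xls": {OLE}, ".docx": {ZIP}, ".xlsx": {ZIP}, ".pdf": {PDF}, ".zip": {ZIP}}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def sniff(data: bytes) -> str:
    """Classify content by its magic bytes, independent of the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return UNKNOWN


def check_attachment(name: str, data: bytes) -> str:
    """Verdict for one attachment: 'ok', 'executable', 'disguised-executable' or 'mismatch'."""
    _, ext = os.path.splitext(name.lower())
    kind = sniff(data)
    if ext in EXECUTABLE_EXTS:
        # "Order_Confirmation.doc.exe": only the last extension decides what Windows runs.
        return "executable"
    if kind == PE:
        # The content is a program even though the name claims a document.
        return "disguised-executable"
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return "mismatch"
    return "ok"


def triage(attachments) -> dict:
    """Map each attachment name to its verdict; anything but 'ok' should be quarantined."""
    return {name: check_attachment(name, data) for name, data in attachments}


# Constructed sample attachments (a few header bytes are enough for the check).
SAMPLE_ATTACHMENTS = [
    ("Order_Confirmation.doc.exe", b"MZ\x90\x00\x03\x00"),
    ("Order_Confirmation.doc", b"MZ\x90\x00\x03\x00"),
    ("Ring_Invoice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("Mothers_Day_Card.docx", b"PK\x03\x04\x14\x00"),
    ("Receipt.pdf", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:30} {verdict}")
```

The check reads only the first bytes, so it is cheap enough to run on every attachment at the mail gateway; the point is that the name is attacker-controlled while the header is what the operating system will actually act on.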

Spam message and its attached malware

Malware-bundled greeting cards once again make it into the top five online threats around Mother’s Day. SpyEye (once known as Zbot) or the notorious Koobface use every means and medium to spread in search of your money. You may think that you have a nice e-card in your inbox, but in fact these bots use this beautiful disguise to send you attached malware.

If you’re shopping for Mother’s Day gifts using a smartphone, make sure that you see the whole address of your webshop of choice. Since cyber-crooks know that the small display of a smartphone might hinder the user from seeing the entire URL of the requested webpage, they usually set up spoofed webpages resembling webshops or other commercial services and wait for you to enter your credit card details. You are therefore advised to type in the entire URL manually and check that the website’s SSL certificate is in place.
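The advice in the paragraph above and in the first point of this post (type the whole address yourself, look at the whole URL) comes down to a few checks on the address before card details are entered. The Python function below is an added example, not code from the original post: it parses a URL and reports why it should not be trusted, against a constructed, hypothetical allow-list of shops (example-shop.com). It does not inspect the SSL certificate, which needs a network connection; it covers what can be judged from the address alone.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of the shops you actually use (hypothetical names).
TRUSTED_SHOPS = {"www.example-shop.com", "example-shop.com"}


def brand_labels(trusted) -> set:
    """The distinctive label of each trusted host, e.g. 'example-shop'."""
    return {host.split(".")[-2] for host in trusted if host.count(".") >= 1}


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_shop_url(url: str, trusted=TRUSTED_SHOPS) -> list:
    """Return reasons not to type card details into this URL (an empty list means fine)."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not https: card details would travel unencrypted")
    if parts.username is not None:
        # Anything before '@' is treated as a login name, not as the site.
        findings.append(f"text before '@' is not the site; the real host is {host or '?'}")
    if not host:
        findings.append("no host name at all")
    elif is_ip(host):
        findings.append("bare IP address instead of a shop name")
    elif any(host == t or host.endswith("." + t) for t in trusted):
        pass  # the shop you meant, or one of its own subdomains
    elif any(brand in host for brand in brand_labels(trusted)):
        # The visible start of the address looks right, but the domain belongs to someone else.
        findings.append(f"known shop name buried in an unrelated domain: {host}")
    else:
        findings.append(f"host is not one of your shops: {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses.
    samples = [
        "https://www.example-shop.com/mothers-day/rings",
        "http://www.example-shop.com/checkout",
        "https://www.example-shop.com.secure-checkout-verify.net/login",
        "https://www.example-shop.com@203.0.113.5/",
    ]
    for url in samples:
        print(url, "->", inspect_shop_url(url) or ["ok"])
```

The third and fourth samples are exactly the shapes a small screen hides: the familiar shop name is the left-hand end of the address, while the part that decides where the card number goes is at the right-hand end.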

In order to protect the integrity of your computer and data, make sure that you follow these safety guidelines:

• Install and update a security solution that contains at least antimalware, antispam and antiphishing modules.
• Do not open attachments that come from unknown senders; if you really need to do so, make sure that you download the attachment and scan it with your locally installed antivirus solution.
• Never use public computers to perform e-banking transactions or other online purchases. These computers may be laden with keyloggers or banker Trojans.
• Avoid shopping online when using public WiFi hotspots such as those in airports, coffee shops or malls. Usually, data exchanged between you and the online shop of choice flows through an unencrypted channel and can easily be intercepted by an attacker.
