Monday, May 16, 2011

Mac® OS X Threats in Review: from Rogue AV to Dedicated Malware Kits

OS X security myths dismantled by the recent developments in the malware landscape.

The past couple of weeks have mostly been about Mac threats. Once touted as the crème de la crème of system security, Mac OS X systems now face an assortment of e-threats ranging from intelligently crafted rogue antivirus utilities to highly advanced malware development tools. On top of that, the large number of 0-day exploits and flaws in both Apple software and third-party apps makes life harder for the regular Mac OS X user.

MacDefender: classical Rogue AV with a twist

Rogue antiviruses may not be breaking news for the OS X user, since they have been around for a while, but the new contender called MacDefender takes the business to a whole new level. This classic example of truly efficient search engine poisoning, paired with the “Open ‘Safe’ files after downloading” option in Safari, made it easier for the crooks behind the MacDefender business to automate the extraction of the malware from its archive and launch it without the user’s interaction. In order to get installed, the application still asks for the administrator’s password, but most inexperienced users will actually fall for this.

The MacDefender Rogue AV is hard at work

The installation process goes like this: the Mac user performs an image search query (such as a lookup for pictures related to Osama Bin Laden’s death). When the user clicks on a poisoned link, a fake scanner pops up on the screen and runs a bogus scan that ends up triumphantly announcing to the user that the system is swarming with malware. This is common practice in the case of a rogue AV. At this point, the victim is hooked and ready to open his wallet in order to pay for a solution to this problem.

The fake scanner offers the answer: a not-yet-registered antimalware solution appears on the screen. The user only needs to download a .zip file with a filename like "BestMacAntivirus2011.mpkg.zip". It will start disinfection the moment the user pays a “small” fee that the victim perceives, under the circumstances, as a blessing. Apart from the sum of money, the cyber-crook has at this point the user’s credit card credentials as well.

This piece of malware was originally discovered on May 2nd, and ever since, new morphed variants have been emerging under different names, such as MAC Defender, Mac Security and Mac Protector.
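The infection chain described above has two defender-side handles: the Safari auto-open setting and the shape of the download itself (an installer package wrapped in a “safe” archive, carrying one of the rogue AV product names). The script below is an added example, not code from the original article or from any vendor; it runs a few constructed download-log lines through those heuristics and interprets the Safari preference value. The log format, the usernames and the preference key `AutoOpenSafeDownloads` are assumptions for the example (the key is Safari’s own preference name as far as I know, but it does not appear in the article).

```python
"""Heuristics for spotting a MacDefender-style rogue AV download chain.

Added example with constructed sample data; not from the original article.
"""
import re
from dataclasses import dataclass

# Product names the rogue AV was distributed under (taken from the article),
# stored without spaces so "MAC Defender" and "MacDefender" compare equal.
ROGUE_AV_NAMES = ("macdefender", "macsecurity", "macprotector")

# Archive types Safari treats as "safe" and, with the auto-open option enabled,
# unpacks on its own.  An installer bundle inside such an archive is what gets
# launched without the user asking for it.
ARCHIVE_EXTS = (".zip", ".dmg")
INSTALLER_EXTS = (".pkg", ".mpkg", ".app")

# Constructed download-log lines (format is an assumption for this example).
SAMPLE_DOWNLOADS = [
    "2011-05-03 10:14:02 user=alice file=BestMacAntivirus2011.mpkg.zip referer=images.google.com",
    "2011-05-03 10:20:45 user=bob file=MacProtector.zip referer=images.google.com",
    "2011-05-03 11:02:10 user=carol file=quarterly-report.pdf referer=intranet.example",
    "2011-05-04 09:30:00 user=dave file=vlc-1.1.9.dmg referer=videolan.org",
    "2011-05-04 12:05:33 user=erin file=MAC_Defender.zip referer=images.google.com",
]
LOG_RE = re.compile(r"user=(\S+) file=(\S+)")


@dataclass
class Finding:
    user: str
    filename: str
    reason: str


def _inner_name(filename):
    """Strip the outer archive extension: 'X.mpkg.zip' -> 'X.mpkg'; None if not an archive."""
    lower = filename.lower()
    for ext in ARCHIVE_EXTS:
        if lower.endswith(ext):
            return filename[: -len(ext)]
    return None


def classify_download(filename):
    """Return the list of reasons a downloaded filename looks like a rogue AV drop."""
    reasons = []
    inner = _inner_name(filename)
    if inner is not None and inner.lower().endswith(INSTALLER_EXTS):
        reasons.append("installer package wrapped in an auto-openable archive")
    # Collapse case, spaces, underscores and dashes before name matching.
    normalized = re.sub(r"[\s_\-]+", "", filename.lower())
    if any(name in normalized for name in ROGUE_AV_NAMES):
        reasons.append("matches known rogue AV product name")
    # Rogue AV builds tend to be named "<security word><year>", e.g. Antivirus2011.
    if re.search(r"(antivirus|defender|security|protector)20\d\d", normalized):
        reasons.append("generic 'AV product + year' naming")
    return reasons


def scan_download_log(lines):
    """Run classify_download over each log line and collect per-user findings."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        user, filename = match.groups()
        for reason in classify_download(filename):
            findings.append(Finding(user, filename, reason))
    return findings


def auto_open_enabled(defaults_output):
    """Interpret the value printed by `defaults read com.apple.Safari AutoOpenSafeDownloads`.

    Assumption: the key name is Safari's preference key, not something the article states.
    A true value means downloaded archives are unpacked without user interaction.
    """
    return defaults_output.strip().lower() in ("1", "true", "yes")


if __name__ == "__main__":
    for f in scan_download_log(SAMPLE_DOWNLOADS):
        print(f"{f.user}: {f.filename} -> {f.reason}")
    print("auto-open enabled:", auto_open_enabled("1\n"))
```

The first rule is the one worth keeping even after the MacDefender names stop mattering: a `.pkg`/`.mpkg` hidden inside a `.zip` is exactly the shape that the auto-open option turns into a launched installer, so it deserves a look regardless of what the file is called. On the host side, the mitigation is to turn the Safari option off (`defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`) and confirm with `auto_open_enabled` on the value `defaults read` returns.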

Heavy Duty malware kits

Next in line is a DIY crimeware kit that we have known about since last month. Known by now under the name of Weyland-Yutani, this malware creation tool is meant to grow a nice new botnet with the help of cybercriminal wannabes. The builder has been sold on underground forums for a while now and lets less tech-savvy cyber-thugs create their own malware by simply filling in some info in its builder. The Weyland-Yutani kit is equipped with a builder and an admin panel, and it can also support encryption. The resulting bots support web injects and form grabbing in Firefox and, judging by the claims of its author, both Chrome and Safari will soon follow. The web-inject templates are identical to the ones used in Zeus and SpyEye. It is true that there have been other attempts at creating Do-It-Yourself malware kits targeting Mac OS X users, such as the HellRaiser bundle, but the Weyland-Yutani bundle is much more sophisticated.

The good news is that its author no longer sells the kit to individuals, which means that only a few builders have been bought so far. The bad news is that we’ve seen this move back in the heyday of Zeus, when the original DIY kit was pulled from the market only to be improved and sold again as SpyEye.

Software flaws leading to remote code execution

Last month’s update pack from the Cupertino-based vendor comes with an impressive changelog. According to the Apple Security Bulletin for April, the company delivered no fewer than 9 fixes for various types of attacks ranging from buffer overflows to memory corruption in multiple applications and libraries. All of these flaws allow arbitrary code execution when a malicious movie file or image is opened. To be more specific, when you open a movie or image from the web, someone may actually execute code (plant malware) on your OS X computer without your intervention. No administrator password required.

Other fixes address buffer overflow and memory corruption issues in font-handling components that also allow a remote attacker to install malware on the computer without the user’s interaction. Infection is as simple as visiting a website containing a specially crafted embedded font. Privilege escalation is also present in the bulletin: “A privilege checking issue in the i386_set_ldt system can result in a local user being allowed to execute arbitrary code with system privileges,” the document states. This means that, in special circumstances, non-administrators are able to execute and install software, which makes social engineering a lot easier.

I’m not going to discuss the other vulnerabilities in third-party software that can get your Mac-running machine owned, but it’s worth mentioning that Skype issued an advisory documenting a flaw that allows an attacker to take control of the system by simply sending a specially crafted message. That’s easy, eh?

Bottom line

Now that Mac OS X has gained well above 10 percent of market share, cyber-crooks seem to have taken its users into their crosshairs. If you think that you still don’t need a security solution just because you’re running Mac OS X, then you’d probably be shocked to learn that during the latest Pwn2Own contest a fully patched Mac OS X 10.6.6 computer running Safari 5.0.3 was owned in less than 5 seconds, leaving it open to further attacks.
