Microsoft kills botnet that hosted MacDefender scareware

Summary: The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

Microsoft’s Digital Crimes Unit has shut down a botnet that was investigated for hosting the MacDefender scareware that preyed on Mac OS X users.

The botnet, known as Kelihos or “Waledac 2.0,” has been linked to spam messages, ID-theft attacks, pump-and-dump stock scams and websites promoting the sexual exploitation of children, according to Microsoft senior attorney Richard Domingues Boscovich.

The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

For the first time since Microsoft’s anti-cybercrime team started disabling botnets, the company moved to the U.S. court system and identified a defendant that allegedly owned the domain that controlled the botnet.

In the complaint [PDF], Microsoft names Dominique Alexander Piatti alongside dotFREE Group SRO and John Does 1-22 and said they owned domains and subdomains that were used to operate and control the Kelihos botnet.

“Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities,” Boscovich said.

In addition to hosting the Kelihos botnet, Microsoft said its investigations revealed that the defendants’ cz.cc domain was previously linked to sub-domains responsible for delivering MacDefender, a type of scareware that infects Apple’s operating system.

In May 2011, Google temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem.  (See this public gripe from Piatti about the blocked domains).

Boscovich said the botnet was also used to promote potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.

[T]his case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains –making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Piatti, who is based in the Czech Republic, has been served notice of the lawsuit.  Microsoft said it is in discussions with Piatti to determine which of his sub-domains were being used for legitimate business, so that those customers could be reconnected.

Read More...

New Mac malware poses as PDF doc

The Trojan code is crude and can't yet connect to control server, say security firms

Security firms today warned Mac users of a new Trojan horse that masquerades as a PDF document.

The malware, which was spotted by U.K.-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.

[ Discover the key Mac, iOS, and Apple tech trends for business users. Read InfoWorld's Technology: Apple newsletter. ]

"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," said F-Secure today.

That practice relies on what is called the "double extension" trick: adding the characters ".pdf" to the filename to disguise an executable file.

The Mac malware uses a two-step process, composed of a Trojan "dropper" utility that downloads a second element, a Trojan "backdoor" that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.

Because it doesn't exploit a vulnerability in Mac OS X -- or any other software -- the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.

Once run, the dropper downloads the second-stage backdoor and opens a Chinese-language PDF. F-Secure said that the PDF was another sleight-of-hand trick: "[The dropper component] drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring," the company said in a description of the attack.

Both Sophos and F-Secure noted that the malware doesn't work reliably, and currently can't connect to the C&C (command-and-control) server because the latter isn't fully functional.

Mac malware is typically crude in comparison with what targets Windows PCs.
Because the C&C server is not yet operational and since it found samples of the Trojans on VirusTotal -- a free service that runs malware against a host of antivirus engines -- F-Secure speculated that the malware is still in the testing phase.

Although Apple's Mac OS X includes a bare-bones antivirus detector, it has not been updated to detect the just-noticed Trojan dropper or backdoor. Checks of several Computerworld Macs running Lion, for instance, found that Apple last updated its detector on Aug. 9.

Mac users had their biggest malware scare earlier this year, when a series of fake security programs, dubbed "scareware," were aimed at them.

Several antivirus companies, including Sophos, F-Secure and Intego, offer security software for the Mac.

nb : infoworld Read More...

Researchers find Mac OS X malware posing as PDF file

Summary: The malware installs a backdoor that contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system.

Researchers at F-Secure have discovered a Mac OS X malware file masquerading as a PDF file to lure users into installing a backdoor trojan.

The malware, flagged as a trojan dropper, installs downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

According to F-Secure, the PDF file contains Chinese-language text related to political issues, which some users may find offensive.

The use of a PDF file as a social engineering gimmick is widely used by malicious hackers on the Windows platform and F-Secure’s research team believes this is an attempt to copy the trick of opening a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon.

 

“”The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires,” the company said.

Once installed, the trojan dropper installs a backdoor program that gives a hacker full control of the infected Mac OS X machine.

The backdoor typically contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.

F-Secure reports that the command-and-control of the malware is just a bare Apache installation that is not yet capable of communicating with the backdoor.

nb : zdnet

Read More...

Mac OS X Trojan hides behind malicious PDF disguise

A fascinating new example of Mac malware has been discovered, that appears to be adopting an old Windows-style disguise to fool users into running it.

Despite the numerous times that cybercriminals have created boobytrapped PDF files that exploit vulnerabilities to infect unsuspecting users, many people still think that PDF files are somehow magically safer to open than conventional programs.

The OSX/Revir-B Trojan plays on this by posing as a PDF file.

When the malicious Macintosh application file is run it tries to drop a PDF embedded inside it onto the user's hard drive. The Chinese language PDF file displayed is about a controversial topic, "Do the Diaoyu Islands belong to Japan?"

The Diaoyu Islands (known as the Senkaku islands in Japan) are the subject of a long-running dispute between the two countries, with both claiming sovereignty.
Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program.



When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended - however, strings embedded deep inside its code make it clear that it was written with malicious intent.



The malware attempts to install a backdoor Trojan horse (detected by Sophos as OSX/Imuler-A) which would give malicious hackers remote access to your Apple Mac computer.

As our friends at F-Secure point out, we have seen plenty of Windows malware in the past which has pretended to be a PDF rather than an EXE - sometimes using techniques such as the double-extension trick (for instance, filename.PDF.EXE).

It's quite possible that this is evidence that Mac malware authors are attempting something similar, moving on from the fake anti-virus alerts that blighted many Mac users earlier this year.

Customers of Sophos, including users of Sophos's free anti-virus for Mac, are protected against the malware.

nb : nakedsecurity.sophos

Read More...