Tag Archive for F-Secure

| November 22, 2011
7 comments

Apple OS X Security Update

Apple OS X Security UpdateThe magical virus-proof Apple operating systems have had a rough couple of weeks. Apple (AAPL) released security updates for OS X Lion and Snow Leopard, iOS, Numbers for iOS, and Pages for iOS. UK-based security company Sophos says that the OS X patch addressed 75 known vulnerabilities. Most of the vulnerabilities could lead to arbitrary code execution, while others lead to denial of service or privilege escalation. The bug fix weighs in at a whopping 880MB with recovery download.

Apple OS X LionNext Apple released a gargantuan update to iTunes for Windows that fixes 79 vulnerabilities. Sophos reports that the patch fixes 73 holes that could cause remote code execution in WebKit, used to render HTML content. Other fixes resolve remote code execution bugs.

Despite the huge patches, cyber-criminals have figured out how to disable the rudimentary anti-virus protection XProtect Apple has built into Mac OS X by enhancing an existing trojan horse Flashback. The Flashback trojan leaves the Mac vulnerable by preventing XProtect from receiving security definition updates. Sophos makes the point that Mac malware writers are eager to infect Apple computers because of the potential financial rewards.

Sophos logoThe Mac malware authors are not resting on their laurels. Within days, of spotting Flashback in the wild, Sophos reported that Tsunami, a new backdoor trojan horse for Mac OS X, had been discovered. Sophos indicates that the new Mac malware may be a port of Kaiten, a Linux backdoor Trojan horse that uses an IRC channel for instructions.

Code like this is used to commandeer compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic. ESET notes that as well as enabling DDoS attacks, the backdoor can enable a remote user to download files, such as more malware or updates to the Tsunami code.  The malware can also execute shell commands, giving it the ability to essentially take control of the affected Mac.

Tsunami, a new backdoor trojan horse for Mac OS XOnly a few more days passed before the DevilRobber (Miner-D) Mac OS X Trojan horse was discovered. DevilRobber was embedded in hacked versions of Mac OS X image editing app GraphicConverter version 7.4 distributed via file-sharing torrent sites such as PirateBay. Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time. GPUs are better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.

Sophos reports that in addition to Bitcoin mining, Miner-D also spies on its victim by taking screen captures and stealing usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), Safari browsing history, and .bash_history. To complete the assault – if the malware finds the user’s Bitcoin wallet it will also steal that.

DevilRobbe Mac OS X Trojan horse was discovered.DevilRobber was recently been updated according to F-Secure researchers. F-Secure researchers point out that the newly discovered Trojan is the third iteration of the malware and that it poses as the popular image-editing app PixelMator.

Help Net Security says this version of DevilRobber has new features that the original version is lacking. It tries to harvest the shell command history, the system log file, and the contents of 1Password, the popular software for managing passwords. Unfortunately, its Bitcoin mining and stealing capabilities are still there, as well.

rb-

safe computing.So despite Apple’s continued instance that their machines do not need anti-malware software, standard malware prevention techniques apply to Macs. Clearly, Mac users like their Windows cousins should practice safe computing. Some of the safer computing practices for Mac and Windows users include

  1. Never open an email attachment unless you are POSITIVE about the source.
  2. Do NOT click on any pop-up that advertises anti-virus or anti-spyware software especially a program promising to provide every feature known to humanity.
  3. Use an AntiVirus program. A free one is better than none. There are several free versions that work well, like Microsoft Security Essentials which is also free has had good reviews.
  4. Keep your OS and AV updated. Make sure that you install those important updates. An out-of-date antivirus program does not help in detecting new infections.
  5. Use a personal firewall. Use a firewall between your DSL router or cable modem and the computer will protect you from inbound attacks. A software firewall on the computer can protect you from both inbound and outbound attacks.
  6. Do NOT download freeware or shareware unless you have must. These often come bundled with spyware, adware, or fake anti-virus programs. Be especially wary of screensavers, games, browser add-ons, peer-to-peer (P2P) clients, and any downloads claiming to be “cracked” or free versions of expensive applications.
  7. Avoid questionable websites. Some sites may automatically download malicious software onto your computer.
  8. Browse responsibly. Sometimes you might not even have to download and install something but just open a website in your browser for a rogue program to infect your computer. So be careful where you go when you are browsing.
  9. Pay attention to your incoming e-mails. Some of them can contain viruses or content pointing to malicious sites. Don’t click on links provided by false institutes that invite you to change passwords or similar.
  10. “Phishing” describes scams that attempt to acquire confidential information such as credit card numbers and passwords by sending out e-mails that look like they come from real companies or trusted people. If you happen to receive an e-mail message announcing that your account will be closed, that you need to confirm an order, or that you need to verify your billing information, do not reply to the e-mail or click on any links. If you want to find out whether the e-mail is legitimate, you can go to their website by directly typing their address into your browser or by calling them.

Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| April 2, 2011
Comments Off on Adobe Notes

Adobe Notes

Malicious PDF Files Becoming the Attack Vector of Choice

Adobe PDF ZDNet points out a report from Symantec’s MessageLabs that malicious PDF files outpace other malicious attachments used in targeted attacks and now represent the attack vector of choice for malicious attackers compared to media, help files, HTMLs and executables.

The report says that office-based file formats are a popular and effective choice used in some targeted attacks. Cybercriminals attempt to bypass spam and email filters by distributing the ubiquitous PDF that is often allow to pass through these layers of protection. In 2009, about 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010, an increase of 12.4%. MessageLabs Intelligence Senior Analyst, Paul Wood says,

PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware

Adobe Posts Its First Billion-Dollar Quarter

The New York Times reports that the software maker Adobe posted its first $1 billion quarter in Q4-2010. Revenue rose 33 percent to $1.01 billion from $757 million last year. Adobe, which is based in San José, CA makes Photoshop, Acrobat, and Flash software.

Targeted attacks exploiting PDF bugs are soaring

Help Net Security reports that Adobe is having a hard time fighting its bad reputation when it comes to products riddled with vulnerabilities. Help Net Security references a report from F-Secure’s Lab which says that Adobe Reader exploits are becoming the weapon of choice for many cybercriminals.

F-Secure

This makes patching and updating eminently important. As an example the latest critical vulnerability (CVE-2010-0188) which Adobe warned users to update the software to the latest version. Users who missed the memo are vulnerable, F-Secure (FSC1V) warns it is being exploited in the wild.

Upon loading the PDF file, an embedded executable is dropped on the victim’s hard disc and it immediately tries to connect with tiantian (.) ninth (.) biz to download other files.

F-Secure has warned long ago about security problems plaguing Adobe’s most famous software. The security firm has even advised users to start using an alternative PDF reader. According to Help Net Security Adobe’s, decision to schedule their updates to follow Microsoft’s Patch Tuesday is a step in the right direction.

Malicious PDF spam with Sality virus

Help Net Security highlights a Sophos warning that a malicious email containing the following text has been dropped into inboxes around the world:

Hey man..
Remember all those long distance phone calls we made.
Well I got my telephone bill and WOW.
Please help me and look at the bill see which calls where yours ok..

Sophos logoYou surely don’t remember such an occurrence or the sender of the email, since this is just a ploy to make you open the PhoneCalls(.)pdf attachment, but don’t let your innate curiosity get the better of you.

The attached file can exploit a vulnerability in how Adobe Reader handles TIFF images and proceeds to download and execute a Trojan that loads the Sality virus into your system’s memory. The virus then proceeds to append its encrypted code to executable files, deploys a rootkit, and kills anti-virus applications.

Sophos reminds everyone that opening documents attached to unsolicited emails is like the online equivalent of Russian roulette – the odds are stacked heavily against you.

Adobe, The New King Of Security Holes

Information WeekAdobe reports that Microsoft (MSFT) has spent more than a decade improving its secure software development and its response to security exploits. As a result, Microsoft is losing the lead in security vulnerabilities and being replaced by Adobe (ADBE).

With Microsoft’s improved response to security holes, the pickings in Windows itself are getting slimmer. Attackers don’t have brand loyalty, so they’ve moved on to another company with lots of PC installed base: Adobe. Security holes are being exploited in Adobe Reader and Illustrator. Adobe makes this problem worse because it has bundled unwanted applications and their AIR software platform with their free applications like Adobe Reader. Adobe is looking to create an attractive installed base for their developers, but they are also creating an attractive attack surface for the bad guys.

Protecting yourself from Adobe’s security holes can be difficult.  There are non-Adobe solutions such as Foxit Reader, which is much faster and lighter than Adobe Reader but has had problems with  PDF documents with editable fields. InfoWeek provided some specific tips that may help avoid security problems.

  • Uninstall any Adobe Reader version earlier than 9,  and install version 9.
  • With ver. 9 go to the Edit/Preferences menu. Make sure that Security(Enhanced) is turned on; (Adobe ships it turned off).
  • Launch the Updater and be sure you’re checking for updates, install updates ASAP.
  • Go to Trust Manager and uncheck the option for “Allow opening of non-PDF file attachments.”
  • Finally, unless you know you need JavaScript in your Acrobat documents, disable JavaScript.
  • RB- Don’t go to ver. 10, I hate it.
Related articles
  • Iranian Nuclear Program Used as Lure in Flash-based Targeted Attacks (pcworld.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| December 21, 2009
Comments Off on Botnets Attacking Servers

Botnets Attacking Servers

Botnets Attacking Servers Web servers, FTP servers, and even SSL servers are becoming prime targets for botnets. They are targets, not as command and control servers says Mikko Hypponen, chief research officer at F-Secure, in a recent DarkReading article, “but in some cases to execute high-powered spam runs.”

Botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth says Joe Stewart, director of malware research for SecureWorks. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,” Stewart told DarkReading. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.

Source of Web attacks

Marc Maiffret, chief security architect at FireEye says he expects trusted and legitimate Websites will start to become the source of the majority of Web attacks in 2010. “I think that the focus there on servers is really again more to help more easily infect a larger number of desktops,” Maiffret says.”You can think of this SQL/Web-spread vector as the modernized version of what use to happen with email and such many years ago.”

FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for Biscom. “FTP is being used to transfer bot code to other machines, servers, and users,” Ho says. “If the FTP server is not secured properly and an FTP site has access to other parts of the system with vulnerabilities, the attacker can install [malware] at that location and infect and compromise that server.”  Paul French, vice president of products and solutions marketing for Axway laments that. “FTP is pretty ubiquitous … The reality is that FTP has been around long enough for people to know the risks associated with it. But sometimes convenience outweighs good IT security [practices].”

Botnets using SSL servers

Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads” according to Hypponen.

Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, DarkReading concludes.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| April 10, 2008
Comments Off on Malware to exceed 1 Million in ’08

Malware to exceed 1 Million in ’08

Malware to exceed 1 Million in '08The total number of viruses will reach one million by year’s end, according to Sophos chief technology officer Paul Ducklin in an article in PC World. Most striking to me is that Ducklin claims 25 percent of unique malware have been created in the last six months of its 20-year history. That translates into 250,000 attack vectors in 6 months or nearly 60 unique malware vectors (as defined by Sophos) an hour.

Ducklin offers some hope, “About 85 to 90 percent of malware families have a fix created for them almost immediately,” which leaves over 50 new attack vectors an hour that have to be identified, code written and updates distributed.

In the same PC World article F-Secure Asia-Pacific vice president Jari Heinonen said it logs about 25,000 malware samples each day, the highest on record.

The total number of viruses and Trojans will pass the one million mark by the end of 2008 if this trend continues,” Heinonen said.

Both Sopho’s Ducklin and F-Secure’s Heinonen say that drive-by-downloads of malware, due to iframes vulnerabilities are growing. F-Secure’s Heinonen “Drive-by downloads are the preferred way of spreading malware [because] they happen automatically by visiting a Website unless users have a fully patched operating system, browser, and plug-ins.

Heinonen also predicts that malware will increasingly target the kernel sector through rootkits such as Mebroot, which attacks the bootstrap sector. A resurgent Mebroot was detected last month, some 15 years after the DOS-based malware was created.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , ,