Saturday, February 22, 2014

Apple security flaw could allow hackers to beat encryption

A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.

If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions using what are known as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), nor did it say whether the flaw was being exploited.

But a statement on its support website was blunt: The software "failed to validate the authenticity of the connection."

Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.

After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OS X, the operating system running on Apple laptop and desktop computers. No patch is available yet for that operating system, though one is expected soon.

Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.

The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.

Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple's stature and technical prowess.

The company was recently stung by leaked intelligence documents claiming that authorities had 100 percent success rate in breaking into iPhones.

Friday's news suggests that enterprising hackers could have had great success as well if they knew of the flaw.

Saturday, February 15, 2014


A small number of Bitcoin wallets have been raided by a newly discovered Trojan that gobbles up credentials used to guard the digital currency.

OSX/CoinThief.A was found in the wild by SecureMac, a security consultancy specializing in Apple security; the malware was spreading on GitHub via a malicious app, which has since been removed from the code repository.

“At this time we’ve seen multiple reports on Reddit and other Bitcoin forums with users indicating that they’ve fallen victim to the malware, but we do not yet know the full scope of the malware distribution,” SecureMac lead developer Nicholas Ptacek said. “As news of this malware spreads, more victims will probably come forward.”

A Reddit discussion about the incident seems to link the author of the app called Stealthbit used to spread CoinThief to a previous attack targeting Bitcoin credentials carried out through an app called Bitvanity. The author of CoinThief went by the handle trevorscool or Thomas Revor, while the Bitvanity GitHub account was registered to a Trevory. The person posting said the Bitvanity app lifted more than 20 Bitcoins—an approximate value of $14,000 USD.

“The malware author tried to take down the malicious binary from Github yesterday, and possibly didn’t realize that it would still be available from the commit history,” Ptacek said. “At some point in the afternoon, the entire Github page for StealthBit was 404′ing, but we are not sure if the malware author deleted his account, or if the page was taken down by Github.”

StealthBit pretends to be an app used to send and receive payments on Bitcoin Stealth Addresses. Instead, when victims install it, their web browsing traffic is monitored by the Trojan, which sniffs out login credentials for Bitcoin wallets.

“At this time there does not appear to be any vulnerability that the malware is exploiting, but rather it is a classic case of social engineering,” Ptacek said. “The infected users thought they were installing an app to send and receive payments on Bitcoin Stealth Addresses, but the app did more than was advertised when it installed the malware. Since the user was intending to install the app, Gatekeeper warnings wouldn’t have been effective at stopping those users from running the app.”

The consultancy said the CoinThief Trojan is a dropper that installs browser extensions in Safari and Chrome running on OS X. The extensions keep tabs on Web traffic from the browsers and watch for log-in attempts on pre-loaded Bitcoin exchanges such as Mt. Gox and BTC-e and wallet sites such as [...]. The extensions, meanwhile, are generically named “Pop-up Blocker,” and arrive with an equally generic description that wouldn’t raise suspicions with the user or security researchers.

“Additionally, the malware appears to monitor specific file locations on disk, checking to see when they are modified. Analysis of this malware is still in the early stages, so more information is likely to come to light moving forward,” Ptacek said.
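The extensions described above work only because they are granted the power to observe every page the browser loads. An added example (not SecureMac's code and not taken from the malware) of the check a defender can run over an installed Chrome extension's manifest.json: it flags extensions that combine site-wide host permissions or all-page content scripts with traffic-observing APIs, and notes when such an extension carries a generic name like the “Pop-up Blocker” label mentioned above. The two manifests are constructed samples in the manifest v2 layout; the list of generic names is an assumption.

```python
import json

# Host patterns that grant access to every site (manifest v2 syntax).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension watch or rewrite web traffic and sessions.
TRAFFIC_APIS = {"webRequest", "webRequestBlocking", "webNavigation", "tabs", "cookies"}
# Assumed list of innocuous-sounding names worth a second look when paired with broad powers.
GENERIC_NAMES = {"pop-up blocker", "popup blocker", "ad blocker", "page helper"}


def matches_all_hosts(patterns):
    """True if any pattern in the list covers every origin."""
    return any(p in BROAD_HOSTS for p in patterns)


def audit_manifest(manifest_json):
    """Return a list of human-readable findings for one extension manifest."""
    m = json.loads(manifest_json)
    findings = []
    perms = set(m.get("permissions", []))
    if matches_all_hosts(perms):
        findings.append("host permission on every site")
    apis = perms & TRAFFIC_APIS
    if apis:
        findings.append("traffic-observing APIs: " + ", ".join(sorted(apis)))
    for script in m.get("content_scripts", []):
        if matches_all_hosts(script.get("matches", [])):
            findings.append("content script injected into every page")
            break
    if findings and m.get("name", "").strip().lower() in GENERIC_NAMES:
        findings.append("generic name '%s' paired with broad powers" % m["name"])
    return findings


# Constructed sample: looks like the extension described in the article.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Pop-up Blocker",
    "description": "Blocks pop-ups.",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Constructed sample: narrowly scoped extension that should produce no findings.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Site Helper",
    "version": "0.3",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.org/*"], "js": ["helper.js"]}],
})

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

Findings are only a prompt for review: plenty of legitimate ad blockers need `webRequest` and `<all_urls>`, so the value of the check is in surfacing extensions nobody remembers installing, not in an automatic verdict.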

The attackers hosted the source code and a precompiled version of the app on GitHub, SecureMac said. The source code and app, however, were not a match. The pre-compiled app contained malware not present in the source code and infected OS X users with CoinThief. Not only does the malware watch Web traffic, but it connects to a remote command and control server where it sends the stolen credentials and also receives updates from the attackers.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,”  SecureMac said on its site.

Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.

Apple’s security restrictions make it highly unlikely the malware would have made its way onto the Apple App Store. Also, there is no indication of a mobile component of this Trojan for iOS devices.

“The Trojan only works on OS X, and we haven’t seen any indication of the presence of an iOS version,” Ptacek said. “Furthermore, due to the security restrictions Apple has built into iOS, this malware would not be able to function on iOS.”

Tuesday, February 4, 2014

Flaming iPhone 5c Battery Sets 13-Year-Old’s Pants On Fire


Batteries are potentially volatile things, stuffed with electrochemical cells practically humming with electrolytes. Every once in a while, then, they’re sure to break down, and companies like Apple do literally everything in their power to make sure it doesn't happen.

Here’s why. An iPhone 5c that exploded in the pocket of a 13-year-old girl resulted in a fire so severe that she was rushed to the hospital with second-degree burns.

The iPhone was in the girl’s back pocket at the time, so it appears that the failure of the two-month-old iPhone might have been due to stress. She may have cracked it sitting down.

As a bigger guy who stuffs his iPhone in his own back pocket, I should probably pay attention to this girl’s misfortune before I set my ass on fire.

Friday, January 24, 2014

New OSX/Crisis Variant Invokes Pope Francis

A new sample of OSX/Crisis, the all too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab during the weekend. We currently do not have information about the origin of the file on VirusTotal, named “Frantisek,” but it is an Eastern European first name meaning Francis. Could it be related to Pope Francis?

Like the previous variants, OSX/Crisis.C is delivered through a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, Hacking Team has updated some of the dropper code and the backdoor configuration file format.

The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program. For this reason, an incautious researcher using a debugger could get infected without even noticing it. While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.
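A dropper whose initial EIP lands in a custom segment rather than in __TEXT is easy to miss in a debugger but easy to spot statically. The following is an added example, not Intego's code, of a minimal parser for the 32-bit Mach-O case the article describes: it walks the load commands, collects segment ranges, reads EIP from the LC_UNIXTHREAD command, and reports which segment the entry point falls in. The two images it checks are constructed in memory with a helper, not real samples; 64-bit binaries, FAT images and the LC_MAIN entry command are outside its scope.

```python
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit little-endian Mach-O magic
LC_SEGMENT = 0x1             # segment load command
LC_UNIXTHREAD = 0x5          # initial thread state (holds the entry point)
X86_THREAD_STATE32 = 1       # i386 thread-state flavor
EIP_INDEX = 10               # eip sits after eax,ebx,ecx,edx,edi,esi,ebp,esp,ss,eflags


def parse_macho32(data):
    """Return (segments, entry_point). segments is a list of
    (name, vmaddr, vmsize); entry_point is EIP from LC_UNIXTHREAD or None."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O image")
    off = 28                                    # mach_header is 28 bytes
    segments, entry = [], None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT:
            name = data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace")
            vmaddr, vmsize = struct.unpack_from("<2I", data, off + 24)
            segments.append((name, vmaddr, vmsize))
        elif cmd == LC_UNIXTHREAD:
            flavor, count = struct.unpack_from("<2I", data, off + 8)
            if flavor == X86_THREAD_STATE32 and count > EIP_INDEX:
                entry = struct.unpack_from("<I", data, off + 16 + 4 * EIP_INDEX)[0]
        off += cmdsize
    return segments, entry


def entry_segment(data):
    """Name of the segment containing the initial EIP, or None."""
    segments, entry = parse_macho32(data)
    if entry is None:
        return None
    for name, vmaddr, vmsize in segments:
        if vmaddr <= entry < vmaddr + vmsize:
            return name
    return None


def suspicious_entry(data):
    """True when execution starts outside __TEXT, e.g. in a segment like __INITSTUB."""
    seg = entry_segment(data)
    return seg is not None and seg != "__TEXT"


def build_sample(entry_addr, segs):
    """Construct a bare 32-bit i386 Mach-O header plus load commands (test data only)."""
    cmds = b""
    for name, vmaddr, vmsize in segs:
        # cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
        cmds += struct.pack("<2I16s8I", LC_SEGMENT, 56, name.encode(), vmaddr, vmsize, 0, 0, 7, 5, 0, 0)
    regs = [0] * 16
    regs[EIP_INDEX] = entry_addr
    cmds += struct.pack("<4I", LC_UNIXTHREAD, 80, X86_THREAD_STATE32, 16) + struct.pack("<16I", *regs)
    header = struct.pack("<7I", MH_MAGIC, 7, 3, 2, len(segs) + 1, len(cmds), 0)  # CPU_TYPE_X86, MH_EXECUTE
    return header + cmds


if __name__ == "__main__":
    normal = build_sample(0x2010, [("__PAGEZERO", 0, 0x1000), ("__TEXT", 0x1000, 0x2000)])
    hidden = build_sample(0x3010, [("__PAGEZERO", 0, 0x1000), ("__TEXT", 0x1000, 0x2000),
                                    ("__INITSTUB", 0x3000, 0x1000)])
    for label, img in (("normal", normal), ("hidden", hidden)):
        print(label, "entry in", entry_segment(img), "suspicious:", suspicious_entry(img))
```

Running the check before loading a sample under a debugger answers the question the article raises: whether any code executes before the breakpoint most people set on main().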

When the dropper runs successfully, it hides the following files in the user’s home directory (in the Library/Preferences folder), inside a fake application bundle called

  • 1 backdoor: 8oTHYMCj.XIl (32-bit)
  • 1 configuration file: ok20utla.3-B
  • 2 kernel extensions: Lft2iRjk.7qa (32-bit) and 3ZPYmgGV.TOA (64-bit)
  • 1 scripting addition: EDr5dvW8.p_w (FAT)
  • 1 XPC service: GARteYof._Fk (FAT)
  • 1 TIFF image, a System Preferences icon ripped off from the Linkinus preferences panel: q45tyh

Then it executes the backdoor and finishes the installation by creating a LaunchAgent file,

Similar to OSX/Crisis.B, this binary is obfuscated using MPress packer. It doesn’t run on OS X 10.9 as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an “Image not found” exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).

Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit.

At the time of this writing, the overall detection rate on VirusTotal is very low.

Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.C.

Wednesday, January 22, 2014

Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack

Our colleagues at SophosLabs pointed us at an interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users.
In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.
You're probably familiar with "undelivered item" scams.
The idea is surprisingly simple: you receive an email that claims to be a courier company that is having trouble delivering your article.
In the email is a link to, or an attachment containing, what purports to be a tracking note for the item.
You are invited to review the relevant document and respond so that delivery can be completed.
We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website, featuring its very own amusingly ill-Photoshopped planes, ships and automobiles.
But a competently executed courier scam can be fairly convincing, especially if the criminals behind it know enough about you to create what becomes a targeted attack.
Even a modest amount of detail (if that is not an oxymoron) can do the trick.
For example, the crooks will sound a lot more believable if they know your address and phone number; are aware of what you do in your job; and have a general idea about some of the projects you are working on right now.
Of course, if you open the attachment or click on the link in one of these scams, you are immediately put into harm's way: the attachment might try to trigger an exploit in your unpatched copy of Word, for instance, or the link might attack an unpatched Java plugin in your browser.
Here's what the emails looked like in this attack, with some details changed or redacted for safety:
We wish to inform you that we have a pending parcel for the past 10 days bearing your name Mr. Jonathan Sidebottom,with parcel number (MV-45-QA566). The parcel was sent for delivery on the below mentioned address but nobody was there to receive it. Your parcel content has a set of engineering documents, which was discovered during our security checks of parcels brought into our head office. So, we are sending you a scanned copy of that parcel. Give your positive response, if it belongs to you.
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone.
But if Mr Sidebottom really is in the engineering business, and regularly deals with inbound documents from courier companies around the world, an email of this sort could easily pass muster.
The link, of course, doesn't really lead to, but instead takes you to a domain name that is controlled by the attackers.
If you are on a mobile device, the server delivers an error message.
If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware.
But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file.
By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
Clicking on the download button shows you what looks like a PDF file:
There is no PDF file, as a visit to the Terminal window quickly reveals.
Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon:
As you can imagine, the temptation is to click on what looks like a PDF file to see what it contains.
OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file:
Note that you don't get a warning about the App being from an "unknown developer" because it is digitally signed, something that happens surprisingly often with modern malware.
→ The quantity of digitally-signed malware in circulation prompted Microsoft, which sees a lot more malware than Apple, to publish a recent blog post with the uncompromising title "Be a real security pro - Keep your private keys private." In that article, Microsoft documents a malware family it calls "Winwebsec" of which it has more than 15,000 digitally-signed samples, signed with 12 different stolen keys.
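Because Safari unpacks the archive for you, the moment to catch this trick is before anyone double-clicks the result: a ZIP that is supposed to hold a document but actually holds an application bundle. The following is an added example, not Sophos code, of that check in Python: it looks for the Contents/MacOS/ structure that every OS X app bundle has, and separately flags bundles whose name ends in a document extension before the .app suffix. The two archives are constructed in memory; the executable name inside the bad one reuses the process name foung quoted in the article, and the file contents are placeholders.

```python
import io
import zipfile

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
BUNDLE_MARKER = ".app/contents/macos/"   # an app bundle always carries Contents/MacOS/<executable>


def find_app_bundles(zip_bytes):
    """Return the paths (up to and including '.app') of every application bundle in the archive."""
    bundles = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            idx = name.lower().find(BUNDLE_MARKER)
            if idx != -1:
                bundles.add(name[:idx + 4])
    return sorted(bundles)


def disguised_bundles(zip_bytes):
    """Bundles named like 'Tracking.pdf.app', i.e. an executable dressed up as a document."""
    hits = []
    for bundle in find_app_bundles(zip_bytes):
        stem = bundle.rsplit("/", 1)[-1][:-4].lower()   # drop directory part and '.app'
        if stem.endswith(DOCUMENT_EXTENSIONS):
            hits.append(bundle)
    return hits


def is_document_only(zip_bytes):
    """True if every entry is a plain file with a document extension (no directories, no bundles)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return bool(names) and all(
        not n.endswith("/") and n.lower().endswith(DOCUMENT_EXTENSIONS) for n in names
    )


def build_zip(entries):
    """Build a constructed sample archive from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed archives: one mimics the lure, one is a genuine single PDF.
BAD_ZIP = build_zip({
    "Tracking.pdf.app/Contents/Info.plist": b"<plist/>",            # placeholder content
    "Tracking.pdf.app/Contents/MacOS/foung": b"\xcf\xfa\xed\xfe",    # placeholder, not a real Mach-O
    "Tracking.pdf.app/Contents/Resources/pdf.icns": b"",
})
GOOD_ZIP = build_zip({"Tracking.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("bad", BAD_ZIP), ("good", GOOD_ZIP)):
        print(label, "bundles:", find_app_bundles(blob), "disguised:", disguised_bundles(blob),
              "document-only:", is_document_only(blob))
```

The same inspection works on a mail gateway or a download directory; the point is that the archive listing, not the icon, tells you what you are about to run.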
If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it.
But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung:
As it happens, foung, like its counterpart delivered to Windows computers, is a bot, short for "robot malware", detected by Sophos Anti-Virus as OSX/LaoShu-A.
LaoShu-A as good as hands control of your Mac over to the attackers, but its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet.
(You will often hear the term RAT, or Remote Access Trojan, rather than the more common term bot, used to describe this sort of malware.)
In other words, the attackers seem more concerned with digging around on your computer for what they can steal than with abusing your computer and your internet connection to aid and abet other cybercriminal activities.
Amongst other things, LaoShu-A contains code to:
  • Search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX.
  • ZIP those files.
  • Upload (exfiltrate) them to a server operated by the attackers.
However, this RAT also knows how to:
  • Download new files.
  • Run arbitrary shell commands.
For example, during our tests, LaoShu-A downloaded a second application that took a screenshot with OS X's built-in screencapture command, and tried to exfiltrate the image it had just grabbed.
But the behaviour of that second application can be varied by the attackers at any time, which is why, in our recent podcast, Understanding botnets, SophosLabs expert James Wyke warned as follows:
Without analysing the full network capture of the entire interchange between a bot and the person controlling it, you can't say for sure exactly what that bot might have done... [it] might go and download some completely different piece of malware which carries out a completely different set of functionality.
James went on to recommend:
Be more suspicious of things you get in e-mail. E-mail is still one of the most common ways people get infected, and it is predominantly through social engineering attacks... So when you receive an e-mail from someone you've never heard of before, or you've never communicated with before, and there's some interesting attachment to the e-mail or [a link to click], ...don't do that! That's one of the most common ways people get infected.
Let's hope this malware reminds OS X users of a few simple truths that some Mac fans still seem willing to ignore:
  • Mac malware is unusual, but not impossible.
  • Data thieves are interested in what Mac users have on their computers.
  • Malware writers can often get their hands on digital certificates to give software a veneer of respectability and to bypass operating system warnings.
  • Mac malware doesn't have to ask for a password before running.
  • Mac malware can run directly from a download without an installation step.
  • Bots and RATs are particularly pernicious because they can update and adapt their behaviour after you are infected.
As always, prevention is better than cure.
And that "undelivered courier item" almost certainly doesn't exist.

Saturday, January 11, 2014

Flashback trojan still infecting 22,000 Macs

A screenshot of an Apache server log showing infected Macs connecting to a Flashback command and control server. The user agent and referrer strings, which claim the clients are Windows NT 6.1 machines, are set by Flashback. Intego has confirmed that the machines are, in fact, infected Macs.

The Flashback trojan that hijacked well over 500,000 Macs at its peak is still clinging to life, with about 22,000 infected machines in recent days, a security researcher said.

The compromised Macs were observed connecting to command and control servers that had been "sinkholed"—meaning taken over for research or security purposes—by analysts from security firm Intego. During a five-day period ending January 7, 22,000 Flashback-infected computers reported to server domains recently acquired by Intego, Arnaud Abbati, a researcher with the company, wrote in a blog post. Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into a Flashback algorithm, assuming they know how the internals of the malware work.

Flashback first came to light in 2011 when it took hold of people's machines by masquerading as a legitimate installer of Adobe's ubiquitous Flash media player. By early 2012, Flashback morphed from a socially engineered threat to one that performed surreptitious drive-by attacks by exploiting vulnerabilities in Oracle's Java software framework. Flashback was among the most sophisticated pieces of malware ever to target mainstream Mac users.

Self-encryption made it tough for researchers to reverse engineer or hijack the malware. Flashback was used primarily as a "click fraud" tool that caused infected Macs to view sponsored links that had the potential to generate millions of dollars in fraudulent ad revenue. It also had the ability to do much more, including sending spam, engaging in denial-of-service attacks, or logging passwords. Ars has published articles showing how to detect and remove Flashback here and here.

One Flashback capability included the ability to periodically generate a new set of domains that infected Macs would report to. To prevent Flashback operators from losing control of their machines, the malware was programmed to check a new pseudo-randomly generated domain each day in five separate top-level domains (TLDs). In an e-mail, Abbati explained:

"An infected Mac tries to contact the same domain on five TLDs (.com, .net, .info, .in, .kz) until it finds one correct bot response. To block that chain you can't just buy the .com; there is a chance the hacker will test for all TLDs and purchase and use the others for malicious activity. The process is that the server answers back the infected Mac with secret data to prove that it is a Flashback botnet controller. After that handshake, the network packets are encrypted with the unique identifier given by the infected Mac on the first request to the C&C server. Then the server sends commands over the network to execute on the infected Mac, commands that can be: update your code with an external executable (by downloading it), execute a system command, launch a process, send local files from the infected Mac, etc. To resume, after the handshake with the secret data, the botnet server has full control over the infected Mac."
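The behaviour Abbati describes, one label tried in turn across .com, .net, .info, .in and .kz, leaves a recognisable footprint in DNS or proxy logs even when the label itself changes every day. As an added example (not Intego's code and not part of the article), the following Python reads constructed DNS-query log lines, groups queries by client and second-level label, and reports any client that asked for the same label under three or more of the Flashback TLDs. The log format and the label in the sample are invented for the example; a real deployment would feed it the resolver's own query log.

```python
import re
from collections import defaultdict

# TLDs named in the article as the set an infected Mac cycles through.
FLASHBACK_TLDS = ("com", "net", "info", "in", "kz")

# Constructed resolver log: "<timestamp> <client> query <name>". Not real traffic.
SAMPLE_LOG = """\
2014-01-05T10:00:01 10.0.0.15 query kqwertyuiop.com
2014-01-05T10:00:01 10.0.0.15 query kqwertyuiop.net
2014-01-05T10:00:02 10.0.0.15 query kqwertyuiop.info
2014-01-05T10:00:02 10.0.0.15 query kqwertyuiop.in
2014-01-05T10:00:03 10.0.0.15 query kqwertyuiop.kz
2014-01-05T10:00:05 10.0.0.22 query www.example.com
2014-01-05T10:00:06 10.0.0.22 query example.net
2014-01-05T10:00:07 10.0.0.31 query mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, normalised name) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def split_domain(name):
    """Split 'label.tld' into (label, tld); names without a dot are ignored."""
    parts = name.split(".")
    if len(parts) < 2:
        return None
    return ".".join(parts[:-1]), parts[-1]


def find_tld_rotation(text, tlds=FLASHBACK_TLDS, min_tlds=3):
    """Return {(client, label): [tlds]} for clients that queried one label
    under at least min_tlds of the watched TLDs."""
    seen = defaultdict(set)
    for _ts, client, name in parse_log(text):
        split = split_domain(name)
        if split and split[1] in tlds:
            seen[(client, split[0])].add(split[1])
    return {key: sorted(v) for key, v in seen.items() if len(v) >= min_tlds}


if __name__ == "__main__":
    for (client, label), tlds in find_tld_rotation(SAMPLE_LOG).items():
        print("%s queried %s under %s" % (client, label, ", ".join(tlds)))
```

The detector deliberately ignores what the label looks like, so it keeps working after the daily domain changes; the label it reports is the one a defender would then compare against the sinkholed names.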

Abbati went on to say that Apple countered the threat by reverse engineering the domain-generation algorithm and buying all of the names through the end of 2013. That prevented him or anyone else outside of Apple from monitoring the Flashback botnet. Then, at the beginning of the year, Apple briefly allowed some of those domain name registrations to expire, making it possible once again for Intego to peer into the inner workings of Flashback. Over the past few days, Apple has bought all of the 2014 domains. Abbati said that's a good thing for the safety of those who remain infected.

"With the number of computers still infected," he explained, "it’s conceivable that someone with malicious intent could also crack the algorithm, buy the domains, and use them to instruct the computers into nefarious action."

Friday, January 10, 2014

82% of enterprise Mac users not getting security updates

Last week I saw a post by Computerworld journalist Gregg Keizer about the fragmentation of OS X versions and how it flew in the face of Apple's plans to unite users onto OS X Mavericks.

I have worked with Gregg for years and immediately began to think of the security implications.

Paul Ducklin wrote of the security fixes included in Mavericks, but strangely it appeared that Apple had not released similar fixes for OS X 10.6, 10.7 and 10.8.

The Net Applications data Gregg quoted was interesting, but I thought I would look into how Sophos customers have approached Mavericks.

Enterprise IT departments are often far more hesitant to deploy new operating system versions quickly and this time it might come along with some rather risky security consequences.

As you can see in the charts, 55% of Sophos Anti-Virus for Mac Home Edition (Free!) users have upgraded to OS X Mavericks, whereas only 18% of enterprise users have jumped on board.

After only 77 days these numbers reflect one of the highest adoption rates of a new OS I have seen. Unfortunately, that may not be good enough.

Without saying it in so many words, or any words for that matter, Apple appears to have stopped releasing security updates for OS X 10.6.8, 10.7.5 and 10.8.5.

It is a nice gesture that OS X 10.9 Mavericks is a free upgrade, but not everyone can upgrade. OS X 10.8 Mountain Lion has only been available for 15 months and is apparently already orphaned.

Microsoft has been taking heat for discontinuing Windows XP after supporting it for more than 12 years. I think Apple might be able to do a little better than 15 months.

If you are an Apple user, please update to OS X Mavericks or if you can't, perhaps install Windows 7 or Linux.

If you must run an older version of OS X, you may want to follow the advice Duck and I had in a recent Techknow for Windows XP users to minimize the risk of compromise.