Thursday, April 26, 2012

University of Iowa Student Macs Hit With Virus

University of Iowa freshman Cailie Furlong was studying online Wednesday — until she was blocked from the UI network.

Her computer, along with around 350 other Mac computers on campus, had been infected with the Flashback virus.

UI Chief Information Security Officer Jane Drews said computers received the virus from an infected website. Once installed, the virus allows its creator to access personal information such as account passwords.

"It's something to take seriously," she said.

Concern has been serious enough for the UI Information Technology Services to block infected Macs from accessing the campus wireless network. The UI's intrusion-detection system detects the Flashback virus — which accesses computers by exploiting a security flaw in Java — by catching the network activity of machines trying to contact a botnet, a network of hacked computers.

UI freshman Max Dehio also noticed his computer had been blocked Wednesday. He said the university IT services told him it will reformat every infected Mac on campus in order to remove the virus.

Dehio said he was surprised by the block.

"I think the university should send out an email before it kicks you off the network," he said.

Drews said some students with Macs should take precautions by getting the most current operating system — OS X 10.7 — and running software updates, installing antivirus software, and turning on firewall programs.

Because reformatting deletes everything on a computer, UI computer-science Associate Professor Doug Jones recommended students back up any important information.

"In general, the important thing to do is keep backups of anything that matters to you," he said. "[Because] a good thing to do if your computer does get infected is to wipe everything."

Cases such as the Flashback virus represent a decrease in antivirus effectiveness over the past few years, Jones said — especially for Macs, which are not considered as vulnerable to viruses as PCs.

"It's sort of disturbing that Macintoshes are being targeted now," he said.

Drews said Apple released a software update Tuesday to prevent Mac computers from being infected by the virus. UI ITS is testing the software to see if it clears the virus completely, she said.

If the software is effective, she said, the university will take that approach instead of reformatting and reloading infected computers.

Furlong said UI computer services were able to save all her documents and pictures, but everything else was gone.

"I couldn't do my homework last night," she said. "I couldn't even work in the ITC because it is all saved on my laptop."

Dehio said he completed all of his homework earlier in the week but was still concerned about the virus spreading around end-of-semester deadlines.

"I'm losing the time that I should be studying and researching for my essays," he said.

New Flashback Variant Emerges To Plague Unpatched Macs

Security firm Intego has discovered a new variant of the Flashback malware, called Flashback.S. This new variant continues to make use of the Java vulnerability that Apple patched earlier this month.

What's different about Flashback.S is that it installs without prompting the user for a password (which the earlier version asked for, but didn't actually require in order to install). Flashback.S installs files into the following locations:


After installation, the malware then goes on to delete all files and folders in the ~/Library/Caches/Java/cache folder in order to try to avoid detection.

Interestingly, this malware checks to see if Intego VirusBarrier X6, Apple’s Xcode development platform, or Little Snitch are installed on the Mac. If it finds any one of these programs installed it will abort the installation.

All that's needed to become infected with this malware is for the Mac user to visit a website serving the malicious code (such sites are believed to be hacked WordPress blogs) using the Safari browser. It's that simple: there's nothing to click on and no password prompt.

Flashback infections are falling, but there are obviously enough Mac users out there who have not applied the Java patch to their system to make it worthwhile for the bad guys to develop and release this new variant.

Don’t be one of those people! If you’ve not done so already, you need to patch your system immediately! The easiest way to do this is to fire up Software Update and bring in all the updates your system needs.

If you've already patched your system, congratulations. You're safe. However, there are still a few steps that you might like to take to give yourself added protection.

First, I recommend that you download and install antivirus software. Sophos Anti-Virus for Mac Home Edition and ClamXav 2 are both excellent products and won’t set you back a dime. If you’d rather go for a paid-for solution then I suggest that you take a look at Intego’s VirusBarrier X6 or Internet Security Barrier X6.

Then, I recommend disabling Java in your Mac’s web browser. If you don’t use Java – and not many people do nowadays, which is why Apple doesn’t include it with OS X 10.7 ‘Lion’ – then I recommend uninstalling it completely so you get rid of a serious source of vulnerabilities.

Tuesday, April 24, 2012

Flashback Still Plagues Macs


Contrary to reports by several security companies, the Flashback botnet is not shrinking, the Russian antivirus firm that first reported the massive infection three weeks ago claims.

Dr. Web, which earlier this month was the first to report the largest-ever successful malware attack against Apple's OS X, said Friday that the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.
Also on Friday, Liam O Murchu, director of operations at Symantec's security response center, confirmed that Dr. Web's numbers were correct.

Optimism Refuted

Both Dr. Web's tally and its contention that infections are ongoing flew in the face of other antivirus companies' assertions. Kaspersky Lab and Symantec, which have each "sinkholed" select domains -- hijacked them before the hackers could use them to issue orders to compromised machines -- used those domains to count the Macs that try to communicate with the malware's command-and-control centers.

Earlier this week, Symantec said the Flashback botnet had shrunk by 60 percent and was down to 142,000 machines. Kaspersky claimed that its count registered only 30,000 infected Macs.
Not even close, said Dr. Web in a Friday blog post.
"The number is still around 650,000," said Dr. Web.
On April 16, the company continued, it said 595,000 different Macs were registered on the botnet, while the next day, April 17, the count was over 582,000.
Symantec's O Murchu said Dr. Web is right.
"We've been talking with them about the discrepancies in our numbers and theirs," said O Murchu in an interview Friday. "We now believe that their analysis is accurate, and that it explains the discrepancies."
When asked for comment, Kaspersky Lab said it was looking into the matter.

Malware Outsmarts Monitors

According to Dr. Web, counts by others were incorrect because of how the malware calculates the locations of command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.
Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month, and that after an infected Mac asks those servers -- controlled by Dr. Web -- for instructions, they then reach out to another domain.

Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.
But Dr. Web did know what happens next in Flashback's complex communication scheme.
"This server communicates with bots but doesn't close a TCP connection," wrote Dr. Web. "As [a] result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec]."
"This is the cause of controversial statistics," said Dr. Web.
Firms that reported a decrease in the Flashback botnet attributed the decline to the Java update that Apple distributed April 3, the detect-and-delete tool it shipped on April 12, similar tools issued by several antivirus vendors and the intense media attention paid to the outbreak.
Dr. Web's numbers hint that all of that was in vain.
Flashback's primary attack vector has been a Java vulnerability that Oracle patched in February, but Apple fixed only seven weeks later. Apple maintains its own version of Java for Mac OS X.
The French security company Intego first spotted the Flashback variant that exploited the then-unpatched Java bug in late March.

Saturday, April 14, 2012

New targeted Mac OS X Trojan requires no user interaction


Summary: A new Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is also exploiting Java vulnerabilities in a way that requires no user interaction. It is being used in targeted attacks.
Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as "Backdoor.OSX.SabPub.a" while Sophos calls it "SX/Sabpab-A."
After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity.
The remote C&C website appears to be hosted on a free dynamic DNS service. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn’t hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:
The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicate that it is most likely used in targeted attacks.
The good news is this means that this Trojan is not believed to be anything as widespread as Flashback, and if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe. The bad news is these Trojans will just keep coming, likely at an increasing rate.
This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

Wednesday, April 11, 2012

Apple Sued by DOJ

Apple and five of the publishing industry’s top firms were accused of working together to fix prices on e-books in a Justice Department suit Wednesday. Three publishers — Hachette, Simon and Schuster and HarperCollins — agreed to settle. Apple, Penguin Group and Macmillan did not agree to settle. Macmillan’s chief executive said Wednesday that the firm would fight the charges in court.

In its complaint, the Justice Department lays out a narrative of collusion at the highest levels of the tech giant and some of the nation’s biggest publishing houses. The filing is filled with accounts of high-priced lunches, phone calls between chief executives and barbs thrown at the “holdout major publisher,” likely Random House, which took longer to switch to Apple’s agency model.

Here are some highlights from the filing:
- The complaint paints Apple’s late co-founder Steve Jobs as dismissive toward concerns that the companies might be in unethical territory. In her remarks, acting antitrust chief Sharis Pozen pointed to a Jobs quote to illustrate that attitude. According to the complaint, Jobs told the publishers, “the customer pays a little more, but that’s what you want anyway.”
- Amazon looms large in the filing. At several points, the lawsuit quotes executives complaining about the e-reader giant's $9.99 price point. Publishers reportedly told Apple that the "price for new releases is eroding the value perception of their products in customer's minds, and they do not want this practice to continue for new releases."
- The complaints turned to fury when Amazon announced that it would let copyright holders publish their books directly through the online retailer.
Penguin USA chief executive David Shanks reportedly responded, “[on] Apple I am now more convinced that we need a viable alternative to Amazon or this nonsense will continue and get much worse.” He is quoted as saying he was “‘p****d’ at Amazon,” and the filing said Shanks “expressed his desire to screw Amazon.”
- The suit also alleges that the publishing firm chiefs coordinated an effort to stand strong against the Web retailer and maker of the enormously successful Kindle e-reader, encouraging members to “hold back your books from Amazon.” At one point, Macmillan asked Amazon to convert to Apple’s agency model. When Amazon refused, the publishing firm essentially stopped selling its books on the Web site. The suit quotes the chief executive of another publishing firm telling Macmillan’s CEO: “I can ensure you that you are not going to find your company alone in the battle.”
- The suit accuses Penguin and Shanks of taking the lead in criticizing a "holdout major publisher," telling that publisher that it was "not helping" the group.
According to the complaint, Jobs refused to sell books from the holdout publisher unless it “agreed to an agency relationship substantially similar” to Apple’s arrangements with the other companies.
- Justice has also presented evidence that the publishers agreed to sign on to the agency model only if all did so together, and that two CEOs admitted under oath that they had called other publishers “specifically to learn” whether they would sign with Apple before the iPad launch.

Thursday, April 5, 2012

'Rude awakening' for Mac users: serious Mac flaw needs urgent fix


Apple has released an urgent patch that will fix a security hole in its Mac operating system that has allowed some 30,000 Mac computers in Australia and more than 500,000 worldwide to be infected with malicious software (malware).
The critical update to Apple's version of Java for Mac OS X plugs at least a dozen security holes in the program and mends a flaw that attackers have recently pounced on to broadly deploy a malicious software program, known as Flashback Trojan, both on Microsoft's Windows and Apple's Mac operating systems.
Flashback Trojan's most recent variant (it has been around since 2011) self-installs after users visit legitimate websites that have been infected to distribute the program, a process known as drive-by download. Once installed, the malware sniffs data traffic from the computer in search of user names and passwords.
The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.
The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs (hat tip to Adrian Sanabria who wrote on his blog "(...) many Mac users have been lured into a false sense of security, and will be, or may already be, in for a rude awakening. Apple's marketing efforts are at least partially responsible for this."). Dr.Web's post is available in its Google translated version here.
Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains will happily infect vulnerable Mac systems without requiring a password, writes Ars Technica, among others. F-Secure has additional useful information on this Trojan attack here.
As Ars notes, although Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access webpages that use it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In Safari, this can be done by clicking Preferences, and then the Security tab (uncheck "Enable Java"). In Google Chrome, open Preferences, and then type "Java" in the search box. Scroll down to the Plug-ins section, and click the link that says "Disable individual plug-ins." If you have Java installed, you should see a "disable" link underneath its listing. In Mozilla Firefox for Mac, click Tools, Add-ons, and disable the Java plugin(s).
Delete Java
I can't stress this point strongly enough: If you don't need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I'd encourage you to browse through some of my past Java-related posts.
Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple's patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp – first issued an update to plug this flaw and others back on February 17. I suppose Apple's performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don't need to be concerned about malware attacks.
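The checks the article walks through by hand (is Java installed, is the browser plugin present, is Safari's "Enable Java" box unchecked) can be scripted for a quick audit of a Mac. This is an added example, not code from the article or its author. It assumes the Apple-era paths /usr/libexec/java_home and /Library/Internet Plug-Ins/JavaAppletPlugin.plugin and Safari's WebKitJavaEnabled preference key; all three are assumptions to confirm on the machine you run it on, and off a Mac the script simply reports nothing found.

```sh
#!/bin/sh
# Added audit script (not from the article). Reports whether Java and the
# browser plugin are present on a Mac and whether Safari's "Enable Java"
# box is unchecked. Paths and the preference key are assumptions for
# 2012-era OS X; confirm them on the machine before relying on the result.

# Interpret the raw value `defaults read` prints for a boolean preference.
classify_java_pref() {
  case "$1" in
    0|false|NO)  echo "disabled" ;;
    1|true|YES)  echo "enabled" ;;
    "")          echo "unset" ;;     # key absent: Safari's own default applies
    *)           echo "unknown" ;;
  esac
}

# True when a Java runtime is registered with the system (assumed path).
java_runtime_present() {
  [ -x /usr/libexec/java_home ] && /usr/libexec/java_home >/dev/null 2>&1
}

# True when the browser plugin bundle exists (assumed path).
java_plugin_present() {
  [ -d "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" ]
}

# Raw Safari preference value, or empty when the key is unset or the
# `defaults` tool is not available (e.g. when run off a Mac).
safari_java_pref() {
  command -v defaults >/dev/null 2>&1 || return 0
  defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null || true
}

# Print one line per finding; always exits 0 so it composes with set -e.
audit_java() {
  if java_runtime_present; then
    echo "java runtime: present (remove it if nothing on this Mac needs it)"
  else
    echo "java runtime: not found"
  fi
  if java_plugin_present; then
    echo "java browser plugin: present (disable it in each browser)"
  else
    echo "java browser plugin: not found"
  fi
  echo "safari 'Enable Java': $(classify_java_pref "$(safari_java_pref)")"
  return 0
}

audit_java
```

Chrome and Firefox keep their plugin state in their own profiles rather than in a system preference, so for those browsers the per-browser steps in the article still apply; the script only tells you whether the plugin bundle exists for them to load.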

Myth Busted: Apple is Not Hacker Proof

from / Marcus J. Carey 

The first thing I'd like to say is that I am an Apple fanboy and can usually be found defending them vigorously like any loyal fanboy would. I hear time and time again from other Apple users that Apple products are "hacker proof", which is a total myth. My buddy Jayson Street says Apple products are perceived as shiny magical things, which I guess adds to the myth.

Mac users are so used to hearing about exploits that only affect Windows users. I have to admit some exploits that target Macs are lame, but every once in a while there comes something that Mac users need to pay attention to. Ladies and gentlemen, now is the time to pay attention because this myth is being busticated in a major way at the moment.

Apple hasn't provided an OS X product update for a critical Java vulnerability (CVE-2012-0507), which was patched by Oracle as of February 15, 2012. This is a big deal because Apple users account for about 15% of Internet traffic. Mac users are wide open to exploitation if they are running the Java plugin in their browsers and attackers are actively leveraging the Java attack across the Internet.

The actual exploit is widely available, which means that it will appear all over the Internet. Here is a screen capture of me exploiting my "fully patched" MacBook Pro running OS X version 10.7.3 with Metasploit.
I created a video to show Mac users how to disable the Java plugin in Firefox, Safari, and Chrome. Disabling the Java plugin will prevent your system from being compromised by the CVE-2012-0507 exploit. In general you should always have the Java plugin disabled unless it is absolutely necessary. You never know when there is a zero day exploit lurking around the corner.

I was sad visiting the Apple Store yesterday knowing that every Mac in sight was exploitable (See image below). I asked a couple of the Apple Geniuses if they heard of the issue, and they told me they were unaware of it, which means few customers or owners know as well. We surely need to put this myth to rest and pray for Apple to update as soon as possible. One final request if you made it this far, please tell everyone you know to disable Java plugins.


Wednesday, April 4, 2012


New malicious software has been reported by F-Secure that runs on Mac OS X, supposedly a virus-free operating system. The discovered malware is a Trojan horse that exploits a vulnerability in the Oracle Java component, CVE-2012-0507.
Flashback code observed by F-Secure.
This critical vulnerability was patched by Oracle on February 15th, but Apple has not yet released the required patch. This leaves most Mac OS X users open to this kind of malware, especially since a version of the Blackhole exploit kit is exploiting this vulnerability.
On the other hand, if you are looking for a PoC, an exploit has already been developed for the Metasploit framework, and you can check a video demonstration of the attack. But if you are using an Apple system, then while there is still no patch available I think it is time to consider the workaround of disabling Java on your Apple operating system.