Tuesday, July 23, 2013

Apple’s OS X FBI Ransomware Goes Global

from blog.malwarebytes.org

Last week we blogged about how Apple’s Mac OS X users are vulnerable to the FBI Ransomware attacks. These social engineering scams come in the form of a stern warning from the FBI stating you have been caught doing something illegal. The user’s machine is then locked and a ransom of $300 must be paid to restore normal access to the computer.

The ransom pages came with two designs based on the victim’s geolocation: FBI or Europol.

Today, I discovered further customizations showing that the bad guys are busy updating their templates for each country’s police force.

A couple things to note:

Google has updated Google Chrome on Mac, and it can now defeat the ransom page: you can close it despite the JavaScript loop that attempts to prompt you 150 times.

Safari users are still stuck and must employ one of the two methods described here to get rid of the page.

Not all countries currently have their own ‘theme’ but it is only a matter of time before the bad guys roll them out.

Last week the Internet Crime Complaint Center (IC3) issued a warning that the FBI would never use such methods to apprehend criminals. It is a reminder that user awareness is the best protection against these attacks.

Monday, July 15, 2013

New Mac malware disguised with right-to-left encoding trick

Signed with a valid Apple developer ID, Backdoor:Python/Janicab.A uses a Unicode trick to pass as a standard document instead of an application.

F-Secure is reporting that new OS X malware is using a spoofing technique to disguise a malicious application as an ordinary document. The technique relies on a special Unicode control character in the file name that makes an application bundle appear to carry a document extension.

While an application can be renamed with a ".doc" or ".pdf" suffix in the OS X Finder, the system keeps the ".app" extension visible (for example, "TextEdit.pdf.app") so that it is clear only the name has changed and the file is still recognized as a program. This happens even if you have the Finder set to hide file extensions.
Of course, you can use the Terminal and some other services to change the name from ".app" to ".doc" or something else; however, doing so breaks the application package, which then appears as a standard folder.
To get around this, if you wanted to disguise a file, you could insert the Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) to defeat the system's automatic compensation for the name change, keeping the .app extension hidden while showing only the fake one. For example, copy an application such as TextEdit to your Desktop, and then edit its name to append ".pdf" to the end of it. When you do so, the system will append ".app" to the name as expected. Now revert the change so the name appears only as "TextEdit" with no extension.
After reverting the name, enable the OS X Character Viewer and open its panel from the input menu. With the panel open, search for "U+202E" to find the "Right-to-left override" character. It will not show up as a visible symbol, but it can be selected and inserted at the cursor position as a character. With this character ready, follow these steps:

1. Select TextEdit and press Enter to edit its name.

2. Move your cursor to the end and type a period to begin the suffix.

3. Double-click the invisible U+202E character in the Character Viewer panel to enter it.

4. Type "fdp" or "cod" ("pdf" and "doc" backward).

5. Press Enter again to apply the name change.

When you do this, the TextEdit application appears to have a ".pdf" extension because everything after the override character is drawn reversed, but its real name still ends in ".app" (hidden by the Finder) and it remains a valid application bundle. The result is a file that looks like a PDF by extension but runs as an application when opened.
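The following Python script is an added example, not code from the F-Secure or CNET write-ups, showing how a practitioner would check a list of file names for this trick. It models the Finder's behaviour in a simplified way (a trailing ".app" is hidden for bundles, and the text after a U+202E RIGHT-TO-LEFT OVERRIDE is drawn reversed), reports the extension the operating system will actually use, and flags any name that contains a Unicode bidi control character. The sample file names are constructed for the example; `rendered_name`, `assess` and `scan_names` are names chosen here, not OS APIs.

```python
"""Detect right-to-left-override (RTLO) file name spoofing.

Added example for this post; not part of the original article or of
any Apple or F-Secure tooling.  The Finder model is a simplification
and the sample names below are constructed, not real malware names.
"""
import unicodedata

# Unicode bidirectional controls that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character used in the trick

# Constructed sample directory listing (two spoofed bundles, two real docs).
SAMPLE_NAMES = [
    "TextEdit." + RLO + "fdp.app",      # shown as TextEdit.pdf, really .app
    "Quarterly report.pdf",
    "RecentNews." + RLO + "cod.app",    # shown as RecentNews.doc, really .app
    "notes.doc",
]


def true_extension(name: str) -> str:
    """Extension the OS actually uses: the text after the last '.'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rendered_name(name: str, hide_app: bool = True) -> str:
    """Approximate what the Finder displays.

    The Finder hides the .app suffix of bundles; a bidi renderer then
    draws everything after U+202E right-to-left, i.e. reversed for the
    plain ASCII suffixes used here.  With hide_app=False you get what a
    non-Finder view (e.g. a bidi-aware terminal) would show.
    """
    shown = name[:-4] if hide_app and name.lower().endswith(".app") else name
    if RLO not in shown:
        return shown
    head, _, tail = shown.partition(RLO)
    return head + tail[::-1]


def bidi_controls_in(name: str) -> list:
    """Human-readable names of any bidi control characters present."""
    return [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]


def assess(name: str) -> dict:
    """Compare the displayed extension with the real one for a single name."""
    shown = rendered_name(name)
    controls = bidi_controls_in(name)
    real_ext = true_extension(name)
    shown_ext = true_extension(shown)
    return {
        "name": name,
        "shown": shown,
        "true_ext": real_ext,
        "shown_ext": shown_ext,
        "controls": controls,
        # Spoofed: a bidi control is present AND the user sees a different
        # extension from the one the OS will act on.
        "spoofed": bool(controls) and shown_ext != real_ext,
    }


def scan_names(names) -> list:
    """Return the assessments of every name judged to be spoofed."""
    return [r for r in (assess(n) for n in names) if r["spoofed"]]


if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        print("displayed as %-22s real extension: .%s  (%s)"
              % (repr(r["shown"]), r["true_ext"], ", ".join(r["controls"])))
```

Running the script prints the two spoofed bundles with their real ".app" extension. Note the difference between views: with the Finder's hidden ".app", "TextEdit.\u202efdp.app" renders as "TextEdit.pdf", while a viewer that does not hide the extension renders it as "TextEdit.ppa.pdf", which is why the trick is far more convincing in the Finder than in a Terminal listing.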
Overall, this way of disguising programs does not constitute much of a threat on its own, especially if you have Apple's Gatekeeper feature set to allow only programs from the App Store or from an identified developer to run; however, F-Secure reports that the spoofing technique has been found in recent malware that is signed with a valid Apple developer ID, which is exactly the case Gatekeeper's default setting lets through until the ID is revoked.
F-Secure has given the new malware the name Backdoor:Python/Janicab.A. Using the technique described above, it tries to pass as something other than an application bundle. When run, the malware opens a decoy PDF document and then creates a "cron" entry to automatically launch Python scripts that attempt connections to remote command-and-control servers. The malware then attempts to upload screenshots and audio recordings to these servers.

As with prior malware signed with Apple developer IDs, Apple needs only to revoke the ID, after which Gatekeeper will flag the program as potentially problematic. Alternatively, if you wish to take more active measures to avoid interacting with rogue programs, you can go to the Security & Privacy system preferences and set Gatekeeper to allow only programs from the Mac App Store to run without explicit authorization.
This setting ensures that every program not vetted by Apple's App Store team is blocked the first time you open it from the Finder. To open such a program, you have to right-click it and choose "Open," confirm that you want to do this, and then authenticate to add an exception for that program to the Gatekeeper rules. Alternatively, you can set up custom Gatekeeper rules manually to accommodate other applications. Note that Gatekeeper only evaluates files carrying the quarantine attribute (such as downloads from a browser) on their first launch; from a Terminal, `spctl --assess --verbose /path/to/App.app` reports whether a given bundle would be accepted under the current policy.

Friday, July 5, 2013

Apple's iPhone 5 is the most hated handset

from dailymail.co.uk

  • The iPhone 5 was the most criticised handset on social networks 
  • One in five comments about the phone were negative following its launch
  • Samsung's Galaxy S4 received the least complaints on Twitter and blogs

Apple's iPhone 5 received the biggest customer backlash following its launch in 2012, according to new research.
One in five posts on social networks were critical of Apple's most recent handset, with the majority of people complaining about the introduction of a new power socket, the inaccuracy of Apple Maps and how similar the phone was to previous models.
Samsung's Galaxy S4 received the least complaints - just 11 per cent - according to figures from analysts We Are Social.

We Are Social scanned Twitter, blogs and forums following the launch of four major handsets - Apple's iPhone 5 in September 2012, Samsung Galaxy S4 in March this year, the BlackBerry Z10 launch event in January and Nokia's launch of the Lumia 920, first announced in September 2012.

The iPhone 5 came in for a barrage of complaints about everything from its lack of innovation to its new power connector and its mapping application. Apple replaced the 30-pin dock connector with the new Lightning port on the iPhone 5, which meant existing Apple users could not use their older chargers to charge the new device, and Apple then charged extra for an adapter.
Previous iPhones used a Google-powered mapping application, but this was replaced with Apple Maps on the iPhone 5. This led to complaints about misplaced landmarks, poor satellite images and wrong directions.

Less than a fortnight after the launch, Apple issued a statement apologizing for the frustration Apple Maps had caused customers and recommended they try alternative mapping apps.
There were also complaints about picture quality of photos taken on select iPhone 5s, with some customers saying there was a purple discolouration on images.
Other iPhone 5 owners were left angry when the coating on their handset chipped off, exposing bright aluminium underneath.