Category: Security
November 23rd, 2009
New iPhone worm found in the wild

On November 2 a hacker used port scanning to find jailbroken iPhones running SSH on T-Mobile’s Netherlands network, logged in with the unchanged default root password, and changed the wallpaper to a message demanding a 5 Euro ransom.
On November 7 another piece of malware, dubbed ikee, “rickrolled” compromised iPhones by changing the wallpaper to a picture of Rick Astley (pictured).
Today a new, more nefarious worm that attacks jailbroken iPhone and iPod touch devices has been discovered. According to Sophos, this latest worm came to light when a Dutch ISP reported unusual amounts of data traffic. Slashdot posted a link to a translation of a Dutch security blog post with more details.
There are some significant differences from the 5 Euro scam, the most notable being that this worm has command-and-control like a traditional PC botnet. It installs two startup scripts: one runs the worm at boot, and the other opens an HTTP connection to a server in Lithuania to upload stolen data and hand control of the device to the bot master.
Security.nl reports that the worm also changes the SSH root password, which makes it harder for the owner to get back in and stop it.
The worm scans IP ranges belonging to a larger set of ISPs, including UPC (Netherlands), Optus (Australia) and T-Mobile (in several countries). When an infected device is on a WiFi connection it can reach, and spread to, far more addresses than it could over a typical 3G connection.
It is difficult to tell whether an iPhone has been compromised, but one symptom is that battery life becomes very short when the device is connected to WiFi, because the worm’s scanning generates so much network activity. The recommended way to remove the malware is to restore Apple’s factory firmware using iTunes.
If you have jailbroken your phone and run SSH, change the default root password, and do not leave the SSH daemon running on a network you do not control.
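The worms above found their victims by scanning address ranges for anything answering on TCP port 22. The same check, turned around, tells you whether a device on your own network is exposed. The script below is an added example and is not code from the original post or from any of the malware described: it connects, reads the SSH version banner and disconnects, and never attempts a login. The fake listener and the addresses used are constructed so it can be exercised offline.

```python
"""Audit a CIDR block for hosts that answer on TCP/22 with an SSH banner.

Added example, not code from the post. It only completes the TCP handshake
and reads the server's identification string (RFC 4253); it never tries to
authenticate. start_fake_sshd() is a stand-in for a jailbroken phone so the
script can be run without touching a real network.
"""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port=22, timeout=1.0):
    """Return the SSH identification string a host sends, or None if the
    port is closed or filtered or the service does not speak SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(256)
    except OSError:
        return None
    # An SSH server speaks first: "SSH-protoversion-softwareversion\r\n".
    if not banner.startswith(b"SSH-"):
        return None
    return banner.split(b"\r\n", 1)[0].decode("ascii", "replace")


def audit(network, port=22, timeout=1.0, workers=64):
    """Probe every host address in a CIDR block in parallel and return
    {ip: banner} for the hosts that answered with an SSH banner."""
    net = ipaddress.ip_network(network, strict=False)
    hosts = [str(ip) for ip in net]
    if net.num_addresses > 2:
        hosts = hosts[1:-1]  # drop the network and broadcast addresses
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: probe(h, port, timeout), hosts)
        for ip, banner in zip(hosts, results):
            if banner:
                found[ip] = banner
    return found


def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_5.1\r\n"):
    """Throwaway listener on 127.0.0.1 that sends one banner per connection
    and hangs up (constructed stand-in for an exposed phone). Returns the
    port it chose."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a local port that nothing is listening on (for the demo)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_fake_sshd()
    # The demo stays on this machine; point audit() at your own LAN
    # (for example "192.168.1.0/24" on port 22) to look for exposed devices.
    for ip, banner in audit("127.0.0.1/32", port=port).items():
        print(f"{ip} exposes SSH: {banner}")
```

A host that shows up here with a stock jailbreak SSH banner is exactly what the worm was looking for; the fix is the one above, change the password and stop the daemon, not to hide the banner.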
September 10th, 2009
Mac OS 10.6.1 released, squashes 9 Flash vulnerabilities (updated)
Apple tonight released Mac OS 10.6.1 (build 10B504) via Software Update.
The 74MB update (download page) fixes several bugs, as noted below, and includes “general operating system fixes that enhance the stability, compatibility, and security of your Mac.”
Bug fixes mentioned in the release notes include:
- compatibility with some Sierra Wireless 3G modems
- an issue that might cause DVD playback to stop unexpectedly
- some printer compatibility drivers not appearing properly in the add printer browser
- an issue that might make it difficult to remove an item from the Dock
- instances where automatic account setup in Mail might not work
- an issue where pressing cmd-opt-t in Mail brings up the special characters menu instead of moving a message
- Motion 4 becoming unresponsive
On the security side of things, Apple’s 10.6.1 update patches several critical Flash bugs. Our own Ryan Naraine reports that 10.6.1 fixes an issue with the version of Flash Player that shipped with 10.6.0, which was found to have nine different vulnerabilities, the most serious of which could lead to a complete takeover of the machine via a rigged Web page.
Apple recommends that all users running Snow Leopard install 10.6.1 immediately, but I’d give it at least 72 hours to marinate, especially if you’re running mission-critical software.
UPDATE: For users not running 10.6, Apple separately shipped Security Update 2009-005, which fixes several “arbitrary code execution” vulnerabilities and includes the patched Flash Player plug-in mentioned above.
August 27th, 2009
Apple confirms malware protection in Snow Leopard (Updated)
Although it’s not advertised on any of its Snow Leopard pages, Apple has confirmed a report by Ryan Naraine on his Zero Day blog that Mac OS 10.6 includes malware protection. As it turns out, it’s not entirely new.
Naraine notes that Apple’s new malware blocker, discovered by Intego, appears to be scanning installation packages for signs of known Mac malware.

In this screenshot Snow Leopard flagged a Trojan horse called “OSX.RSPlug.A”
Few details are available about how Apple handles the package scans, but Naraine has confirmed that Apple is not using the open-source ClamAV engine, which suggests Apple may have licensed the technology from a commercial anti-virus company.
Yesterday The Loop confirmed that Snow Leopard uses Apple’s File Quarantine technology to check files downloaded by Safari, iChat and Mail against known malware signatures; the quarantine mechanism itself first appeared in Mac OS X Leopard (10.5). When malware is found, Snow Leopard recommends moving the file to the trash, as seen in the Intego screenshot above. Snow Leopard is also able to download updated malware signatures via Software Update.
It’s ironic that Apple is promoting the Mac’s immunity to malware at the same time as they add OS-level scanners for it.
Update: 9to5Mac (via Dancho Danchev) reports that the malware protection in Snow Leopard takes the form of an XProtect.plist file containing five signatures, including two for the most widespread Mac OS X trojan horses, OSX.RSPlug and OSX.Iservice. It is only an initial step, but Apple can push new signatures as new malware appears using the Software Update plumbing built into Snow Leopard.
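Put together, the two reports describe a simple design: a file that arrives through Safari, Mail or iChat is tagged as quarantined, and at open time its bytes are compared against a short list of signatures keyed by file type. The model below is an added example, not Apple’s code and not the real XProtect.plist. The plist layout (Description, LaunchServices content type, and Matches entries with a hex Pattern) is my assumption about the file’s shape, the two signatures and the sample bytes are constructed for the demo, and the quarantine flag is read through the standard com.apple.quarantine extended attribute.

```python
"""Toy model of File Quarantine plus an XProtect-style signature list.

Added example, not Apple's implementation. The plist shape is assumed; the
signatures, content types and sample data are constructed. On macOS the
quarantine flag is the com.apple.quarantine xattr; elsewhere it is absent.
"""
import plistlib
import subprocess
import sys

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed signature list in the assumed XProtect.plist shape. Patterns
# are hex strings that must appear verbatim in the file's bytes.
SIGNATURES_PLIST = plistlib.dumps([
    {
        "Description": "OSX.RSPlug.A",
        "LaunchServices": {"LSItemContentType": "com.apple.installer-package-archive"},
        "Matches": [{"MatchType": "Match", "Pattern": b"RSPLUG-DEMO-MARKER".hex().upper()}],
    },
    {
        "Description": "OSX.Iservice",
        "LaunchServices": {"LSItemContentType": "public.unix-executable"},
        "Matches": [{"MatchType": "Match", "Pattern": b"iWorkServices".hex().upper()}],
    },
])


def load_signatures(plist_bytes):
    """Parse the signature plist into (name, content type, [byte patterns])."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        uti = entry["LaunchServices"]["LSItemContentType"]
        patterns = [bytes.fromhex(m["Pattern"])
                    for m in entry["Matches"] if m["MatchType"] == "Match"]
        sigs.append((entry["Description"], uti, patterns))
    return sigs


def is_quarantined(path):
    """True if the file carries the quarantine xattr (macOS only; uses the
    xattr(1) tool, which lists attribute names one per line)."""
    if sys.platform != "darwin":
        return False
    out = subprocess.run(["xattr", path], capture_output=True, text=True)
    return QUARANTINE_XATTR in out.stdout.split()


def scan_bytes(data, uti, sigs):
    """Names of signatures whose content type matches and whose every
    pattern occurs somewhere in the data. Exact substring match only."""
    return [name for name, sig_uti, patterns in sigs
            if sig_uti == uti and all(p in data for p in patterns)]


def check_download(data, uti, quarantined, sigs):
    """The gate the reports describe: only quarantined files get scanned."""
    if not quarantined:
        return []
    return scan_bytes(data, uti, sigs)


if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES_PLIST)
    pkg = b"\x00Manifest.plist\x00RSPLUG-DEMO-MARKER\x00"       # constructed sample
    print("quarantined .pkg:", check_download(pkg, "com.apple.installer-package-archive", True, sigs))
    print("same bytes, not quarantined:", check_download(pkg, "com.apple.installer-package-archive", False, sigs))
    # One changed byte in the marker and the signature no longer fires.
    print("one byte changed:", scan_bytes(pkg.replace(b"MARKER", b"MARKEr"),
                                          "com.apple.installer-package-archive", sigs))
```

The last two lines of the demo are the point of the “initial step” caveat: a file that reaches the disk by any path other than the quarantining apps is never scanned, and a one-byte change to a known sample defeats an exact-match pattern, so the signature list has to be refreshed for every variant.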
August 5th, 2009
Security software maker PC Tools enters Mac market with antivirus utility
[Aug. 5, 2009, 5:46 PM PDT. Holy Deja Vu, Batman!! This iAntiVirus press release was received on Wed. but without a date in its copy. Now I find that it has been out in the wild before — in January. Doh! Very sorry for the redundant "news." David M.]
PC Tools on Wednesday released iAntiVirus, which offers both real-time and on-demand scanning protection, the company said. The software is offered as a free download, and an individual license costs $29.
The company says the software removes threats in the background with little impact on system performance.
The software targets only Mac threats, the company said, which keeps the footprint and resource usage low.
Here are some of its features:
A variety of scan options
iAntiVirus offers a variety of scan types, which lets you strike a balance between the time a scan takes and its thoroughness.
Real-time protection
IntelliGuard protects your Mac against infections in real time. Whenever an infection is detected and blocked, an alert is displayed below the system menu bar. IntelliGuard automatically places detected infections in quarantine, works silently in the background and uses minimal system resources.
Quarantine
iAntiVirus quarantines all detected infections, allowing you to easily view and restore items in the case of a false positive (for example: when scanning with engine heuristics set to high).
Automatic Smart Updates
Frequent updates that detect and guard against new threats, as well as enhancements to iAntiVirus itself, are automatically downloaded and installed through the Smart Update function. Threat signatures are updated within hours of a high-risk malware outbreak to protect you from the latest online threats.
Low resource usage
In monitoring mode iAntiVirus works silently in the background; threats are blocked and removed with negligible system impact, and only a small alert window is displayed to advise you that your Mac has been protected against an attack.
The company says it “employs over 250 people in Australia, China, USA, UK, Ireland and Ukraine.” It offers a number of PC security tools including Spyware Doctor and Registry Mechanic.
July 8th, 2009
Safari 4.0.2 patches two security vulnerabilities
Apple yesterday released Safari 4.0.2 via Software Update and recommends the update for users on all platforms.
According to Apple’s typically vague “release notes,” the 40.2MB update improves the stability of the Nitro JavaScript engine and includes the latest compatibility and security fixes.
According to knowledge base article HT3666, the update addresses two security vulnerabilities that could be exploited by maliciously crafted Web sites.
The first fix addresses a problem in WebKit’s handling of the parent and top objects (the window references a frame uses to reach the frames that enclose it), which could result in a cross-site scripting attack when visiting a maliciously crafted Web site. The second addresses a memory corruption issue in WebKit’s handling of numeric character references; visiting a maliciously crafted Web site could lead to an unexpected application termination or arbitrary code execution.
If you use Safari 4 as your primary browser the update is highly recommended.
July 2nd, 2009
iPhone executes SMS binary code as root
A security flaw has been discovered in the iPhone OS that could allow attackers to gain root access to the device and install and execute malicious programs at will.
Charlie Miller announced the discovery of the vulnerability during a presentation at the SyScan conference in Singapore on Thursday. DailyTech explains:
The iPhone apparently automatically executes binary code sent in SMS messages. Messages are limited to 140 bytes, but this is little deterrence as longer programs can be broken up into several messages, which the phone automatically reassembles. While other applications such as the Safari browser on the phone only enjoy access to their sandbox, the SMS system is automatically granted root access, and SMS commands execute as root.
Miller wouldn’t provide specific details or demonstrate the vulnerability, saying that he has entered into an agreement with Apple. He would only say, “SMS is a great vector to attack the iPhone.”
Update: Apple said that it will release a fix by the end of July, and Miller has agreed to hold off on releasing details of his attack until then. He will present the attack at the Black Hat USA 2009 conference, which runs July 25-30 in Las Vegas. Miller is the author of The Mac Hacker’s Handbook.
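The one mechanism the post does describe is concatenation: a payload longer than one message’s 140-byte user data is sent as several messages that the handset stitches back together, and that reassembly code runs before anything else looks at the bytes. The following is an added example, not Miller’s attack and not Apple’s code. It implements the public concatenation header from 3GPP TS 23.040 (IEI 0x00 with an 8-bit reference, IEI 0x08 with a 16-bit one) and the checks a reassembler has to get right: header bounds, out-of-range sequence numbers, duplicate parts and conflicting part counts. The sample messages are constructed; the sender-side splitter exists only to produce them.

```python
"""Concatenated-SMS user data parsing and reassembly (3GPP TS 23.040 UDH).

Added example, not the iPhone's implementation. Each message's user data is:
  UDHL | IE... | payload, where an IE is IEI | IEDL | IE data.
Concatenation IEs: IEI 0x00 -> ref(1) total(1) seq(1); IEI 0x08 -> ref(2)
total(1) seq(1). seq is 1-based. Sample messages are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_UD_OCTETS = 140  # user data limit of one 8-bit-coded SMS


@dataclass(frozen=True)
class Part:
    ref: int
    total: int
    seq: int          # 1-based position in the sequence
    payload: bytes


def parse_ud(ud: bytes) -> Tuple[Optional[Part], bytes]:
    """Parse one message's user data (UDHI set). Returns (Part, payload) if a
    concatenation IE is present, else (None, payload without the header).
    Raises ValueError on any header that would read out of bounds."""
    if not ud:
        raise ValueError("empty user data")
    if len(ud) > MAX_UD_OCTETS:
        raise ValueError("user data exceeds 140 octets")
    udhl = ud[0]
    if 1 + udhl > len(ud):
        raise ValueError("UDHL runs past end of user data")
    header, payload = ud[1:1 + udhl], ud[1 + udhl:]
    concat = None
    i = 0
    while i < len(header):
        if i + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[i], header[i + 1]
        body = header[i + 2:i + 2 + iedl]
        if len(body) != iedl:
            raise ValueError("IE length runs past end of header")
        i += 2 + iedl
        if iei == 0x00 and iedl == 3:
            ref, total, seq = body
        elif iei == 0x08 and iedl == 4:
            ref, total, seq = int.from_bytes(body[:2], "big"), body[2], body[3]
        else:
            continue  # some other IE (port addressing etc.); skip it
        if total == 0 or not 1 <= seq <= total:
            raise ValueError("bad concatenation indices")
        concat = Part(ref, total, seq, payload)
    return concat, payload


class Reassembler:
    """Buffers parts per (sender, reference) and releases the message only
    when every sequence number 1..total has arrived exactly once."""

    def __init__(self) -> None:
        self._buf: Dict[Tuple[str, int], Dict[int, Part]] = {}

    def feed(self, sender: str, ud: bytes) -> Optional[bytes]:
        part, payload = parse_ud(ud)
        if part is None:
            return payload                      # single-part message
        key = (sender, part.ref)
        parts = self._buf.setdefault(key, {})
        if part.seq in parts:
            raise ValueError("duplicate part %d for ref %d" % (part.seq, part.ref))
        if parts and next(iter(parts.values())).total != part.total:
            raise ValueError("conflicting part count for ref %d" % part.ref)
        parts[part.seq] = part
        if len(parts) < part.total:
            return None                         # still waiting
        del self._buf[key]
        return b"".join(parts[n].payload for n in range(1, part.total + 1))


def split_for_sms(data: bytes, ref: int) -> List[bytes]:
    """Constructed sender side: split data into 8-bit-reference parts, each
    within the 140-octet limit (6 header octets + up to 134 of payload)."""
    room = MAX_UD_OCTETS - 6
    chunks = [data[i:i + room] for i in range(0, len(data), room)] or [b""]
    return [bytes([5, 0x00, 3, ref, len(chunks), n + 1]) + c
            for n, c in enumerate(chunks)]


if __name__ == "__main__":
    blob = bytes(range(256)) * 2                # 512 bytes -> 4 parts
    msgs = split_for_sms(blob, 0x2A)
    r = Reassembler()
    for m in reversed(msgs):                    # arrival order does not matter
        out = r.feed("+15551234567", m)
    print("reassembled OK:", out == blob)
```

Every `raise` above is a place where a parser that trusts the header instead would index past a buffer; that is the kind of code that runs with the privileges of the messaging daemon, which is why the post’s point about SMS being a high-value vector holds regardless of the specifics Miller withheld.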
April 20th, 2009
Mac botnet being used in DDOS attacks
Back in January, pirated copies of iWork ‘09 shared on P2P networks were found to contain a trojan horse called “iWorkServices.” The malware author simply added a malicious binary to the trial version of the software package.
ZDNet’s own Ryan Naraine in “iBotnet” notes that researchers at Symantec claim that the resulting botnet of thousands of Macs is already being used for nefarious purposes.
Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine.
The symptom of an infected Mac is a PHP script, running as root, launching attacks against an unknown Web site as described in this blog entry. It’s being described as the “first real attempt to create a Mac botnet.”
The scariest part of Naraine’s piece comes at the end:
“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers added.
I guess the lesson here is to avoid downloading illicit software from P2P sites and to scan your Mac ASAP if you’ve been, ahem, promiscuous in your choice of software distribution systems.
Image: joseloya’s Flickr photostream
March 25th, 2009
Charlie Miller: Macs lacking in security
Charlie Miller, the man who took down MacBooks at the 2008 and 2009 Pwn2Own hacking competitions, shares his thoughts on OS security, Pwn2Own, and why Macs are lacking in security in an interview with Tom’s Hardware:
In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred.
Asked which he would recommend, Mac, PC or Linux, Miller responded:
I’ll leave Linux out of the equation since I know my grandma couldn’t run it. Between Mac and PC, I’d say that Macs are less secure for the reasons we’ve discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn’t much malware out there. For now, I’d still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.
It’s a good read.
Photo: Tom’s Hardware
January 27th, 2009
MacScan releases free Mac trojan removal tool
With the arrival of yet another trojan targeting the Mac, SecureMac, the vendor behind the MacScan antispyware tool, on Tuesday updated and renamed its trojan removal tool.
The previous version was called the iWorkServices Trojan Removal Tool; SecureMac has renamed the program the iServices Trojan Removal Tool. The company said the updated tool is still a free download and detects and removes the new variant of the trojan found in pirated copies of Adobe Photoshop CS4 for Mac OS X.
The trojan is working its way around various P2P networks, using various packages as the infection vector. The first version was discovered in copies of iWork ‘09, which was introduced at Macworld Expo earlier this month.
According to MacScan:
Like its predecessor, variant B obtains root privileges, and notifies the remote host of the infected computer’s location on the Internet. It is recommended users avoid downloading pirated copies of these programs. What’s more, it is anticipated that new variants will be discovered in the coming months in other software packages distributed by third parties over the Internet.
January 22nd, 2009
Pirated version of iWork '09 may contain a Trojan
A pirated version of iWork ‘09 linked on The Pirate Bay allegedly contains a Trojan Horse called “iWorkServices.”
Some have claimed that iWorkServices is a legitimate part of the software designed to interface to the forthcoming iWork.com online service. I looked at Activity Monitor while running retail copies of Pages ‘09 and Numbers ‘09 and didn’t see an entry for iWorkServices.
If you have installed the pirated version of iWork ‘09, first, shame on you. Second, one commenter claims that the trojan can be removed with the following commands:
1) (open Terminal.app)
2) sudo su                                           # become root; enter your login password when prompted
3) rm -r /System/Library/StartupItems/iWorkServices  # the startup item that launches the trojan at boot
4) rm /private/tmp/.iWorkServices                    # hidden temp file the trojan leaves behind
5) rm /usr/bin/iWorkServices                         # the trojan binary itself
6) rm -r /Library/Receipts/iWorkServices.pkg         # installer receipt for the rogue package
7) killall -9 iWorkServices                          # stop the running process (harmless if it is not running)
Calls to Apple to confirm have not been returned.
Jason D. O'Grady is the editor of PowerPage.org, which has been publishing daily mobile technology news since December 1995. For disclosures on Jason's industry affiliations, click here or to view Jason's full profile click here.