Tag Archive for F-Secure

RB | November 22, 2011
13 comments

Apple Security Update

Apple securityThe magical virus proof Apple operating systems have had a rough couple of weeks. Apple (AAPL) released security updates for OS X Lion and Snow Leopard, iOS, Numbers for iOS and Pages for iOS.

Mac OS X LionUK-based security company Sophos says that the OS X patch addressed 75 known vulnerabilities. Most of the vulnerabilities could lead to arbitrary code execution, while others lead to denial of service or privilege escalation. The bug fix weighs in at a whopping 880MB with recovery download.

Next Apple released a gargantuan update to iTunes for Windows that fixes 79 vulnerabilities. Sophos reports that the patch fixes 73 holes that could cause remote code execution in WebKit, used to render HTML content. Other fixes resolve remote code execution bugs.

SophosDespite the huge patches, cybercriminals have figured out how to disable the rudimentary anti-virus protection XProtect Apple has built into Mac OS X by enhancing an existing trojan horse Flashback.The Flashback trojan leaves the Mac vulnerable by preventing XProtect from receiving security definition updates. Sophos makes the points out that Mac malware writers are eager to infect Apple computers because of the potential financial rewards.

TsunamiThe Mac malware authors are not resting on their laurels. Within days, of spotting Flashback in the wild, Sophos reported that Tsunami, a new backdoor trojan horse for Mac OS X, had been discovered. Sophos indicates that the new Mac malware may be a port of Kaiten, a Linux backdoor Trojan horse that uses an IRC channel for instructions.

Code like this is used to commandeer compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic. ESET notes that as well as enabling DDoS attacks, the backdoor can enable a remote user to download files, such as more malware or updates to the Tsunami code.  The malware can also execute shell commands, giving it the ability to essentially take control of the affected Mac.

Mac DevilRobber Trojan horseOnly a few more days passed before the DevilRobber (Miner-D) Mac OS X Trojan horse was discovered. DevilRobber was embedded in hacked versions of Mac OS X image editing app GraphicConverter version 7.4 distributed via file-sharing torrent sites such as PirateBay. Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time. GPUs are better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.

Sophos reports that in addition to Bitcoin mining, Miner-D also spies on its victim by taking screen captures and stealing usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), Safari browsing history, and .bash_history. To complete the assault – if the malware finds the user’s Bitcoin wallet it will also steal that.

F-SecureDevilRobber was recently been updated according to F-Secure researchers. F-Secure researchers point out that the newly discovered Trojan is the third iteration of the malware and that it poses as the popular image-editing app PixelMator.

Help Net Security says this version of DevilRobber has new features that the original version is lacking. It tries to harvest the shell command history, the system log file and the contents of 1Password, the popular software for managing passwords. Unfortunately, its Bitcoin mining and stealing capabilities are still there, as well.

Email protectionrb-

So despite Apples continued instance that Apples do not need anti-malware software standard malware prevention techniques apply to Macs. Clearly, Mac users like their Windows cousins should practice safe computing. some of the safer computing practices include

  1. Never open an email attachment unless you are POSITIVE about the source.
  2. Do NOT click on any pop-up that advertises anti-virus or anti-spyware software especially a program promising to provide every feature known to humanity.
  3. Use an AntiVirus program. A free one is better than none. There are several free versions that work well, like Microsoft Security Essentials which is also free has had good reviews.
  4. Keep your OS and AV updated. Make sure that you install those important updates. An out of date antivirus program does not help in detecting new infections.
  5. Use a personal firewall. Use a firewall between your DSL router or cable modem and computer will protect you from inbound attacks.A software firewall on the computer can protect you from both inbound and outbound attacks.
  6. Do NOT download freeware or shareware unless you have must. These often come bundled with spyware, adware or fake anti-virus programs. Be especially wary of screensavers, games, browser add-ons, peer-to-peer (P2P) clients, and any downloads claiming to be “cracked” or free versions of expensive applications.
  7. Avoid questionable websites. Some sites may automatically download malicious software onto your computer.
  8. Browse responsibly. Sometimes you might not even have to download and install something but just open a website in your browser for a rogue program to infect your computer. So be careful where you go when you are browsing.
  9. Pay attention to your incoming e-mails. Some of them can contain viruses or content pointing to malicious sites. Don’t click on links provided by false institutes that invite you to change password or similar.
  10. “Phishing” describes scams that attempt to acquire confidential information such as credit card numbers and passwords by sending out e-mails that look like they come from real companies or trusted people. If you happen to receive an e-mail message announcing that your account will be closed, that you need to confirm an order, or that you need to verify your billing information, do not reply to the e-mail or click on any links. If you want to find out whether the e-mail is legitimate, you can go to their website by directly typing their address into your browser or by calling them.

Related articles

Category: Security | Tags: , , , , , , , ,
RB | April 2, 2011
No comments

Adobe Notes

Malicious PDF Files Becoming the Attack Vector of Choice

Adobe PDF ZDNet points out a report from Symantec’s MessageLabs that malicious PDF files outpace other malicious attachments used in targeted attacks and now represent the attack vector of choice for malicious attackers compared to media, help files, HTMLs and executables.

The report says that office-based file formats are a popular and effective choice used in some targeted attacks. Cybercriminals attempt to bypass spam and email filters by distributing the ubiquitous PDF that’s often allow to pass through these layers of protection. In 2009, about 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010, an increase of 12.4%. MessageLabs Intelligence Senior Analyst, Paul Wood says,

PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware

Adobe Posts Its First Billion-Dollar Quarter

AdobeThe New York Times reports that the software maker Adobe posted its first $1 billion quarter in Q4-2010. Revenue rose 33 percent to $1.01 billion from $757 million last year. Adobe, which is based in San José, CA makes Photoshop, Acrobat and Flash software.

Targeted attacks exploiting PDF bugs are soaring

Help Net Security reports that Adobe is having a hard time fighting its bad reputation when it comes to products riddled with vulnerabilities. Help Net Security references a report from F-Secure’s Lab which says that Adobe Reader exploits are becoming the weapon of choice for many cybercriminals.

F-SecureThis makes patching and updating eminently important. As an example the latest critical vulnerability (CVE-2010-0188) which Adobe warned users to update the software to the latest version. Users who missed the memo are vulnerable, F-Secure (FSC1V) warns it is being exploited in the wild.

Upon loading the PDF file, an embedded executable is dropped on the victim’s hard disc and it immediately tries to connect with tiantian dot ninth dot biz to download other files.

F-Secure has warned long ago about security problems plaguing Adobe’s most famous software. The security firm has even advised users to start using an alternative PDF reader. According to Help Net Security Adobe’s, decision to schedule their updates to follow Microsoft’s Patch Tuesday is a step in the right direction.

Malicious PDF spam with Sality virus

Help Net Security highlightsSophos warning that a malicious email containing the following text has been dropped into inboxes around the world:

Hey man..
Remember all those long distance phone calls we made.
Well I got my telephone bill and WOW.
Please help me and look at the bill see which calls where yours ok..

SophosYou surely don’t remember such an occurrence or the sender of the email, since this is just a ploy to make you open the PhoneCalls.pdf attachment, but don’t let your innate curiosity get the better of you.

The attached file  can exploit a vulnerability in how Adobe Reader handles TIFF images, and proceeds to download and execute a Trojan that loads the Sality virus into your system’s memory. The virus then proceeds to append its encrypted code to executable files, deploys a rootkit and kills anti-virus applications.

Sophos reminds everyone that opening documents attached to unsolicited emails is like the online equivalent of Russian roulette – the odds are stacked heavily against you.

Adobe, The New King Of Security Holes

Enigma SoftwareInformation Week reports that Microsoft (MSFT) has spent more than a decade improving its secure software development and its response to security exploits. As a result, Microsoft is losing the lead in security vulnerabilities and being replaced by Adobe (ADBE).

With Microsoft’s improved response to security holes, the pickings in Windows itself are getting slimmer. Attackers don’t have brand loyalty, so they’ve moved on to another company with lots of PC installed base: Adobe. Security holes are being exploited in Adobe Reader and Illustrator . Adobe makes this problem worse because it has been bundling unwanted applications and their AIR software platform with their free applications like Adobe Reader. Adobe is looking to create an attractive installed base for their developers, but they are also creating an attractive attack surface for the bad guys.

Protecting yourself from Adobe’s security holes can be difficult.  There are non-Adobe solutions such as Foxit Reader, which is much faster and lighter than Adobe Reader but has had problems with  PDF documents with editable fields. InfoWeek provided some specific tips that may help avoid security problems.

  • Uninstall any Adobe Reader version earlier than 9,  and install version 9.
  • With ver. 9 go to the Edit/Preferences menu. Make sure that Security(Enhanced) is turned on; (Adobe ships it turned off).
  • Launch the Updater and be sure you’re checking for updates, install updates ASAP.
  • Go to Trust Manager and uncheck the option for “Allow opening of non-PDF file attachments.”
  • Finally, unless you know you need Javascript in your Acrobat documents, disable Javascript.
  • RB- Don’t go to ver. 10, I hate it.
Category: Malware, Security | Tags: , , , , , , , , ,
RB | December 21, 2009
No comments

Bots Attacking Servers

malware fsecureWeb servers, FTP servers, and even SSL servers are becoming prime targets for botnet operators, not as command and control servers says Mikko Hypponen, chief research officer at F-Secure, in a recent DarkReading article, “but in some cases to execute high-powered spam runs.

Botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth says Joe Stewart, director of malware research for SecureWorks. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,” Stewart told DarkReading. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.”

ftp Marc Maiffret, chief security architect at FireEye says he expects trusted and legitimate Websites will start to become the source of the majority of Web attacks in 2010. “I think that the focus there on servers is really again more to help more easily infect a larger number of desktops,” Maiffret says.”You can think of this SQL/Web-spread vector as the modernized version of what use to happen with email and such many years ago.”

“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for Biscom. “FTP is being used to transfer bot code to other machines, servers, and users,” Ho says. “If the FTP server is not secured properly and an FTP site has access to other parts of the system with vulnerabilities, the attacker can install [malware] at that location and infect and compromise that server.”  Paul French, vice president of products and solutions marketing for Axway laments that. “FTP is pretty ubiquitous … The reality is that FTP has been around long enough for people to know the risks associated with it. But sometimes convenience outweighs good IT security [practices].”

ssl“Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads” according to Hyppomen.

Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, DarkReading concludes.

Category: Malware, Security | Tags: , ,
 

Switch to our mobile site