Showing posts with label Malware. Show all posts

Saturday, August 18, 2012

Scammers exploiting Winehouse, Norway tragedies

Originally posted 07/27/2011 on lubbockonline.com

Bill Brenner of CSO online reports that scammers are taking advantage of the death of Amy Winehouse and the tragedy in Norway. The attacks use social engineering to convince people to click on links that will infect their computers with malware.

It sounds paranoid, but you should be suspicious of any shared link. Crafting emails, tweets, and updates that let scammers hijack legitimate accounts to spread their (mal)wares has become both a science and an art. Even seasoned, super-suspicious security experts can find themselves hooked by a well-crafted scam. So be a little paranoid, and be a lot safer.

Saturday, March 24, 2012

New Mac Malware on Facebook, New Mac Defender bypasses Apple fix

Originally posted 06/02/2011 on lubbockonline.com

It's been a busy couple of days in the malware world.

New Mac and PC malware reported on Facebook

F-Secure reported "a significant malware" affecting both Macs and PCs circulating on Facebook, then reported that Facebook finally blocked it. I'm not sure how significant it really was - by the time I checked the Openbook link in F-Secure's initial post there were only two examples of the bogus links popping up, and the good folks at F-Secure couldn't manage to get infected by it even though they were trying. But if you should see messages or updates with the following subjects, don't click on the links:


At 17:00 GMT the attack changed subject line to:

one more stolen home porn video ;) Rihanna and Hayden Panettiere and…

Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna! Hot Lesbian Video - Rihanna And Hayden Panettiere !!


Apple in escalating war with Mac Defender?

On Tuesday, 05-31-11, Apple released Security Update 2011-003 for Mac OS X 10.6.7 and Mac OS X 10.6.7 Server. The update warns users when they download a known variant of Mac Defender and scrubs the malware from systems that have already been infected. It also has a daily update function that downloads definitions of new Mac Defender variants (and presumably of other malware that may pop up).

It's a good thing Apple had the foresight to make their fix upgradeable. On Wednesday, 06-01-11, a new variant of Mac Defender that bypasses the Apple fix appeared. I'm sure that by the time you read this, or no later than Friday, 06-03-11, an update will take care of the new variant, and a day or so later a 'fixed' Mac Defender will appear to bypass Apple's update. And so on, and so on, and so on. That's not a knock on Apple, it's just the way these things work. The attacked company, in this case Apple, cannot ignore the malware, and the malware authors aren't going to let Apple beat them. Not for a while, anyway.

I'm glad Apple has built a fix for the latest version of OS X, but I wonder if Mac Defender runs on earlier versions. Not just earlier versions of Snow Leopard, but Leopard and Tiger, too. There are a lot of people still using them, but Apple's just leaving them in the cold. Hopefully Apple will release a version for Leopard, at least.

Tuesday, March 20, 2012

New MacDefender variant doesn't ask for admin password to install

Originally posted 05/26/2011 on lubbockonline.com

If you use Safari, go to Safari > Preferences and select the General tab. Uncheck the "Open safe files" option (see image). If you surf the web in your admin account, create a normal user account and start using it. There is a new variant of Mac Defender that doesn't require an admin password to install if you are logged into an admin account. If you wind up at one of the bogus download sites while logged in as admin with "Open Safe Files" selected, it will install without asking your permission. Most Mac users still use the default account created when they first set up their Mac, and that is an admin account.


MacGuard is still a relatively low-risk piece of malware. Intego is rating it as a medium threat, but it's hard to say whether that's an over- or underestimate. It is a step up the threat scale from MacDefender: it won't just affect naive users who say OK to any dialog that pops up, because no dialog will pop up to OK.

It might be too early to say that if you run a Mac you need to run anti-virus, but if you're starting to get antsy about it, the free version of Sophos' Mac anti-virus protects against Mac Defender and I'm sure will be quickly updated to protect against MacGuard. And there are always the paid versions from Sophos as well as Symantec, Avast, and others.

This is not the end of the Mac experience as we know it, but it is the end of telling people there is no malware on the Mac. The good news for now is that all you have to do to protect yourself is do your everyday computing in a non-admin account and make sure you know what you're okaying before you click the blue button. And turning off the "open safe files" option in Safari wouldn't hurt.
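The two settings this post tells you to change can be audited from a terminal. The script below is an added example, not part of the original post; it assumes Safari stores the "Open safe files" setting under the key AutoOpenSafeDownloads in the com.apple.Safari defaults domain (Safari's default is on) and that administrators appear in the "admin" group printed by `id -Gn`.

```shell
#!/bin/sh
# Added example: audit the exposure described in the post, an admin account
# with Safari set to auto-open "safe" downloads. Assumed key: AutoOpenSafeDownloads.

# Interpret the raw value of the Safari "Open safe files" setting.
# Safari treats an unset key as enabled, so only an explicit 0/false is "off".
safe_files_status() {
  case "$1" in
    0|false|FALSE|no|NO) echo "off" ;;
    *) echo "on" ;;
  esac
}

# Given a space-separated group list (as printed by `id -Gn`),
# report whether the user is an administrator.
account_type() {
  for g in $1; do
    if [ "$g" = "admin" ]; then
      echo "admin"
      return 0
    fi
  done
  echo "standard"
}

# Combine both checks into a rating: admin plus auto-open is the
# silent-install case from the post; either alone is still worth fixing.
exposure() {
  if [ "$1" = "admin" ] && [ "$2" = "on" ]; then
    echo "HIGH"
  elif [ "$1" = "admin" ] || [ "$2" = "on" ]; then
    echo "MEDIUM"
  else
    echo "LOW"
  fi
}

# Live check only on macOS; on other systems the functions above can still
# be exercised with constructed input.
if [ "$(uname)" = "Darwin" ]; then
  raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
  acct=$(account_type "$(id -Gn)")
  open=$(safe_files_status "$raw")
  echo "account: $acct, open safe files: $open, exposure: $(exposure "$acct" "$open")"
fi
```

A HIGH result means the fix is the one the post gives: uncheck the option and move daily work to a standard account.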

Monday, March 19, 2012

Even Apple had to admit it: Mac Defender is real malware for the Mac.

Originally published 05/25/2011 at lubbockonline.com


Mac now has real malware. First announced May 2nd by Intego, it's similar to the numerous fake anti-virus and anti-malware programs on the Windows side. As far as danger goes, it's a standard scam to get your credit card number and other identifying information. Unlike some other trojan software, it doesn't do anything to your computer or the data on it.


Apple spent 3 weeks seemingly ignoring the problem, but on Monday they added a knowledge base article on avoiding or removing the malware. They are also preparing an OS update that will explicitly warn if a user downloads Mac Defender or one of its variants. They haven't said which versions of Mac OS will be getting the update, but hopefully they will cover all the affected OSes, not just OS X 10.5 and 10.6.

Warning a user that they're downloading malware is all well and good, but as time goes on and the list of malware grows, that could become pretty unwieldy. Hopefully, now that there is a piece of malware for OS X that is real, widespread, and effective at what it does, Apple will pay more attention to the reality that, like all other software, OS X is not bulletproof and needs serious attention paid to security.

Monday, July 25, 2011

Apple, Trojans, and FUD

Originally published 3/1/11 on lubbockonline.com/glasshouses


People seem to really enjoy finding any type of malware for Mac OS. In the decade since Apple introduced OS X there have been (barely) a handful of malicious programs written for it, but only one really had the potential to be serious. I wrote about OSX/Koobface.A because it was the first serious malware for OS X - or would have been if it hadn't been broken in porting and never fixed.

Now we have Blackhole RAT, which is being hailed as a new trojan for MacOS - again, a piece of malware that has been ported over from Windows.


But wait. What is Blackhole RAT? What does it do? By itself, Blackhole RAT is just another remote administration tool like VNC, Apple's Remote Desktop, or Microsoft's Remote Desktop. Sure, it allows someone to take over your computer across a network, but so do a host of other tools. Blackhole RAT isn't, by itself, malware. It has to be installed - probably using a trojan. It's not a trojan itself; it would be the soldier inside the horse. In the computer world, that's usually referred to as the "payload."


So should you be worried about Blackhole RAT on a Mac? I don't think so. Apple Remote Desktop is as much a concern. Before worrying about remote administration tools (RATs) you need to understand how many ways there are to install them on your system. On a Mac, the answer is, not many.

So why am I writing about a non-issue? Because so many reputable publications are, such as PCWorld and MacWorld. But they are spreading the FUD (Fear, Uncertainty and Doubt) rather than calm, reasoned information. Someone needs to be the voice of reason.

If you are concerned about malware, Sophos offers a free antivirus software for home use. But don't panic, the Mac universe is still relatively safe unless you're exploring the seamier side of the internet. If you're doing that, I hope you're already aware of the risks.

Friday, November 5, 2010

The first free anti-virus for OS X

On November 2nd PCMag.com reported that Sophos is releasing a free antivirus for the Mac. Other security companies are releasing software for the Mac, but Sophos is the only one to release free AV software.


The recent release of Koobface for Mac is only the latest malware designed for the Mac. It was dead on arrival, but that was most likely a coding error, so a virulent version could show up any time. Sophos' free software is available now and offers protection against Koobface and the other known Mac malware. There is a forum for discussing the software here and you can download it here.


There are still people who argue that anti-virus on a Mac is unnecessary. Well, that may be true for now, but that will soon change, as Koobface for Mac was a hair's breadth from being the real deal. Mac users can't afford to keep being complacent about malware.

Thursday, October 28, 2010

Welcome to the world of dangerous malware, OS X

We have another piece of malware for MacOS X. Once again, it had a few moments of fame, but is a dud because it doesn't actually do anything. But there is a difference this time, and that difference makes OSX/Koobface.A potentially a serious threat to Mac users.


Until now all of the malware created for OS X has been distributed through relatively limited channels. Compared to Facebook and Twitter, extremely limited channels. A few porn sites and a couple of infected pirated programs add up to next to no traction for Mac malware. But take a variant of a successful Windows trojan, write it in Java so it attacks all the major computing platforms, spread it through Facebook and/or Twitter, and you have malware gold. The only thing that prevented a major outbreak of MacOS malware was what appears to be a bug in the malware that prevents it from downloading the files that would infect the computer.


This piece of malware suffers from the same weakness any Mac malware has - the user has to OK the install. You hope that Mac users wouldn't be that careless, but the truth is Mac users are people, and a lot of people click through those dialogs without thinking.


With somewhere around 600,000,000 users on Facebook there should be about 60,000,000 Mac users. If only 10% of them allowed the trojan to be installed, that would be 6 MILLION infected Macs. Plus all the infected Windows computers, since it's a cross-platform piece of malware. All it will take is a bug fix and OSX/Koobface.A will be the first successful piece of OS X malware.


But even if it does get fixed you and I don't have to be victims. Don't click on links posted to your wall or twitter feed without verifying their authenticity. Don't authorize any installations that you don't initiate yourself.


It always feels like there should be a third item in the list. But those two will probably be enough. Until someone finds and uses an OS X exploit that allows privilege escalation.


If you want more details about all the things OSX/Koobface.A will do once it's fixed, check out Intego's writeup.

Friday, October 8, 2010

Is social media safe for work?

As we become ever more involved with Facebook, Twitter and the like it's becoming more common for companies to allow employees to access them online. But is that a wise decision? Both Facebook and Twitter have been hit by malware recently, and it is only expected to happen more often. Facebook is built on trust - a commodity that has to be earned in less open environments.

While social networks rely on people trusting each other, in a business environment a certain amount of paranoia can be a good thing. Clicking the wrong link or friending the wrong person can place a company's data and resources - even the most important resource, the customers - in jeopardy. Spam and phishing email rely on people's trusting nature. Facebook encourages it.

Companies often block websites that are known malware hosts. Many block, or used to block, Facebook, Twitter and other social networks. As they have become more popular and marketing departments see promotional opportunities, the demand for access at work has risen, and many companies have relaxed their policies. There are good and valid reasons for businesses to market on Facebook and other social networks, but is it necessary for them to allow all employees access to them?

Companies routinely block sites that are known to be dangerous or objectionable. Most also have provisions for employees who need to access those sites. The same could be done with social networks. It would make sense to allow access to social media only to those who need it as part of their job. That limits the exposure and can make it easier to track down the source of an infection.

As more companies allow unlimited access to social networks, it's only a matter of time before there is a major breach originating from social network access. The only question is when.