Tuesday, April 17, 2012

Security Smorgasbord, vol 4 no 2

Malware in Macland

More Mac OS X trojan activity:
Last week, Apple released two urgent updates to Mac OS X to:

1. Remove the Flashback malware about which we have already written

2. Automatically deactivate the Java browser plugin and Java Web Start, effectively disabling Java applets in browsers

Particularly, the second step shows the severity of the CVE-2012-0507 vulnerability exploited by Flashback to infect almost 700,000 users via drive-by malware downloads.

Actually, it was the right decision because we can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.
Apple has been pretty immune to this sort of thing in the past, while their market share was too small to attract the attention of the Bad Guys.  Those days are over.  loadlin, baby!

Malware in Androidland

Borepatch's First Law of security is that "free download" is Intarwebz speak for "open your mouth and close your eyes".  We've seen malware in the Android app store, and that doesn't look like it's changing:
Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet–but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android.
It grabs the Android device ID, the phone number, your contacts list, etc., and beams it to somewhere on the 'net.  Seems over 70,000 people have downloaded it.  Me, I don't use apps.

Malware in Google Chrome browser extensions

Google has a web store for extensions to their Chrome browser.  Guess what showed up in the store?
Crooks have found a new venue to push malware: the official Google Chrome Web Store. It was recently used to hawk Chrome browser extensions secretly hijacking users' Facebook profiles.

According to Kaspersky Lab expert Fabio Assolini, one malicious extension hosted on Google's own servers contained hidden code that "can gain complete control" of the user's Facebook profile. The extension then used that access to spread malicious messages and register Facebook Likes for certain items, also inviting fellow users to install it. The same operators advertised a service that delivered Likes of companies looking to promote their profiles. It costs about $27 per 1,000 Likes.
Notice a common thread here?  Security - it's not just a good idea.  It's Borepatch's Law.

4 comments:

R.K. Brumbelow said...

I use OpenDNS and it has been quite good at locking out the drive by payloads. Plus, it is helpful from an accountability perspective as well.

Apple's fix has been to disable Java in Safari, which I tend to do by default anyways. I have a sandbox with Java enabled for when I need it.

Oh and as a first-time poster, thanks for all your posts.

kx59 said...

So, now that apple has gotten all embiggenified again, they've attracted the attention of the hackers.
Let's hope that linux stays small.
I have to wonder what the endgame of these malcontents is. To kill the computer industry completely?
Oh, wait, it should all be free...
What do they plan on doing with themselves after success? Where will they get their free porn?
I'll be passing this on to my daughter, the family heretic mac owner btw.

Borepatch said...

R K Brumbelow, that's quite a good idea. Although there's quite a lot of Java out there. Personally, I'd lock out JavaScript as well, except that would entirely break the Internet.

Thanks for stopping by, and leaving a comment.

kx59, they're (a) looking for online banking credentials, (b) looking for credit card and verification code, or (c) assembling a spam botnet. It's nothing personal, it's all about the money.

But your daughter needs anti-malware protection of some sort, although that really doesn't work very well. But it's better than nothing.

AuricTech said...

Clearly, the Galactic Empire in Star Wars didn't overly concern itself with computer security....