Thursday, November 29, 2007

Secunia report regarding Apple QuickTime RTSP "Content-Type" Header Buffer Overflow


It's Secunia Weekly Summary day! (Every Thursday afternoon). In today's issue they reported the current QuickTime problem. As is typical of Secunia, they blew the problem out of all proportion, saying the problem is 'Extremely critical' simply because it affects an Apple program. Big yawn. Nothing new from them. Nonetheless, I really like their analyses once the FUD is stripped away.


You can read their full report at:

http://secunia.com/advisories/27755/

Secunia's (admittedly minimal) advice:

"Do not browse untrusted websites, follow untrusted links, nor open untrusted QTL files."

Trust, trust, trust. It's all about trust.

Just so Mac users don't feel so bad, here are some statistics for you:

1) This past week Secunia collected 193 NEW Windows malware descriptions from anti-malware providers.
(Keep in mind, folks, that the term 'virus' is very specific to self-replicating malware. Therefore I never use the term unless it does indeed refer to an actual virus as opposed to some other kind of malware).

2) Vulnerabilities for nine Windows applications were reported this week, including two for IBM Lotus notes.

3) The FBI believes over 2.5 MILLION computers have been hacked into botnets. This is known as zombieing. Since 2005 the FBI estimates over $20 million in losses and theft have resulted from botnet activity. Meanwhile, the computer industry, based on studies from Symantec, believes the figure is more like 5 MILLION zombied computers. And guess what folks: NOT ONE OF THEM IS A MAC, unless of course they are running Windows. But do keep in mind that every OS in existence has vulnerabilities and you need to be secure with your Mac when it's on the Internet.

http://www.cnn.com/2007/TECH/11/29/fbi.botnets/index.html


4) There is still only one piece of Mac malware in the wild, the so-called 'Porn Trojan'. (HAHAHA!)

5) There weren't any other Mac platform vulnerabilities reported this week.

*** REMINDER:
I know this has a high 'DUH!' factor among the cognoscenti, but for the rest of us: Remember that Windows malware works just as well when you run Windows via Boot Camp, Parallels, or VMware. You REQUIRE anti-malware AND the Windows firewall turned ON (unless of course you run a separate firewall on top of Windows).

Also, if you are sloppy about your WiFi router security, you can get away with it using Mac OS X. But EXPECT to be infected or zombied if you run Windows on your Mac. Therefore:

(A) Password protect your WiFi router with a nasty-difficult-unguessable password.
(B) Password protect your Mac accounts with a nasty....
(C) Turn on and use the best encryption your WiFi router will allow. WEP sucks but is better than nothing. Aim for WPA or WPA2.
(D) If you don't have visitors connecting to your WiFi network regularly, use MAC address authentication.
(E) And if you feel comfortable with it, stealth both your WiFi Macs and your router so no one war-driving even knows you're there.

I'll do a rant session on freeware Windows anti-malware apps, WiFi routers and war-driving in future posts.

Share and Enjoy,

:-Derek

Monday, November 26, 2007

QuickTime RTSP Content-Type header stack buffer overflow


If you have been keeping up with Mac OS X security over the last year, you'll know that the Apple software with the most vulnerabilities has been QuickTime. The security company Secunia have been harping at Apple to get all the holes patched, but the going has been slow. The problem became acutely evident in December 2006 when poor programming in the MySpace interface allowed exploitation of a scripting vulnerability in QuickTime that allowed MySpace sites infected with script malware to infect the MySpace page of visitors. Apple came out with a quick patch specific to MySpace but the overall cleanup of QuickTime's problems has been ongoing.


The new vulnerability, on both Mac and Windows, affects a streaming technology built into QuickTime called RTSP. Hackers are already exploiting the security hole. You can read the details at the US-CERT (United States Computer Emergency Readiness Team) website:

http://www.kb.cert.org/vuls/id/659761


Keep in mind that these are the folks that have been so incredibly inept that the US federal government computer system has been vastly compromised by bots that have been sending secure computer data to China in that country's secretly declared technology war against the rest of the world. So if US-CERT believes this problem with QuickTime is important, it is useful to believe them.

According to US-CERT the impact of this problem is:

"By convincing a user to connect to a specially crafted RTSP stream, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. An attacker can use various types of web page content, including a QuickTime Media Link file, to cause a user to load an RTSP stream."


At this time there is no single solution to the problem. Check the US-CERT link above for some temporary measures that may help. At the very least, have your firewall ON. If you want to complete the firewall cycle, blocking outgoing calls to the Internet, download and try out Little Snitch, $25 shareware. You can get it from the usual places such as MacUpdate.com or VersionTracker.com. I am going to read up a bit more on how this vulnerability is exploited to know whether Little Snitch is any help in this case. If you are using Little Snitch I would at the very least turn OFF the iTunes and QuickTime Player settings "Allow Any Connection" and "Allow TCP connections to port 554 (rtsp)". Instead you should approve such connections temporarily, one at a time.

:-Derek

Thursday, November 15, 2007

Mac-Security Column for November 2007


Mac-Security Column

2007-11-11
© Derek Currie

Until the beginning of November, Macintosh security has been a moot subject. Suddenly it is entirely relevant thanks to the very first piece of Mac malware loose in the wild. This has inspired me to fill the Mac security niche with a regular column on the subject.

A quick introduction: I became interested in knowing the facts about Macintosh security in August of 2005 when Symantec were having trouble selling their Norton Anti-Virus for Mac. The program had proven to be very buggy as well as irrelevant. In response Symantec perpetrated a FUD attack against the Mac community, attempting to scare people into buying their software. (FUD is an extremely popular form of propaganda. It is an abbreviation for "Fear, Uncertainty and Doubt.") In response to Symantec I got to work understanding the entire subject of computer security. I point out my favorite sources of knowledge at the bottom of the article. For now, suffice it to say I began writing about the subject in the Macintosh Usenet newsgroups in order to help other folks understand reality versus FUD. My column here is an expansion of my writing on the subject over the last two years.

Today's column is going to be a crash course relevant to the malware at hand. It is a Trojan horse called OSX.RSPlug.A.

Malware is the overall term for ANY software that is malicious toward a computer. The word 'mal' means 'sick' in French. Trojan horses are applications that have to be hand installed onto a computer to do their dirty work. They are NOT viruses or worms in that by definition they have no ability to self-propagate. Typically they pretend to be something useful and harmless, but they are not. They have what I call a 'Squink' factor. This is a personal term that refers to anything that looks good but is not. In the case of OSX.RSPlug.A it disguises itself as the installer of a QuickTime component codec. Once you provide your administrative password to allow the installation, your goose is cooked and the thing can do whatever it likes on your computer. The current version sets itself up as a replacement of any DNS server you may have running. Anyone accessing your DNS server is NOT sent to the correct IP address they need. Instead they are sent to fraudulent phishing sites that pretend to be what they are not. They have what I call a 'Zunipus' factor. This made up word refers to anything that purports to be honest and true but is not. At the phishing site you are fooled into providing personal information, resulting in identity theft.
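One concrete check that follows from the above: a DNS-changing Trojan like OSX.RSPlug.A gives itself away when the Mac's resolver list no longer matches what the owner expects. The script below is an added example, not code from the original column; it parses `scutil --dns`-style output and reports any nameserver not on an allow-list. The allow-list and the embedded sample output are constructed assumptions so the check runs offline.

```sh
#!/bin/sh
# Added example (not part of the original post): report DNS resolvers that
# are not on an allow-list, as a quick check for a DNS-changing Trojan such
# as OSX.RSPlug.A. On a real Mac the resolver list comes from `scutil --dns`;
# a constructed sample of that output is embedded here so it runs anywhere.

# Constructed sample resembling `scutil --dns` output (addresses made up;
# 203.0.113.66 plays the part of an injected rogue resolver).
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.66
  if_index : 4 (en0)
'

# Assumption: the owner expects only the home router to act as resolver.
ALLOWED_DNS="192.168.1.1"

# extract_resolvers: print one nameserver address per line from scutil-style text.
extract_resolvers() {
    printf '%s\n' "$1" | awk '/nameserver\[[0-9]+\] :/ { print $3 }'
}

# unexpected_resolvers: print resolvers missing from ALLOWED_DNS.
# Returns 1 when at least one unexpected resolver was found, else 0.
unexpected_resolvers() {
    found=0
    for ns in $(extract_resolvers "$1"); do
        case " $ALLOWED_DNS " in
            *" $ns "*) ;;                 # expected resolver, nothing to report
            *) echo "$ns"; found=1 ;;     # not on the allow-list
        esac
    done
    return $found
}

# Offline run against the constructed sample:
unexpected_resolvers "$SAMPLE_SCUTIL_DNS" || echo "WARNING: unexpected DNS resolver(s) above"

# Live check on a Mac (left commented out so the example runs anywhere):
# unexpected_resolvers "$(scutil --dns)" || echo "WARNING: check DNS settings"
```

Run it regularly (or after any "codec" install) and investigate any address you did not configure yourself.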


OSX.RSPlug.A was at first only available at particular pornography sites on the Internet. Recently it has been found at a variety of other web sites as well. There has been a lot of spam around the Internet enticing readers to these sites. Once you get there and try to play the videos, you are told you need a codec to access them. You are then provided with a link to download the installer. You install it, and the deed is done. This method of lying to you in order to trick you into some sort of detrimental behavior is called 'Social Engineering.' It has been a developing and popular craze in the field of malware for years. Windows users are all too familiar with it. Undoubtedly you have yourself received email enticing you to a fraudulent version of a trusted website where you are asked to provide personal information, such as an ID and password to access the site. This form of social engineering is phishing. In the case of OSX.RSPlug.A, social engineering is expanded to fool you into installing malware.

So, now that the rat is out of the bag, what can you do? As our Mac friend Douglas Adams said: "Don't Panic!" It is remarkably unlikely you are going to fall for the Squink factor of this malware. But this is an occasion to start becoming familiar with Macintosh security strategies. Below is a quickie list of useful tools:

1) Self-education: What you can teach yourself is to never take software for granted. Always download software from reliable sources, such as VersionTracker or MacUpdate. If you download from somewhere other than the proven source site of the developer of the software be very suspicious and do some homework to learn about what exactly this software is. Google is a great tool. Just type in the name of the software and dig around.

2) Anti-Malware application: In the case of OSX.RSPlug.A the only way an anti-malware (incorrectly called 'anti-virus') program would catch this Trojan would be if it scanned everything you downloaded as you download it. That means paying bucks for a professional application. I'll review the options in a later article. For now I believe the consensus is that no, you still don't need to buy anything.

There is a way to seek and destroy this Trojan after it has already been installed. This is through the use of the freeware program Clam. It is an Open Source project that, to be honest, is not perfect. Clam regularly has security issues of its own and must be updated, as an application, on a regular basis. Clam is also slow running and slow to provide malware definitions. But that's what you get for free, and it works. The only thing you can do with it is turn it loose on a regular basis on your hard drive. It has no ability to live scan anything except designated folders. As with any anti-malware program, you must update its malware definitions at least weekly.

There are a couple ways to get the Mac OS X version of Clam. The first is the free way. It is called ClamXav for Mac OS X:
http://www.clamxav.com/


The site has a nice set of documentation as well as a forum where you can talk with other folks about Mac security. Note: Versions of ClamXav are available all the way back to Mac OS X 10.2. You will find them at the site. Malware definition updates are made from within the program. If you like ClamXav, by all means donate some money to the cause.

My preferred way to get Clam is via Leopard Cache Cleaner (which actually works on all versions of Mac OS X back to 10.2). For $9 this is a brilliant program I highly recommend. But even if you don't want to pay for it, yet, the free options it provides are very good. This includes a full integration of ClamXav in a very simple GUI.

A new and nifty kewl feature in Leopard Cache Cleaner is the ability to scan for rootkits. What are they?! Stay tuned. It is quite a nasty subject. For now, let's just hope this form of malware never becomes an important issue on Macs.

3) The Mac OS X firewall: Apple provide it, so use it. Access Apple's Help in Mac OS X if you have questions. The version in Leopard is not-ready-for-prime-time I am sad to say. Apple is working on it. Leopard actually has a second, brilliant, but user-hostile firewall built-in as well. We will discuss it in a future article.

4) Little Snitch: This is what I call a 'reverse firewall.' It stops absolutely everything from contacting your LAN or the Internet without your permission. You have to be a bit of a geek to appreciate it as it pops up little windows asking for your permission to allow network access. But once you understand what it does and are willing to put in the effort to work with it properly, you can't do without it. In the case of our Trojan OSX.RSPlug.A, it literally would be stopped dead in its tracks without your deliberately approving of it grabbing phishing URLs off the Internet, then sending out those URLs to suckers accessing its fake DNS service. In fact, Little Snitch can be used by malware warriors to find out from where the phishing URLs are being grabbed. Versions capable of running all the way back to Mac OS X 10.2 are available on the site. $25.

http://www.obdev.at/products/littlesnitch/


We have only touched the tip of the iceberg here regarding Mac security. Rather than overwhelm, I am simply going to point you to some other useful sources of information:

A) Apple have a dedicated support site for product security:

http://www.apple.com/support/security/


You can also subscribe to their highly recommended Security-Announce mailing list via their website or RSS:

http://lists.apple.com/mailman/listinfo/security-announce
feed://rss.lists.apple.com/security-announce.rss

B) Secunia: These folks are hyper-Apple critical. But they get results. They helped inspire the recent security improvements in QuickTime. Their website is stunning. I subscribe to their Weekly Summary mailing list.

http://secunia.com/
http://secunia.com/mailing_lists/

C) SANS Institute: These folks are outright anti-Mac bigots. Their editors are snide and anything but objective in their comments. Their underlying motivation is to FUD you into paying for their computer security courses. Big yawn. Nonetheless I find their newsletters to be very useful. I subscribe to NewsBites, @Risk and Ouch!

http://www.sans.org/newsletters/


That's it for this month.

Share and Enjoy! :-Derek

Sunday, November 11, 2007

Attack Of The Porn Trojan


Trojans have long been associated with pornography. But in this case, in the Macintosh community, we have a very bad Trojan called OSX.RSPlug.A. It's not that someone poked holes in the Trojan, it's that the Trojan itself is the hole. You don't want this malware impregnating your Mac, so it's time to learn how to be safe while you enjoy the Internet.

I wrote the Mac security article posted above specifically for the use of Macintosh user groups. You are entirely welcome to grab it and post it wherever you like, as long as you do not change it. That means you must include the headers with my name and my copyright. If you don't follow the rules, I will come and get you. So please be respectful of my work. You are welcome. :-Derek