Tuesday, December 16, 2008

Apple Security Update 008

10.5.6 was released Monday afternoon in combination with Apple Security Update 008. The security update is also available separately for Tiger, 10.4. You grab them via Software Update within Mac OS X or download them from Apple's website.

Here are some highlights:

- ATS (Apple Type Services) bug/security update. 10.5 only.

- BOM (Bill of Materials) security update.

- CoreGraphics security update.

- CoreServices security update to prevent web hijacking of a user's credentials.

- CoreTypes security update. Adds further file types to its Internet download warning list. 10.5 only.

- FlashPlayer Plug-in security update.

- Kernel security update. 10.5 only.

- LibSystem:
  • - Security update to the inet_net_pton API.
  • - Security update to the strptime API.
  • - Security update to the strfmon API.
- Managed Client bug/security update. 10.5 only.

- network_cmds bug/security update.

- Podcast Producer security update. 10.5 Server only.

- UDF (Universal Disk Format) ISO (International Standards Organization disk image) handling bug/security update.

Details regarding 10.5.6 can be found over at my MacSmarticles blog.

Thursday, December 11, 2008

Trojan OSX.RSPlug DNS Confusion Solution

Earlier in the year I posted an article questioning whether Apple had patched Mac OS X Server versions 4 and 5 to prevent the actions of Trojan OSX.RSPlug.A, which hijacks a Mac's DNS server settings in order to divert users to Phishing sites. Misinformation galore was available on the Internet, and of course there was no one in the Mac community I could find with any kind of clear discussion of the issue. If there were such folks around I would send you to them for better information than I can provide.

Thankfully this past week, during my investigation of Clamav's effectiveness against Mac malware, Adam Engst was kind enough to get me in touch with Rich Mogull. Rich provided me with a very helpful answer, quoted below:
Hi Derek,

Yes- that family of trojans makes DNS changes on your system, but not because of any vulnerability or problems with the OS X implementation of DNS. The trojan only works if you manually install it and enter you administrative password. It then changes settings just as you can do yourself under normal circumstances. On occasion, these trojans (and others) may be able to take advantage of other vulnerabilities on the Mac to make changes without an administrative password, or install itself automatically due to a browser weakness, but there are currently no known open vulnerabilities like these being used by bad guys. Right now, you still need to install it and manually enter your admin password- there's not much Apple can do to prevent that.
As a result, I chopped out my early Trojan OSX.RSPlug.A article and corrected a related sentence in my recent article "Update: The State Of Trojan OSX.RSPlug..." in order to remove my own confusion.

The confusion on the Internet regarding Apple Security Update 005 came from the fact that it repaired a very old DNS technology vulnerability. The fact that DNS was involved in both this vulnerability and the RSPlug Trojan was coincidental. I have never covered the DNS technology vulnerability here, called DNS cache poisoning, as it has not been of serious consequence to Mac users. If you are interested, coverage of the problem at the SANS Institute is adequate and provides references.

Wednesday, December 10, 2008

Off Topic: How to meet trolls and play S&M games

The Internet of course reflects humanity at large. The difference is, on the Internet cowards can come out of their hiding holes and swat you with their widdle hands. You say 'ouch' and they get all orgasmic. These lost little souls are referred to as trolls.

In the process of researching an upcoming article about Clamav, the cross platform Open Source anti-malware program, I ran over the biggest concentration of trolls of 2008. It's the Clamav Users email list. If you'd like to meet trolls and play S&M games, here is where to sign up:

Clamav Abusers

Tell them Derek sent you. Enjoy a laugh at my expense. ;-D
I guarantee you'll learn utter nonsense about malware while you're there. And who doesn't find nonsense amusing.

Thursday, December 4, 2008

Update: The State Of Trojan OSX.RSPlug, aka the 'Porno Trojan'

The net-cracker effort to bring the 'RSPlug' Trojan horse from Windows over to Mac OS X continues apace. As of this week we are now up to version E, aka Trojan OSX.RSPlug.E. Again, this Trojan is showing up at scam pornography websites.

The difference with variants D and E, however, are particularly nefarious. Instead of the Trojan itself being the full payload of malware, it downloads the actual payload from the Internet. This means the Trojan can install literally anything into your system. It's not just for DNS forwarding phishing scams any more.

Of course, it will be possible to kill off the payload Internet sites one by one as sub-variants of D & E pop up. But once infected, a Mac could theoretically become zombied, which these days is the prime goal of net-crackers. Botnets can make big money. As was popularly reported last week, the taking down of one particular bot wrangler killed off as much as 70% of SPAM distribution for a few days. That's a massive botnet. Imagine the profit the bot wrangler was pulling in. Sadly, the botnet involved remained intact and another bot-wrangler stepped in to take advantage of it, restoring SPAM to its usual blasting volume.

You can read the details about Trojan OSX.RSPlug.E over at Intego's website.

One hilarious flagging giveaway of this Trojan is the continued laziness of the developers' social engineering method. Instead of altering their tease line to potential wetware victims, they left it exactly the same as the Windows version. This means that anyone who is both Mac and Windows savvy will realize immediately that something screwy is going on. The blunder is the tease line "Video ActiveX Object Error". For those who don't know, ActiveX is a scripting monstrosity perpetrated by Microsoft several years back. Yeah, it was another of their attempts to make the Internet proprietary. ActiveX is entirely irrelevant on Mac OS X, thank goodness, as it is a gigantic, wide open door for malware infection on Windows. The only web browser on Mac capable of running ActiveX rubbish is FireFox, and you have to specifically install an ActiveX extension. Therefore, for the moment, if you run into a "Video ActiveX Object Error" on a website, you have just run into an attempt to infect you with the Trojan OSX.RSPlug.

Tuesday, December 2, 2008

Trojan OSX.Lamzev.A

As of last week, Mac OS X has a second piece of malware. It is a Trojan horse officially called OSX.Lamzev.A. (It is also erroneously known as OSX.TrojanKit.Malez).

Detection and removal of this malware is built into the latest versions of the FREEWARE anti-malware programs ClamXav and iAnti-Virus.

So what is the strategy this time? To quote ZDNet:
OSX.Lamzev.A is a hacker tool designed primarily to allow attackers to install backdoors in a user's system, according to Intego. However, the company dismissed the tool as a serious threat because a potential hacker has to have physical access to a system to install the backdoor.
. . .
Other antivirus vendors noted that Lamzev could be disguised as a piece of legitimate software and used to trick users into creating the backdoor themselves.
Theoretically, this will become another piece of social engineering / wetware error malware where the user is tricked into installing it. Therefore, as usual, always verify that anything you install is legitimate software. Check it out at any of the well known shareware distribution sites like VersionTracker.com, MacUpdate.com, TuCows.com or MajorGeeks.com. All of these sites have human users and reviewers who can tell you what's legitimate. If you can't verify an application, don't install it! Also, if you want to be extra safe, work only inside a 'Standard' Mac OS X account, not an Administrator account.

I'm going to keep an eye on this Trojan to see what damage it can do. If it is a true 'backdoor' to Mac OS X, a cracker can do anything they like with your Mac. We'll see with time if this becomes a problem. For now, the anti-malware distributors consider it only a minor threat. Just run your usual FREEWARE anti-malware apps once a week, at least, to clean it out if somehow you've installed it.