Wednesday, April 28, 2010

HellRTS,
The Not Quite In-The-Wild
Hacker Tool "Trojan"


"Take a deep breath and count to ten. One, two, three..."

This past couple weeks the incoherent, or should I say incompetent, nature of the anti-malware community has become evident yet-again through the discovery and discussion about a new variation of a hacker tool called 'OSX.HellRTS.D'. I am going to use that name because my best estimation is that it was first described by Intego, and that is their chosen name. It also follows the published malware naming protocol.

As per usual, other anti-malware companies could not bother to stick to the source name and have proliferated the usual WHATEVER of their own names, those being 'Hellraiser' and 'Pinhead'. Further confusion includes the addition of '.D' at the end of Intego's name. I have no idea why it is there. It indicates that this is supposed to be the FOURTH variant of this 'malware', and yet no one, including Intego of course, provides any reference to variants ".A", ".B" or ".C". I am going to toss out a wild guess that ".D" only means that this hacker tool has three previous versions known well only within the hacker community.

UPDATE: I have verified that 'Hellraiser' is the actual name of the source hacker tool of which HellRTS.D is the fourth variation.

Why I'm counting to ten: Because there are no signs of improvement in the chaotic nature of the anti-malware community. Anti-malware is supposed to be a 'professional' endeavor. The only reliably professional thing I have found so far in the community is that people make money in it. Otherwise, as a trained and experienced scientist, I find the community to be nothing more than 'A Pack Of Cards', as Lewis Carroll put it. That is to say it is a bunch of playing card characters disagreeing with one another over nonsense.


Which is to say quite bluntly:

The anti-malware community is not entirely scientific in nature.

(I am so itching to have someone disagree with my statement above. I dare you.)

Of course, enough of my own injection of subjective emotion into what should be an objective, scientific subject. Here's the lowdown on this new 'Trojan':

So far OSX.HellRTS is entirely ignorable. It is being distributed as a hacker tool out on the Internet, but has NOT been utilized as malware 'in-the-wild'. Instead it is being described as capable of being used as malware in-the-wild. When or if OSX.HellRTS becomes anything more than a hacker tool, I'll provide more detailed information.

In the meantime, here are some links for those who would like to dig around in the details:

David Harley has written a series of articles about HellRTS at his poorly named "Mac Virus" blog. David provides some very useful information through his professional work for the Mac community, which I very much appreciate. However, David also often makes his own contributions to the chaotic nature of the anti-malware community, fitting my fittingly harsh appraisal. Therefore, when you read his articles, "Take a deep breath and count to ten...."

Hellish Mac Malware

More on that hellish Mac malware...

OSX/HellRTS - more info

Here are Intego's source articles about OSX.HellRTS:

INTEGO SECURITY MEMO – April 16, 2010
HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs


Intego Security Memo: HellRTS Backdoor Can Allow Malicious Remote Users to Control Macs

Now for the firing squad:

These are reports from other anti-malware companies that chose to use their own WHATEVER name for OSX.HellRTS. They should be lined up against a wall. As you click each of the links below, think to yourself:

"BOOM! HEADSHOT!"

Sophos: "OSX/Pinhead-B"

CA: "OSX/HellRTS"

iAntiVirus (PC Tools): "Backdoor.OSX.Hellraiser" <- Search on this page for 'Hellraiser' to read its description.

As usual I'm not going to bother with references to Symantec or MacScan articles. Why? Why bother.

If there are hackers who'd like to share the history of the Hellraiser hacking tool, please let us know via the comments! I'd be most interested.

Thursday, April 22, 2010

VLC Media Player Multiple Vulnerabilities
UPDATE!

UPDATE!

Hey kids. I found that in April some terrific folks on the Mac side of the VLC project have gotten things going again and have provided an update past VLC v1.0.5. You can download the lastest version of VLC at the source page for VLC media player Mac OS X Intel nightly builds. (Sorry PPC users, you are SOL).

Be sure to read the notes at the top of page very carefully! What you probably want is the latest version of the 1.0-branch-intel stable series. Ignore the gibberish numbers in the file names. When you see '107' in the name it does NOT mean 'version 1.0.7'. ATM the latest version is v1.0.6.
~~~~~~~~~~~~
Original Article:
~~~~~~~~~~~~


This is potentially a big problem:

VLC Media Player v1.0.5 (and earlier) has been found to have multiple vulnerabilities. And there is almost NO chance on a Mac OS X version 1.0.6 update at this time. Therefore, to be ultra-super-mondo-über-safe, you can't use VLC any more. And that's bad.

Here is Secunia's announcement.

You can subscribe to Secunia's Weekly Summary email newsletter HERE.

You can access the ongoing 'Vulnerability Report: Apple Macintosh OS X' HERE.

Now for the naughty bits:
Description
Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.

1) An error in the A/52 audio decoder can be exploited to cause a heap-based buffer overflow.

2) An error in the DTS audio decoder can be exploited to cause a heap-based buffer overflow.

3) An error in the MPEG audio decoder can be exploited to cause a heap-based buffer overflow.

4) An error in the AVI demuxer can be exploited to trigger an access to invalid memory.

5) An error in the ASF demuxer can be exploited to trigger an access to invalid memory.

6) An error in the Matroska demuxer can be exploited to trigger an access to invalid memory.

7) An error when processing XSPF playlists can be exploited to trigger an access to invalid memory.

8) An error in the ZIP implementation can be exploited to trigger an access to invalid memory.

9) An error in the RTMP implementation can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.

The vulnerabilities are reported in versions prior to 1.0.6.

Solution
Update to version 1.0.6.
Quick summary: Trojan horse files that are compatible with VLC can be used to access your computer's RAM and do bad things. Therefore, don't be a LUSER. Verify that any file you play in VLC is from a legitimate, reliable source.

For example, stuff from questionable BitTorrent sites does not qualify as safe. BitTorrent rips are a great way to get infected. That's where the one (and only) verified Mac BotNet came from: Three cracked Mac apps offered at BitTorrent sites turned out to be Trojan bots that zombied well over 10,000 Macs, employing them in a documented DDOS attack. The Trojans are formally known as Trojan.OSX.iServices.A-C. (You can read about this Trojan in previous posts).

So why no VLC v1.0.6 update for Mac?! Because there has been a long term derth of Mac OS X developers participating in the open source VLC project. You can read more about this dilemma HERE. You can sign up for the VLC RSS feed using this LINK. Of interest: There will be no v1.0.6 for Windows either, for different reasons.

Thankfully, there is an ongoing 'next generation' project of VLC for Mac called 'Lunettes' that you can follow HERE and HERE. This project is also asking for Mac developers. There is no public release version at this time.

What's so great about VLC? It allows Mac users to play a variety of media that Apple does not support via QuickTime or iTunes. Example: FLAC. This free, Open Source lossless compression audio format is ubiquitous on the Internet, and Apple provides no support, which is of course insane. There are many other examples of great functionalities provided by VLC. I consider VLC to be required software on my Macs. There are alternatives to VLC for some purposes, but no other application provides its feature set in one package. Let's hope the Lunettes project is a success.



For those concerned:

Please note that I post Mac-specific vulnerability information because just about no one else does. These posts help fend off the troll hate-abuse-lie rants and FUD mongering that claim that Mac users are computer security illiterate.

Wednesday, April 14, 2010

PDF Security Hole:
Hacking Into Copy & Print 'Locked' PDFs
-revised-

I was hoping I was wrong, but this is what I learned today:

Anyone can hack around a password required to copy from or print a PDF. Anyone.

Thankfully, the full locking of a PDF remains unhacked. The 'Open' password is still required.

A hacking tool that allows you to hack copy and print permissions is today's Mac Update Promo deal of the day. It is called PDFKey Pro. (48% off the regular price of $24.99). This program is a hacking tool that clearly points out a fundamental security hole in the PDF format. Therefore, I see no point in using PDF password for copy and print protection. It's worthless.

Please note that I am not knocking hacking tools. I am not knocking PDFKey Pro. The way it is being sold sounds entirely legitimate. The fact that copy and print PDF protections can be entirely defeated has nothing to do with the developer of this application. It has 100% to do with Adobe. Yeah, I know some people are tired of the onslaught of knocking against Adobe these days. Tough. This is a big fat and ugly nasty problem. Adobe are responsible.

In the past I've talked with both David Pogue and Adam Engst about selling electronic books. David Pogue and I talked about selling protected PDFs as one option. He decided at the time to try Adam Engst's method of simply trusting the customer. As an opponent of DRM (digital rights manglement), I agree with Adam. However, authors and publishers are entirely within their rights to prevent anyone from being able to copy from or print their documents and books.

Therefore, if you want to lock up the copy and print permissions of your docs, look elsewhere. There are plenty of great locking and encryption tools for Mac, but I'm not aware of anything that only prevents copying and printing.

I'd very much enjoy reading an analysis of how PDF protection is hacked. Something tells me it's already out there on the net for any hacker to read and use. What a shame.
--