Saturday, July 27, 2013

Ongoing:
"The biggest cyber crime case filed in U.S. history"

--

This story has been buried in the conventional press over the last two days. Therefore, I am doing my part to emphasize its importance. If you're interested in hacking and cyber-crime, be sure to give this article a read:

US Indicts Hackers In Biggest Cyber Fraud Case In History
DAVID JONES AND JIM FINKLE, REUTERS JUL. 26, 2013, 6:16 AM

http://www.businessinsider.com/us-indicts-hackers-in-biggest-cyber-fraud-case-in-history-2013-7

Here are a few highlights (emphasis mine):
NEWARK, N.J./BOSTON (Reuters) - Federal prosecutors said on Thursday they have charged five men responsible for a hacking and credit card fraud spree that cost companies more [than] $300 million and two of the suspects are in custody, in the biggest cyber crime case filed in U.S. history.

They also disclosed a new security breach against Nasdaq, though they provided few details about the attack.

Other companies targeted by the hackers include a Visa Inc licensee, J.C. Penney Co, JetBlue Airways Corp and French retailer Carrefour SA, according to an indictment unveiled in New Jersey. . . .

Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine. . . .

The five hid their efforts by disabling anti-virus software of their victims and storing data on multiple hacking platforms, prosecutors said. They sold payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards. . . .

"There is an enormous shadow economy that exists in Eastern Europe. In some countries, sophisticated hackers are seen as national assets," he [Thomas Kellermann, VP of Trend Micro] said. . . .

Among the breaches cited in the New Jersey indictment, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from U.S. payment processor Heartland Payment Systems Inc beginning in December 2007, resulting in approximately $200 million of losses....

~ ~ ~

After reading through this article, I can't help but believe much of our Corporate Oligarchy is more than a little embarrassed with their poor comprehension of computer security; thus the burying of this story in the press.

There's A LOT more news about this incredible hacking crime spree yet to come. Keep an eye out.

:-Derek




Wednesday, July 17, 2013

FileSteal.D Trojan Horse variant discovered:
aka Hackback.D
aka KitM.D
aka Janicab.D

--

Via some file name spelling trickery, a nasty script and fraudulent use of an Apple developer security certificate, a new variant of the FileSteal malware has shown up on the net. This malware series has had four different names, depending upon what 'professional' anti-malware company 'discovered' it. IOW: It's a case of the usual deliberate lack of sharing and cooperation among the 'professionals'. Just shoot me. I'm simply going to call it Trojan.OSX.FileSteal, which was the source name. I listed the other names in this article's title. As far as I know, the current variant is the fourth in the series, therefore FileSteal.D. I am always pleased to be corrected when I am incorrect.

This series of malware is extremely easy to make inert by way of Apple revoking its faked developer security certificate. The dangerous period is between a variant's release and Apple's revocation of its security certificate.


What it does:

A) FileSteal commonly shows up as an email attachment, pretending to be an innocent document file. But it could just as easily hide out somewhere on the web, looking just as innocent.


B) As a Trojan horse, no matter what you see as the file name and file icon, it is actually an application. The faked file name and icon trick is done via some file name spelling trickery of which I was not previously aware. A special "right-to-left override (RLO) character" in the name makes the characters that follow it read backwards from how the name is actually spelled. Therefore 'FDP.app' at the end of the real file name can appear instead on screen as 'ppa.PDF', making you and OS X think you are looking at a PDF file, which it is NOT. Creepy, eh? I'm going to send you off to read the relevant article by my net bud Thomas Reed for further explanation. Don't worry about the malware being called 'Janicab'. It's still just FileSteal.D.


New Signed Malware called Janicab
http://www.thesafemac.com/new-signed-malware-called-janicab/
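As an added illustration (not code from the original post or from Thomas Reed's article), here is a small Python check a defender can run over file names to expose the RLO trick: it lists the bidi control characters in a name, reconstructs what a viewer would see, and compares the visible extension with the one OS X will actually act on. The sample names are constructed, and the display reconstruction is a simple approximation of bidi rendering that is adequate for Latin-script names.

```python
import unicodedata

# Bidi control classes (as reported by unicodedata.bidirectional()) that
# change how a name renders without changing the name the OS sees.
# RLO (U+202E) is the one that shows 'FDP.app' as 'ppa.PDF'.
BIDI_CONTROLS = {"RLO", "LRO", "RLE", "LRE", "RLI", "LRI", "FSI", "PDF", "PDI"}

def find_bidi_controls(name):
    """Return (index, bidi class) for each bidi control character in name."""
    return [(i, unicodedata.bidirectional(ch)) for i, ch in enumerate(name)
            if unicodedata.bidirectional(ch) in BIDI_CONTROLS]

def strip_bidi_controls(name):
    """The name as the file system sees it, minus the invisible controls."""
    return "".join(ch for ch in name
                   if unicodedata.bidirectional(ch) not in BIDI_CONTROLS)

def displayed_name(name):
    """Approximate what a viewer sees: text after an RLO is shown reversed
    until a PDF (U+202C) or the end of the name; other controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif unicodedata.bidirectional(ch) in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def extension(name):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def real_extension(name):
    return extension(strip_bidi_controls(name))

def displayed_extension(name):
    return extension(displayed_name(name))

def is_suspicious(name):
    """Flag names carrying bidi controls, or whose displayed extension differs
    from the extension the OS will actually act on."""
    return bool(find_bidi_controls(name)) or \
        real_extension(name) != displayed_extension(name)

if __name__ == "__main__":
    # Constructed sample names; the first mimics the FileSteal.D trick.
    for sample in ("Report.\u202eFDP.app", "Report.pdf", "Report.app"):
        print(repr(sample), "shows as", displayed_name(sample),
              "| real ext:", real_extension(sample),
              "| suspicious:", is_suspicious(sample))
```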


C) If you are fooled into opening the application, it installs itself somewhere into your system, then tosses a launch script into one of the various login item folders inside one of your Library folders. These login item folders could include:

/Library/LaunchAgents/
/Library/LaunchDaemons/
~/Library/LaunchAgents/

OR theoretically it could list itself in your user account's Login Items list, located here:

~/Library/Preferences/com.apple.loginitems.plist

OR the app can run as a system cron job process.

IOW: It gets booted every time you log into your computer.


D) When running, the malware opens a back door to your computer, grabbing and sending anything it likes off to a malware wrangler site on the net. It has been known to take screenshots, record audio and send off user files to the malware wrangler location. Some researchers are calling this 'spyware' behavior. I personally would call it a bot.


Cures:

The cures for this malware depend upon the variant installed. The new variant FileSteal.D, aka 'Janicab', plugs itself into the system using a cron job process. Therefore, one easy way to eliminate it is to remove all your system's cron jobs. Thomas Reed's article provides a simple Terminal command you can use.


From my reading, it appears that Intego, Sophos and F-Secure are staying on top of this malware series. Their anti-malware programs, if kept up-to-date, should be able to detect the infection and remove it. Apple also has been speedily revoking these malware apps' security certificates.


ClamXav will likely catch whether you have been infected. Or perhaps I should say that friends in my Mac security discussion group are attempting to get the malware's signature into the ClamAV database.


~~~~~

Here are some related articles, in reverse chronological order, about the FileSteal series for your perusal:

2013-07-16
Signed Mac Malware Using Right-to-Left Override Trick

2013-07-15
New back-to-front Mac malware records audio and grabs screenshots on infected computers
http://grahamcluley.com/2013/07/mac-malware-janicab/

2013-05-21
Yet Another FileSteal Variant Found Today
http://www.intego.com/mac-security-blog/yet-another-filesteal-variant-found-today/

2013-05-17
Two New Variants of Backdoor Trojan Found Targeting Activists
http://www.intego.com/mac-security-blog/two-new-variants-of-backdoor-trojan-found-targeting-activists/

2013-05-17
Mac malware signed with Apple ID infects activist’s laptop
Backdoor took screenshots, sent them to attackers.
http://arstechnica.com/security/2013/05/mac-malware-signed-with-apple-id-infects-activists-laptop/

~~~~~

BTW: Thomas Reed maintains a reasonably current list of Mac malware HERE:

Thomas and I have not compared lists recently, and you're going to see some differences in what is named what and what is different from what. This is all thanks to the unprofessional naming chaos innate amidst today's competing anti-malware companies. Some time Thomas and I will bump heads again and coordinate our lists. In the meantime, I consider Thomas' Mac malware list to be the best.


--

Tuesday, July 16, 2013

Ransomware Fraud Targets Mac Users:
The FAKE 'FBI' Wants Your Dough

--
Source article:

FBI Ransomware Now Targeting Apple’s Mac OS X Users
http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/


Symptoms:

You visit a rat scam infested web page and...

Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”
The rat scam's web page URL is clearly NOT the FBI's.
If you choose to ignore the message (which you should), you cannot get rid of the page...

Repeated attempts to close the page will only lead to frustration as even the “Leave Page” browser trick does not work...

If you “force quit” the application, the same ransomware page will come back the next time you restart Safari because of the “restore from crash” feature, which loads back the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle....

The Cure:

If you encounter the rat scam using Safari:
There is a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”.... Make sure all items are marked and hit the Reset button....

This scam is unfortunately all too efficient and is not going away anytime soon.
Malwarebytes kindly provides a video describing the scam and how to kill it in Safari, HERE:

http://www.youtube.com/watch?v=Ip6tvti4UjU


Other web browsers have similar Reset options.


-->If you're using WOT (Web Of Trust), be sure to scarify & stigmatize the evil rat scam page. This will help protect potential future victims.


The FBI rat scam is very old on Windows. Apparently, the malware rats are getting a bit desperate about finding a way to attack Mac users. Therefore, they've taken this dusty old rat skeleton out of mothballs in hopes of abusing the most gullible of 'LUSERS'.


Don't be scammed!

'Tis mere fatuous frippery from foul foolish frauds. ;-)

* I'm getting to like the Malwarebytes blog! I'll consider tossing it into the 'Friends of Mac-Security' link list.




--

Sunday, July 14, 2013

Adobe Critical Security Updates:
Flash Player v11.8.800.94
Shockwave Player v12.0.3.133
ColdFusion 10 Hotfix v11

--

On 2013-07-09 Adobe released critical security patches for Flash Player, Shockwave Player and ColdFusion 10. The Adobe security bulletins are available here:

http://www.adobe.com/support/security/

Adobe Flash Player v11.8.800.94 patches three CVE security issues:

- These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-3344).
- These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-3345).
- These updates resolve an integer overflow when resampling a user-supplied PCM buffer (CVE-2013-3347).

All three security issues involve the usual bad memory management.

Shockwave Player v12.0.3.133 patches one CVE issue:

- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-3348).

Again, the security issue involves bad memory management.

ColdFusion 10 Hotfix 11 patches one CVE issue:

- The hotfix for ColdFusion 10 for Windows, Macintosh and Linux resolves a vulnerability that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets (CVE-2013-3350).

Happily, no update is required for current versions of Adobe AIR, Acrobat or Reader. Hurray.

~~~~~~~

That's it for last week's security updates! It looks like the malware rats are taking a vacation from attacking OS X users. Instead, the rats are focusing on Android vulnerabilities:

99% of all mobile threats target Android devices

New Android Vulnerability Affects 99% of Devices

Google quickly patches the '99%' Android malware hole, ball is now in phone makers court

Five simple ways to avoid Android malware

I think I'll stick with iOS devices. I'm not keen on reliving my days as a Windows OS security victim by way of Android OS. Just saying! No flame comments required. (^_^)

--

Wednesday, July 3, 2013

Apple Security Update 2013-003

--

[Updated 2013-07-04 6:40 pm ET]

Warning: I'm in rant mode. Apple has seriously messed up this update and I'm not pleased.

Apple released Security Update 2013-003 on July 2nd. Sadly, Apple didn't get this update together until July 4th, and problems still remain! Annoying. Apple's download / documentation team is crap. Expect me to pester Apple about this mess. Please join in!

WHAT went wrong?! 

1) On July 2nd, Apple provided dead end URLs for three of the update versions on their Downloads page. Idiots. Thankfully the URLs were repaired July 3rd.

2) July 2nd, Apple intermittently provided then pulled the Lion Server version. Idiots. Thankfully, Apple corrected this problem July 3rd.

3) ALL the updates have THE SAME NAME, except when they were for the server version of whatever. NOT ACCEPTABLE. For any professional downloading all the updates for various machines, this is DEADLY STUPID. - - 'Let's see here. The only way to tell these downloads apart is by comparing their sizes with the sizes listed on the Downloads page. Great. Thanks Apple.' Idiots. Apple has NOT fixed this blunder as of yet. If they do, I'll update this post.

4) For over 48 hours, Apple still had NOTHING listed on their 'Apple Security Updates' page regarding Security Update 2013-003. Not - A - Thing. Idiots. - Apple fixed this problem on July 4.

[I've never seen this level of idiocy at Apple, short of the minimum wage worthy tech support at the iTunes Store. And no, Apple's furious work to complete iOS 7 and OS X 10.9 Mavericks is NOT a valid excuse for this garbage. This is seriously messed up and unacceptable, especially from beloved Apple. Something is severely wrong over there. I hate it when anti-Apple FUD comes true. And so on.]

Now that Apple has, over two days late, provided their notes about the update at the Apple Security Updates page, it's redundant to post it here. But I'm going to keep it for those who may find it convenient. Here you go:
APPLE-SA-2013-07-02-1 Security Update 2013-003

Security Update 2013-003 is now available and addresses the following:

QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of Sorenson encoded movie files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1019 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative

QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of H.264 encoded movie files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1018 : G. Geshev working with HP's Zero Day Initiative

QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.4
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of 'mvhd' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-1022 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative

Security Update 2013-003 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to your system configuration.

For OS X Mountain Lion v10.8.4
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: 5452c463819106ec30e9f365031f65f1b6c538c0

For OS X Lion v10.7.5
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: c94eeaee2e329f75830140598c8973b6a8e1b22d

For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-003.dmg
Its SHA-1 digest is: 849d5d4fd5c5a46f84d3607a84b6957fe4f10a00

For Mac OS X v10.6.8
The download file is named: SecUpd2013-003.dmg
Its SHA-1 digest is: 59f7be08ba2f3e343539c011793f7e31773f9caa

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-003.dmg
Its SHA-1 digest is: 7586022106c870e46139016ddc5e667def454430

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This security update is specifically for QuickTime. It is applicable to OS X 10.6.8 through 10.8.4. Historically, QuickTime is Apple's least secure software.

All three security flaws are due to buffer overflow coding errors, the most common cause of modern coding security holes. Malicious versions of the following file types were able to trigger the buffer overflows:

- Sorenson encoded movies.
- H.264 encoded movies.
- MooV files containing mvhd atoms.

You can read about Movie Atoms here:
http://developer.apple.com/library/mac/#documentation/QuickTime/QTFF/QTFFChap2/qtff2.html

mvhd stands for 'movie header'. If you search for 'mvhd' on the linked page above, you can read about its uses.

Thank you for sharing and enjoying!

:-Derek

Hey Apple: WAKE UP!