Wednesday, June 29, 2011

China Laughs At US Federal Security

Way back in 2007, when I started this blog, I had a run-in with the members of China's 'Red Hacker Alliance'. I reposted their history and reiterated hacker crimes they'd been pulling against the USA since 1998, the year China was given 'Most Favored Nation' status. 2007 was the year the US feds finally admitted the reality of the situation, after the Chinese government memo declaring 'Technology War' on the USA became public knowledge, after the US feds discovered that every one of their computers connected to the Internet had been botted by Chinese malware, sending to China every piece of accessible data.
Now here we are 4 (FOUR) years later and THIS happens:

If left undiscovered the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.
Who can blame China for laughing?
How about the Obama administration offers me the CIO cabinet position? I couldn't possibly do any worse.

Friday, June 10, 2011

More Critical Adobe Security Updates

If you haven't gotten the hang of it yet, despite Adobe's scheduled quarterly updates to their software, they've been pushing out security updates at the rate of about once a month. March was no exception. April was no exception. May was no exception. I didn't bother to announce them all here because it has become all so predictable that I figure everyone knows to watch for them coming.

And now it's June. Here comes the quarterly update, like we care that it's quarterly. Why Adobe bothers with this BS is beyond my comprehension. I personally think they're nuts over there.

So here we go, the quarterly update announcement is HERE. The quarterly update comes out Tuesday, June 14th. As per usual, it is a CRITICAL security update. It will be for both Adobe Reader and Adobe Acrobat.

If you'd like to keep track of when future 'out of band' (non-quarterly, once a month) security updates from Adobe are released, the two best web locations are:

Adobe Security Bulletins and Advisories

Adobe Product Security Incident Response Team (PSIRT) Blog

Predictable as these 'out-of-band' critical security updates have become over the last full year, keep in mind that if you use Adobe's stuff, it is important to keep up-to-date with their security patches if you want to keep your Mac as safe as possible.

Over and out.

Saturday, June 4, 2011

The CARO Malware Naming Scheme


In 2009, amidst my trying to sort out why malware naming is chaotic within the anti-malware community, I came across an elegant malware naming system from CARO (The Computer AntiVirus Researcher's Organization) that is considered the standard. It has no competing proposed system apart from the 'whatever' mess practiced by the various anti-malware researchers/companies.

Recently I have been volunteering time with a group of other Mac security geeks as we try to keep track of what is going on with the Trojan.OSX.MAC Defender scamware series and provide malware signatures to the ClamAV Open Source project. One of our members was musing about applying the biological taxonomy system to malware naming. I wrote back that malware naming doesn't successfully fit within that system. Instead I described the CARO Scheme while tossing in a few of my usual rants about chaos in the anti-malware community. For those interested, here is my description of the CARO Scheme:


There is a standard malware naming system called the 'CARO Malware Naming Scheme'. Despite its existence and age, it is generally ignored in favor of chaos. As the description article itself states:
No matter how good a naming standard, it is mostly worthless if nobody is using it. And, as experience has demonstrated, some anti–virus producers would follow their own malware naming scheme in royal disregard of any proposed standards.
You can read about the CARO scheme here:

To quote:
The general format of a Full CARO Malware Name is
where the items in square brackets are optional. According to this format, only the family name and the variant name of a piece of malware are mandatory and, as we shall see later, even the variant name can be omitted when reporting it. The Full Name is white space–delimited. That is, it cannot contain white space (i.e., space, tab, carriage return, line feed), and there is a white space before and after it.

Here is the general CARO approach:

1) The name starts with the type of malware. For Macs, all the malware are Trojan horses. Therefore, they all begin with 'Trojan' followed by a period. 

Due to the mixed types of malware being created these days, this can get messy. Some malware these days are Trojans that infect the target with a bot, which itself is a worm by way of spewing SPAM or DDOS attacks. This is the case with the iServices Trojan. But I believe the best approach here is to name the malware type as that which is initially presented to the target computer. Therefore, Trojan works in all the current Mac cases.

However, I still argue that hacker tools are NOT Trojans. They're just hacker tools. They are only infected onto computers by way of 'LUSER' behavior whereby a hacker inadvertently has physical access to the target computer.

2) The malware type is followed by the target OS name. In our case it is 'OSX'. Previous to Mac OS X, the term 'MacOS' was used. But since Mac OS X is certified UNIX, the term 'Mac' is being dropped and only 'OSX' remains. The OS name is followed by another period.

3) The third part of the name is supposed to be left to whomever first discovers the malware in the wild and chooses a name for it.

For example, Andrew Welch (of Ambrosia Software) was the first person to fully describe and name the proof-of-concept Trojan which he named "Oompa-Loompa" or simply "Oomp". Using his variation on the CARO scheme, the resulting name was:


But Symantec has more clout than Andrew and after his work pushed out the name 'leap' instead, resulting in their name of it:


4) The fourth part of the name specifies the variant, starting with A through Z, proceeding to AA through ZZ, etc. Therefore, at this point we have (I think):

Trojan.OSX.MAC Defender.A
Trojan.OSX.MAC Defender.B
Trojan.OSX.MAC Defender.C
Trojan.OSX.MAC Defender.D

Unfortunately, it is left up to interpretation as to what constitutes a new variant. As I noted over the weekend, I've seen MAC Defender.E listed, for reasons I cannot explain. With the two new proven variants, apparently that naming source would be up to MAC Defender.G at least, at this point.

I like Shawn's idea about digging into the actual Trojan app's Contents directory to check out the guts of each potentially new 'variant'. The web page GUI variations are clearly of little importance compared to the actual Trojan app variations.

5) If there are further details about a specific malware, they are typically put in parentheses after the variant identifying letter. For the MAC Defender variants this would include all the names for the installer files and the various names the Trojan application gives itself. Therefore, we could have:

Trojan.OSX.MAC Defender.B (aka Apple Security Center, aka Apple Web Security...)


I have never seen the CARO scheme used exactly in the original proposed format. But the general approach of focusing from abstract to specific has remained in most of the offshoots of the scheme. Typically, the separators between the naming items are simply periods, as in:

Trojan.OSX.MAC Defender.A

Intego stick to this specific pattern.

Microsoft use a colon instead of the first period, resulting in:

Trojan:OSX.MAC Defender.A


Some companies choose to use forward slashes and dashes in their malware naming, resulting for example in:

Trojan/OSX/MAC Defender-A

Overall, because this is what I call 'The Wild West Era' of the anti-malware community, malware naming chaos reigns. There are commonly three publicly published names from various anti-malware researchers/companies for exactly the same malware. In the case of MAC Defender I've counted over 15 names at VirusTotal for what may only be MAC Defender.A.
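As an added example (not part of the original post, and not CARO's or any vendor's code), here is a small Python parser that accepts the separator styles shown above (periods, Microsoft's colon, slashes with a dash before the variant), splits a name into the components from steps 1 to 5, peels the 'aka' details out of the parentheses, normalizes everything back to the period-separated form, and orders variant letters A..Z, AA..ZZ as step 4 describes. It also flags that a family name with a space, such as 'MAC Defender', violates the white-space rule in the CARO text quoted earlier. The family 'ExampleFamily' used in testing is a constructed placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Separator styles seen in the post: periods, Microsoft's colon, slashes plus a dash.
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)[.:/](?P<platform>[A-Za-z0-9]+)[./]"
    r"(?P<family>[^.:/]+?)(?:[.\-](?P<variant>[A-Z]{1,3}))?$"  # family may hold spaces
)
_DETAILS_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<details>.*)\)\s*$")

@dataclass
class MalwareName:
    malware_type: str            # step 1, e.g. Trojan
    platform: str                # step 2, e.g. OSX
    family: str                  # step 3, the discoverer's name
    variant: Optional[str]       # step 4, A..Z, AA..ZZ, ...
    aliases: List[str]           # step 5, the 'aka' details

    def canonical(self) -> str:
        """Period-separated form with the details in trailing parentheses."""
        name = f"{self.malware_type}.{self.platform}.{self.family}"
        if self.variant:
            name += f".{self.variant}"
        if self.aliases:
            name += " (" + ", ".join("aka " + a for a in self.aliases) + ")"
        return name

    def strict_caro(self) -> bool:
        """CARO forbids white space in the full name, so 'MAC Defender' fails."""
        return re.search(r"\s", self.family) is None

def parse_name(raw: str) -> MalwareName:
    """Split a vendor-style name into CARO components; reject anything else."""
    raw, aliases = raw.strip(), []
    if m := _DETAILS_RE.match(raw):              # peel off '(aka ..., aka ...)'
        raw = m["name"]
        aliases = [re.sub(r"^\s*aka\s+", "", a).strip().rstrip(".")
                   for a in m["details"].split(",") if a.strip()]
    m = _NAME_RE.match(raw)
    if not m:
        raise ValueError(f"not a CARO-style name: {raw!r}")
    return MalwareName(m["type"], m["platform"], m["family"], m["variant"], aliases)

def variant_index(variant: str) -> int:
    """A..Z -> 1..26, AA -> 27, AB -> 28, ... (the ordering in step 4)."""
    n = 0
    for ch in variant:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n
```

Feeding the three vendor spellings of the same name through parse_name() and comparing canonical() output is one way to collapse the duplicate entries you see on a multi-engine report.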

I hope my lecture was helpful. ;-)


Thursday, June 2, 2011

XProtect from Apple,
New MAC Defender variant:
Excellent Summary from Sophos!

Early this AM Sophos published an EXCELLENT article about Apple's XProtect software. XProtect is part of Mac OS X 10.6 Snow Leopard (not 10.5 Leopard, sorry). It was updated as part of Apple Security Update 2011-003 this past week. It now automatically checks every 24 hours for new malware signatures from Apple. It's terrific! Except the malware rats immediately responded with a new workaround version of the MAC Defender (the correct spelling) Trojan horse series. And that sucks.

Read all about it!

Apple to malware authors: Tag, you're It!

. . . Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.
If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions. . .
Keep in mind folks that this is a series of Trojan horses. Our computer's worst security flaw isn't Mac OS X! It's you and me. WE install Trojan horses, not our computer. Trojan horses are the bane of EVERY computer. Every Windows box, every Mac, every Linux box, etc., is vulnerable to Trojan horses.

Therefore, the 'Security Through Obscurity' ignorant FUD trolls can take a nap. Trojan horses do not apply. (And why is that? Read the paragraph above over and over until it sinks into your empty troll heads).

What IS new is that social engineering malware rats have hit the Mac in a persistent wave. If Mac LUSERS weren't falling for their fake anti-malware, they wouldn't bother. It's time for we the Mac users to grow up and pay attention to EVERYTHING we click and EVERYTHING we install.

There are psychopaths (aka malware rats, Neo-Con-Jobs, TardPartiers, The Red Hacker Alliance, etc.) out there in the world. They want EVERYTHING they can lay their self-destructive claws and fangs on. Nothing is sacred. We are the target, as well as themselves. That munching sound is them eating your computer, while their own insecurities eat them.