Showing posts with label SANS Institute. Show all posts
Wednesday, May 4, 2011
FAKE "MAC Defender" Scamware Attack via infected Webpages
What is 'scamware'? (Also known as 'rogueware'). It is a form of malware that pretends to be something it is NOT in order to use social engineering / LUSER behavior to get you to install actual malware. The most numerous kind of scamware occurs on the Internet where you visit a web page and start getting bombarded with messages on your screen that you have been "INFECTED" with whatever, when in fact you have NOT. If you are, let's be blunt, foolish enough to allow your web browser to automatically download software, or even worse, if you allow your web browser to actually OPEN what you automatically download, you're a prime sucker for scamware. Don't do that!
This is the very first instance of actual working scamware for Mac OS X that I am aware of. The most excellent SANS NewsBites Volume 13 Number 35 newsletter issue provides an announcement of the situation as well as resource links. You can sign up for the free SANS newsletters HERE. (I occasionally have disagreements with SANS over their FUD publishing and spelling, but overall they're a terrific resource).
DETAILS
The Scamware: "MAC Defender" (Note the spelling difference from 'MacDefender', which is an actual program developed in Germany, sadly hurt by bad publicity created due to the 'MAC Defender' scamware).
The Infection Vector: Web pages.
The Setup:
1) Through nefarious means, the scamware tosses messages on your screen that your Mac has been infected with something. It insists that you pay $money$ to install the scamware Trojan horse in order to remove the fake 'infection'. Here is an illustration kindly provided by PCWorld.com.
2) If you foolishly allow your web browser to download software, the infected web page will IMMEDIATELY auto-download the Trojan horse to your Mac. THIS IS BAD!
3) If you foolishly allow your web browser to open software it has automatically downloaded, the Trojan horse will automatically open. THIS IS VERY BAD!
4) If you happily never allow auto-anything, then you could still be coerced into clicking the download link for the scamware Trojan horse. Worse yet, you might even open the Trojan horse on your computer. DON'T DO THAT!
At the moment, this scamware attack is occurring at a variety of web pages related to the killing of terrorism scourge Osama Bin Laden. Be extra special watchful at such websites for this scamware.
The STING: You fork over $money$ and your CREDIT CARD information for what is worthless garbage software that does nothing at all. Your credit card has just been stolen.
Note how I still call this scamware a 'Trojan horse'. There are two reasons why. First, it's not what it pretends to be, despite it being an 'empty' Trojan horse. Second, the scamware could easily contain one of the current actual Mac OS X Trojan horses, three of which are capable of botting your Mac. And that's very very bad.
How to Protect Yourself:
A) The Second Rule of Computing! Verify the authenticity and legitimacy of absolutely every piece of software you are tempted to install. In this case, you'll save yourself from spending $money$ on worthless garbage and from handing over your credit card information. Also, seeing as there are currently 28 different Trojan horses for Mac OS X, (26 actually, if you exclude the hacker tools), you'll be preventing yourself from getting infected for real.
Adding to SANS Editor Northcutt's comments in NewsBites, dangerous malware can be hidden in nearly any piece of software. This includes anything you are sent (via email or chat, etc.) or anything at any Internet location.
B) Don't auto anything! That means no auto-download or auto-open. Turn all such features OFF in your web browsers and other Internet related applications. (All such features should be removed from all programs as they are inherently dangerous).
C) Use a decent anti-malware application to protect you from infected web pages. As usual, I recommend Intego VirusBarrier X6, which I own and use and enjoy (usually) and want to marry. When you connect to a potentially dangerous web page, VirusBarrier stops it from loading and warns you of a detected threat. You are able to choose to ignore, block, or add the page to your 'Trusted Sites'.
Here are links with further details for your reading pleasure:
Fake AV Targets Mac OS X Through Poisoned Search Links
Fake "MAC Defender" antivirus app scams users for money, CC numbers
Fake security software takes aim at Mac users
Intego Security Memo – MAC Defender Fake Antivirus Program Targets Mac Users
Fake "MAC Defender" Brings Malware to Macs
Bogus MAC Defender malware campaign targets Mac users using Google Images
Apple Support Communities: Search for 'MACDefender'
(Please note that I corrected the name of this scamware in a few of the titles above. I see no point in perpetuating misspelling. Thank you as ever to Intego and ars technica for correct spelling ;-).
Tuesday, April 12, 2011
Warning: New Adobe Flash Flaw
--
You can sign up for the SANS Institute newsletters HERE.
Another month, another Adobe Flash security flaw. The following is a full quote from the most excellent SANS NewsBites Vol. 13 Number 29:
--Adobe Warns of Zero-Day Flaw in Flash
(April 11, 2011)
Adobe has issued a warning of a zero-day vulnerability in Flash Player that is being actively exploited in targeted attacks. The vulnerability can be used to take control of computers or to cause them to crash. The attack is spreading as a Flash (.swf) file embedded in a Microsoft Word (.doc) file that arrives as an attachment. Adobe did not say when a patch will be available.
Internet Storm Center:
http://isc.sans.edu/diary/Yet+another+Adobe+Flash+Reader+Acrobat+0+day/10696
http://news.cnet.com/8301-27080_3-20052894-245.html?tag=mncol;title
http://www.zdnet.com/blog/security/adobe-warns-of-new-flash-player-zero-day-attack/8524
http://www.computerworld.com/s/article/921572/Adobe_confirms_critical_Flash_zero_day_bug
[Editor's Note (Ullrich): In the past, I have observed users using Flash games embedded in Excel and Word documents to bypass corporate controls to prevent users from running these games. It may be a good awareness item to note the particular danger of these embedded flash files.]
I've also been reading about computers being PWNed via infected PDFs and Flash embedded in Excel spreadsheets.
My advice continues to be adherence to the Rules of Computing #1 and #2:
1) Make A Backup. Every day. Two of them. One on site. One off site.
2) Verify every file and application you receive or gather off the Internet as LEGITIMATE before you open it. That means doing homework. It's worth it.
Then add to that:
A) Avoidance of automatically running anything embedded in PDFs or Excel or Word or PowerPoint presentations you receive. Make sure YOU are in control of what runs when and where. No automatic anything. Make yourself the boss of your computer. The LUSER Factor remains a large problem for all of us. But we humans have a lot better scrutiny than a brainless computer program.
B) Don't Use Flash! Or at the very least use one of the many great utilities to stop Flash from running until YOU decide you want to run it. Also use utilities that KILL Flash cookies. These utilities include: the Safari Cookies extension, ClickToFlash, the Flashblock add-on for Firefox, the NoScript add-on for Firefox, and the FlashFrozen application.
OF INTEREST: I read this week about a new Adobe initiative that will allow combining Flash with PHP in order to create non-Adobe Air apps for smart phones and all iOS devices. My initial response, knowing the poor security of both technologies, is OMFG. But rather than get all FUDed out, let's simply see what happens.
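Added example, not code from this post, SANS or Adobe: a Python scan for the vector the advisory describes, an SWF file embedded in a Word/Excel attachment, based on the 8-byte SWF header (FWS/CWS/ZWS signature, version, little-endian length). The sample document bytes are constructed here; the scan is a raw byte search over a legacy OLE .doc/.xls, not an OLE parser, so an OOXML (.docx) zip would need unpacking first.

```python
"""Byte-level scan for a Flash (SWF) file hidden inside an Office attachment.

Added example, not code from the original post, SANS or Adobe. It looks for the
8-byte SWF header (FWS/CWS/ZWS signature, version, little-endian length) anywhere
in a blob, which is enough for a raw SWF object stored in a legacy .doc/.xls OLE
container. OOXML (.docx) is a zip and would need unpacking first. All sample
bytes below are constructed here, not taken from a real attachment.
"""
import struct
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib body (Flash 6+), ZWS = LZMA body.
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
HEADER_LEN = 8     # 3-byte magic + 1-byte version + 4-byte LE uncompressed length
MIN_SWF_LEN = 13   # header + smallest RECT + frame rate + frame count
MAX_VERSION = 60   # Flash 10 was current in 2011; anything far above is junk


def find_embedded_swf(data: bytes):
    """Return plausible SWF headers found in `data`, sorted by offset.

    Plausibility checks stop text like "...the FWS team..." from matching:
    the version byte must be sane and the declared length must fit.
    """
    hits = []
    for magic, kind in SWF_MAGICS.items():
        pos = data.find(magic)
        while pos >= 0:
            if pos + HEADER_LEN < len(data):
                version = data[pos + 3]
                declared_len = struct.unpack_from("<I", data, pos + 4)[0]
                ok = 1 <= version <= MAX_VERSION and declared_len >= MIN_SWF_LEN
                if ok and magic == b"FWS":
                    # uncompressed: declared length cannot exceed the bytes left
                    ok = declared_len <= len(data) - pos
                if ok and magic == b"CWS":
                    # a zlib stream must follow: CMF byte 0x78 (deflate, 32K window)
                    ok = data[pos + HEADER_LEN] == 0x78
                if ok:
                    hits.append({"offset": pos, "kind": kind,
                                 "version": version, "declared_len": declared_len})
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def verdict(filename: str, data: bytes) -> str:
    """'suspicious' for the advisory's vector (SWF inside a legacy Office file),
    'noted' for an SWF found anywhere else, 'clean' otherwise."""
    if not find_embedded_swf(data):
        return "clean"
    legacy_office = filename.lower().endswith((".doc", ".xls", ".ppt"))
    return "suspicious" if legacy_office else "noted"


def make_sample_swf(compressed: bool) -> bytes:
    """Constructed minimal SWF: empty RECT, 12 fps, one frame, End tag (15 bytes)."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    header = bytes([10]) + struct.pack("<I", HEADER_LEN + len(body))
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


def make_sample_doc(swf: bytes) -> bytes:
    """Constructed stand-in for a .doc: OLE2 magic, filler, the SWF object, filler."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"\x00" * 504 + swf + b"\x00" * 64


if __name__ == "__main__":
    doc = make_sample_doc(make_sample_swf(compressed=True))
    print(verdict("invoice.doc", doc), find_embedded_swf(doc))
    print(verdict("notes.txt", b"Minutes of the FWS team meeting, 2011-04-11"))
```

A mail gateway or endpoint scanner can apply the same header check to every attachment; the false-positive filter matters because the three-letter signatures occur in ordinary text.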
Stay safe. Stay secure. Laugh at the FUD. Enjoy the facts.
:-Derek
--
Wednesday, November 10, 2010
Firesheep Wi-Fi Warz
--
The Sheeple Are Burning
October 25 a hacker tool was released for Firefox in the form of an add-on called Firesheep. It is extremely easy to install and use on Mac, Linux and Windows versions of Firefox. (I will not provide the link. Sorry.) It lets casual Firefox web browser users spy on and doppelganger anyone who is connected to the Internet via a shared, open Wi-Fi connection. Simply connect your computer to the same open Wi-Fi connection and commence surveillance and identity theft.
It performs its dirty deeds by way of co-opting the cookies being sent in the clear from any victim's computer. It is not a thorough form of identity theft, but it is adequate while the hacker's computer remains within that open Wi-Fi connection. IDs and passwords are typically not sent in the clear. However, the Firesheep add-on is able to copy out of the air the cookies any user is sending to any website. The contents of the cookies may remain completely incomprehensible to the hacker. All that is required is the contents of that cookie in order to literally "BE" the intercepted victim. This means the hacker can access any active website connections and fake being that person through the use of their intercepted cookies. The hacker can do ANYTHING on those websites AS the victim. If at any point the website asks for password verification, such as when buying items from Amazon.com, the hacker is thwarted. Their identity theft stops dead at that point. However, anything else goes. This can create incredible havoc on the Internet.
At the point in time of this article being posted, well over HALF A MILLION PEOPLE have downloaded Firesheep. That essentially says it is becoming universal, endangering ALL unencrypted Wi-Fi connections to the Internet. And that was the purpose of creating and providing this add-on to the entire computer community.
The creator of this hacker tool is a Black Hat, which is to say that he bulldozes improvements in computer security by providing the means of exploiting a security hole to the world at large without any prior warning to anyone. To use a very mild metaphor, it is the equivalent of 'Tough Love' for computer users and software developers. In this case the desired effect is to lock up ALL Wi-Fi connections via encryption, ending forever open Wi-Fi connections.
There are two cures for this dilemma:
1) All websites must provide SSL encrypted connections at all times, not simply when a user logs in. This means that all websites would stop using merely HTTP connections and instead use only HTTPS connections between themselves and their users. This adds some minor overhead burdens but is entirely feasible. How long it will take the entire World Wide Web to catch up is the big question. The hope is that it will be immediate. But we're dealing with humanity here, therefore...
2) All Wi-Fi connections must require WPA account encryption. This means that all users of an 'open' Wi-Fi connection site must have and use a password in order to access the Wi-Fi hub. Surprisingly, this is an incredibly simple thing to do with nearly all modern routers. (Older routers that only use WEP encryption are SOL). Everyone making a connection to the router can use the exact same password! Routers know the MAC address of every device that connects to them. This allows them to keep each and every connection entirely separate. The fact that each connection uses the same password provides almost perfect separation of users while providing unbreakable (at this time anyway) encryption.
Here's how cure #2 would work at Starbucks: A simple sign is provided at the counter that says something to the effect of "To access Starbucks' Wi-Fi connection, please use the password 'starbucks'." That's it! Simple.
Since Firesheep was let loose for the average computer user, there have been plenty of happy stories of users speaking to the manager of shops that provide free Wi-Fi and asking them to turn on WPA account encryption. For anyone familiar with setting up Wi-Fi routers, turning on WPA is trivial. The shop managers have been happily changing their router setup and killing off the Firesheep threat. I strongly suggest that you do the same EVERYWHERE you go with your Wi-Fi device.
WEP encryption, unfortunately, was created in haste and provides NO SECURITY. It is trivial for hackers to obtain tools that can break into WEP encryption within less than a minute. It is expected, in fact, that future versions of Firesheep or similar hacker tools will include a WEP cracking tool.
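As an added example, not from this post or from the Firesheep/Blacksheep projects, here is a Python check of the server-side fix behind cure #1: a session cookie set without the Secure attribute is sent by the browser on plain http:// requests too, which is exactly what gets copied off open Wi-Fi, so the audit flags such cookies and also looks for the Strict-Transport-Security header that keeps browsers on HTTPS. The two HTTP responses are constructed samples, one before and one after the fix.

```python
"""Check whether a site's session cookies could be harvested off open Wi-Fi.

Added example, not from the original post or from the Firesheep/Blacksheep
projects. It implements the server-side check behind cure #1: a session
cookie without the Secure attribute is sent by the browser on plain http://
requests as well, so on an open Wi-Fi network anyone nearby can copy it and
replay it as you. Both HTTP responses below are constructed samples.
"""
from http.cookies import SimpleCookie

# Names that usually mark the cookie which *is* the logged-in identity.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed: a site that sets its session cookie without Secure or HSTS.
RAW_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=f00dcafe; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same site after the fix (Secure flag + HSTS header).
RAW_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessionid=f00dcafe; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookies(raw: str):
    """One finding per cookie; 'exposed' means a session-like cookie that the
    browser will also send over plain HTTP, i.e. what Firesheep collects."""
    _, headers = parse_response(raw)
    hsts = any(name == "strict-transport-security" for name, _ in headers)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)          # parses attributes incl. Secure / HttpOnly flags
        for key, morsel in jar.items():
            session_like = any(h in key.lower() for h in SESSION_HINTS)
            secure = bool(morsel["secure"])
            findings.append({
                "cookie": key,
                "session_like": session_like,
                "secure": secure,
                "httponly": bool(morsel["httponly"]),
                "hsts": hsts,
                "exposed": session_like and not secure,
            })
    return findings


def grade(raw: str) -> str:
    """'exposed' if any session cookie travels in the clear, 'no-hsts' if cookies
    are Secure but the site never forces HTTPS, 'ok' otherwise."""
    findings = audit_cookies(raw)
    if any(f["exposed"] for f in findings):
        return "exposed"
    if findings and not findings[0]["hsts"]:
        return "no-hsts"
    return "ok"


if __name__ == "__main__":
    for label, raw in (("before", RAW_WEAK), ("after", RAW_FIXED)):
        print(label, grade(raw), [(f["cookie"], f["exposed"]) for f in audit_cookies(raw)])
```

Note that HttpOnly alone does not help here: it stops scripts from reading the cookie, but the browser still transmits it over HTTP unless Secure is set.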

The Next Best Thing To A Cure
I knew further shoes were going to drop regarding this subject. I just found out this evening that a helper tool has been provided by Zscaler that can warn you when there are Firesheep prowling around in an open Wi-Fi connection. Once again it is a Firefox add-on. Its name is Blacksheep. (Why black? Read back in the article about Black Hat hackers.)
The Blacksheep add-on page provides instructions and a video showing it in action.
Below is a quote from our pals at the SANS Institute from SANS NewsBites Vol. 12 Num. 89:
--Firefox Extension Warns users When Others are Using FireSheep (November 8, 2010)
Researchers have released an extension for Firefox that detects when computers on a local area network are using FireSheep, a tool that steals unencrypted cookies from websites. Called BlackSheep, the extension alerts users by displaying a message telling them that someone is using FireSheep and providing the LAN IP address of the FireSheep user. FireSheep was created and released to draw attention to the lack of encryption for session cookies on many popular websites.
http://www.theregister.co.uk/2010/11/08/firesheep_detection_tool/
[Editor's Note (Northcutt): Interesting, dueling plug-ins. For the moment this is quite limited as you can install FireSheep and BlackSheep on the same computer only if you use different Firefox profiles. The duel would be over unencrypted LANs:
http://www.zscaler.com/blacksheep.html ]
Also of interest: Microsoft, Intego and other anti-malware providers have added Firesheep to their list of detected 'malware'. This is IMHO a weak move as Firesheep is NOT malware. It is a hacker tool that requires deliberate installation by the hacker and has no user-based malware behavior whatsoever. However, parents or employers would be interested to know about the hacker behavior of their children or employees.
Do NOT consider Blacksheep to be any kind of cure! It is merely a defensive tool when you're STUCK at an unencrypted Wi-Fi spot, such as the Airport or wherever they are too clueless to turn on WPA encryption, or they don't know how, or they're stuck with worthless WEP encryption on their router. Do NOT consider Blacksheep to be thorough defense! It is not. I personally would only use it out of desperation.
The single best defenses against having your cookies stolen and your ID doppelgangered when you're STUCK in an open Wi-Fi spot are to:
1) Never log into anywhere that does not provide end-to-end HTTPS/SSL encryption. An example would be Google's GMail. You can't turn off HTTPS at the GMail site if you try! That's the way it should be everywhere.
2) Remember that eMail provides NO SECURITY apart from possibly an SSL connection to and from your eMail server. Otherwise, everything you email is in the clear for anyone to read. These days I think of some dorky, bored CIA/NEA/FBI human intercepting everything I email and reading it. I even write them little notes from time to time to set off their keyword alarms just to wake them up. Unconstitutional as it is to invade any US citizen's privacy, the Bush League set the precedence for breaking the law anyway, and sadly the Obama administration is goose stepping right along to the same deranged tune. I have further rants on such subjects at my zunipus blog.

The safest thing to do when you're STUCK at an open Wi-Fi spot is to merely browse happy, smiley, shiny websites for fun, not for work, not for financial interactions, not anywhere a hacker could steal your identity. With Firesheep they are you anywhere you go on the web.
Stay safe kids! And watch out for sheep.
;-Derek
--
Smartphone Bank App Security Problems
--
The benefit of Apple having a closed App Store is their scrutiny of all applications submitted. This has helped maintain a superior security record for the iPhone versus any Android phone. However, a big hole in Apple's vetting system has become evident whereby all smartphone users have been put in danger by poorly designed and coded banking applications. Thank you to the SANS Institute for bringing this issue to my attention in SANS NewsBites Vol. 12 Num. 89:
--Security Flaws in Smartphone Banking Apps (November 5, 2010)
Researchers have found that several banking applications for Android and iPhone contain security flaws that store account information in plaintext. Attackers could potentially steal sensitive data by luring users to maliciously crafted websites designed to find the information. Of the seven applications inspected in the study, just one, from the Vanguard Group, did not store information in plaintext. The institutions were notified of the problems and reportedly have taken steps to fix the flaws.
http://www.wired.com/threatlevel/2010/11/bank-apps-for-phones/
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200291
[Editor's Note (Pescatore): The Android phone world seems to be trying to compete with the iPhone by saying "Droid does anything - no restrictive App Store." The reality is that the Apple iPhone could actually compete by making the bar a bit higher for iPhone apps, to make sure that the apps don't do silly things like storing account info or passwords in the clear on the phone. I think users are very comfortable with "only" having 20 Tetris games to choose from if they know that none of the 20 are going to send their information to identity thieves.]
Dear Apple,
Please vet submitted Apps more thoroughly for security flaws. Much appreciated!
Dear Google,
'Anything goes' does not trump application security.
--