Archive for Trojan

Today’s Mac Trojan Uses MS Word To Do Its Evil Deeds….. Fanbois Now Hysterical

Posted in Commentary with tags , , on April 17, 2012 by itnerd

It just gets worse for Mac users. ZDNet is reporting that a new Mac Trojan is making the rounds, and it uses an MS Word exploit to get onto your system and run amok:

The new version of the Trojan uses malformed Word documents to open a backdoor for remote hackers to steal information or install further code. Just like many recent variants of Mac-specific Trojans, OS X users may be caught off guard as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac.

One key point: it doesn’t require any user interaction other than opening the malicious Word document. So how do you protect yourself? Make sure that your copy of Office for Mac is up to date. The exploit that this Trojan uses dates back to 2009, so if you’re patched, this particular document can’t get its backdoor onto your system. That protects you against this delivery method only, so it shouldn’t stop you from running an anti-virus application as well. I’ll be posting a list of such applications later today. Watch for it.

In the meantime, Mac fanbois will continue to weep openly now that their myth of Mac superiority in the security realm is proven to be false.

Another Day, Another Mac Trojan….. Mac Fanbois Weep

Posted in Commentary with tags , , on April 16, 2012 by itnerd

So, hot on the heels of the Flashback Trojan comes news of another Trojan. Called SabPub, this one is interesting according to a blog post:

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.

So far it appears that not many Macs are affected by this (yet), but those that do not have the latest Java updates from Apple are potential targets. So the message is clear: update your Mac with the latest version of Java, and run an anti-virus product as well. I will be compiling a list of such products in the next day or so, so that you know what options are available to you.

So Mac fanbois, are you feeling smug these days about the security of your operating system?

Antivirus Firms Come To The Rescue Of Flashback Infected Mac Users… Where’s Apple? [UPDATED x2]

Posted in Commentary with tags , , on April 12, 2012 by itnerd

When I last talked about the Flashback Trojan that has infected as many as half a million Macs, detection tools were few and removal was difficult. Now it appears that antivirus makers are starting to come to the rescue. Here’s a list of the ones that I am aware of:

  • F-Secure has a tool called the Flashback Removal Tool. Simply download and run it and follow the instructions. Simple and effective.
  • Kaspersky has announced an online tool to detect the Trojan and another tool to remove it.
  • The latest version of Sophos will detect Flashback according to their blog.

So the question is, where is Apple in all of this? I did mention in my previous post that they are working on something to detect and kill the Trojan. But surely they have to put a rush on this, as it will be hard to stop if it continues to spread. Not to mention the fact that the negative press isn’t helping them to sell computers.

So Apple, when are you going to step up?

UPDATE: Apple steps up today with this Java update that removes the most common variants of Flashback.

UPDATE #2: The above link is for Lion users with Java installed only. If that’s not you, then you need to click this link to get a removal tool that works for your configuration.

Flashback: The First Widespread Trojan On The Mac Platform [UPDATED x2]

Posted in Commentary with tags , , on April 10, 2012 by itnerd

So Mac users, still think you’re safe? Think again. The Flashback Trojan may already be on your system. So far it’s said to have infected 500,000 Macs and the number is likely growing. To see if you’re one of those 500,000 who are infected, here are some instructions on how to detect and remove the Trojan. I’ll warn you that it requires you to use terminal commands, so it’s not something that’s for novice users.
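The detection instructions the post points to are not reproduced here. The check they rely on, as published by F-Secure at the time, is whether Safari’s Info.plist carries a DYLD_INSERT_LIBRARIES entry under LSEnvironment, or whether the per-user ~/.MacOSX/environment.plist carries one at the top level; that environment variable is how Flashback got its library loaded into the browser. The following is an added example (not code from the original post, from Apple or from any vendor tool) that performs that check on plist data with Python’s plistlib. The sample plists and the dylib paths in them are constructed for illustration; the only real file paths are the two named in the comment at the bottom.

```python
"""Look for DYLD_INSERT_LIBRARIES persistence in macOS property lists.

A clean Safari Info.plist has no LSEnvironment dictionary at all, and a
clean user normally has no ~/.MacOSX/environment.plist. Either file naming
a library in DYLD_INSERT_LIBRARIES means something is being injected into
every process that environment applies to.
"""
import os
import plistlib
from typing import Dict, Iterable, List
from xml.parsers.expat import ExpatError

# Constructed sample data for the example; not captured from a real machine.
CLEAN_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
})

INFECTED_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
    # Hypothetical injected library path (constructed for this example).
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.example.dylib"},
})

# environment.plist layout: the variable sits at the top level, and the
# value is a colon-separated list (two hypothetical paths here).
INFECTED_ENV_PLIST = plistlib.dumps({
    "DYLD_INSERT_LIBRARIES": "/Users/Shared/.a.dylib:/Users/Shared/.b.dylib",
})


def injected_libraries(plist_data: bytes) -> List[str]:
    """Return every library path a DYLD_INSERT_LIBRARIES entry would load.

    Checks both layouts: top level (environment.plist) and inside
    LSEnvironment (application Info.plist). Unparseable input yields [].
    """
    try:
        plist = plistlib.loads(plist_data)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return []
    if not isinstance(plist, dict):
        return []

    sections = [plist]
    ls_env = plist.get("LSEnvironment")
    if isinstance(ls_env, dict):
        sections.append(ls_env)

    found: List[str] = []
    for section in sections:
        value = section.get("DYLD_INSERT_LIBRARIES")
        if isinstance(value, str):
            found.extend(path for path in value.split(":") if path)
    return found


def scan(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each plist name to its injected libraries; only hits are returned."""
    hits: Dict[str, List[str]] = {}
    for name, data in plists.items():
        libs = injected_libraries(data)
        if libs:
            hits[name] = libs
    return hits


def scan_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Same check against files on disk; files that do not exist are skipped,
    which is the expected (clean) state for ~/.MacOSX/environment.plist."""
    plists: Dict[str, bytes] = {}
    for path in paths:
        try:
            with open(os.path.expanduser(path), "rb") as fh:
                plists[path] = fh.read()
        except FileNotFoundError:
            continue
    return scan(plists)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(scan({
        "clean Safari Info.plist": CLEAN_INFO_PLIST,
        "Safari Info.plist": INFECTED_INFO_PLIST,
        "environment.plist": INFECTED_ENV_PLIST,
    }))
    # On a Mac of the era the real check is the same call against:
    #   /Applications/Safari.app/Contents/Info.plist
    #   ~/.MacOSX/environment.plist
```

A clean result from this check is not proof of a clean machine: it only covers the persistence locations F-Secure’s instructions name, and later variants also targeted Firefox’s Info.plist in the same way. Treat a hit as a confirmed infection and a miss as one negative indicator.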

So let’s say you’re not infected, how do you protect yourself? Here’s a list of things you can do:

  1. Install the latest Java update for Macs. You can get it via Software Update or you can download it here.
  2. Run an anti-virus app. I’ve got an article about a free one from Sophos here.
  3. If you’re really paranoid, consider disabling Java as very few Mac applications need it. The Java Preferences utility is in /Applications/Utilities; uncheck the boxes next to the versions listed in the General tab.

Clearly this is a legitimate threat to the Mac platform, which means the days of making fun of PC users are over…. Although I’ve argued for a while that the party was over years ago.

UPDATE: Ars Technica notes that a new utility called Flashback Checker will help novice users check to see if they have this Trojan. It won’t help you to get rid of it, but it is a start.

UPDATE #2: Better late than never I suppose. Apple has posted a document on Flashback and they are apparently developing software to detect and remove Flashback.

I Got A Call From A Customer Of Mine Last Night…..

Posted in Commentary with tags , on April 14, 2009 by itnerd

Apparently he was getting a prompt for an anti-virus scanner called System Protector. The thing is that he never purchased it, and it was telling him that he had to pay for it to get rid of all of the viruses that it was finding. This is clearly a rogue application. Wikipedia defines a rogue application as:

Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent malware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions.

Pretty sneaky. I’ve dealt with a lot of this sort of thing over the years. Sadly, this is becoming more commonplace.

So I was pretty sure that my customer had somehow gotten a trojan horse (or more than one) onto his Windows XP computer, and it downloaded this rogue application. I made arrangements to look at it today as this isn’t the sort of thing that can wait.

Once I got my hands on the computer, it was worse than I thought. It disabled any security software that was on the computer, plus I couldn’t use basic Windows functions such as bringing up task manager. So this was very serious. I researched the rogue application that was on the computer (as in this situation Google is your best friend) and came up with a plan to deal with the situation:

  1. By using Google, I used instructions from a variety of sources to disable the rogue application. I always read a variety of sources to make sure that whatever method I use to kill stuff like this is the correct course of action.
  2. Once the rogue application was gone, I had to tackle the trojan horses that were on the system. I used at least three up-to-date anti-virus scanners to make sure that the system was clean. That’s no joke. I use three scanners because each will get stuff that the others will miss. By the time I was done, I had removed 30 trojan horses.
  3. I then had to fix Windows. The trojans had done some work to stop things like task manager from working. So I had to repair that damage.
  4. I then had to figure out how all this stuff got onto the system. Since the system was pretty much up to date in terms of security patches, I knew it came from an application that was installed on the system. From interviewing the customer, I was able to deduce that the likely source was a file sharing application that the customer’s son had installed as the issue started within 24 hours of the application being installed. I removed the offending application. I wouldn’t want to be that kid who installed that file sharing app tonight.

Total time: four hours. I only charged the client for two, as most of my time was spent waiting for scanners to finish. So in my opinion it isn’t fair to charge the client for that “waiting time.”

So as you can see, I had an interesting day. But far from atypical for me.

I wonder what the next phone call will bring?

iWork ’09 Trojan Makes The Rounds Via BitTorrent [UPDATED]

Posted in Commentary with tags , , on January 23, 2009 by itnerd

If you’re trying to acquire a pirated copy of iWork ’09 via BitTorrent for your Mac, I’d think twice about doing that. There’s a trojan that seems to be hitching a ride along with your “less than legal” copy of iWork ’09. It appears to connect to a remote system, which apparently sends commands to the infected machine to scan for sensitive information, track where the user goes on the Internet, record what the user types in, etc.

Two companies have stepped up to the plate to protect users. SecureMac has released a free iWorkServices Trojan Removal Tool called iWorkServicesTrojanRemovalTool.dmg. Symantec has also released a free removal application that you can use if you’ve installed a pirated copy of iWork ’09. If you got your copy of iWork ’09 via BitTorrent, I’d be downloading one of these applications and running it ASAP.

Oh yeah, don’t download pirated software. The risk isn’t worth it to save a few bucks.

UPDATE: A variant of this trojan has now appeared in pirated copies of Photoshop on BitTorrent.

Yet Another Apple Trojan In The Wild!

Posted in Security with tags , , on June 23, 2008 by itnerd

It seems that everyone and their dog is writing a Trojan to take advantage of the Apple Remote Desktop vulnerability that I posted about last week. This one is called OSX/Hovdy-A and does the following:

“When run the Trojan will attempt to install itself to the /Library/Caches folder and perform the following tasks:

– disable system logging and delete system log files
– start PHPShell and web server
– start ARD, VNC and SSH services
– disable system updates
– open ports in the firewall
– disable third party security software
– steal various password hashes and keys which may be used to compromise other systems

OSX/Hovdy-A will also attempt to use the ARDAgent vulnerability to obtain root access.”

Since it is a Trojan, it needs you to run it so it can do its evil work. So I will say it again… Never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

Nasty MacOS X Trojans In The Wild….. Oh Noes!

Posted in Security with tags , , on June 20, 2008 by itnerd

The word on the street is that a trojan now exists for MacOS X that exploits a “root” vulnerability in Apple Remote Desktop Agent in Mac OS X 10.4 and 10.5:

“The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.”

The Apple Remote Desktop Agent that this article speaks of is the piece of software built into MacOS X that allows your computer to be controlled from another computer. The details of the vulnerability in question have been discussed at length at Slashdot. If you’re a home user, you’d likely never need this aspect of Mac OS X, so I would follow these directions to protect yourself.

A second trojan disguises itself as a poker game to get onto your system. Once there, it does the following:

“The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.”

This sounds nasty, but it requires your interaction to do any sort of damage. Therefore you need to practice safe computing and never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

Now that Apple has raised the profile of the Mac, you can fully expect to see more of this as hackers and script kiddies target the Mac. Hopefully Apple steps up its game to keep its user base safe. Given that it has been criticized in the past for not doing that, I hope this forces them to improve their response to issues like these.