Archive for virus

Hacked Macs Create The First Mac Based Botnet…. Or Is That An iBotnet?

Posted in Commentary with tags , on April 16, 2009 by itnerd

ZDNet has a story about a discovery by Symantec of an all-Mac based botnet that is actively involved in a DoS attack:

Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants – OSX.Iservice and OSX.Iservice.B – using different techniques to obtain the user’s password and take control of the infected Mac machine.

The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.

While this proves that Macs are not immune to being hacked, there are some things to consider. This requires user intervention in the form of installing pirated software, rather than it sneaking on to the Mac which tends to happen with Windows machines. This is a great time to mention that downloading pirated software is a dumb thing to do on ANY platform. But I digress. The hackers can’t take control of the computer the virus is running on, rather it attacks other computers. So while this is a threat, it’s not as bad as some of the stuff that you see on the Windows platform.

At least not yet.

I Got A Call From A Customer Of Mine Last Night…..

Posted in Commentary with tags , on April 14, 2009 by itnerd

Apparently he was getting a prompt for an anti-virus scanner called System Protector. The thing is that he never purchased it, and it is telling him that he has to pay for it to get rid of all of the viruses that it was finding. This is clearly a rogue application. Wikipedia defines a rogue application as:

Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent malware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions.

Pretty sneaky. I’ve dealt with a lot of this sort of thing over the years. Sadly, this is becoming more commonplace.

So I was pretty sure that my customer had somehow gotten a trojan horse (or more than one) onto his Windows XP computer, and it downloaded this rogue application. I made arrangements to look at it today as this isn’t the sort of thing that can wait.

Once I got my hands on the computer, it was worse than I thought. It disabled any security software that was on the computer, plus I couldn’t use basic Windows functions such as bringing up task manager. So this was very serious. I researched the rogue application that was on the computer (as in this situation Google is your best friend) and came up with a plan to deal with the situation:

  1. By using Google, I used instructions from a variety of sources to disable the rogue application. I always read a variety of sources to make sure that whatever method I use to kill stuff like this is the correct course of action.
  2. Once the rogue application was gone, I had to tackle the trojan horses that were on the system. I used at least three anti-virus scanners that are up to date to make sure that the system was clean. That’s no joke. I use three scanners because each will get stuff that the others will miss. By the time I was done, I had removed 30 trojan horses.
  3. I then had to fix Windows. The trojans had done some work to stop things like task manager from working. So I had to repair that damage.
  4. I then had to figure out how all this stuff got onto the system. Since the system was pretty much up to date in terms of security patches, I knew it came from an application that was installed on the system. From interviewing the customer, I was able to deduce that the likely source was a file sharing application that the customer’s son had installed as the issue started within 24 hours of the application being installed. I removed the offending application. I wouldn’t want to be that kid who installed that file sharing app tonight.

Total time: Four hours. I only charged the client 2 as most of my time was spent waiting for scanners to be finished. So in my opinion it isn’t fair to charge the client for that “waiting time.”

So as you can see, I had an interesting day. But far from atypical for me.

I wonder what the next phone call will bring?

Conficker May Actually Be Doing Something Very Evil As We Speak

Posted in Commentary with tags on April 9, 2009 by itnerd

If you thought you were out of the woods with Conficker because April 1st came and went, think again. According to a news.com article, it seems that Conficker has started doing something that may be potentially evil:

The Conficker worm is finally doing something–updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

An encrypted payload is being shoved onto infected computers? That doesn’t sound good. There’s more though:

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.

So it sounds like this virus was merely a delivery system for the real threat. That’s scary. If you’re concerned (and you should be), take a look at this article that I wrote about this virus to see how you can protect yourself.

So It’s April 1st And The Planet Hasn’t Imploded Because Of Conficker…..

Posted in Security, Tips with tags on April 1, 2009 by itnerd

… Does that mean that we’re out of the woods? I say that we’re not. Viruses with triggers have consistently failed to do anything on the date they were supposed to. Just look at the Michelangelo virus (1992), CIH (1999), SoBig (2003), and MyDoom (2004) for examples of this. But you never know.

To that end, I spent yesterday running around making sure my clients’ computers were clean of the notorious virus and making sure they have all the latest Microsoft updates installed. So I can say that at least my clients are protected from whatever this is. Now I have to catch up on my blogging.

🙂

I’ve pointed out some good resources on this virus in the past. So if you haven’t looked at them, you may want to now. In the meantime, we’ll see if this is much ado about nothing. Or if a Skynet like botnet is about to come on line.

Conficker: Everything You Need To Know

Posted in Security, Tips with tags on March 27, 2009 by itnerd

On April 1, a malicious piece of code called Conficker (A.K.A. Kido or Downup) is expected to try to connect to a control center and do “something.” Nobody knows what yet, but whatever it is, it can’t be good. Estimates say that as many as 10 million PCs are infected with this piece of code.

How do you protect yourself? I’d do the following:

  1. UPDATE YOUR COMPUTER! This is vital as the code gets in via unpatched computers. So run Windows Update ASAP.
  2. Scan your computer with an online virus scanner such as Trend Micro’s Housecall to make sure you’re clean.

What happens if you are infected? I would recommend calling a computer professional or checking these links from Symantec for removal instructions:

W32.Downadup.A writeup
W32.Downadup.B writeup
W32.Downadup.C writeup

There’s also this removal tool that I have mentioned previously.

If anybody has any other advice that can be helpful to users, please leave a comment and share your wisdom.

Infected By Downadup/Conficker? Finally There’s A Cure For You!

Posted in Security with tags on March 13, 2009 by itnerd

BitDefender has released a cure for the Downadup/Conficker virus, which currently holds the title of the most dangerous virus on the Internet. The virus exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in the Windows Server service; once on a machine, it disables the operating system update service, the Security Center (including Windows Defender), and error reporting.

According to BitDefender:

BitDefender is the first to offer a free tool which disinfects all versions of Downadup and is available for all infected users at: http://bdtools.net. This domain is the first to serve a removal tool without being blocked by the e-threat.

So if you’re in deep with this virus, you now have a way out.

iWork ’09 Trojan Makes The Rounds Via BitTorrent [UPDATED]

Posted in Commentary with tags , , on January 23, 2009 by itnerd

If you’re trying to acquire a pirated copy of iWork ’09 via BitTorrent for your Mac, I’d think twice about doing that. There’s a trojan that seems to be hitching a ride along with your “less than legal” copy of iWork ’09 that appears to connect to a remote system, which apparently sends commands to the infected machine to scan for sensitive information, track where the user goes on the Internet, record what the user types in, etc.

Two companies have stepped up to the plate to protect users. SecureMac has released a free iWorkServices Trojan Removal Tool called iWorkServicesTrojanRemovalTool.dmg. Symantec has also released a free removal application that you can use if you’ve installed a pirated copy of iWork ’09. If you got your copy of iWork ’09 via BitTorrent, I’d download one of these applications and run it ASAP.

Oh yeah, don’t download pirated software. The risk isn’t worth it to save a few bucks.

UPDATE: A variant of this trojan has now appeared in pirated copies of Photoshop on BitTorrent.

The iPhone Trojan That Isn’t A iPhone Trojan…Confused? Read On…

Posted in Security with tags , , on September 18, 2008 by itnerd

Now that the iPhone has become so widely popular, it was only a matter of time before somebody tried writing some sort of malware targeted towards iPhone users. According to Sophos, there’s now an iPhone trojan in the wild. Here’s the catch: it doesn’t actually run on the iPhone. Instead it promises to be a free iPhone game that you download to a Windows PC. From there it does nefarious things to your PC, like taking control of it. Mac users are (currently) unaffected by this trojan.

Removal instructions can be found here.

Yet Another Apple Trojan In The Wild!

Posted in Security with tags , , on June 23, 2008 by itnerd

It seems that everyone and their dog is writing a Trojan to take advantage of the Apple Remote Desktop vulnerability that I posted about last week. This one is called OSX/Hovdy and does the following:

“When run the Trojan will attempt to install itself to the /Library/Caches folder and perform the following tasks:

– disable system logging and delete system log files
– start PHPShell and web server
– start ARD, VNC and SSH services
– disable system updates
– open ports in the firewall
– disable third party security software
– steal various password hashes and keys which may be used to compromise other systems

OSX/Hovdy-A will also attempt to use the ARDAgent vulnerability to obtain root access.”

Since it is a Trojan, it needs you to run it so it can do its evil work. So I will say it again… Never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

Nasty MacOS X Trojans In The Wild….. Oh Noes!

Posted in Security with tags , , on June 20, 2008 by itnerd

The word on the street is that a trojan now exists for MacOS X that exploits a “root” vulnerability in Apple Remote Desktop Agent in Mac OS X 10.4 and 10.5:

“The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.”

The Apple Remote Desktop Agent that this article speaks of is the piece of software built into MacOS X that allows you to control your computer from another computer. The details of the vulnerability in question have been discussed at length at Slashdot. If you’re a home user, you’d likely never have to use this aspect of Mac OS X, so I would follow these directions to protect yourself.

A second trojan disguises itself as a poker game to get onto your system. Once there, it does the following:

“The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.”

This sounds nasty, but it requires your interaction to do any sort of damage. Therefore you need to practice safe computing and never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

Now that Apple has raised the profile of the Mac, you can fully expect to see more of this as hackers and script kiddies target the Mac. Hopefully Apple steps up its game to keep its user base safe. Given that it has been criticized in the past for not doing that, I hope this forces them to improve their response to issues like these.