Jul 05

OSX continues to be exploited

Once again, Apple’s OS X is confronted with a security risk. The latest backdoor was discovered by Russian security firm Kaspersky Lab and is being used as part of an Advanced Persistent Threat (APT) campaign. This is just the latest in a series of security risks affecting the Mac OS X operating system.

Kaspersky researchers found that Uyghur activists in China were being targeted by hackers. The hackers sent e-mails carrying a malicious attachment disguised as a JPEG. The code hidden behind the JPEG was a new variant of the MaControl backdoor, compiled for both the PowerPC and i386 Mac architectures.

The researchers found that the Command and Control server the malware reported back to was located in China, which suggests that the government may be trying to keep tabs on these activists. For years, users believed that Mac OS X was safer than Windows; with these recent outbreaks, people are starting to realize this is not the case.

It had seemed safer mainly because few hackers targeted Macs, given their low market share. Apple has now recognized that the times have changed and removed a claim from its website that Macs weren’t susceptible to the same malware as Windows PCs. Clearly, Apple is no longer sure this is the case.

Most recently, Kaspersky Lab researchers found that cyberthreats targeting the Mac OS X platform have been used as part of a comprehensive campaign against Uyghur activists, who are apparently presumed to be using Macs. The attackers sent customized e-mails with attached ZIP files containing a malicious Mac OS X backdoor.

Like countless threats targeting Windows, the infected ZIP file is delivered as a phishing attack that relies on social engineering, enticing victims with a JPEG photo that masks the malware.

The Mac OS X attack appears to be a new threat, detected as the most recent variant of the MaControl backdoor Trojan, which supports both i386 and PowerPC Macs. Once it gains entry, the Trojan installs itself on the Mac and immediately connects to its command and control server, which appears to be located in China, for instructions. The backdoor can then list and transfer files, as well as run commands on the victim’s Mac at the discretion of the malware’s operators.

The new MaControl variant is the latest in a string of APT-driven attacks targeting the Mac OS X platform this year. In April, Kaspersky Lab researchers detected an active APT campaign, known as SabPub, which targeted Mac OS X by exploiting a vulnerability in MS Office running on the platform. Once the Trojan was installed on a victim’s Mac, it could take screenshots of the user’s current session and execute commands on the infected computer.

Prior to that, the Flashback Trojan ran rampant on users’ Macs, creating a botnet comprised of more than 700,000 infected computers.

While Mac threats haven’t yet reached the same heights as their Windows counterparts, their numbers are on a steady incline and will continue to grow, thanks in large part to a rising Mac OS X market share.

That said, the barrage of new Mac threats could open up new opportunities for security partners with tried and true mechanisms long-deployed on Windows environments. For one, the rising tide of Mac threats could easily pave the way for channel partners to add Mac security products and mechanisms to their portfolio.

Also, unlike previous years, the highly publicized spate of Mac threats will allow partners to simply start conversations with their customers in regards to securing their Mac environments.

Historically, with market share in the single digits, Mac OS X has not been a highly lucrative target for cyber criminals. As such, Macs became known as the “secure” platform, lulling users into a false sense of security and making them largely resistant to any external security product or best practice.

But that might be changing. As threats targeting the Mac platform continue to emerge, many users will have to play “catch-up,” with everything from security best practices and awareness, to products and management for Mac environments.

Those knowledge gaps leave potential windows of opportunity for the channel, enabling partners to essentially go back to square one with basic security consulting services, and standard security software dedicated to the Mac OS X platform once thought to be immune to threats.

May 14

Malware threats growing online and getting tougher to detect

New Malware Campaign

A new malware campaign is making the rounds of the Internet, taking advantage of curiosity and sympathy surrounding the passing of Beastie Boys’ Adam Yauch (a.k.a. MCA).

Trend Micro said the attack appeared to target specific recipients, using a news item about Yauch’s death as a social engineering lure.

“We have found an email sample that leverages Yauch’s death to entice users to download and open the malicious attachment. The message appears as a news item from a non-profit organization that features the late musician’s recent passing,” it said.

It said the email contains a .DOC file attachment, which is supposed to contain the complete story.

But users who download and open the .DOC attachment are actually executing a malware detected by Trend Micro as TROJ_DROPPR.JET.

“This Trojan file drops another malicious file, detected as particular TROJ_SWYSYN.SME, that connects to possibly malicious URLs,” Trend Micro said.

Online ads serving malware

One of the sneakiest scams among cybercrooks these days involves malicious advertisements that can infect a computer with nasty software even if a person merely lands on a website where the ads appear and never clicks on them.

These sinister ads, called “malvertisements,” can steal bank account passwords, disable computers or cause other mischief, and they have already claimed millions of victims. Some experts fear worse problems may be ahead.

“What we are seeing today is the canary in the mine,” said Craig Spiezle, executive director of the nonprofit Online Trust Alliance, which seeks to bolster consumer confidence in cyberspace. “It’s an early warning and if we don’t do more to secure the ad infrastructure, we run the risk of having much broader distribution of malware than we have today.”

Phony Flash Player

Adobe Flash Player users beware: A website that promises visitors a free copy of the download for all versions of Android is reportedly planting malware on smartphones running Google’s mobile operating system.

The infected web page used to distribute the malware was discovered on a number of Russian domains, wrote Karla Agregado, a fraud analyst with Trend Micro, in a recent company blog post. A similar tactic emerged last month to infect Android phones with bogus copies of Angry Birds and Instagram.

When a visitor clicks the download button on the infected site, Agregado explained, a connection is made to another site that, without the visitor’s knowledge, sends a malicious APK file to the smartphone.

Once on the phone, the malware starts to secretly send text messages to premium numbers. This scam is a popular one among cyber criminals targeting Android phones.

Amnesty International targeted by malware

People visiting Amnesty.org.uk on Wednesday and Thursday were exposed to malicious code that exploited a now-patched vulnerability in Oracle’s Java software framework, according to a blog post published Friday by Websense. End users who hadn’t yet applied the patch were infected with Gh0stRat, a family of malware that siphons sensitive data from victims’ machines and can also operate webcams and microphones in real time. The trojan came to light in 2009 when researchers reported that it had infiltrated government and private offices in 103 countries, including computers belonging to the Dalai Lama.

The Java vulnerability targeted on the Amnesty International site has been used in the past to install malware on computers running both Microsoft Windows and Apple’s OS X. Recently, similar espionage attacks have migrated to OS X, and the Flashback malware attack believed to have infected more than 500,000 Macs targeted the same bug. Based on the Websense post, however, it appears this week’s attacks infected only Windows users.

Mar 28

Exploits are their business and business is good!

Software vulnerabilities can earn big money, and we are not talking about the $1,000, or even $10,000, bounties Google pays out to its bug reporters.

Finding the right vulnerability and selling it as a zero-day exploit to the right person could be just as lucrative as a winning lottery ticket. Forbes is running an article about a middleman who connects hackers with “government agencies” willing to pay $250,000 for a vulnerability, and possibly more. Apparently, a dozen such deals were struck in 2011, and if this author’s math is right, about five dozen deals may go through this one individual this year.

According to the article and security middleman “the Grugq”, an Adobe Reader issue can bring up to $30,000, a Mac OS X vulnerability up to $50,000, and an Android exploit up to $60,000. Flash or Java will take you to $100,000, Word to $100,000, Windows to $120,000, Firefox or Safari to $150,000, Chrome or IE to $200,000 and iOS to $250,000. iOS jailbreaks can also fetch quite a bit of money; apparently, agencies are ready to pay a quarter million dollars for the exclusive rights to a stack.