Archive for August 30, 2008

Clipboard Hijacking

A couple of weeks ago, Ryan Naraine posted the blog article “Adobe Flash ads launching clipboard hijack attack”, which notes that this threat is cross-platform, affecting Windows, Linux and Mac OS X users.

The latest post on Apple Discussions relating to this threat describes it this way:

“my keyboard appears to be taken over and things are typed either in the chat box or in Safari, or basically in any app that is open.”

So, what’s happening here? Out of curiosity, I investigated the proof-of-concept published by security researcher Aviv Raff. **The link will automatically execute the code and hijack your clipboard.**

The file responsible for the clipboard hijacking is a Shockwave Flash (.SWF) file. Since most websites embed Flash, it is hard to overstate how nasty this could get if the threat reaches the wild.

Based on the proof-of-concept, the malicious activity is implemented in ActionScript contained in a DoABC tag. As far as I understand, the malicious code does not exploit any vulnerability; instead it uses legitimate class linkages, importing the SymbolClass “test_fla.mainTimeline”.
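To make that structure concrete, here is an added example (my own triage code, not Aviv Raff's proof-of-concept and not anything from the post): a small Python scanner that walks the SWF tag list, handles zlib-compressed CWS files, lists the SymbolClass linkages and flags DoABC or DoAction tags whose bytecode contains the clipboard API name. The tag codes and record layouts come from the SWF file format specification; the SWF it builds for the demo is a constructed fixture whose DoABC payload is fake ABC-like bytes carrying the constant-pool strings a clipboard writer would have, so a hit means "open this in a decompiler", not "this is malware".

```python
"""Triage scanner for SWF files: list script tags and SymbolClass linkages and
flag bytecode that references the Flash clipboard API (added example, heuristic)."""
import struct
import sys
import zlib
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Tag codes from the SWF file format specification
TAG_END = 0
TAG_DO_ACTION = 12      # ActionScript 1/2 bytecode
TAG_SYMBOL_CLASS = 76   # links AS3 classes to symbols (symbol id 0 = main timeline)
TAG_DO_ABC = 82         # ActionScript 3 bytecode (ABC block)
TAG_NAMES = {TAG_DO_ACTION: "DoAction", TAG_SYMBOL_CLASS: "SymbolClass", TAG_DO_ABC: "DoABC"}

# Strings that indicate clipboard access: System.setClipboard (Flash Player) and the
# AIR Clipboard class. A match is a reason to look closer, not proof of malice.
CLIPBOARD_INDICATORS = (b"setClipboard", b"flash.desktop.Clipboard")


@dataclass
class ScanResult:
    script_tags: List[Tuple[str, List[str]]] = field(default_factory=list)  # (tag name, indicators)
    symbol_classes: List[Tuple[int, str]] = field(default_factory=list)     # (symbol id, class name)


def decompress_swf(data: bytes) -> bytes:
    """Return an uncompressed (FWS) image; a CWS body is zlib-compressed after byte 8."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS SWF (LZMA 'ZWS' is not handled in this example)")


def header_length(data: bytes) -> int:
    """Bytes from file start to the first tag: 8 fixed + RECT + frame rate/count."""
    nbits = data[8] >> 3                      # RECT opens with a 5-bit field width
    rect_bytes = (5 + 4 * nbits + 7) // 8     # four fields of nbits each, byte aligned
    return 8 + rect_bytes + 4


def iter_tags(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag code, tag body) for each RECORDHEADER in an uncompressed SWF."""
    pos = header_length(data)
    while pos + 2 <= len(data):
        (code_and_len,) = struct.unpack_from("<H", data, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: explicit u32 length follows
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        yield code, data[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def parse_symbol_class(body: bytes) -> List[Tuple[int, str]]:
    """SymbolClass body: u16 count, then (u16 symbol id, NUL-terminated class name) pairs."""
    (count,) = struct.unpack_from("<H", body, 0)
    pos, out = 2, []
    for _ in range(count):
        (symbol_id,) = struct.unpack_from("<H", body, pos)
        end = body.index(b"\x00", pos + 2)
        out.append((symbol_id, body[pos + 2:end].decode("utf-8", "replace")))
        pos = end + 1
    return out


def scan_swf(data: bytes) -> ScanResult:
    """Collect clipboard indicators from script tags and every SymbolClass linkage."""
    result = ScanResult()
    for code, body in iter_tags(decompress_swf(data)):
        if code in (TAG_DO_ABC, TAG_DO_ACTION):
            hits = [s.decode() for s in CLIPBOARD_INDICATORS if s in body]
            if hits:
                result.script_tags.append((TAG_NAMES[code], hits))
        elif code == TAG_SYMBOL_CLASS:
            result.symbol_classes.extend(parse_symbol_class(body))
    return result


def _tag(code: int, body: bytes) -> bytes:
    """Encode one RECORDHEADER plus body (short or long form)."""
    if len(body) >= 0x3F:
        return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body
    return struct.pack("<H", (code << 6) | len(body)) + body


def build_sample_swf(compress: bool = False) -> bytes:
    """Constructed fixture, not a real compiled movie: a DoABC tag whose payload is
    fake ABC-like bytes with the strings a clipboard writer carries, plus a
    SymbolClass tag binding a document class to the main timeline (symbol id 0)."""
    abc_payload = b"\x10\x00\x2e\x00flash.system\x00System\x00setClipboard\x00"
    do_abc = struct.pack("<I", 1) + b"frame1\x00" + abc_payload   # flags, name, ABC bytes
    symbol_class = struct.pack("<HH", 1, 0) + b"test_fla.mainTimeline\x00"
    tags = _tag(TAG_DO_ABC, do_abc) + _tag(TAG_SYMBOL_CLASS, symbol_class) + _tag(TAG_END, b"")
    rect = bytes.fromhex("7800055f00000fa000")            # 550x400 stage, 15-bit fields
    body = rect + struct.pack("<HH", 24 << 8, 1) + tags     # 24 fps (8.8 fixed), 1 frame
    header = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + header[3:8] + zlib.compress(body)
    return header + body


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_swf(compress=True)
    report = scan_swf(raw)
    for name, hits in report.script_tags:
        print(f"{name}: clipboard indicators {hits}")
    for sid, cls in report.symbol_classes:
        print(f"SymbolClass: symbol {sid} -> {cls}")
```

Run it as `python swf_triage.py suspect.swf`; with no argument it scans its own compressed fixture. Because the match is a plain substring search over the ABC block, an obfuscated movie that builds the method name at run time will slip past it; the SymbolClass listing is still useful there, since a document class bound to symbol 0 tells you which class runs the moment the movie loads.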

It’s 1:33am; I’ll update my analysis further tomorrow. By the way, there’s another report, but this time it’s browser hijacking; I suppose that this was implemented in SWF as well.

In the meantime, if you’re going to browse the net, please make sure to disable Java and JavaScript in Safari Preferences under the Security tab to avoid this threat.

Stay safe online!

Unusual Pop-up Ads

If you thought Trojan DNSChanger was dead, think twice, because lately there has been a series of reports from Mac OS X users experiencing unusual pop-up ads on their machines. Most of the infected users noticed that the unusual ads are coming from IP Address or as shown in the screen shot above.

This IP address points to Intercage [AS27595], which is hosted by Atrivo in the US and is apparently related to the Russian Business Network (RBN). This host serves various domain names tied to fake codecs and rogue applications such as SpySheriff, WinSpyKiller, AntiVirGear and many more. [Further Reading]

Unusual pop-up ads and unexpected browser results are among the visible symptoms of this threat. Infected users should immediately change their DNS settings back and remove the following files from this folder:

~/Library/Internet Plug-Ins/plugins.settings
~/Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
~/Library/Internet Plug-Ins/QuickTime.xpt
~/Library/Internet Plug-Ins/Mozillaplug.plugin
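As an added example (my own code, not from the post), here is a Python check that looks for the four artifacts listed above in a given home directory, removes them on request (Mozillaplug.plugin is a bundle, so it is removed as a directory), and reports the resolvers in use so you can compare them against the ones you expect. The sample home directory and resolv.conf text it builds are constructed fixtures; the macOS resolver query uses the real `networksetup` command and simply returns nothing on other systems. The list of trusted resolvers is an assumption you supply, since the post gives no addresses.

```python
"""DNSChanger artifact check for a Mac user account (added example, not the post's code)."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# The four paths named in the post, relative to the user's home directory.
DNSCHANGER_ARTIFACTS = (
    "Library/Internet Plug-Ins/plugins.settings",
    "Library/Internet Plug-Ins/sendreq",            # usually already deleted by the malware
    "Library/Internet Plug-Ins/QuickTime.xpt",
    "Library/Internet Plug-Ins/Mozillaplug.plugin",  # a bundle, i.e. a directory
)


def find_artifacts(home: Path) -> List[Path]:
    """Return the artifact paths that exist under `home` (files or bundle directories)."""
    return [home / rel for rel in DNSCHANGER_ARTIFACTS if (home / rel).exists()]


def remove_artifacts(home: Path) -> List[Path]:
    """Delete every artifact present under `home`; bundles are removed recursively."""
    removed = []
    for path in find_artifacts(home):
        if path.is_dir():
            shutil.rmtree(path)
        else:
            path.unlink()
        removed.append(path)
    return removed


def resolv_conf_nameservers(text: str) -> List[str]:
    """Extract the 'nameserver' entries from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_nameservers(servers: Iterable[str], trusted: Iterable[str]) -> List[str]:
    """Resolvers that are not on your expected list (router, ISP or chosen public resolver).
    DNSChanger works by swapping these, so any entry you did not configure deserves a look."""
    trusted_set = set(trusted)
    return [s for s in servers if s not in trusted_set]


def macos_dns_servers() -> Dict[str, List[str]]:
    """Per-service resolvers via `networksetup` (macOS only; empty dict elsewhere)."""
    if shutil.which("networksetup") is None:
        return {}
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             capture_output=True, text=True, check=False).stdout
    result: Dict[str, List[str]] = {}
    for service in listing.splitlines()[1:]:           # first line is a legend, not a service
        service = service.lstrip("*")
        out = subprocess.run(["networksetup", "-getdnsservers", service],
                             capture_output=True, text=True, check=False).stdout
        # address lines contain no spaces; the "no DNS servers set" sentence does
        result[service] = [l.strip() for l in out.splitlines() if l.strip() and " " not in l]
    return result


def build_sample_home() -> Path:
    """Constructed fixture: a temporary 'home' with three of the four artifacts planted
    (sendreq is left absent, matching the post's note that the malware deletes it)."""
    home = Path(tempfile.mkdtemp(prefix="dnschanger_demo_"))
    plugins = home / "Library" / "Internet Plug-Ins"
    plugins.mkdir(parents=True)
    (plugins / "plugins.settings").write_text("constructed sample, not real malware config\n")
    (plugins / "QuickTime.xpt").write_bytes(b"\x00")
    (plugins / "Mozillaplug.plugin" / "Contents").mkdir(parents=True)
    return home


# Constructed resolv.conf sample: one private router address and one documentation-range address
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.7
"""


if __name__ == "__main__":
    home = Path.home()
    for p in find_artifacts(home):
        print("artifact present:", p)
    for service, servers in macos_dns_servers().items():
        print(f"{service}: {servers or 'no static DNS set'}")
```

Running it without arguments only reports; call `remove_artifacts(Path.home())` once you have copied anything you want to keep for analysis. Changing the DNS servers back is still a manual step in System Preferences, and it is worth re-checking them a day later, because the trojan's `plugins.settings` component re-applied them while it was installed.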

Related Posts:

Analysis of Trojan DNSChanger
Malware Retailer Includes Trojan for Mac
Fake YouTube Installs OS X Trojan DNSChange