Figure 01 – LNK Top Level File Structure
Microsoft Windows uses .lnk as the filename extension for shortcuts to local files, and .URL for shortcuts to remote files, like web pages.
Thanks to Jesse Hager for creating the specification document. Please refer this link http://www.wotsit.org/list.asp?al=L and search ‘LNK’ download good reference.
As observed, LNK trojan downloaders takes advantage of Command line string to perform malicious activity.
LNK binary file format reference:
If you haven’t patch yet, then please do.
How do I know if I’m patched?
Click “About This Mac” and it should display Mac OS X version 10.5.7. You can do the same if you are using Safari by clicking “About Safari”, this should display Safari 4 (beta).
Why it is important to patch?
There are critical vulnerabilities that could allow malicious user (hacker, malware) to snoop and steal your information in background. Let me sight examples from vulnerabilities that has captured media attention (so, it means many attackers are aware of this).
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution.
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Solution: The critical issue has been addressed in Security Update 2009-002
Impact: Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.
This is very critical the fact that browser like Safari has enabled “Open safe files after downloading” by default. You can turn off this option in Safari by following the instructions below:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab
4. Un-check the “Open ‘safe’ files after downloading” box
5. Close Safari’s preferences
A slightly modified variant of MacCinema was spotted in “MacPlay.dmg”. Once you execute it, it will still display MacCinema installer. However, few modification was found in preinstall & preupgrade scripts as shown in Figure 01.
Obviously, attackers are trying to maximize these threats. The obfuscated data will extract another script, which we already seen it from previous variant.
This Trojan has been in-the-wild for months now and as it continuously proliferates in the internet, new Macintosh users are often found falling into its tricks.
Stay away from this threat!
Apple profiles series of companies that uses Mac and one of them is Twitter – profile title “Twitter. Triumph of humanity“.
It’s nice story although when you think of the recent series of successful attacks (Mikeyy worm and exposure of Twitter Admin Panel), you’ll probably react this way …
PSIRT blogged an update saying that this vulnerability is still under investigation and updates will be available by 12th May:
We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009.
Release date: May 1, 2009
Vulnerability identifier: APSA09-02
CVE number: CVE-2009-1492, CVE-2009-1493
Platform: All Platforms
Two months later, “iMunizator” appeared which is a repackage version of MacSweeper. This version has few improvement for example, the nagging pop-ups was removed as the authors tries to prove that their product has been modified for safe use.
Around January this year, “iMunizator” was spotted again online and serving rogue software. Obviously, they can’t sell it as researchers raised awareness about it. What do you expect?
February when MacPaw twit “CleanMyMac is Out”
How did I came across to this site? Oh, I was looking for the PoC Worm “Tored” -> Obviously, it’s not in-the-wild but definitely something to investigate.
Anyway, MacPaw website offers two software – “CleanMyMac” and “MacHider”. “CleanMyMac” has exactly similar functionality and features as “MacSweeper” although this time it’s clean.
What’s interesting here is this (below screenshot) … Sounds familiar with “iMunizator” lifetime offer. The question now is, what do you pay for lifetime?
On the other hand, what is meant by lifetime offer/warranty? Here’s good explanation from wiki.
A lifetime warranty is usually a guarantee on the lifetime of the product on the market rather than the lifetime of the consumer (the exact meaning should be defined in the actual warranty documentation). If a product has been discontinued and is no longer available, the warranty may last a limited period longer. For example, the Cisco Limited Lifetime Warranty currently lasts for five years after the product has been discontinued.
Take note, “Lifetime is guarantee on the lifetime of the product on the market” which means if these guys disappear tomorrow then you are tricked to buy it.
There are good tools and application out there, please make sure that you buy from reliable and trusted source.