Archive for August, 2009

About XProtect

A very good write-up on Snow Leopard's malware protection, its capabilities and its limitations:

Snow Leopard malware protection system: What does XProtect do?


Snow Leopard includes malware protection

Interesting news (it's now all over the net): Snow Leopard includes malware protection that detects two known threats, RSPlug and iServices. (Intego first spotted this anti-malware feature.)

Now curious speculation is buzzing around: many suspect that Apple is using ClamAV, although Ryan Naraine's ZDNet blog has confirmed that Apple is not using it. Others suggest that it might be using Symantec's engine, because of the naming convention used: "OSX.RSPlug.A", "OSX.iService.A".

Anyway, in perspective, it seems Apple is taking no chances with emerging and prevalent threats on the Mac (as noted in recent changes). It is taking steps forward to deliver protection and exercise due care, which is good.

“Due care is care that a reasonable man would exercise under the circumstances”

At the end of the day, security is a process, one that lives in and deals with reality: our day-to-day computing activities.

Security research, findings and awareness provide an avenue for a better understanding of these (impending) attacks and threats.

Avoid Phish Bombing, Update your Safari version to 4.0.3

Avoid phish bombing: update your Safari version to 4.0.3!

This latest version also includes multiple fixes for critical vulnerabilities that can be exploited by malicious people or evil websites to manipulate data, disclose sensitive information, perform spoofing attacks and/or compromise your system. Further information: About the security content of Safari 4.0.3.

What is a phish bomb and how does it work?

Phishing is a fraudulent attempt that falsely claims to come from a legitimate, known website or organization, thereby tricking the target victim into voluntarily providing sensitive information such as user names, passwords, credit card numbers, social security numbers, etc.

A phish bomb, however, is like an explosive form of phishing attack: in Safari 4 it allows an attacker to manipulate your Top Sites (keyboard shortcut: Command+Shift+1). This vulnerability was discovered by Inferno of

Inferno published his PoC and explains:

“The two input parameters in this attack are the number of times the fake website should be visited (n)(default=28) and timeout(t)(default=2 sec) that triggers a switch between two fake websites. It is very simple and adds two fake websites for and to your top sites.”


Update and stay safe!

Mac Trojan is just a typo away!

The distribution technique of a known, prevalent Mac trojan (known as "MacCinema") is starting to adopt typosquatting to increase its chances of infection.

More Mac users are reporting this threat; they usually encounter it when searching for videos, although pirated or cracked copies of known installers are also at the top of its social engineering bait.

However, typosquatting is an emerging trend used by this trojan.

Definition: Typosquatting is the act of registering domain names that resemble legitimate ones through closely similar spellings and similar-sounding words.

By deploying a typosquatting attack, an attacker can trap an Internet user who merely mistypes a word, although combining it with social engineering reaches more users and increases the attacker's chances of infection.

Here is a list of examples:

[Picture 1: list of typosquatted domain examples (image not reproduced here)]

For people wondering how and why Mac users are getting tricked, this is one of the ways! (Although most affected users don't remember or notice it.)
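The defender's side of the typosquatting definition above is domain monitoring: generate the near-miss spellings of a domain you care about so you can watch for their registration, and flag observed domains (from DNS or proxy logs) that are a typo away from a trusted one. The following Python is an added example written for this post, not code from the original article or from any product it mentions; it uses placeholder domains (example.com and friends), treats everything after the first dot as the suffix (a simplification that ignores multi-part suffixes such as co.uk), and covers only the common typo classes: omitted, repeated and transposed characters plus a few look-alike substitutions.

```python
# Typosquat candidate generation and lookalike detection (added example; placeholder domains).

# Look-alike single-character substitutions used by the generator (small, illustrative set).
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute); a transposition counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typo_candidates(domain: str):
    """Return the sorted set of one-typo variants of `domain` to watch for."""
    name, dot, suffix = domain.lower().partition(".")
    seen = set()
    for i, ch in enumerate(name):
        seen.add(name[:i] + name[i + 1:])                  # omitted character
        seen.add(name[:i] + ch + name[i:])                 # repeated character
        if i + 1 < len(name):                              # adjacent transposition
            seen.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for sub in HOMOGLYPHS.get(ch, ""):                 # look-alike substitution
            seen.add(name[:i] + sub + name[i + 1:])
    seen.discard(name)
    return sorted(c + dot + suffix for c in seen if c)


def is_lookalike(observed: str, watched, max_distance: int = 1):
    """Return the watched domain that `observed` is a near-miss of, or None.

    Only domains with the same suffix are compared, which keeps the check
    conservative (example.net vs example.com is not flagged here).
    """
    o_name, _, o_suffix = observed.lower().partition(".")
    for w in watched:
        w_name, _, w_suffix = w.lower().partition(".")
        if o_suffix != w_suffix or o_name == w_name:
            continue  # different suffix, or the legitimate domain itself
        if levenshtein(o_name, w_name) <= max_distance or observed.lower() in typo_candidates(w):
            return w
    return None


if __name__ == "__main__":
    # Constructed sample of observed domains, e.g. pulled from DNS query logs.
    for d in ["exmaple.com", "examp1e.com", "example.com", "unrelated.com"]:
        print(d, "->", is_lookalike(d, ["example.com"]))
```

The candidate list is the set you would feed to a registration watch; the lookalike check combines edit distance with candidate membership because a transposition such as exmaple.com is two plain edits away yet is one of the most common typos.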

I'll include and discuss this next month at the VB2009 conference in Geneva, Switzerland.

Recent related updates:

Mac OS X DNS-Changing Trojan in the wild

More reports of Apple Mac Trojan horse seen in the wild

PC and Mac malware in the same boat

Hakin9 article “Attacks On Music and Video Files”

It has been almost a year now since a malicious executable was spotted that is capable of "Trojanizing" clean music and video media files (WMA, WMV, ASF, MP3). This threat became prevalent in the wild; more and more affected users reported it from Q4 of 2008 until early 2009.

When I first handled the infected media file (ASF), I referenced the Microsoft ASF specification and created a summary, which I've decided to publish here. Soon after, I investigated and reversed the malicious executable and constructed my analysis, and I thought this is interesting to share.

Thanks to Monika for accommodating my proposed article, as well as to Ewa for the succeeding editorial efforts. The article was included in the latest Hakin9 (4/2009) release; you can find the list of topics here.

Hakin9's circulation is mostly in the USA and, I think, less in some countries like the UK, Australia, the Netherlands and Singapore. So if you find one in your local book store or at a magazine stand, I recommend that you grab a copy.



The legitimate feature that the attackers misused is designed for DRM, and guess what? An interesting infected media file advanced its social engineering technique by displaying this (as shown below), while in the background it connects to a remote server that serves a malicious executable. Because of its clever technique and not-so-popular infection vector, this threat may still proliferate.
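For triaging media files like the ones described in this post, the useful first step is to walk the ASF container's Header Object and see which sub-objects are present: a "music file" that carries the DRM-related Content Encryption or Extended Content Encryption objects, or a Script Command Object (which per the ASF specification can carry URL commands), deserves a closer look, and any URL-like string inside those objects is the thing to check against your proxy and DNS logs. The parser below is an added example written for this post, not code from the article or from Microsoft; the object GUIDs and the header layout (16-byte GUID, 8-byte little-endian size, 4-byte object count, two reserved bytes, then sub-objects of GUID + size + data) are taken from the public ASF specification, while the sample files, the XML-like DRM blob and the hostname license.example.invalid are constructed for the example and are not real malware.

```python
import re
import struct
import uuid

# Object GUIDs from the Microsoft ASF specification. ASF stores GUIDs in the Windows
# byte layout (first three fields little-endian), which uuid's bytes_le handles.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_FILE_PROPERTIES_OBJECT = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")

OBJECT_NAMES = {
    ASF_FILE_PROPERTIES_OBJECT: "File Properties Object",
    ASF_SCRIPT_COMMAND_OBJECT: "Script Command Object",
    ASF_CONTENT_ENCRYPTION_OBJECT: "Content Encryption Object",
    ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT: "Extended Content Encryption Object",
}

# Objects that warrant a closer look: the two DRM objects and the Script Command Object.
SUSPECT_OBJECTS = {
    ASF_CONTENT_ENCRYPTION_OBJECT,
    ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT,
    ASF_SCRIPT_COMMAND_OBJECT,
}

URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+")


def parse_asf_header(data: bytes):
    """Walk the top-level Header Object; return (guid, name, payload) per sub-object."""
    if len(data) < 30:
        raise ValueError("too short to be an ASF header")
    if uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file (Header Object GUID missing)")
    header_size, object_count = struct.unpack_from("<QI", data, 16)
    if header_size < 30 or header_size > len(data):
        raise ValueError("header size %d is inconsistent with the data" % header_size)
    objects = []
    offset = 30  # GUID(16) + size(8) + count(4) + reserved1(1) + reserved2(1)
    for _ in range(object_count):
        if offset + 24 > header_size:
            raise ValueError("sub-object header runs past the Header Object")
        guid = uuid.UUID(bytes_le=data[offset:offset + 16])
        (size,) = struct.unpack_from("<Q", data, offset + 16)
        if size < 24 or offset + size > header_size:
            raise ValueError("sub-object size %d is inconsistent" % size)
        objects.append((guid, OBJECT_NAMES.get(guid, str(guid)), data[offset + 24:offset + size]))
        offset += size
    return objects


def extract_urls(payload: bytes):
    """URL-like strings in a payload, whether stored as ASCII or UTF-16LE (ASF's string encoding)."""
    found = set()
    for text in (payload.decode("latin-1"), payload.decode("utf-16-le", errors="ignore")):
        found.update(URL_RE.findall(text))
    return sorted(found)


def scan_asf(data: bytes):
    """Triage report: all object names, suspect objects present, and URLs they carry."""
    objects = parse_asf_header(data)
    report = {"objects": [name for _, name, _ in objects], "suspect_objects": [], "urls": []}
    for guid, name, payload in objects:
        if guid in SUSPECT_OBJECTS:
            report["suspect_objects"].append(name)
            report["urls"].extend(extract_urls(payload))
    return report


# --- constructed sample files (not real malware) ---------------------------------

def _asf_object(guid: uuid.UUID, payload: bytes) -> bytes:
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample_asf_header(sub_objects) -> bytes:
    body = b"".join(_asf_object(g, p) for g, p in sub_objects)
    # reserved1 = 0x01, reserved2 = 0x02 as the spec requires
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(body), len(sub_objects), 1, 2) + body


# Illustrative DRM blob: a DWORD length followed by UTF-16LE text with a license URL.
# The XML shape is constructed for this example and the hostname is a placeholder.
_DRM_TEXT = "<WRMHEADER><DATA><LA_URL>http://license.example.invalid/get</LA_URL></DATA></WRMHEADER>".encode("utf-16-le")
_DRM_PAYLOAD = struct.pack("<I", len(_DRM_TEXT)) + _DRM_TEXT

CLEAN_SAMPLE = build_sample_asf_header([(ASF_FILE_PROPERTIES_OBJECT, b"\x00" * 80)])
DRM_SAMPLE = build_sample_asf_header([
    (ASF_FILE_PROPERTIES_OBJECT, b"\x00" * 80),
    (ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT, _DRM_PAYLOAD),
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("drm", DRM_SAMPLE)):
        print(label, scan_asf(sample))
```

The parser validates every size against the enclosing Header Object before trusting it, so a crafted or truncated header fails with a ValueError rather than an out-of-range read; a real triage run would feed it the first few kilobytes of each file and alert on any suspect object whose URL is not a known, expected license server.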