Annoying ads coming from an iPad/iPhone app

I’ve recently encountered lots of annoying ads on my iPhone and iPad. My initial impression was: what an ‘ad serving app’! But this is the result when you allow or agree to receive push notifications, as shown below.

Here are some useful tips on how to deal with it. These instructions should stop the problem; otherwise the app causing your trouble is absolutely suspicious and you should report it for investigation.

How do I stop annoying Ads coming from an iPad/iPhone app?

1) Tap ‘Settings’ and look for ‘Notification’.
2) It will display all applications with notifications ‘turned on’; tap the application that is bugging you with ads.
3) Turn “OFF” Alerts, Badges and Sounds.

If the problem persists, you may want to consider deleting the app.

How do I delete an application on an iPad/iPhone?

1) Tap and hold the target app until it starts to wiggle.
2) You’ll notice an “X” button in the top right corner; tap it to delete the app.

Safari users still vulnerable to “carpet-bombing” attack

Apple Safari carpet-bombing is a vulnerability that allows a remote attacker, via a malicious website, to silently download arbitrary files into the user’s default download directory (~/Download).

This issue became serious on Windows because the default download location is the user’s Desktop. Attackers can craft any file to look like a link file (.LNK) and/or an image file (.JPEG) to entice users into clicking it. Apple immediately addressed this issue in Safari for Windows 3.1.2.

However, Safari users on Mac OS X remain exposed to this vulnerability. In May 2008, Nitesh Dhanjani disclosed details about this flaw, and a year later, while I was writing my paper for VB2009, I revisited this issue and found that it was still unpatched. I contacted him to verify whether my findings were true, and unfortunately he answered “yes”.

OK, two years later, I am again writing about and reviewing the same old tricks, and found that Nitesh Dhanjani recently revisited this issue in his blog post titled “2 Years Later: Droppin’ Malware on Your OSX, Carpet Bomb Style (and Then Some!)”.

I smiled when I saw the screenshot and bonus notes; it reminded me how tricky it can get when combined with other known tricks/exploits, which makes it easier to get the user’s click.

Example (screenshot):

What is this monkey doing in my download folder? Oops, carpet-bomb! That monkey is a trick; it’s not an image file.
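As an added example (not from the original post), this Python script implements the check a user would want after a carpet-bomb: it scans a download folder for files whose name promises passive data (image, PDF, text) but whose leading bytes say executable, script, archive or shortcut, and for image-style names that hide a .LNK or other executable outer extension, the Windows variant described above. The sample folder and its files are constructed inline, and the extension sets are this example's own assumptions.

```python
from pathlib import Path
import tempfile

# Content signatures a dropped file may really carry, whatever its name claims.
# Mach-O magics cover 32/64-bit in both byte orders plus fat binaries.
SIGNATURES = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit", b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit", b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary",
    b"MZ": "Windows PE executable",
    b"#!": "script with shebang",
    b"PK\x03\x04": "ZIP archive (also .jar, .xpi, .safariextz)",
    b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (.lnk)",
}
# Names with these extensions promise passive data; both sets are this example's assumptions.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc"}
EXEC_EXTENSIONS = {".lnk", ".exe", ".scr", ".app", ".jar", ".sh", ".command"}


def identify(head):
    """Map the first bytes of a file to an executable/archive signature, or None."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    return None


def scan_downloads(directory):
    """Flag files whose name says data but whose content or outer extension says executable."""
    findings = []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            label = identify(f.read(8))
        suffixes = [s.lower() for s in p.suffixes]
        if suffixes and suffixes[-1] in DATA_EXTENSIONS and label:
            findings.append((p.name, f"named as data but content is {label}"))
        elif len(suffixes) >= 2 and suffixes[-2] in DATA_EXTENSIONS and suffixes[-1] in EXEC_EXTENSIONS:
            findings.append((p.name, f"data-style name hides executable extension {suffixes[-1]}"))
    return findings


def demo():
    """Constructed sample download folder (not a real capture): two decoys among honest files."""
    d = Path(tempfile.mkdtemp())
    (d / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)        # genuine JPEG header
    (d / "monkey.jpg").write_bytes(b"\xfe\xed\xfa\xce" + b"\x00" * 16)      # Mach-O posing as an image
    (d / "photo.jpg.lnk").write_bytes(b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 68)  # .LNK posing as a photo
    (d / "installer.sh").write_bytes(b"#!/bin/sh\necho hello\n")           # script named honestly
    return scan_downloads(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```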

Recommended reading:

http://www.theregister.co.uk/2010/05/24/safari_carpet_bombing_bug/

“PremierOpinion” Spyware Now in Mac OS X

From Intego security advisory today:

——————————————————————————————————–

Malware: OSX/OpinionSpy

Risk: High

Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia.
——————————————————————————————————–

Who’s PremierOpinion?

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.

Website: http://www.premieropinion.com/Home.aspx

So, who’s the partner?

The “PremierOpinion” Mac OS X spyware is distributed by 7art-screensavers and published at this link: http://7art-screensavers.com/Mac_OS_X.shtml

The Intego blog published a detailed list of the “PremierOpinion” Mac OS X spyware.

There are 48 Mac OS X screensaver apps at this source, and there are two different packages.

How do you spot the “PremierOpinion” Mac OS X spyware?

1. It uses the IzPack (“Package once. Deploy everywhere.”) software installer generator. You’ll notice from a package inspection (control-click the application and choose ‘Show Package Contents’ from the pop-up menu) that the icons are different: one package uses the 7art icon while the other uses izpack.icns.

2. IzPack-generated installers are Java Archive (.JAR) files.

3. The 7art screen saver installation does NOT require the root password, while the PremierOpinion-sponsored free software or application does. Why? Because it installs spyware, which tracks and monitors the user’s browsing behaviour, scans and gathers information from the disk and sends it back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.

4. Spyware installs software without the user’s consent or notification. It is often bundled with other clean applications to mislead users about its true purpose and gain access to the user’s system. In this case, if you click “Cancel”, the IzPack installer still continues with two pop-up screens: 1) the PremierOpinion survey (screenshot) 2) the 7art screen saver installation (screenshot).

“Package once. Deploy everywhere.”

This sneaky Mac OS X threat could be bundled and distributed anywhere on the internet.

Be cautious and stay safe!

Threat Info (FYI)

File Name: poinstaller
File Type: Mach-O executable i386
File Size: 470,352 bytes
Threat Type: Backdoor, Downloader, Sniffer, Stealer
Installation Requirement: root
Remote Activity: Installation of other threats
Remote Download File: Rule14.xml
Remote Download: PermissionResearch.zip
Installation: RunPermissionResearch.sh

Package Name: PermissionResearch.app
File Name: PermissionResearch
File Type: Mach-O executable i386
File Size: 4.1 MB

Resource Package Name: InjectCode.app
File Name: InjectCode
File Type: Mach-O executable i386; Mach-O 64-bit executable x86_64
File Size: 34,088 bytes

Resource Package Name: macmeterhk.bundle
File Name: macmeterhk
File Type: Mach-O executable i386; Mach-O 64-bit executable x86_64
File Size: 894,836 bytes

Window Shortcut – LNK File Format

LNK Format

Figure 01 – LNK Top Level File Structure

A computer shortcut is a small file containing a target URI or the name of a target program file that the shortcut represents. [wiki]

Microsoft Windows uses .lnk as the filename extension for shortcuts to local files, and .URL for shortcuts to remote files, like web pages.

Thanks to Jesse Hager for creating the specification document. Refer to this link http://www.wotsit.org/list.asp?al=L and search for ‘LNK’ to download a good reference.

As observed, LNK trojan downloaders take advantage of the command line string to perform malicious activity.
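As an added example (not from the original post or the referenced specifications), this Python parser reads the ShellLinkHeader and StringData of a .lnk following the MS-SHLLINK layout and returns the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings, the command line the trojan downloaders above abuse, so a reviewer can see what a shortcut would actually execute. The .lnk it parses is constructed by build_sample_lnk; the IDList and LinkInfo blocks are skipped via their size fields, and ExtraData is not parsed.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK section 2.1.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits 0..7, low to high; each Has* bit says the matching optional structure is present.
FLAG_NAMES = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]
# StringData fields in the fixed order the format stores them.
STRING_FIELDS = [("HasName", "name"), ("HasRelativePath", "relative_path"),
                 ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
                 ("HasIconLocation", "icon_location")]


def parse_lnk(data):
    """Return the LinkFlags and StringData fields (command line included) of a .lnk blob."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    set_flags = {name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)}
    pos = LNK_HEADER_SIZE
    if "HasLinkTargetIDList" in set_flags:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if "HasLinkInfo" in set_flags:          # LinkInfoSize counts the whole LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = "IsUnicode" in set_flags
    strings = {}
    for flag, field in STRING_FIELDS:       # each: CountCharacters (2 bytes) + chars, no terminator
        if flag not in set_flags:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        strings[field] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return {"flags": sorted(set_flags), "strings": strings}


def build_sample_lnk(relative_path, arguments, unicode=True):
    """Construct a minimal .lnk carrying RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test input, not a real shortcut)."""
    flags = 0x08 | 0x20 | (0x80 if unicode else 0)   # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20)  # FileAttributes: ARCHIVE
    header += b"\x00" * 24                            # CreationTime, AccessTime, WriteTime left zero
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1-3

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4  # ExtraData TerminalBlock


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\Windows\System32\notepad.exe", "readme.txt")
    print(parse_lnk(sample))
```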

**Update**

0-day in malformed Windows Shell Link (.LNK) binaries, referred to as CVE-2010-2568 and Microsoft Security Advisory (2286198)

LNK binary file format reference:

LNK_The_Windows_Shortcut_File_Format

MS-SHLLINK

CVE-2010-1120

DESCRIPTION:
A vulnerability has been reported in Apple Mac OS X, which can be
exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an indexing error in Apple Type
Services within the “TType1ParsingContext::SpecialEncoding()” method
in libFontParser.dylib when parsing embedded fonts. This can be
exploited to corrupt memory e.g. via a specially crafted PDF file
opened in Preview.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in Mac OS X Server 10.5, Mac OS X 10.5,
Mac OS X 10.6, and Mac OS X Server 10.6.

SOLUTION:
Apply Security Update 2010-003.

Sourced: http://secunia.com/advisories/39426/

Reference: CVE-2010-1120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1120

Description:
Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010.

Apple Safari Style Sheet Redirection vulnerability

There’s a 0-day vulnerability affecting Safari 4.x users. It’s not critical, but it is important to be aware of it.
<link rel="stylesheet" type="text/css" href="www.yahoo.com">
Hola
<script language="javascript">
setTimeout("alert(document.styleSheets[0].href)", 10000);
//setTimeout is used just to wait for page loading
</script>

Listing 01 – Apple Safari Stylesheet Redirection PoC

Cesar Cerrudo discovered this vulnerability and explained that Safari does not expose the LINK URL specified in the href value; instead, when the stylesheet request is redirected, it reads back the redirect’s target URL.

A malicious user may take advantage of this vulnerability to steal sensitive information.

Be cautious when surfing the net!

Snow Leopard includes malware protection

Interesting news (it’s now all over the net): Snow Leopard includes malware protection that detects two known threats, RSPlug and iServices. (Intego first spotted this anti-malware feature.)

Now curious thoughts are buzzing around: many suspect that Apple is using ClamAV, although Ryan Naraine at the ZDNet blog has confirmed that Apple is not using it. Others suggest that it might be using Symantec’s engine, because of the naming convention used: “OSX.RSPlug.A, OSX.iService.A”.

Anyway, from this perspective, it seems Apple is taking no chances with emerging and prevalent threats on the Mac (as noted in recent changes). It is taking steps forward to deliver protection and exercise due care, which is good.

“Due care is care that a reasonable man would exercise under the circumstances”

At the end of the day, security is a process that lives with and deals with reality: our day-to-day computing activities.

Security research, findings and awareness provide an avenue for a better understanding of these (impending) attacks and threats.

RAT ‘BlackHole’

‘BlackHole’ is the latest remote administration tool (RAT) and is available for both Windows and Mac.

Hack tools such as RATs use a client-server program that communicates with the victim’s machine through a trojan server. The server application is installed on the victim while the client application is on the managing side.

The version number suggests that ‘BlackHole’ is currently at an early stage. However, the author seems to have started showcasing the following functionalities:

  • Remote execution of shell commands.
  • Opens a web page using the user’s default browser.
  • Sends a message which is displayed on the victim’s screen.
  • Creates a text file.
  • Can perform shutdown, restart and sleep operations.
  • Can request admin privileges.

It is also capable of blocking the user’s screen with a message; please refer to this image.

Be wary of possible backdoor infection. Report suspicious applications, especially if they are communicating with an unknown or unfamiliar remote server.

Note: While checking the client-server capability, I thought it would be useful to capture a video for reference (recommended screen: 720p HD).

Analysis of OSX Starfield

When you download an application or installer from a legitimate website, you establish a level of trust, expecting not to be tricked or deceived.

Distribution:

The installer is distributed by Starfield, a technology and research branch of the Go Daddy Group. If you are a Go Daddy user, when you log in this tool is available in the tools section as:

1) Desktop Notified Installer

2) It is also offered as a “Web-Based Email Tools plugin”, promising that this tool will enable image paste.

It’s possible that this installer will be distributed elsewhere.

When you download the installer, you’ll notice two things:

1) It tells you “Double-click to Install”.

2) It is not the installer itself; instead it is a shortcut link.

Why?

It is a social engineering trick. It attempts to trigger the user’s immediate impulse to respond to a command or instruction.

Let’s check the ACL using the terminal:

$ ls -al /Volumes/install
total 8
drwxr-xr-x  7 test  staff  306 23 Dec 03:50 .
drwxrwxrwt@ 6 root  admin  204 12 Jan 23:42 ..
drwxr-xr-x  2 test  staff   68 23 Dec 03:50 .Trashes
lrwxr-xr-x  1 test  staff   20 23 Dec 03:49 Double-click to Install -> StarfieldInstall.app
drwxr-xr-x@ 3 test  staff  102 23 Dec 03:49 StarfieldInstall.app

The application is basically hidden. Obviously, this discourages the user from inspecting the package. Back in the terminal, let’s run these commands to unhide it:

$ defaults write com.apple.finder AppleShowAllFiles TRUE
$ killall Finder

Installation:

What happens when you ‘double click’ it? You’ll notice that it requires root privileges.

At this stage, it is already too late, because even if you decide to discard or cancel the authorization, the tricky ‘StarfieldInstall.app’ has already installed itself as follows:

1) It creates a ‘Starfield’ folder in the Applications directory. In this folder, you’ll find a copy of itself and an update component:

/Applications/Starfield/StarfieldInstall.app

/Applications/Starfield/starfieldupdate.app

2) It is set to run at login by adding ‘starfieldupdate’ to the Login Items.

3) It is always running in the background.

$ lsof -c Starfield
COMMAND   PID USER   FD     TYPE     DEVICE  SIZE/OFF    NODE NAME
Starfield 221 test  cwd      DIR       14,2      1394       2 /
Starfield 221 test  txt      REG       14,2     93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test  txt      REG       14,2   1064960 2655251 /private/var/folders/ur/urE9xwfCE+a922ltbYjezk+++TU/-Caches-/com.apple.LaunchServices-025504.csstore
Starfield 221 test  txt      REG       14,2   1054960   25052 /usr/lib/dyld
Starfield 221 test  txt      REG       14,2 206983168 2609511 /private/var/db/dyld/dyld_shared_cache_i386
Starfield 221 test    0r     CHR        3,2       0t0     297 /dev/null
Starfield 221 test    1     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    2     PIPE 0x079a7640     16384         ->0x079a76a4
Starfield 221 test    3r     REG       14,2       163   42178 /private/etc/security/audit_control
Starfield 221 test    4u  KQUEUE                              count=1, state=0x2
Starfield 221 test    5r     REG       14,2     93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
Starfield 221 test   66r     REG       14,2       611   42177 /private/etc/security/audit_class

So, when you thought it was gone, it isn’t, because ‘StarfieldInstall’ sleeps and activates again to request your password. It will continue to annoy you with repeated requests until it gets authorized.

On a side note, ‘StarfieldUpdate.app’ gets the following information:

  • OS version and CPU type
  • Local user
  • Previous installation
  • Starfield installation component versions

And performs the following:

  • Checks the user’s privilege on the system by checking whether the user is an admin or can be elevated to admin.
  • StarfieldInstall launches ‘starfieldupdate.app’, which is kept in the background.
  • ‘starfieldupdate.app’ is responsible for the initial installation (first run) and updates.
  • The initial installation paths of Starfield are:
    /Applications/Starfield
    /Library/Application Support/Starfield
    /Library/Internet Plug-ins/
    /Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
  • Dumps a log of its activity, especially the installation. Notice the name ‘starfield’ in the ~/Library/Logs/ folder:

Launch.cpp(18): Launching /Applications/Starfield/StarfieldUpdate.app runme
StarfieldInstall.cpp(862): Starting v1.0.4.9 with command: -psn_0_1011959
StarfieldInstall.cpp(879): OS Version 10.6 x86
StarfieldInstall.cpp(880): Local user test (test)
StarfieldInstall.cpp(881): User can become administrator.
StarfieldUpdate.cpp(90): Starting v1.0.3.3 with command: -psn_0_1007862
StarfieldUpdate.cpp(119): launchargs runme
StarfieldUpdate.cpp(144): Local user test
StarfieldUpdate.cpp(145): User can become administrator.
StarfieldUpdate.cpp(162): Launching /Applications/Starfield/StarfieldInstall.app
Launch.cpp(18): Launching /Applications/Starfield/StarfieldInstall.app

Payload:

The payload is mainly handled by ‘StarfieldInstall.app’. When the user inputs the password, the installation continues by sending an HTTP request to the server as follows:

GET /moduleinfo HTTP/1.1
User-Agent: StarfieldInstall/1.0
Host: na.secureserver.net
Accept: *.*

‘moduleinfo’ is JSON text which ‘StarfieldInstall.app’ parses, evaluating the content of the JSON string. For example, it reads and evaluates which package is appropriate for the user, Windows or Mac:

{ "win" :

, "mac" :

It also evaluates the installation requirements, for example:

, "mac" :
[ { "file" : "StarfieldInstall.App"
, "version" : 4
, "source" : "starfieldinstall.zip"
, "app" : "*"
, "type" : "util"
, "adminRequired" : false
, "osMin" : [10,4]
}

‘StarfieldInstall’ compares these requirements defined in the JSON file ‘moduleinfo’ before it downloads, extracts and runs the latest package, resulting in the installation of the following:

starfieldinstall.zip
starfieldupdate.zip
fileedittool64.plugin.zip
fileedittool.zip
WBETools14.plugin
wbetools64.zip
copypaste.xpi
zoomext.xpi
offdavhelper_mac4.zip
offdavhelper_mac.zip
offsettings.bundle.zip
wbesettings.bundle.zip
drivemapreconnect.zip
backupstatus.zip
offsync_mac.zip
desktoptools.zip
wbedesktopnotifier.zip

So far we have 17 files here, and 4 of these files do not require the root password. It is important to note that ‘StarfieldUpdate.app’ is always running in the background and launches ‘StarfieldInstall.app’ to perform the following:

– Evaluating the JSON text ‘moduleinfo’ for updates

– Downloading and installing the latest versions

– Discovering installed products

– Running privileged shell commands

It installs two Firefox extensions and plugins, which are persistent. That means you can’t just click ‘uninstall’ to remove them. In Firefox, click Tools and then Add-ons to view the installed extensions and plugins, as shown below:

Another notable process created is ‘OffSyncService’, which is always running in the background.

In conclusion, this is a nasty and abusive application that performs remote activities and installs unwanted plugins and applications without user consent. It is bloatware and a backdoor.

About Mac OS X v10.6.4 ‘XProtect’ Update

Pob of SophosLabs found this interesting update; please read the blog post “Updated XProtect protects against OSX.HellRTS”.

Apple Mac OS X Snow Leopard’s anti-malware signature file ‘XProtect.plist’ has a new definition detecting “OSX.HellRTS” in the latest Security Update 2010-004 / Mac OS X v10.6.4.

XProtect.plist is stored inside the Resources folder of a bundle called CoreTypes.bundle.

CoreTypes.bundle contains specifications that allow Mac OS X to uniquely identify data types, file formats, associated icons and UTIs (Uniform Type Identifiers), as defined in its Info.plist file.

In this update (Mac OS X v10.6.4), there are two major updates to the Mac OS X detection features (Quarantine and Anti-Malware):

1) Safari extensions (.safariextz) are now assessed as unsafe, which triggers the Mac OS X quarantine feature and displays the warning “..Are you sure you want to open it?”.

This assessment is reflected in an XML file called System, which contains risk definitions for certain file types and extensions. The risk assessment has 3 categories:

<key>LSRiskCategorySafe</key>
<key>LSRiskCategoryMayContainUnsafeExecutable</key>
<key>LSRiskCategoryUnsafeExecutable</key>

As shown below, Safari extensions (.safariextz) were added under the LSRiskCategoryUnsafeExecutable key.

Apple recently released Safari 5 with support for browser extensions, and this security update makes sure that nothing gets executed without a warning.

System file location:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System

2) The Mac OS X anti-malware signature file “XProtect.plist” now includes detection for the HellRaiser version 4.2 server application.

There are 3 definitions for OSX.HellRaiser. As highlighted in the screenshot above, it detects 2 components, namely rbframework.dylib and RBShell.rbx_0.129.dylib, and searches for defined hex strings matching the HellRaiser server’s auto-launch entry (adding login items) command.

The latest XProtect.plist timestamp suggests that it was updated on the 24th of April, just a couple of days after the discovery of the HellRaiser 4.2 server in the wild. Unfortunately, it seems it had to wait for the combo update released on the 15th of June.

XProtect.plist location:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

By the way, it is important to note that this security feature is not capable of detecting the server when it is already running in the background.
Have a nice weekend!