<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures -  A Security Blog » SEO</title>
	<atom:link href="http://countermeasures.trendmicro.eu/category/seo/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Trend Micro’s Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Wed, 01 Feb 2012 14:48:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Mac malware: Same shizzle, different dizzle.</title>
		<link>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/</link>
		<comments>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/#comments</comments>
		<pubDate>Fri, 27 May 2011 12:18:14 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Mac OS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2847</guid>
		<description><![CDATA[You may have read in the press recently about the Mac Defender scareware that is affecting many OSX users, to the extent that Apple have even promised to deliver a removal tool and a fix to their customers. Trend Micro’s Smart Surfing for Mac has been protecting against this threat from the outset, both by [...]]]></description>
			<content:encoded><![CDATA[<p>You may have <a href="http://www.bbc.co.uk/news/technology-13560137">read in the press</a> recently about the <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=OSX_FAKEDEF.M">Mac Defender</a> scareware that is affecting many OSX users, to the extent that Apple have even <a href="http://support.apple.com/kb/HT4650">promised to deliver a removal tool and a fix</a> to their customers. <a href="http://emea.trendmicro.com/emea/products/personal/smart-surfing-for-mac/index.html">Trend Micro’s Smart Surfing for Mac</a> has been protecting against this threat from the outset, both by detecting and blocking the malicious files and, importantly, by blocking access to the criminal websites being used to propagate this threat. You may be surprised to hear, though, that Mac Defender is not the first “scareware” application targeting Mac users and trying to trick them into parting with their cash and their credit card details.<br />
&nbsp;<br />
Malware for Mac OSX is nothing new, and the increasing popularity of the platform is driving criminal interest. In addition to <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=OSX_FAKEDEF.M">Mac Defender</a> (May 2011), there are already several threats in the wild that affect Mac OS X: the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_LEAP.A">Leap worm</a> (Feb 2006), which propagates through iChat; the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_RSPLUG.A">RSPlug Trojan</a> (Oct 2007), which drops DNS changing malware; the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_MACSWEEP.A">MacSweeper</a> &amp; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_IMUNIZATOR.A">IMunizator</a> (Jan &amp; Mar 2008) scareware; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_JAHLAV.A">Jahlav</a> (Dec 2008), another DNS changing malware; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_KROWI.A">Krowi</a> (Jan 2009), responsible for the first Mac OS botnet; and <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_HELLRTS.A">HellRTS</a> (April 2010), another Trojanised installer, this time for iPhoto, which gives attackers remote control over the infected computer.<br />
&nbsp;<br />
MacSweeper, IMunizator and now Mac Defender are typical scareware Trojans. In 2008 they were delivered by malicious advertisements, and in 2011 criminals have adopted the tried and tested tactics so successful in the world of Windows: Blackhat Search Engine Optimisation. Booby-trapped web pages are created, designed to show up in the first page of search results for popular terms. Simply clicking the link to one of these pages is enough to start the infection process. The latest version has even worked out a method to bypass the requirement for the user to type an admin password in order to install. Affected users are presented with a professional-looking application and informed that multiple security issues have been discovered on their computer. Subsequently they are duped into buying a completely bogus piece of software to &#8220;fix&#8221; those issues, a tactic with which Windows users will be only too familiar. RSPlug and Jahlav have both been known to pose as video codec installers, another tactic long popular on the Windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan, demonstrating that it is the same skilled and experienced malware business that is now setting its sights on the Apple community. It is also worth noting that Mac forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign. Also important is the fact that these malware examples are not single discrete files; they represent entire families of malware, where new variants are continually being released to defeat signature based detection.<br />
&nbsp;<br />
These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple themselves may finally be listening. Malware has existed on the Mac platform since pre-OS X days, as have anti-malware tools. However, the radical change in the nature of the malware industry, coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.<br />
&nbsp;<br />
For many years now Mac users have believed themselves to be invulnerable to malware, and have <a href="http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov">been encouraged in this belief by Apple themselves</a> on more than one occasion, or “<a href="http://www.apple.com/why-mac/better-os/#viruses">Safeguard your data by doing nothing</a>”. This complacency leaves many Mac users with the mistaken belief either that Macs are not vulnerable to malware, or that none exists for their platform, or both, impacting their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.<br />
&nbsp;<br />
Cybercrime and malware in today’s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&amp;D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would definitely be fair to say that as the Mac market share expands and the user base grows, so does its perceived potential to the cybercriminal. It’s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected only increases the attractiveness.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
<enclosure url="http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov" length="3612234" type="video/quicktime" />
		</item>
		<item>
		<title>Twitter.Grader.com hacked?</title>
		<link>http://countermeasures.trendmicro.eu/grader-com-hacked/</link>
		<comments>http://countermeasures.trendmicro.eu/grader-com-hacked/#comments</comments>
		<pubDate>Thu, 11 Feb 2010 20:07:29 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1757</guid>
		<description><![CDATA[UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident. I know a lot of folks don&#8217;t read the comments, so here it is in full. &#8220;We are very sorry for the mistake. It is completely our fault. As your article [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1758" class="wp-caption alignleft" style="width: 650px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/grader.gif"><img class="size-full wp-image-1758" title="Twitter Grader home page" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/grader.gif" alt="Twitter Grader home page" width="510" height="165" /></a><p class="wp-caption-text">Twitter Grader home page</p></div>
<p>&nbsp;<br />
<strong>UPDATE</strong>: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident. I know a lot of folks don&#8217;t read the comments, so here it is in full.</p>
<blockquote><p>&#8220;We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.</p>
<p>We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.</p>
<p>We have posted an article on our company blog with more information:</p>
<p>http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks</p>
<p>- Mike Volpe<br />
HubSpot (makers of Twitter Grader)&#8221;</p></blockquote>
<p>&#8230;and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.</p>
<p>&nbsp;<br />
__________________________________________________________________________________________</p>
<p>In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.<br />
&nbsp;</p>
<div class="mceTemp">
<dl id="attachment_1759" class="wp-caption alignleft" style="width: 557px;">
<dt class="wp-caption-dt"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/posts.gif"><img class="size-full wp-image-1759" title="Example of affected accounts" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/posts.gif" alt="Example of affected accounts" width="510" height="354" /></a></dt>
<dd class="wp-caption-dd">Example of affected accounts (search by Twitscoop)</dd>
</dl>
<p>&nbsp;<br />
Fortunately the link that has been endlessly tweeted by grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.</p></div>
<p>&nbsp;</p>
<div class="mceTemp">The domain name of the destination site however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised.</div>
<p>&nbsp;</p>
<div class="mceTemp">Embarrassingly, the victims of this attack also include Dharmesh Shah, the founder of Grader.</div>
<div class="mceTemp">
&nbsp;</p>
<div class="mceTemp">
<dl id="attachment_1760" class="wp-caption alignleft" style="width: 581px;">
<dt class="wp-caption-dt"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/dharmesh.gif"><img class="size-full wp-image-1760" title="Dharmesh Shah on Twitter" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/dharmesh.gif" alt="Dharmesh Shah on Twitter" width="510" height="359" /></a></dt>
<dd class="wp-caption-dd">Dharmesh Shah on Twitter</dd>
</dl>
<p>&nbsp;<br />
<strong>UPDATE</strong>: HubSpot, the parent company, have <a href="http://twitter.com/HubSpot/status/8974998969">tweeted</a> that they are aware of the hack and working on a solution. In the meantime, if you are a Grader user, you may want to consider temporarily revoking access to Grader in your Twitter profile <a href="http://twitter.com/account/connections">via Settings -> Connections</a>.</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/grader-com-hacked/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Facebook &#8220;Un Named App&#8221; scare leads to malware</title>
		<link>http://countermeasures.trendmicro.eu/facebook-un-named-app-scare-leads-to-malware/</link>
		<comments>http://countermeasures.trendmicro.eu/facebook-un-named-app-scare-leads-to-malware/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 14:12:18 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1725</guid>
		<description><![CDATA[A few minutes ago I noticed that a friend of mine had posted the following status to her Facebook profile: &#160; Facebook status &#160; Of course this got my bat senses tingling and I smelled a panic-inducing spiral of insanity brewing, so I thought I&#8217;d have a bit of a look around. &#160; Nothing to [...]]]></description>
			<content:encoded><![CDATA[<div class="mceTemp">
<p>A few minutes ago I noticed that a friend of mine had posted the following status to her Facebook profile:<br />
&nbsp;</p>
<dl id="attachment_1726" class="wp-caption alignleft" style="width: 510px;">
<dt class="wp-caption-dt"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/FB-status.png"><img class="size-full wp-image-1726" title="Facebook status" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/FB-status.png" alt="Facebook status" width="510" height="198" /></a></dt>
<dd class="wp-caption-dd">Facebook status</dd>
</dl>
</div>
<div>
&nbsp;<br />
Of course this got my bat senses tingling and I smelled a panic-inducing spiral of insanity brewing, so I thought I&#8217;d have a bit of a look around.</div>
<p>&nbsp;</p>
<div>Nothing to worry about here as far as your Facebook is concerned; this does not appear to be a genuine malicious app. In fact a <a title="What is the &quot;Unnamed App&quot; on Facebook?" href="http://answers.yahoo.com/question/index?qid=20100126190431AAJkPoW" target="_blank">thread</a> on Yahoo Answers appears to demonstrate in a reproducible fashion that &#8220;Un named App&#8221; is nothing more than your &#8220;Boxes&#8221; tab on your Facebook profile page.</div>
<p>&nbsp;</p>
<div>Beware though, there is still real risk attached to this Chinese whisper. Criminals have picked up on the concern among Facebook users (or possibly they were responsible for starting the rumour?) and they have already started to poison Google search results.</div>
<p>&nbsp;</p>
<div>
<div id="attachment_1727" class="wp-caption alignleft" style="width: 611px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/Google-search-result.png"><img class="size-full wp-image-1727" title="Google search result" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/Google-search-result.png" alt="Google search result" width="510" height="258" /></a><p class="wp-caption-text">Google search result</p></div>
</div>
<div>
&nbsp;<br />
I queried Google for &#8220;facebook unnamed app&#8221; and the third result on the first page pointed to a malicious website set up for the purposes of distributing fake anti-virus software, this time called &#8220;Security Tool&#8221;. If you are unwary enough to click the link you will be presented with a dialogue box informing you that you have a huge number of infected files on your machine and prompting you to use Security Tool to clean them up. The software of course is no real security solution and is designed to fool the victim into parting with hard-earned cash.<br />
&nbsp;<br />
<div id="attachment_1728" class="wp-caption alignleft" style="width: 532px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/Security-Tool1.png"><img class="size-full wp-image-1728" title="Security Tool Rogue AV" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/Security-Tool1.png" alt="Security Tool Rogue AV" width="510" height="396" /></a><p class="wp-caption-text">Security Tool Rogue AV</p></div><br />
&nbsp;<br />
Always search with caution, especially when searching for terms of high current popularity. Using search trends and conversation trends to target malicious software is now a firmly established criminal modus operandi.<br />
&nbsp;<br />
If you are worried about computer security and not sure where to click, you can always <a href="mailto:rik_ferguson@trendmicro.com?subject=Mail from Countermeasures">contact me directly</a>. If you feel you may have been affected by this or any other scam, then I would advise you to go and scan your PC with a real security solution, our own free <a title="Trend Micro HouseCall" href="http://housecall.trendmicro.com/uk/" target="_blank">HouseCall</a> service.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/facebook-un-named-app-scare-leads-to-malware/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Malware on Demand</title>
		<link>http://countermeasures.trendmicro.eu/malware-on-demand/</link>
		<comments>http://countermeasures.trendmicro.eu/malware-on-demand/#comments</comments>
		<pubDate>Thu, 23 Apr 2009 12:44:16 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[malicious code]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=432</guid>
		<description><![CDATA[I came across a very well designed and presented SEO pay-per-click &#8220;affiliate program&#8221; a couple of days ago. This scheme offers the affiliate a customised &#8220;file&#8221; (detected by Trend Micro as TROJ_DROPPER.JLA) which you can then distribute to your victims using whichever means are the most convenient for you. Maybe you want to [...]]]></description>
			<content:encoded><![CDATA[<p>I came across a very well designed and presented SEO pay-per-click &#8220;affiliate program&#8221; a couple of days ago.</p>
<p><img class="alignleft size-full wp-image-434" title="seoclicksfront1" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/04/seoclicksfront1.png" alt="seoclicksfront1" width="492" height="300" /></p>
<p>&nbsp;</p>
<p>This scheme offers the affiliate a customised &#8220;file&#8221; (detected by Trend Micro as <a href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FDROPPER%2EJLA&amp;VSect=P" target="_blank">TROJ_DROPPER.JLA</a>) which you can then distribute to your victims using whichever means are the most convenient for you.</p>
<p><img class="alignleft size-full wp-image-435" title="seoclicksget" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/04/seoclicksget.png" alt="seoclicksget" width="477" height="252" /></p>
<p>&nbsp;</p>
<p>Maybe you want to push it out through your own botnet, spamvertise it, or perhaps rent some time on someone else&#8217;s botnet to get your file out there. Once installed, the malicious file will silently redirect browser traffic driving users to sites of dubious pedigree. You&#8217;ll need to be selective though, the scheme only pays out for victims in Australia, Canada, Germany, Great Britain and the US.</p>
<p><img class="alignleft size-full wp-image-436" title="seoclicksstats" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/04/seoclicksstats.png" alt="seoclicksstats" width="496" height="342" /></p>
<p>&nbsp;</p>
<p>With its fully hosted management and tracking interface, automated malware generation, and free sign-up process, this scheme once again demonstrates how low-skill, low-effort and low-cost entry into this shady underworld has become.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/malware-on-demand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Poisoned Downad/Conficker Removal Searches&#8230;</title>
		<link>http://countermeasures.trendmicro.eu/poisoned-downadconficker-removal-searches/</link>
		<comments>http://countermeasures.trendmicro.eu/poisoned-downadconficker-removal-searches/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 21:12:04 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[downadup]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[worm_downad]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=373</guid>
		<description><![CDATA[Reminder: For a FREE tool to remove Conficker (and every other malware in the current pattern file) use Trend Micro&#8217;s SysClean available here. As soon as the good news breaks that it is possible to use tools such as the network scanning tool nmap to search for machines infected by Downad/Conficker, then the malicious SEO work starts. [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Reminder</strong>: For a <strong><span style="color: #800000;">FREE </span></strong>tool to remove Conficker (and every other malware in the current pattern file) use Trend Micro&#8217;s SysClean available <a href="http://www.trendmicro.com/download/dcs.asp" target="_blank">here</a>.</p>
<p>As soon as the <a href="http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/" target="_blank">good news breaks</a> that it is possible to use tools such as the network scanning tool <a href="http://nmap.org/" target="_blank">nmap</a> to search for machines infected by Downad/Conficker, then the malicious SEO work starts.</p>
<p><img class="alignleft size-full wp-image-375" title="nmapconresult1" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/03/nmapconresult1.png" alt="nmapconresult1" width="560" height="323" /></p>
<p>If you need malware removal tools type the URL of your vendor of choice directly into the browser bar and use links on their website. Do not rely on Google search results at this time, as they may have been &#8220;optimised&#8221;.</p>
<p>Careful what you click on, these Google results are loaded!</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/poisoned-downadconficker-removal-searches/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
	</channel>
</rss>

