used by permission from flattop341 Flickr photostream

Trend Micro and the FBI are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history.
 
This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. more than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.
 
If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.
 
First you will need to discover what your current DNS server settings are:
 
On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, in the  Search box type “cmd” and hit return (for Windows 95 users, select “Start“, then “Run“).This should open a black window with white text. In this window type “ipconfig /all” and hit return. Look for the entry that reads “DNS Servers” and note down the numeric addresses that are listed there.
 
On a Mac (yes they can be victims too), click on the Apple icon in the top left of your screen and select “System Preferences“, from the Preferences panel select the “Network” icon. Once this window opens, select the currently active network connection on the left column and over on the right select the DNS tab. note down the addresses of the DNS servers that your computer is configured to use.
 
You can check to see if these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI, simply enter the IP addreses, one by one and click the “check ip” button.
 
If you feel that you computer may have been infected, you can visit Trend Micro’s HouseCall for a free scan and clean-up and notify the FBI by submitting this form. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.
 
Ongoing updates on this threat can be found on our Operation Ghost Click landing page.
 

Picture courtesy of Intego

In the new version of MacOS, when a user downloads a file that is detected as containing malicious code, the user is notified that the file “could damage your computer” and prompted to delete the offending file.

This recognition of the threat of malware is a new, important and very encouraging step made by the folks over at Infinity Loop.

Although I welcome any attempt by Apple to keep their growing user community safe and secure, the malware detection released with Snow Leopard can only be described as rudimentary at best, files are only scanned at time of download, and even then, only when downloaded by certain applications (such as Safari, iChat or Mail). Malware is detected by way of a static pattern matching file, the file that ships with Snow Leopard contains definitions for only two pieces of malware, OSX_RSPLUG and OSX_KROWI. The update mechanism that is being proposed for these virus patterns is the standard Apple Software Update technology so updates may well be irregular. Rather than the real-time updates necessary to combat today’s sophisticated threats. There appears to be no real-time scan (files are not scanned as they are executed), no central management or reporting.

The RSPlug Trojan (Oct 2007), drops the DNSChanger malware, and Krowi is the piece of malware responsible for the creation of the first OSX botnet and was found hidden in various illegally shared copies of popular Mac applications. No mention then of the Jahlav family of malware so prevalent at the moment. In fact the most recent discovery of a new variant of this was made just this week by Trend Micro’s own Feike Hacquebord and was hiding in supposed pirated copies of Snow Leopard itself.

RSPlug and Jahlav have both been known to pose as video codec installers, a tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.

These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.

That is certainly the case if you believe Apple’s latest advertisement, available here and titled Elimination.

“I just need something that works without crashing, or viruses or a ton of headaches.”

 Apple’s ads have always been amusing, but this won’t be the first time that someone calls them out for also being misleading.

To say that there is no malware (or viruses) for the Apple platform is demonstrably untrue. In January of this year a pirated copy of iWork was made available as a Torrent, that copy of iWork was found to contain a trojan. Those affected systems were later found to have been recruited into a botnet that has already been used for DDoS and Spam runs.

By the same token, Mac OS and many applications on the Mac OS platform have recently been found vulnerable to some high profile exploits. This was most publicly evidenced by the Pwn2Own at CanSecWest both this year and last, but also includes such well used applications as Adobe Flash and Acrobat and Microsoft Office.

For many years now Mac users have believed themselves to be invulnerable to malware, and this is not the first time they have been encouraged by Apple in this belief. This complacency leaves many Mac users with the mistaken belief that either Macs are not vulnerable to malware, or that none exists for their platform or both, impacting their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.

Given the fact that today’s cybercrime motivation has shifted from a misplaced sense of “l33t h4x0r” pride to a sole focus on the business of generating cash, the threat to Mac users is definitely growing. Cybercrime and malware in today’s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would defintely be fair to say that as the Mac market share expands and the user base grows, so does its perceived “investment potential” to the cybercriminal.

It’s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected can only increase the attractiveness. Apple should talk honestly and openly with their customers about the threat, giving them fair and balanced advice when it comes to protecting their investment, their identites and their cash.

As regards the other one, a Google search for “Mac OS crash” yields over 3 million results…

For the record, I’m a Mac user.