04/23/2012

Incredible Analysis of Flashback/Fakeflash OSX Trojan

In one of the finest examples of research into the workings of malware most people are likely to ever see, Alexander Gostev of Kaspersky Antivirus begins a full analysis of Flashback/Flashfake.

According to Alexander's research, it looks like Flashfake began its infections via hacked WordPress blogs.
From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update.
Good ol' social engineering is what duped the first wave of folks into getting infected. (N.B. Typically, these are the types of infections that are blocked by Internet security software.)

Next, it appears actual exploits began being used to spread the Trojan via the hacked WordPress blogs. Exactly how many blogs were compromised isn't known, but it's at least 30,000 according to a Websense report on the WordPress infections.

Hats off to Kaspersky and Alexander both for the great research and for sharing it.

04/13/2012

Flashback Checker & Removal Tools (or Why Antivirus Software is a Good Thing)



People sometimes question why antivirus software that's not a part of the operating system is a must.

With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.

To be blunt: on its own this does almost nothing to make a PC safer. The first antivirus software the virus writers will make sure their code evades is whatever is built into Windows! And so, the built-in A/V amounts to little more than a false sense of security for most people and a minor delay for the bad guys.

Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.

Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.

Now, let's bring Apple into the picture.

Apple was criticized first for its slowness in shipping the Java patches Oracle had released nearly two months earlier (the delay that let the Flashback Trojan hit Macs as hard as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.

Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).

Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.

All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with the steps and tools they each made.

Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.

Here's what the update looks like in Software Update:

04/11/2012

Mac OS X Flashback Trojan Fix in the Works by Apple

Today Kaspersky's Dennis Fisher brings news that Apple is developing a Flashback Trojan Fix.

First a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a hole per se in OS X. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.

Yikes.

As most of us know by now more than 600,000 Macs running OSX have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.

This is really the first time Apple finds itself in a position Microsoft mastered long ago: how to handle the three prongs of dealing with a virus outbreak,
  1. customers
  2. security researchers
  3. virus writers
As for the official word from Apple, there's now a document on Flashback malware at Apple's support site.

Unfortunately, it really says nothing more than, "Apple is developing software that will detect and remove the Flashback malware."

They do, however, give a good link on how to disable Java in your Mac's browser preferences.

Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.

After all, Java is not the same as JavaScript, and since so few sites rely on Java, there's very, very little you'll miss by disabling Java altogether. And if you do need it, turn it back on and shut it off again when you're done.

04/06/2012

Nearly 600,000 Macs Hit with Flashback Trojan Malware



Many a blog have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.

Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."

What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.

Even still, it's important to realize "more secure" doesn't mean "secure."

In a way, we should consider ourselves lucky: like the MacDefender fake antivirus malware, this one is also getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses becoming mainstream for the Mac like they are for the PC.

And with that knowledge comes greater understanding of what can be done to protect ourselves. In this case the understanding came because Russian antivirus firm Dr Web uncovered the 550,000-strong botnet that spread via Trojan Backdoor.Flashback.39.

F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.
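To make the manual check concrete, here is an added example, written for this edit and not F-Secure's script or code from the original post. It applies the two indicators F-Secure's manual instructions (referenced here and in the 04/13 post above) tell you to look for with `defaults read`: an LSEnvironment entry in Safari's Info.plist, and a DYLD_INSERT_LIBRARIES entry in the user's ~/.MacOSX/environment.plist. The plist contents and the injected library paths in the samples are constructed for illustration; on a Mac the script reads the real files instead.

```python
"""Check plist data for the two indicators F-Secure's manual Flashback
instructions look at (added example, not F-Secure's or the blog's code)."""
import plistlib
import sys
from pathlib import Path

# Real file locations the manual instructions point at (macOS paths).
SAFARI_INFO_PLIST = Path("/Applications/Safari.app/Contents/Info.plist")
USER_ENV_PLIST = Path.home() / ".MacOSX" / "environment.plist"


def flashback_indicators(safari_info: dict, user_env: dict) -> list:
    """Return human-readable findings; an empty list means neither
    indicator is present (the 'does not exist' answer from `defaults read`)."""
    findings = []
    ls_env = safari_info.get("LSEnvironment")
    if isinstance(ls_env, dict) and "DYLD_INSERT_LIBRARIES" in ls_env:
        findings.append("Safari Info.plist: LSEnvironment injects "
                        + str(ls_env["DYLD_INSERT_LIBRARIES"]))
    elif ls_env is not None:
        # A stock Safari has no LSEnvironment key at all, so any value is worth a look.
        findings.append("Safari Info.plist: unexpected LSEnvironment entry")
    if "DYLD_INSERT_LIBRARIES" in user_env:
        findings.append("~/.MacOSX/environment.plist injects "
                        + str(user_env["DYLD_INSERT_LIBRARIES"]))
    return findings


def load_plist(path: Path) -> dict:
    """Read a plist file; a missing file is the clean case and yields {}."""
    if not path.is_file():
        return {}
    with path.open("rb") as fh:
        data = plistlib.load(fh)
    return data if isinstance(data, dict) else {}


# Constructed samples (not real Flashback artefacts): a clean Safari plist,
# and plists where a library has been injected into every Safari process
# and into every process the user launches.
CLEAN_SAFARI = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

INFECTED_SAFARI = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.sample.so</string>
  </dict>
</dict></plist>"""

INFECTED_USER_ENV = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.sample.so</string>
</dict></plist>"""


def check_samples() -> dict:
    """Run the check over the constructed samples; used when not on a Mac."""
    return {
        "clean": flashback_indicators(plistlib.loads(CLEAN_SAFARI), {}),
        "infected": flashback_indicators(plistlib.loads(INFECTED_SAFARI),
                                         plistlib.loads(INFECTED_USER_ENV)),
    }


if __name__ == "__main__":
    if sys.platform == "darwin":
        found = flashback_indicators(load_plist(SAFARI_INFO_PLIST),
                                     load_plist(USER_ENV_PLIST))
        print("\n".join(found) if found else "No Flashback indicators found")
    else:
        for name, found in check_samples().items():
            print(name, "->", found or "clean")
```

A clean machine has neither key, which is exactly the "does not exist" response the manual check describes; the script treats a missing environment.plist the same way. It only looks for the two injection points the early variants used, so a clean result here is not proof of a clean system against later variants.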

And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit being the channel through which trojan is infecting the Mac to begin with.)

My $.02, if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.


UPDATE

Turns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out Mac Trojan Flashback.B Checks for virtual machine!

What's so significant about that?

Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMware, Parallels, VirtualBox and others to help their research.

Using virtualization software allows the researchers to investigate viruses with the added safety net of doing so in a contained environment. And, in doing so they're able to more easily explore the innards of many viruses.

The malware writers for Windows have figured this out, and many of the most advanced viruses check to see if they're running inside a virtual environment and, if so, they shut down, thus making research slower, more tedious, and a lot more difficult.

This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.

The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.

04/04/2012

New Site Announcement: parental control software reviews



One of the most common questions we get is:
Which antivirus software should I buy to protect my kids online?
Really though, when we probe a little deeper with the visitor who's asking the question, there are two intents behind the original question.
  1. What's the best at keeping a virus off my kid's PC?
  2. What's the best at keeping my kids away from sites with objectionable content?
When it comes to the second one, many of the top Internet security suites do come with parental controls. The problem is: they're just not as good as dedicated parental control software. After all, they really are meant to be antivirus software first and foremost.

So, as happened with this site when we looked at the antivirus software review landscape back in 2006, we found a need. From that came pcAntivirusReviews.com.

Here we are now in 2012, and again we saw a problem. Most importantly, the other review sites all try to pigeonhole kids of all ages into one "best" product. That's just not reality though. The software needed for monitoring a seven year old is usually quite different from the software for monitoring a 17 year old.

And, seeing no sites that were testing the software as thoroughly as we'd like it tested, we're proud to announce the launch of our own parental control software review site.

The reviews are done, and while the site is in its infancy now, it's online and ready to go. Once you've checked it out, if you have questions, we're extremely familiar with each of the programs, having just finished our first complete round of testing, so please ask. We're glad to help.

The main thing you'll see (aside from our usual candor about the software) is that unlike other sites, we're not claiming there's one so-called "best parental control program". Instead, you can look at things as you need to: according to what properly fits your family's needs.

Most importantly among these things is the age of the child being monitored or if they're an "at risk" youth of any age.

So, the three broad categories for consideration are:
  1. Children under 9
  2. Children 10 and up
  3. At-risk kids of any age
Looking at things this way will help you narrow things down more quickly and make it easier for you to choose the right software.

So, if you're in the need for something to help you monitor what your kids are doing online (or to help you block sites with objectionable content), your job just got easier.

Let us know if we can help. (Full contact information at the new site.)

04/02/2012

New Phishing Tricks by the Bad Guys



UPDATE: Looks like I'm not the only one getting these emails!

Dancho Danchev with Webroot also has a great blog post on these emails. His is called, Spamvertised 'US Airways' themed emails serving client side exploits and malware

One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.


Sometimes, you really just have to laugh.

I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.

It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.

Here's what it looked like:



Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:

Domain ID:D5073610-AFIN
Domain Name:RUPEERUPAYA.IN
Created On:27-May-2011 21:14:29 UTC
Last Updated On:27-Jul-2011 19:20:22 UTC
Expiration Date:27-May-2012 21:14:29 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R101-AFIN)
Registrant ID:CR84151356
Registrant Name:ian jamieson
Registrant Organization:perdita & pongo llc
Registrant Street1:po box 2225
Registrant City:manchester ctr.
Registrant State/Province:Vermont
Registrant Postal Code:05255
Registrant Country:US
Registrant Phone:+1.8022360304
Registrant Email:ianpjamieson@gmail.com

Whether or not the registrant name is legit is anyone's guess, but the site is hosted at the IP 184.168.172.1 by GoDaddy.

It's exceedingly rare that anyone uses their real info to host a phishing site--much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that or the registrant name is completely falsified.

The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.

Instead, by doing a "Right Click," you can copy the link out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see this link is going to an Indian website (.in) and not to US Airways.
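The "paste the link into Notepad and look at it" step can be automated. The following is an added example written for this edit (not the author's code, and not tied to VIPRE or any product): it pulls every link out of an HTML email body and flags any whose real destination host is not the brand's own domain. The message body, link text and hostnames are constructed for illustration; they are not the actual email the post describes. Beyond the plain ".in instead of usairways.com" case, the sample also covers two tricks worth checking for: a brand name used as a subdomain of the attacker's host, and a brand name placed in the URL's userinfo part before an "@".

```python
"""Flag links in an HTML email whose real destination is not the claimed
brand's domain (added example; constructed sample message)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self._href = href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def host_of(url: str) -> str:
    """The host the browser would actually connect to.  urlsplit().hostname
    drops any userinfo, so 'http://www.usairways.com@evil.in/' yields 'evil.in'."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it; a host such as
    'www.usairways.com.evil.in' does not qualify."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, brand_domain: str) -> list:
    """Return (visible text, href, real host) for every link leaving brand_domain."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, href, host_of(href))
            for href, text in parser.links
            if not belongs_to(host_of(href), brand_domain)]


# Constructed sample: the shape of a fake check-in confirmation, not the real email.
SAMPLE_EMAIL = """<html><body>
<p>Your check-in is confirmed. Reservation details:</p>
<p><a href="http://phish-example.in/usairways/checkin.php?id=1">Online reservation details</a></p>
<p><a href="http://www.usairways.com.phish-example.in/">www.usairways.com</a></p>
<p><a href="http://www.usairways.com@phish-example.in/login">Manage my booking</a></p>
<p><a href="https://www.usairways.com/">US Airways home page</a></p>
</body></html>"""

if __name__ == "__main__":
    for text, href, host in suspicious_links(SAMPLE_EMAIL, "usairways.com"):
        print(f"'{text}' -> {href}  (real host: {host})")
```

Three of the four links are flagged; only the genuine usairways.com link passes. The check deliberately compares hostnames rather than searching the URL for the brand name, because the brand name appears somewhere in all three bad links.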

For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular message. After all, it is a relatively clever bit of social engineering that some people will, no doubt, fall for.

Even still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.

Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:



As you can see, VIPRE 2012 blocked it as a trojan, so there should be little doubt in your mind now. Between
  1. the "US Airways" link mysteriously going to a .in website...
  2. it being registered to an "ian jamieson..."
  3. and VIPRE ISS blocking the first thing on the site as a trojan
this is a malicious website and a phishing/spear-phishing attack.

Now, it's time to contact GoDaddy to get the site yanked before more people get infected.

Oh, and in case you're wondering here are the threat details from VIPRE: