First, a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a hole per se in OS X. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.
As most of us know by now, more than 600,000 Macs running OS X have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.
This is really the first time Apple finds themselves in a position Microsoft has long ago mastered: how to handle the three prongs of dealing with a virus outbreak,
- security researchers
- virus writers
Unfortunately, it's really nothing more than,
Apple is developing software that will detect and remove the Flashback malware.
They do, however, give a good link on how to disable Java in your Mac's browser preferences.
Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.
We'll make this a quick update: go patch your Adobe Reader / Adobe Acrobat. Now.
In fact, don't even bother reading the rest of this 'til you've updated.
Here's where to get the latest versions:
OK, so if you're still reading, you must've patched your Acrobat / Reader.
If not, you're in, "big, big trouble," as Mom would say.
The Register gives the scoop on the Adobe critical update, saying,
"Version 9.4.6 of the programs fix two memory-corruption bugs that Adobe says are 'being actively exploited in limited, targeted attacks in the wild' against machines running Windows.
"The same bugs are present in Mac and Unix versions of the applications, but there are no reports of machines running them being exploited.
"The bugs are also present in Reader X for Windows, but a security sandbox, which Adobe added last year to minimize the damage that results from code flaws, prevents the attacks from working."
We haven't seen the exploit ourselves yet, so we don't know if the latest antivirus software updates protect against it, but (again thanks to The Register) we do know,
"...researchers from antivirus provider Symantec [maker of Norton Antivirus] warned that email-borne attacks exploiting the flaw to install the Backdoor.Sykipot were detected as early as November 1."
So, if Symantec has been aware of this for more than six weeks, chances are good their software--and that of the other top antivirus software makers--is already protecting against these exploits.
With that in mind, anytime I hear that a vulnerability is being exploited in the wild, it means two things: update the affected software and double-check that my antivirus software is updated.
We get a lot of questions to our "Ask the Experts" link. We answer 'em all.
Most times they're good questions. Some times they're great.
One such question came in today from Rich, who asks,
"Which antivirus program and firewall can I use on a laptop with Windows 2000 Pro installed?
"The laptop hardware meets most programs' requirements but most programs say XP or newer.
"My laptop works great as is and I would just like to have good antivirus and firewall protection."
Here's my reply:
This is definitely a tough question.
The problem is this: Windows 2000 (which was my favorite version of Windows) is SO far out-of-patch from Microsoft (it is almost 2012), even if you were to find antivirus software for it, which I quite doubt, the OS itself isn't being updated and thus can't be secured anymore.
If the underlying OS is insecure, all bets are off.
I say this with a background as former CTO of a publicly traded credit card processing company. These types of issues weren't just what-if scenarios there, but things I had to make policy about for my company and shareholders.
The bottom line: even back then I wouldn't have allowed someone to connect to my network with an OS that old, and now you're talking about one that's, literally, 12 years old.
It just cannot be secured. Plain and simple.
Here's the next rub: the way the antivirus software "hooks" into the OS has changed even since XP. One malware researcher found the hooking method in XP could in some cases be circumvented and most any antivirus software bypassed. And this was with XP. Who knows what the story is with W2K.
Since Windows 2000, Microsoft has released:
- Windows XP
- Windows 2003 (servers)
- Windows Vista
- Windows 2008 (servers)
- Windows 7
So, as much as I'd love to recommend a product, I'd be doing you a disservice.
Here's why: the reason no antivirus company is making software for 2000 anymore is that if Microsoft isn't updating the underlying OS anymore, the A/V companies certainly aren't willing to put their necks on the line trying to defend what is, practically speaking, indefensible.
Further, most web browsers--the most common attack vector of viruses these days--are no longer supporting Windows 2000.
No matter where you look, the propeller heads have long since decided to turn their backs on Win2K.
Believe me, I'm a fan of old computer hardware (and I loved Windows 2000) and want to keep things running 'til the end of time, but we're talking about technology not a classic car. (My wife made me recycle more old PCs last year than I'm comfortable even admitting were in my house. I had hardware made in 1991 that still ran.)
In your case, if you're serious about keeping the data on that PC secure, you need to put it to pasture. It just cannot be secured.
My take: a trip to your local Best Buy, to NewEgg.com, or to Buy.com and look for a new lappy. These days, great machines can be had for a song.
And one final note I forgot to mention to Rich: Yes, you can definitely remove the antivirus software that comes pre-installed on a new computer.
It's seldom the best antivirus software for your needs and is often there just because the antivirus company and the computer maker struck a deal to put it there to begin with.
Chances are, they just paid the manufacturer more than the next guy for the privilege. They know a large percentage of people will assume if it's there it must be the best, and they end up renewing the antivirus software when the subscription runs out.
- Some combination of the above?
There have been multiple reports of this in large online news outlets including CNet and ZDNet about the false positive, those people affected by it, and MS's reply.
Microsoft's response to the ZDNet inquiry was pretty quick (even though about 3,000 people were affected), with the MS spokesperson saying via email,
"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs.
"We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted."
While no one is cheering for Microsoft for the goof, it's pretty clear this really was just a goof. It happens.
Sure, given the relationship between Microsoft and Google, it could easily be called intentional or perhaps even a Freudian slip, but let's remember: antivirus software is complex stuff. No question.
And, at least in this case it was remedied relatively quickly. If needed, here's where you can manually update the definitions to your Microsoft Security Essentials.
Lastly, regardless of what antivirus software you're running, if you haven't done it in a while, now's a good time to take a minute and make sure you're running the latest version with the most recent definitions.
Here are the highlights:
- Android is now the most highly targeted platform for mobile / smartphone malware.
- More successful legal actions are being taken against cybercriminals
- 22% increase in malware samples over 2010
- On pace for 75 million malware samples by the end of 2011
- Fake antivirus software continuing to grow
- 38% increase in rootkits (stealth malware) over 2010
- Adobe outpaced Microsoft for security exploits in their software (Acrobat, Acrobat Reader, etc.)
- After a brief up-tick, spam is again declining
- Over 7,000 new malicious websites per day
- Over 2,700 new phishing websites per day
- Smartphone viruses are here, they're real, and they're growing.
- It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
- Antivirus software is a must.
Paul Roberts from Threat Post brings news in the battle against botnets: The Coreflood Trojan botnet takedown.
The U.S. Department of Justice stated Wednesday that they'd taken steps to disable an international botnet of over 2 million infected PCs. What's significant about this botnet is that it was stealing corporate data including user names and passwords and other financial data.
According to a statement from the U.S. Attorney's office for the District of Connecticut, thirteen defendants were charged in a civil complaint. A total of 29 domain names were seized in a raid connected to malware--code-named "Coreflood"--on machines attempting to communicate with the command and control servers.
The "Coreflood" malware is believed to have originated in Russia and has been active for ten years, which is staggering in and of itself. The DOJ said it had received a temporary restraining order allowing it to disable the malware.
This crackdown is considered to be one of the largest actions taken by U.S. law enforcement against an international botnet Trojan virus. In the past year, a similar botnet takedown was driven by the private sector (Microsoft and FireEye).
[Editor's Note: See our prior post: Microsoft Working to Take Down Win32/Rustock Botnet. This crackdown against the "coreflood" malware and command and control servers mirrored the efforts by Dutch authorities that disabled Bredolab botnet back in October.]
According to the U.S. Attorney's office, five command and control servers were halted, plus the 29 domain name sites that communicated to these C&C servers.
The government replaced the C&C servers with "substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties." While the infected machines were not disinfected of the malware, of course, the hope is that security software providers will develop tools to remove the Coreflood malware and that victims will update their antivirus definitions.
Mozilla reported on March 22, that they were informed about the issuance of several fraudulent SSL certificates intended for public websites.
These were removed by the issuers which should protect most users. Mozilla has patched their Firefox versions 3.5, 3.6, and 4.0 to recognize and block these certificates, even though it is not a Firefox specific issue.
The effect on users would be that, if on a compromised network, they could be directed to sites using the fraudulent certificates and mistake them for legitimate sites. This, in turn, could be used to deceive users into revealing personal information like usernames and passwords, or into downloading malware they believe is coming from a trusted site.
Although current versions of Firefox are protected from this attack, Mozilla is still evaluating further actions to mitigate this issue.
The Comodo Group, Inc. (the certificate authority) first reported the issue.
A follow up by Mozilla indicated that on March 15 an RA partner of Comodo Group, Inc.--which is a Certificate Authority--suffered an internal security breach, where the attacker used the RA's account with Comodo to get 9 fraudulent certificates to be issued.
The domain names of the certificates were identified as:
- login.yahoo.com (x3)
- global trustee
The attack was discovered immediately by an internal Comodo check, and the certificates were revoked and the RA account suspended.
To date, Comodo reports the only OCSP activity relating to these certificates has been two hits, one from the attacker's IP and another from very close by, plus hits from testing by Comodo and the notified companies. This suggests they have not been deployed in an attack, but it is possible the attackers would block OCSP requests as well.
Comodo has identified the IP address as an ADSL connection and originating from Iran. From the OCSP traffic mentioned, Mozilla thinks the attacker is aware the certificates have been revoked.
Mozilla does not believe there has been a root key compromise. However, an attacker armed with fraudulent certificates and an ability to control their victim's network could easily impersonate sites in a very inconspicuous way.
Risk mitigation actions implemented:
- Revocation of the certificates
- A hard-coded blacklist of the certificate serial numbers in Firefox, deployed as RC2 of Firefox 4 and in two additional point releases, released on March 22.
- Mozilla released an announcement with some details of the problem.
Mozilla released the patch prior to publishing any announcements out of concern the attackers would be tipped off to blocking the updates.
Mozilla's security blog reported:
Mozilla recognizes that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.
Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.
In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.
Mozilla has requested that Comodo do the following:
- Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)
- Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)
- Cancel all relationship with the RA concerned. (So far: the RA is suspended.)
- Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.
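The hard-coded blacklist of certificate serial numbers that Mozilla shipped in Firefox (the second mitigation listed above) is a check that runs alongside ordinary chain validation, and the two are not the same thing. The following Go program is an added example, not code from Mozilla, Firefox or Comodo: it generates a throwaway CA in memory, issues two leaf certificates under it for the constructed hostname login.example.com, and treats one of them as a mis-issued certificate. Path validation accepts both, because the CA's signature on each is genuine; only the issuer-plus-serial blocklist rejects the bad one. All keys, names and serial numbers here are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// blockKey identifies a certificate the way a hard-coded blocklist does: by issuer
// name plus serial number, since a CA must never reuse a serial.
func blockKey(c *x509.Certificate) string {
	return c.Issuer.String() + "|" + c.SerialNumber.Text(16)
}

// CheckChain runs normal path validation for host against roots, then rejects the
// connection if any certificate in the validated chain is on the blocklist. Path
// validation alone accepts a mis-issued certificate, because the CA's signature on
// it is genuine; the blocklist catches it without waiting on OCSP or a CRL.
func CheckChain(leaf *x509.Certificate, host string, roots *x509.CertPool, blocked map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if blocked[blockKey(c)] {
				return fmt.Errorf("certificate serial %s from %q is blocklisted", c.SerialNumber.Text(16), c.Issuer.String())
			}
		}
	}
	return nil
}

// sign creates and parses a certificate; parent == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildScenario constructs a throwaway CA and two leaves it signed for the same
// hostname: one legitimate, one standing in for a mis-issued certificate. Everything
// is generated in memory; nothing refers to a real CA or real serial numbers.
func BuildScenario() (good, bad *x509.Certificate, roots *x509.CertPool, blocked map[string]bool) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	ca := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	leaf := func(serial int64) *x509.Certificate {
		return sign(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "login.example.com"},
			DNSNames:     []string{"login.example.com"},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &leafKey.PublicKey, caKey)
	}
	good, bad = leaf(0x1001), leaf(0x1002) // constructed serials; 0x1002 plays the mis-issued one
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	blocked = map[string]bool{blockKey(bad): true}
	return good, bad, roots, blocked
}

func main() {
	good, bad, roots, blocked := BuildScenario()
	fmt.Println("legitimate cert:", CheckChain(good, "login.example.com", roots, blocked))
	fmt.Println("mis-issued cert, no blocklist:", CheckChain(bad, "login.example.com", roots, nil))
	fmt.Println("mis-issued cert, with blocklist:", CheckChain(bad, "login.example.com", roots, blocked))
}
```

The middle line of the output is the point: with the blocklist absent, the mis-issued certificate validates cleanly, which is exactly the situation Mozilla's note above describes, where a user on a hostile network could be shown a "valid" login page. Keying the blocklist on issuer plus serial rather than serial alone matters because serials are only unique within one issuer.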
With Internet attackers always on the move, Internet users should always ensure their PCs are getting the latest updates, including updates to Firefox, to protect against intrusions and malware. Aside from that, having solid, trusted Internet security software can also give peace of mind in holding off these threats.
Among the most important parts of keeping any computer secure is to update the OS when fixes become available. Microsoft Windows 7 SP1 Beta has been available for test release since July of 2010 while the formal release began late last month (Feb 2011).
To update, users can select the Windows 7 SP1 update in Windows Update (which is the easiest way for one PC), or do it manually by downloading and installing as a separate file (which is the easiest way if you have several machines to update).
The x86 version is about 527 MB while the x64 tips the scales around 903 MB.
Besides fixes and improvements for stability, there are about 80 other fixes generally classified into hotfixes and security updates by our friends in Redmond.
The majority of these can be grouped as follows:
- 25 fixes to help prevent Remote Code Execution
- 8 Internet Explorer Updates
- 7 Kernel fixes to prevent Elevation of Service
- 6 .NET framework 3.5, 3.51, and 4.0 fixes
- 5 Elevation of Service fixes related to various vulnerabilities
- 5 Vulnerability fixes that could allow Denial of Service
- 3 Application Compatibility Updates
- 3 Updates including Rollup/Security updates for Active X, and
- 2 Updates for XML Core Services
While we here are all very much proponents and strong advocates of antivirus firewall software to help keep a PC secure, it's an understatement to say it's important to take advantage of security fixes like these, too.
Put another way: if you haven't applied SP1 to your PCs yet, now's a good time to hop to it.
September is proving to be a busy month for the bad guys. Aside from the latest email worm, dubbed W32/VBMania@MM by McAfee, Adobe is also being exploited by the cyber criminals.
This latest bug (CVE-2010-2883), being called, "Critical," Adobe's highest rating, affects Adobe Reader / Acrobat versions 9.3.4 and earlier on the following platforms:
- Microsoft Windows
- Apple Macintosh
According to Adobe, there are mitigation techniques available for Windows users, though an upgrade is definitely a better choice. Their official announcement warns,
Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited.
"For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited.
"Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.
Possible effects of the exploit?
This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system, so, unless you have some very good reason not to upgrade your Adobe Acrobat/Reader immediately, you should.
For more details, here's a post from Sophos on Adobe Acrobat/Reader exploit and the official Adobe Reader/Acrobat security announcement.
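The CVE-2010-2883 advisory above states its affected range as "9.3.4 and earlier", while the later Reader/Acrobat update is described as "fixed in 9.4.6"; those are the two ways vendor bulletins usually phrase a range, and a patch check has to handle both. The following Go program is an added example, not Adobe's or any vendor's tooling, that compares installed versions against such ranges numerically (so 9.10 sorts after 9.9 and 9.4 equals 9.4.0) and lists which hosts in a constructed inventory still need a patch. Hostnames and installed versions are made up; the two advisory bounds are the ones quoted in these posts.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion splits a dotted version such as "9.3.4" into numeric components.
// A non-numeric component is treated as 0 so a malformed string sorts low and is
// flagged for review rather than silently passing as patched.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimSpace(v), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = 0
		}
		out[i] = n
	}
	return out
}

// compareVersions returns -1, 0 or 1. Missing trailing components count as 0,
// so "9.4" and "9.4.0" compare equal; comparison is numeric, not lexical.
func compareVersions(a, b string) int {
	x, y := parseVersion(a), parseVersion(b)
	for len(x) < len(y) {
		x = append(x, 0)
	}
	for len(y) < len(x) {
		y = append(y, 0)
	}
	for i := range x {
		if x[i] < y[i] {
			return -1
		}
		if x[i] > y[i] {
			return 1
		}
	}
	return 0
}

// Advisory describes an affected range the way bulletins state it: either
// "version X and earlier" (LastAffected, inclusive) or "fixed in Y" (FixedIn).
type Advisory struct {
	ID, Product  string
	LastAffected string
	FixedIn      string
}

// Affects reports whether an installed version falls inside the advisory's range.
func (a Advisory) Affects(installed string) bool {
	if a.FixedIn != "" {
		return compareVersions(installed, a.FixedIn) < 0
	}
	return compareVersions(installed, a.LastAffected) <= 0
}

// Install is one (host, product, version) row from an inventory export.
type Install struct{ Host, Product, Version string }

// Outstanding returns one line per install that is still inside an advisory's range.
func Outstanding(inv []Install, advs []Advisory) []string {
	var out []string
	for _, in := range inv {
		for _, a := range advs {
			if a.Product == in.Product && a.Affects(in.Version) {
				out = append(out, fmt.Sprintf("%s: %s %s is affected by %s", in.Host, in.Product, in.Version, a.ID))
			}
		}
	}
	return out
}

func main() {
	// Advisory bounds as quoted in the posts; hosts and versions are constructed.
	advs := []Advisory{
		{ID: "CVE-2010-2883", Product: "Adobe Reader", LastAffected: "9.3.4"},
		{ID: "Reader 9.4.6 memory-corruption fixes", Product: "Adobe Reader", FixedIn: "9.4.6"},
	}
	inv := []Install{
		{"ws-01", "Adobe Reader", "9.3.4"},
		{"ws-02", "Adobe Reader", "9.4"},
		{"ws-03", "Adobe Reader", "9.4.6"},
	}
	for _, line := range Outstanding(inv, advs) {
		fmt.Println(line)
	}
}
```

Treating "X and earlier" as an inclusive bound and "fixed in Y" as an exclusive one is where ad-hoc scripts usually go wrong; a string comparison would also wrongly rank "9.10" below "9.9", which is why the components are compared as integers.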
Adobe issued a couple of critical patches this month to its Flash, Acrobat, and Adobe Reader products including one today for its Acrobat and Adobe Reader programs.
Adobe Acrobat & Adobe Reader Flaws and Upgrade/Patch
As for Adobe Reader as of the writing of this piece, the latest version of Adobe Reader is:
Here's how you can check your version and what you should see:
These security flaws in Acrobat and Reader--and Adobe's handling of them--have had fairly widespread discussion, including coverage at Kaspersky's 'threatpost' security blog.
Kaspersky's Ryan Naraine in his piece about the Adobe security patches says,
The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.
What's so important about this particular set of updates is the number of different types of systems that are affected, and while some antivirus software may be able to offset some of the threats posed by these security flaws in these programs, it's not worth the risk.
What's already clear is that there are security exploits in the wild that are taking advantage of these security holes, and if you're running Flash, Reader, or Acrobat (about 95% of the world is), your computer may be susceptible, regardless of what type of system you run--even a Mac.
Adobe Flash Player Flaws and Upgrade/Patch
The Flash Player (and the upgrade, of course) and Adobe Reader are free and only take a minute to install. (Adobe Acrobat isn't free but the security patch is.)
Here's the official Version Test for Adobe Flash Player.
On that page, you'll see what version of Flash Player you're running. As of the writing of this piece, the latest version for all systems is:
Don't take our word for it though, here's the official version information page for the Adobe Flash Player
Here's what the page looks like when it tests for your version of Flash Player (click the image below for a larger version plus our notes):
It's worth mentioning in our tests of the newest version of Flash Player, a reboot was sometimes recommended and other times not; regardless of whether or not you're prompted to reboot, it certainly won't hurt.
It's getting more commonplace for a bug to be a security issue on different computers--not just PCs--these days, but in these particular cases, just about every system was affected. Here's a breakdown of what the affected programs and systems look like:
| Program | Affected Versions | Affected Systems |
| --- | --- | --- |
| Adobe Flash Player | | |