Archive for the ‘Mac’ Category

Half of all Macs will lack access to security updates by summer

Tuesday, May 8th, 2012

Unless Apple changes its security update practice, nearly half of all Mac users will be adrift without patches sometime this summer.

Apple will launch OS X 10.8, aka Mountain Lion, in the next few months, and then will — baring a change in a decade-old habit — stop serving patches to OS X 10.6, or Snow Leopard.

Although Apple has never spelled out its support policy for older operating systems, it has always dropped an edition around the time it has two newer versions in play. If the current OS X is dubbed “n,” then “n-2” support ends at the debut of “n.”

In other words, patches are provided only to the newest OS X and the one immediately preceding it.

Unless Apple changes its security update practice, nearly half of all Mac users will be adrift without patches sometime this summer.

Apple will launch OS X 10.8, aka Mountain Lion, in the next few months, and then will — baring a change in a decade-old habit — stop serving patches to OS X 10.6, or Snow Leopard.

Although Apple has never spelled out its support policy for older operating systems, it has always dropped an edition around the time it has two newer versions in play. If the current OS X is dubbed “n,” then “n-2” support ends at the debut of “n.”

In other words, patches are provided only to the newest OS X and the one immediately preceding it.

The company has practiced this since OS X’s birth: The second iteration, 10.1 — dubbed Puma — received its final security update in January 2004, three months after the appearance of OS X 10.4, or Panther.

More recently, Apple snuffed out support for OS X 10.5, aka Leopard, when 10.7, or Lion, shipped. The former got its last security update in June 2011, a month before the latter was released.

If Apple continues this policy, Snow Leopard users will stop seeing patches about the time Mountain Lion ships. Apple has not set a hard date for OS X 10.8’s debut, although it has pegged “late summer.”

But Snow Leopard currently accounts for 41.5% of all versions of OS X, according to Web metrics company Net Applications’ latest statistics. Assuming Snow Leopard’s share continues to drop at the average pace of the last six months, it will still power 34.4% of all Macs in August or 32.6% in September.

With earlier editions included, that means 48.4% of all Macs will be without security updates if Apple stops serving Snow Leopard in August. If it continues patching until September, the number sans fixes drops to 45.9%.

Some security professionals see those numbers as too high, and Apple’s support lifespan too short.

“[OS X] 10.6 released in August 2009, which means that any Mac purchased prior to that date and not subsequently upgraded will be running a version which receives no security support [Emphasis in origin],” Robin Stevens, part of the University of Oxford’s network security team, said in a blog post last month.

“[Apple has] been complacent in terms of their attitude to security and support, especially when compared to their chief competitor [Microsoft],” Stevens added. “By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result.”

Stevens wanted Apple to commit to a support lifetime of at least five years.

Other experts don’t see Apple’s support practice as the biggest problem, but instead tagged the company’s notorious silence.“The average seems to be about three years,” said Andrew Storms, director of security operations for nCircle Security, talking about the length of time Apple provides security updates for a given edition of OS X. “That’s not bad if you compare it to hardware amortization. But really, the bigger issue is that no one really knows. Apple doesn’t communicate how long it will support a version or a roadmap for future releases.”

John Pescatore, a Gartner analyst, agreed, citing Apple’s lack of a roadmap as the biggest sticking point for companies that increasingly must manage Macs alongside Windows PCs. “That’s not enterprise friendly,” he said.

Apple’s opacity stands in contrast to Microsoft, which has long clearly laid out its support lifecycle, and regularly reminds users when an edition of Windows or Office is nearing its end.

“When they decide to release a new OS X, if you’re behind two [versions], you’re DOA or SOL, take your pick,” said Storms. “But we never see those blogs from Apple that we do from Microsoft reminding that you need to upgrade [to keep receiving security updates].”

Pescatore didn’t have a problem with Apple’s support lifecycle, calling it “in the middle” between Microsoft’s 10-year policy for Windows and the constantly-updating cloud services like Google Apps or Microsoft’s Office 365.

More to the point, Apple’s shorter support stretch is how things are quickly leaning, said Pescatore, ticking off the typical two-year turnover of smartphones and businesses taking to the cloud because of continuous updates.

Customers, including IT managers, better get used to it.

“In the real world, IT is going to have less and less control over the OS,” said Pescatore. “IT really doesn’t want to operate that way — they’ll try to fight it — but they’re going to have to learn how. Fighting the trend is going to be impossible.”

Even though the recent Flashback malware campaign has demonstrated that unsupported Leopard Macs were infected at a rate almost double its market share, Pescatore said the move to shorter support lifespans will continue. And customers will adopt. If they can’t, the market will provide solutions — as it has before for Windows — to keep Macs safer.

And most users can upgrade when Apple releases a new operating system, Pescatore and Stevens noted.

While Apple has yet to define the migration path for Snow Leopard users, it has dropped hints that they may be able to upgrade to Mountain Lion: Snow Leopard machines can be boosted to Mountain Lion’s developers preview.


Apple to release Flashback removal software, working to take down botnet

Wednesday, April 11th, 2012

Apple plans to release software that will detect and remove Flashback malware infections on the Mac, the company announced Tuesday. In a knowledge base link published late in the day, Apple explained that it’s aware of the infection—which takes advantage of a previously unpatched Java vulnerability—saying that the software was coming, but no specific release date was given.

In addition to the Flashback detection software, Apple said that it’s “working with ISPs worldwide” to disable the botnet’s command and control (C&C) servers. Kaspersky researcher Kurt Baumgartner told Forbes earlier on Tuesday that “Apple is taking appropriate action by working with the larger Internet security community to shut down the Flashfake [also known as Flashback] C2 domains,” and Apple’s latest efforts seem to coincide with Baumgartner’s statement.

“Apple is developing software that will detect and remove the Flashback malware,” Apple wrote. “In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.”

We have been covering the Mac Flashback trojan since 2011, but the malware recently picked up steam. Last week, Russian security firm Dr. Web reported that it had infected more than half a million Macs worldwide. (The aforelinked Forbes report claimed Apple tried to take down Dr. Web’s sinkhole server for Flashback, but it seems most likely that this was an accidental inclusion in Apple’s attempts to take down the botnet’s C&Cs.)

There are already a couple ways to detect and remove a Flashback infection, but they involve some Terminal kung-fu that less experienced users might not feel comfortable with. Apple’s solution will undoubtedly target mainstream users who have heard about Flashback and want to ensure their Macs remain malware-free.


HP firmware to ‘mitigate’ LaserJet vulnerability

Friday, December 23rd, 2011

Hewlett-Packard said today that it has taken steps to prevent a “certain type of unauthorized access” to LaserJet printers.

The company didn’t describe its new firmware as a fix for the potential printer problem. Rather, it rather delicately used the word “mitigate,” the dictionary definition of which is “to make less severe or painful.” Here’s HP’s full statement on the matter:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

Then again, HP has steadfastly declared that no customers have reported unauthorized access and that issue was overblown from the start, as in late November when it said “there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers.”

At that time, it described the nature of the problem and promised a firmware update to address the issues:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP also at that time decried “speculation” that the LaserJets in question could catch fire because of a firmware update or “this proposed vulnerability.”

Despite those assurances, HP became the target of a lawsuit in early December alleging that the company sold those printers even though it knew of those alleged vulnerabilities. The lawsuit charges that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or downloaded modifications.

Source:  CNET

Tsunami backdoor trojan ported from Linux to take control of Macs too

Thursday, October 27th, 2011

The Linux-based Tsunami backdoor trojan has made its way over to the Mac, according to security firm ESET. The company posted to its blog (hat tip to Macworld) that a Mac-specific variant, OSX/Tsunami.A has made an appearance on the trojan scene, though ESET made no mention of whether it was gaining any traction among users.

ESET’s Robert Lipovsky wrote on Wednesday that the code for OSX/Tsunami.A was ported from the Linux version of the trojan that the company has been tracking since 2002. Hard-coded is a list of IRC servers and channels, which the trojan tries to connect to in order to listen for malicious commands sent from those channels.

Lipovsky published a list of the commands pulled from the Linux variant of Tsunami, but the general gist is that the trojan can open a backdoor to perform DDoS attacks, download files, or execute shell commands. Tsunami has “the ability to essentially take control of the affected machine.”

Security firm Sophos also acknowledged the appearance of the Mac-targeted Tsunami backdoor, but reminded users that there is still “far less malware [in] existence for Mac OS X than for Windows.” Still, the company says the problem is real and that users should protect themselves with anti-malware software. “We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future,” Sophos’ Graham Cluley wrote. “If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.”


File group permissions constantly displaying “Fetching…” in OS X

Tuesday, October 18th, 2011

Finder information windowIf you get information on files and folders in the OS X Finder you will see the access permissions for the items listed at the bottom of the information window.

The items in this list are generally the username of the file’s owner, the primary group associated with the owner, and then an “everyone” group; however, there may be situations where the system will not display a group, and instead will show a persistent “Fetching…” notification.

This situation may happen because the system cannot properly identify the group that is associated with the file. In OS X, permissions work by user and group identification numbers being associated with files in the filesystem index, and when you access the file the system looks up these identification numbers in the system directory (the user and group database). There also may be a situation where a user-specific group (i.e., one that is the same name as the current user account) is being used as the default group for a file.

If a username or group is missing, then the system should display something like “unknown” for the respective permissions, but may also continually search for a match and display “Fetching…” while this is under way.

This mismatching may happen after a system has been upgraded, or if you have restored one from backup or migrated it from another system, and generally lies in how the permissions in the filesystem are stored rather than there being a problem with the system’s directory setup.

If this is happening to you, then your best bet would be to ensure that your account is associated with the proper group, followed by resetting permissions on your home folder, which can be done with the OS X installation DVD or the OS X Lion recovery partition.

In OS X, local user accounts are members of the “staff” group, with system administrator accounts being members of the “admin” group. To make sure that your account is associated with the proper group, when logged in to your account run the following in the Terminal:

sudo dscl . -append /Groups/GROUPNAME GroupMembership `whoami`

Be sure to change the “GROUPNAME” text to the proper group of either “staff” or “admin,” and also note that the “whoami” is encompassed in grave accents (the symbol under the tilde key on U.S. English keyboards) instead of single quotes. When this is done, reset the home folder permissions on your system, the procedure for which will depend on what system you are using:

In OS X Prior to Lion:

  1. Insert the OS X Installation DVD and reboot with the “C” key held down.
  2. After selecting your language, choose “Reset Password” from the “Utilities” menu.
  3. Select your hard drive and then select your user account from the drop-down menu.
  4. Click the “Reset” button next to “Reset Home Directory Permissions and ACLs.”
  5. Select “Restart” from the Apple menu to reboot normally.

In OS X Lion:

  1. Reboot and hold “Command-R” to get to the recovery partition.
  2. Choose your language and select “Terminal” from the Utilities menu.
  3. Enter “resetpassword” in the Terminal to open the same password reset utility.
  4. Continue with step three in the instructions above.

Doing this should make sure that the permissions and user/group associations for files in your home directory are based on usernames and groups that are in the user account. Do keep in mind that this will only affect the files and folders in your home directory and not any of those that you have placed elsewhere, such as on external hard drives or within system directories.

Lastly, in addition to ensuring user accounts are set up properly, use Disk Utility to run a permissions fix routine on the boot drive, which should make certain that system folder permissions are also set up so files and folders can be properly accessed. When performing a permissions fix, do not worry about repeated errors in Disk Utility’s log window. Just run the fix routine once and then quit Disk Utility.

Some people may find that after fixing account and system permissions that their battery lives might also significantly increase and the system becomes more responsive, as it spends less time resolving group conflicts and more freely looks up group associations.

Source:  CNET

The future of malware

Tuesday, October 4th, 2011

Watch out for whaling, smartphone worms, social media scams, not to mention attacks targeting your car and house

Personal information belonging to a full third of Massachusetts residents has been compromised in one way or another, according to the state’s attorney general, citing statistics gleaned from a tough new data breach reporting law.

RSA recently announced that security of its two-factor SecurID tokens could be at risk following a sophisticated cyber-attack on the company. And Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts. The cost to Sony and credit card issuers could hit $2 billion.

Of course, that’s just a sampling of recent breaches, and if you think it’s bad now, just wait. It’s only going to get worse as more information gets dumped online by mischievous hacker groups like Anonymous, and as for-profit hackers widen their horizons to include smartphones and social media.

For example, in August AntiSec (a collaboration between Anonymous and the disbanded LulzSec group) released more than 10GB of information from 70 U.S. law enforcement agencies.

According to Todd Feinman, CEO of DLP vendor Identity Finder, AntiSec wasn’t motivated by money.

“Apparently, they don’t like how various law enforcement agencies operate and they’re trying to embarrass and discredit them,” he said.

But, he adds, what they don’t realize is that when they publish sensitive personal information, they are helping low-skilled cyber-criminals commit identity theft. Every week, another university, government agency or business has records breached. Feinman estimates that 250,000 to 500,000 records are breached each year. Few details from those breaches are published on the Internet for everyone to see, however.

While certain high-profile attacks, like the one on Sony, may be intended to embarrass and spark change, the U.S. law enforcement breach could represent a shift in hacker thinking. AntiSec’s motivations appear to have a key difference, with the attackers consciously considering collateral damage a strategic weapon.

“In one online post, AntiSec came right out and said ‘we don’t care about collateral damage. It will happen and so be it,'” Feinman says.

Social networking

Experts say the future of malware isn’t so much about how malware itself will be engineered so much as how potential victims will be targeted. And collateral damage won’t be limited to innocents compromised through no fault of their own.

Have you ever accepted a friend invite on Facebook or connected to someone on LinkedIn you didn’t know? Maybe, you thought this was someone from high school you had forgotten about or a former business partner whose name had slipped your mind. Not wanting to seem like an arrogant jerk, you accept this friend and quickly forget about it.

“When people make trust decisions with social networks, they don’t always understand the ramifications. Today, you are far more knowable by someone who doesn’t know you than ever before in the past,” says Dr. Hugh Thompson, program chair of RSA Conferences.

We all know people who discuss every single thing they do on social networks and blogs – from their breakfast choices to their ingrown toenails. While most of us simply consider these people nuisances, cyber-criminals love them.

“Password reset questions are so easy to guess now, and tools like, while not created for this purpose, provide hackers with a war chest of useful information,” Thompson says.

Thompson believes there are two areas the IT security industry desperately needs to innovate around: 1) security for social media, along with ways to manage the information shared about you on social networks and 2) better methods for measuring evolving risks in a more concrete way.

Thar she blows

Chris Larsen, head of Blue Coat Systems’ research lab, says the most common social engineering attack their lab catches is for fake security products. He also explained that social networks aren’t just being used to target individuals.

Larsen outlined a recent attack attempt where the bad guys targeted executives of a major corporation through their spouses. The logic was that at least one executive would have a poorly secured PC at home shared with a non-tech savvy spouse, which would then provide the backdoor needed to compromise the executive and gain access into the target company.

“Whaling is definitely on the rise,” says Paul Wood, senior intelligence analyst for “Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80 daily.”

According to Wood, social engineering is by far the most potent weapon in the cyber-criminal’s toolbox (automated, widely available malware and hacking toolkits are No.2). Combine that with the fact that many senior executives circumvent IT security because they want the latest and trendiest devices, and cyber-crooks have many valuable, easy-to-hit targets in their sights.

Fortune 500 companies aren’t the only ripe targets. “Attacks on SMBs are increasing dramatically because they are usually the weakest link in a larger supply chain,” Wood says.

Today, there’s no sure way to defend against this. Until Fortune 500 companies start scrutinizing the cyber-security of their partners and suppliers, they can’t say with any certainty whether or not they themselves are secure. While it’s common for, say, General Electric to run parts suppliers through the ringer with factory visits that result in the implementation of an array of best practices, companies aren’t doing this when it comes to cyber-security.

Watch your e-wallet

While smartphone threats are clearly on the rise, we’ve yet to see a major incident. Part of the reason is platform fragmentation. Malware creators still get more bang for their buck by targeting Windows PCs or websites.

Larsen of Blue Coat believes that platform-agnostic, web-based worms represent the new frontier of malware. Platform-agnostic malware lets legitimate developers do some of the heavy lifting for malware writers. As developers re-engineer websites and apps to work on a variety of devices, hackers can then target the commonalities, such as HTML, XML, JPEGs, etc., that render on any device, anywhere.

Smartphones are also poised to become e-wallets, and if there’s one trait you can count on in cyber-criminals, it’s that they’re eager to follow the money.

“The forthcoming ubiquity of near-field communication payment technology in smartphones is especially worrisome,” says Marc Maiffret, CTO of eEye Digital Security. Europe and Asia are already deep into the shift to m-commerce, but the U.S. isn’t far behind. “Once the U.S. adopts mobile payments in significant numbers, more hackers will focus on these targets,” he adds.

Over time, smartphones might replace other forms of identification. Your driver’s license and passport could be on your phone instead of in your pocket. In the business world, this shift is already occurring.

Mobile phones are serving as a second identity factor for all sorts of corporate authentication schemes. Businesses that used to rely on hard tokens, such as RSA SecureID, are moving to soft tokens, which can reside on mobile phones roaming beyond the corporation as easily as on PCs ensconced within corporate walls.

“Two-factor authentication originally emerged because people couldn’t trust computers. Using mobile phones as an identity factor defeats two-factor authentication,” Maiffret says.

For consumers, mobile payments aren’t necessarily all that troubling, especially if m-commerce is tied to credit card accounts and surrounded with the same consumer protections. Banks have been aggressively pushing consumers towards e-banking for years. Obviously, even with the risks involved, e-banking generates better ROI than traditional banking. Otherwise, they wouldn’t do it.

Moreover, m-commerce should have all of the behind-the-scenes security benefits wrapped around it, such as advanced fraud detection. You can’t say that for cash.

Today, Android is the big smartphone target, but don’t be surprised if attackers turn their attention to the iPhone, especially if third-party antivirus programs become more or less standard on Androids. IPhone demographics are appealing to attackers, and when you talk to security pros, they’ll tell you that Apple products are notoriously insecure.

Apple is extremely reluctant to provide third-party security entities with the kind of platform access they need to improve the security of iPhones, iPads, MacBook Airs, etc. “Apple is very much on its own with security,” Maiffret says. “It almost mirrors late-90’s Microsoft, and it’ll probably take a major incident or two to incite change.”

If we’ve learned anything about digital security in the last 20 years, it’s that another major incident is always looming just over the horizon. And then there are the new threats to cars and homes.

During the Black Hat and Defcon conferences in early August, researchers demonstrated a number of disturbing attack scenarios. One particularly scary hack showcased the possibility of hijacking a car. Hackers could disable the alarm, unlock its doors and remotely start it through text messages sent over cell phone links to wireless devices in the vehicle.

Other at-risk embedded devices include airbags, radios, power seats, anti-lock braking systems, electronic stability controls, autonomous cruise controls and communication systems. Another type of attack could compromise a driver’s privacy by tracking RFID tags used to monitor tire pressure via powerful long-distance readers.

“As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases,” says Stuart McClure, senior vice president and general manager, McAfee. “Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety.”

Of course, cars represent just one example of hackable embedded systems. With the number of IP-connected devices climbing to anywhere from 50 billion to a trillion in the next five to 10 years, according to the likes of IBM, Ericsson and Cisco, tomorrow’s hackers could target anything from home alarm systems to air traffic control systems to flood control in dams.


Browsers tackle the ‘BEAST’ Web security problem

Friday, September 30th, 2011

Browser makers are devising ways to protect people from a security protocol weakness that could let an attacker eavesdrop on or hijack protected Internet sessions. Potential solutions include a Mozilla option to disable Java in Firefox.

The problem–considered theoretical until a demonstration by researchers Juliano Rizzo and Thai Duong at a security conference in Argentina last week–is a vulnerability in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0, encryption protocols used to secure Web sites that are accessed using HTTPS (Secure Hypertext Transfer Protocol).

The researchers created software called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a “man-in-the-middle” (MITM) type of attack. BEAST uses JavaScript running in the browser and can let an attacker snoop on traffic, as well as impersonate a Web surfer by compromising session cookie data used to authenticate a Web surfer with a site. More details and a video of the demo are on Duong’s blog.

Here are responses from representatives of the major browsers:

“We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so,” a Mozilla Security blog post says. “Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow. The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution.”

Internet Explorer
“We consider this to be a low risk issue for customers, but we released Security Advisory (2588513) to provide guidance and protection for customers with concerns,” Jerry Bryant, group manager of Response Communications at Microsoft Trustworthy Computing, said in an e-mail. To be clear, Internet Explorer depends on the Windows implementation of these protocols, so our mitigations and workarounds apply to the operating system and not the browser. We are looking at other ways to address the issue both in our products and within the industry and will update our guidance as it becomes available.”

A Google representative referred CNET to a blog post from late last week written by Adam Langley, a member of the Chrome team, that said the company was preparing and testing a workaround. “The attack is still a difficult one; the attacker has to have high-bandwidth MITM access to the victim. This is typically achieved by being on the same wireless network as the victim,” the post says. “Nonetheless, it’s a much less serious issue than a problem which can be exploited by having the victim merely visit a Web page. (Incidentally, we pushed out a fix to all Chrome users for such a Flash bug only a few days ago.)”

Opera developed a fix and tried shipping it in Opera 11.51 but found that changes made to how the browser connects to servers were “incomprehensible to thousands of servers around the world,” Opera’s Sigbjorn Vik wrote in a blog post. “This issue will have to be solved in close cooperation between browser vendors and Webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward. We have test systems in place which can connect to millions of secure sites around the world and detect how these sites will react to changes to the protocol. We will be sharing our results from these test runs with other browser vendors and affected parties, to give us a good basis for finding the best solution to the issue.”

Apple representatives did not respond to e-mail or telephone requests for comment about the Safari browser.

Just upgrading to TLS 1.1, which is not vulnerable to the threat, won’t work because nearly all SSL connections use TLS 1.0, according to a Qualys study reported on by Dan Goodin at The Register, which broke the BEAST story. In addition, “upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies,” he wrote.

Source:  CNET

Mac trojan pretends to be Flash Player Installer to get in the door

Tuesday, September 27th, 2011

Hot on the heels of last week’s Mac malware posing as a PDF is a new piece of malware posing as something even more insidious: a Flash player installer. Security firm Intego was the first to post about the new malware on its blog, noting that although the company has only received one report so far from a user who downloaded it, the malware does exist in the wild and may trick Mac users who don’t yet have Flash installed.

The malware in question is a trojan horse called Flashback (OSX/flashback.A); users may end up acquiring it by clicking a link on a malicious website to download or install Flash player. If those users also have their Safari settings to automatically open safe files (which .pkg and .mkpg files are considered to be), an installer will show up on their desktops as if they are legitimately installing Flash.

Continuing through the installation process will result in the trojan deactivating certain types of security software (Intego specifically noted that the popular Little Snitch would be affected) and installing a dynamic loader library (dyld) that can auto-launch, “allowing it to inject code into applications the user launched.” The trojan then reports back to a remote server with the user’s MAC address, which lets the server detect whether the Mac in question has been infected or not.

The threat is currently marked as “low,” but Mac users are advised to follow safe security practices—don’t open files or attachments that you don’t remember downloading, and turn off Safari’s setting for opening safe files automatically. It’s also worth noting that Apple now updates its malware definition file on a daily basis, and has already updated it to address the PDF trojan discussed last week. If you haven’t already scoured the Internet for a malicious version of the Flash installer, then it’s likely Apple will have added the new malware to the file by the time you run into it.


Mac trojan poses as PDF to open botnet backdoor

Saturday, September 24th, 2011

Malware continues to be a minimal threat to most Mac users, but that doesn’t mean attackers aren’t constantly trying to come up with new ways to steal information or turn users’ machines into botnet drones. The latter appears to be the case with a new Mac trojan posing as a PDF file, discovered by security researchers at F-Secure.

The malware in question has been identified as Trojan-Dropper:OSX/Revir.A, which installs a backdoor, Backdoor:OSX/Imuler.A, onto the user’s Mac. Currently, however, the backdoor doesn’t communicate with anything. The command-and-control center for this particular malware is apparently a bare Apache installation, which has been sitting at its current domain since May of this year. Because of this, users who might fall victim to this attack aren’t likely to see many ill effects for the time being, but that could change if the files end up spreading to a wider audience.

As mentioned earlier, this trojan spreads by masking itself as a PDF, which displays a Chinese-language document on the screen in an attempt to hide its background activity. This isn’t a new strategy on the surface, as F-Secure notes, but some deeper digging indicates that it might be stealthier than its Windows counterparts.

“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ‘.pdf.exe’ extension and an accompanying PDF icon,” reads the post on F-Secure’s blog. “The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires.”

As for how this trojan is spreading, that’s a bit of a mystery. The researchers noted that they’re not yet sure of the methods it uses to propagate, but they believe the most likely explanation is that it’s circulating via e-mail attachment.


New MACDefender malware discovered for OS X

Monday, May 2nd, 2011

Mac antivirus and security developer Intego has issued a blog report on a new malware threat for OS X systems called “MACDefender” that has surfaced. The threat is a trojan horse that is being targeted to Mac systems through “Search Engine Optimization (SEO) poisoning” efforts, and uses Safari’s “Open Safe Files” feature to run the installer for the malware.

SEO poisoning abuses the popular search terms that Google, Yahoo, Bing, and other search engines rank results on, pushing a malicious web page to the top of the search provider’s results page. If you then click the link to the malicious Web page, harmful scripts and routines are attempted on your system.

In this case, the malware sites are taking advantage of Safari’s “Open Safe Files” feature to download a zip file containing the MACDefender malware installer, which is then launched automatically by Safari.

It is unknown what the MACDefender malware does, but in this case it appears the attackers are attempting to further trick users by disguising the malware as a legitimate anti-malware scanner.

[Image: MACDefender malware installer] The installer for MACDefender will automatically open if you visit a malicious site containing the software and you have Safari’s “Open Safe Files” feature enabled. (Credit: Intego)


Be sure to never install software that automatically downloads from the Internet. If you see the installer screen for MACDefender show up, or any other installer window without your prior intent to install the software, be sure to quit the installer. Force-quit it if you have to by pressing Option-Command-Escape to bring up the force-quit window. This will ensure you do not interact with the installer’s interface, which in itself may be suspect.

If you have installed the MACDefender software, you should be able to uninstall the software by searching for and removing any references to “MACDefender” on your system. You may want to check the following locations for files that MACDefender may have installed:

  1. Applications Folder — Go to the Applications folder (and subfolders like “Utilities”) and remove any folder or application that is associated with MACDefender. List folder contents by date modified or created, to see if any files have been put there recently, and remove them.

  2. Login Items — Go to the “Login Items” section of the Accounts system preferences and remove any reference to MACDefender in there. Do this for all accounts on the system.

  3. Activity Monitor — Open Activity Monitor and sort the list of running processes by name. Then locate any that you suspect are associated with MACDefender and force-quit them. Unfortunately this may be more difficult to do if the name of the running process is different than MACDefender, but it is worth a shot.

  4. Launch Agents and Daemons — Go to the following folders and see if any launch daemon or agent property list files reference MACDefender (open them and search through them if necessary). Do this for all files located in the following directories, but be sure you only remove the files that clearly are associated with MACDefender. Removing others will disable OS X features and may destabilize your system:

    /Macintosh HD/System/Library/LaunchDaemons/
    /Macintosh HD/System/Library/LaunchAgents/
    /Macintosh HD/Library/LaunchDaemons/
    /Macintosh HD/Library/LaunchAgents/
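A scripted version of the launch-agent check (step 4) and the date-modified check (step 1), added here as an example and not part of the original article; the “MACDefender” pattern, the sample plist and the directory layout are constructed for the demo:

```shell
#!/bin/sh
# Added example, not code from the original article: a scripted version of
# step 4 (launchd plists that reference the malware) plus the "date modified"
# check from step 1. The "MACDefender" pattern and the sample plist are
# constructed for the demo; on a real Mac point the functions at
# /Library/LaunchAgents, /Library/LaunchDaemons and /Applications.
# audit_launchd PATTERN DIR...  print every *.plist under each DIR whose
# body mentions PATTERN (case-insensitive); returns 0 if any matched.
audit_launchd() {
    pattern=$1; shift
    rc=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qi -- "$pattern" "$plist"; then
                printf '%s\n' "$plist"
                rc=0
            fi
        done
    done
    return $rc
}

# recent_items DIR DAYS  print top-level entries of DIR modified within DAYS
# days, the command-line equivalent of sorting a Finder window by date.
recent_items() {
    find "$1" -mindepth 1 -maxdepth 1 -mtime "-$2" 2>/dev/null
}

# make_fixture DIR  constructed stand-in for the article's directories: one
# agent plist naming the fake app, one benign plist, an old and a new app.
make_fixture() {
    mkdir -p "$1/LaunchAgents" "$1/Applications/Old.app" "$1/Applications/New.app"
    cat > "$1/LaunchAgents/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/MacDefender.app</string></array>
<key>RunAtLoad</key><true/></dict></plist>
EOF
    printf '<plist version="1.0"><dict><key>Label</key><string>com.apple.benign</string></dict></plist>\n' \
        > "$1/LaunchAgents/com.apple.benign.plist"
    touch -t 200001010000 "$1/Applications/Old.app"   # make it look long-installed
}

# Demo run on a throwaway fixture: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_fixture "$tmp"
    audit_launchd MACDefender "$tmp/LaunchAgents"; recent_items "$tmp/Applications" 1
    rm -rf "$tmp"
fi
```

On a real Mac, pass /Library/LaunchAgents, /Library/LaunchDaemons and their /System/Library counterparts as the directories, and treat a match as a file to inspect rather than delete on sight, since a legitimate plist can mention a name by coincidence.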

Currently antivirus definitions for Intego’s VirusBarrier X6 software are being updated to address this threat, and it is likely other legitimate antivirus software companies are doing the same for their programs. Therefore, if you run VirusBarrier or other antivirus utilities then be sure to check for an update soon, and run a full scan on your system to remove the MACDefender malware.

[Image: Safari Preferences] Disable Safari’s “Open Safe Files” feature to help avoid these types of threats.


While this threat is a new attack attempt on OS X users, its threat level is relatively low because it does require a fair amount of user interaction to install the malware. You have to first provide the correct search terms to the search engine, and then proceed with the installation by manually clicking the buttons in the installer window. As long as you avoid doing this for software you have not purposefully downloaded, then you should be good to go.

An additional security point is that threats like this will have a more difficult time affecting your system if you run your system in a Standard or Managed account instead of an administrator account. This will ensure that even if threats are installed they will have a more difficult time accessing vital or private components of your system.

Finally, if you are concerned about this and similar threats, be sure to uncheck Safari’s “Open safe files after downloading” option that is available in the “General” section of the Safari preferences. Doing this will prevent Safari from automatically launching malware files that have been disguised as legitimate documents, disk images, or archives.


Microsoft releases Office for Mac 2011

Tuesday, October 26th, 2010

Mac users have a new productivity suite available to them today, as Microsoft released MS Office for Mac 2011.  The new version boasts Outlook, advanced Office Web Apps (OWA) integration, offline coauthoring options, the Office ribbon UI, document template gallery, Excel formula builder, Visual Basic support for task automation, and more.

For those looking for an excuse to migrate back to their beloved Mac from a Windows OS, the Office for Mac 2011 Outlook features a handy .pst import tool so you can import your mailbox right from Windows.

Microsoft is positioning Office for Mac 2011 as the “compatible … familiar … professional” choice, to be preferred over alternative office productivity suites.   It goes without saying OpenOffice is in their sights here, as it garners an increasingly greater share of Microsoft’s market by the day.

Some purchases of Office for Mac 2008 include a free upgrade to 2011.  Home and Student versions are available in single and 3-license family packs, and exclude Outlook.  Business versions are available in single and 2-license packs.  Both versions include limited technical support from Microsoft.