Last week the blogosphere nearly exploded (see here, here, here and here for only a few examples) with the news of the Flashback trojan, which has created a botnet of nearly 600,000 Apple machines. Getting your machine infected is as easy as surfing to a bogus website hosting the malware, which installs itself by exploiting a vulnerability in Java. This technique is called a drive-by download. There is no need for you to enter your admin credentials. It’s even worse: the malware installs itself without you noticing anything at all. Pretty scary if I may say so.
If you want to know if your Mac is infected with the Flashback trojan, then check out this page on F-Secure’s website to find out and follow the removal instructions if you do find it on your machine.
To make your Mac less vulnerable to this kind of malware attack, I recommend checking out Khürt Williams’ post, which explains how to turn off Java in Safari and at the OS X level. This makes a lot of sense if you are not a software developer who has to deal with Java on a daily basis. If you use another browser like Google Chrome or Firefox, then check out this page for instructions. Khürt also advises uninstalling Adobe’s Flash plugin. This is one bridge too far for me at the moment, but it certainly is a good idea.
A lot of people consider the Flashback outbreak a turning point for the Mac platform. Mac users should face the fact that they are no longer ‘forgotten’ by malware writers and should install anti-virus protection, just as the majority of Windows users do nowadays. Check this post on AskDifferent.com for a list of anti-virus solutions for the OS X platform.
Update April 11th, 2012: Apple is working on software to remove the Flashback malware from infected Macs and is working with ISPs worldwide to bring down the botnet’s command & control servers. Read more about this on arstechnica.com.
I have posted links to Android malware news a number of times, like this one.
An important lesson in those posts was: don’t download apps from untrusted sources, because you risk downloading an app that contains malware.
Every now and then, though, malicious apps make it into the official Android Market. It happened again recently, when Google had to pull 22 malicious apps from the Market. The post linked below mentions an estimate of 14,000 infected users.
In total, Google has already taken down over a hundred malicious apps. Since Android phones are very popular, with over 500,000 activations a day, I am afraid these malware practices will get worse. I hope I won’t be right and that Google invents a mechanism to find and block these apps as soon as they appear.
In the meantime, people should not only be careful when downloading apps from external sources. The Android Market itself can contain a nasty app every now and then too.
Link : CIO.com – Google Pulls 22 More Malicious Android Apps From Market
Just what the world was waiting for… *sigh*
[Georgia Weidman’s] Android proof-of-concept botnet installs itself in a fashion similar to the DroidDream malware, a trojan that could record phone conversations. The proof-of-concept botnet payload could be spread in several ways—either as part of a malicious application on an app store, or through a Web link sent to the smartphone or clicked in the mobile browser. “It ‘roots’ the phone,” she said, “and it works as a proxy between the cellular modem and the application layer.”
iOS users aren’t safe either. Weidman said that a similar botnet could also be created on iOS devices, but the malware needs to be distributed via a “jailbreak” package.
Link : ars technica – Researcher demos threat of “transparent” smartphone botnets
The lesson to be learned here is in the last sentences of the article:
In a related blog post, Juniper said it discovered a “trove of malicious applications aimed at Android users hosted across different Russia-based third party app stores,” which serves as a reminder to only download Android apps from trusted locations, like Google’s Android Market, Amazon, etc.
Link : HotHardware – Android Malware Infestation a Fast Growing Problem, Report Says
So what are we waiting for? Take ’em down!
A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.
The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.
That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.
Link : The Register – Zeus botnets’ Achilles’ Heel makes infiltration easy
Linkedin users: beware!
Please read this article. Don’t get infected.
Users of the social notworking site LinkedIn started receiving shedloads of spam email messages in a bid to recruit them into the Zeus botnet.
From 10am yesterday users of the business-focused version of Facebook started getting mail with a fake contact request containing a malicious link.
Cisco Security Intelligence said that these messages accounted for as much as 24 percent of all spam sent within a 15-minute interval today.
If users were dumb enough to click on the links in the email they would be taken to a web page that says “PLEASE WAITING…. 4 SECONDS..” and then redirects them to Google.
While it looks like nothing has happened, during those four seconds an attempt is made to infect the victim’s PC with the ZeuS malware.
Link : TechEye – Linkedin falls to the power of Zeus
Considering that most spam and malware is coming from Russia and China, wouldn’t it be possible to turn off access to Russian and Chinese hosts, domains and servers by default, and only open connections on request to your own ISP? I guess that only a small percentage of Internet users visit Russian and Chinese sites and servers, so this should not be a big problem.
Botnet operators have found a home in Russia after server access became too difficult in China says insecurity company M86 Security.
Chinese cyber sleuths have been driving malware operators from the country’s telecommunications infrastructure and Russia – always somewhat lax in policing online criminals – has become the refuge for botnet spam campaigns from dodgy porn websites, online casinos and pharmacies.
M86 Security said that 5,000 new spam domains have been traced back to two Russian registrars in the past month. Among those who have moved to Russian providers are the operators of the Zeus malware botnet.
“It used to be Chinese registrars and now it has been a pretty dramatic shift. Back in Russia it is kind of the same old names. These registrars have been around for a while,” said Bradley Anstis, VP of technology strategy at M86 Security.
The shift to the former Soviet Union follows a clampdown on cyber crime operations in central Europe and Asia. Authorities in Europe have sought to drive cyber criminals out of the region, but it seems like they and other parallel efforts elsewhere have just driven them somewhat to the east, into Russia.
Link : The Inquirer – Russia becomes malware botnets host