Category: Malware

First OS X trojan spotted – no need to panic just yet!

There is a great deal of chatter on TechMeme this morning because a trojan has emerged which infects Apple’s OS X!

The trojan is found on pornographic sites, masquerading as a video codec.

It isn’t a huge threat because to become infected you need to go through several steps:

When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

The trojan takes over the Mac’s DNS settings and from time to time redirects the Mac to phishing or pornographic websites.

According to Intego, the security company reporting this trojan:

The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31, 2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed.

Right – I can see why they are talking it up then! Still, if you do find your Mac bringing you to websites you didn’t ask for and you (or someone using your Mac – ahem!) have recently installed a video codec, maybe you should look into this further.
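If you want to check for the DNS symptom yourself, here is a small script added to this post (it is not from Intego or from the original article) that compares the resolvers a Mac reports with an allow list you fill in; the allow-list addresses and the sample scutil output below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: one way to "look into this
# further". It compares the resolvers the Mac is actually using with a short
# allow list, so a DNS setting that was silently changed shows up.
# On the Mac run:   scutil --dns | check_resolvers
# or, for the classic file format:   check_resolvers < /etc/resolv.conf
set -u

# Constructed allow list (assumption: the home router at 192.168.1.1 and the
# ISP resolver 198.51.100.53 are the only resolvers you expect to see).
ALLOWED_RESOLVERS="192.168.1.1 198.51.100.53"

# is_allowed IP: succeed if IP is on the allow list.
is_allowed() {
    for ok in $ALLOWED_RESOLVERS; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# check_resolvers: read resolver lines on stdin in either format
#   nameserver 192.168.1.1          (/etc/resolv.conf)
#   nameserver[0] : 192.168.1.1     (scutil --dns)
# print every resolver that is not on the allow list and return how many
# were found (0 means the configuration matches what you expect).
check_resolvers() {
    bad=0
    while read -r key value rest; do
        case "$key" in
            nameserver) ip=$value ;;
            nameserver\[*\]) ip=${rest%% *} ;;   # 'value' holds the ':' separator
            *) continue ;;
        esac
        if ! is_allowed "$ip"; then
            echo "UNEXPECTED resolver: $ip"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample of scutil --dns output in which the second resolver has
# been replaced by an address outside the home network (TEST-NET-3 range).
sample_scutil_output() {
    printf 'resolver #1\n  nameserver[0] : 192.168.1.1\n  nameserver[1] : 203.0.113.9\n'
}

# Demo: the sample should report exactly one unexpected resolver.
sample_scutil_output | check_resolvers || echo "$? resolver(s) need a closer look"
```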

This is the first major malware reported which is specifically targeted at OS X since the operating system was released in 2001. I guess it is a sign of OS X’s increasing popularity.

Users are 'stupid' – Microsoft

I wrote a post over a year ago about how I deal with PCs which have become infected with malware (viruses/trojans/worms/rootkits, etc.):

what I do, is to re-install the OS – more often recently it is XP, turn off System Restore, install XP SP2, Microsoft Anti Spyware, Spybot, Adaware, and AVG… or consider formatting the PC.

It seems that I was on the money with that advice – eWeek are reporting today that Mike Danseglio, program manager in the Security Solutions group at Microsoft said at an InfoSec conference in Florida yesterday:

When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.

Malware is becoming more difficult to detect because malware writing has become a big business. The people who write these malware programs now do so for profit. They write programs which allow them to use infected machines (to send spam, for instance) and they sell their services to companies who want to use infected machines. The more machines they control, the more money they can make. It is therefore in the malware writer’s interest that the malware be as unobtrusive and difficult to detect as possible.

Danseglio said:

We’ve seen the self-healing malware that actually detects that you’re trying to get rid of it. You remove it, and the next time you look in that directory, it’s sitting there. It can simply reinstall itself.

This is similar to my observation that malware can hide in the System Restore volume and can re-install itself after a scan is run.

The one place where Danseglio and I disagree fundamentally is in the apportioning of blame. Danseglio said:

Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity.

Personally, I believe that if the software allows people to be fooled into clicking on a phishing link (and some of the phishing emails I have received have been extremely convincing), then it is the software which is stupid and not the user.

Riya frustrations

I received an Alpha invite to try out Riya the other day. I have posted about Riya previously and it does sound like it will be an exciting application – it is an online photo application (like Flickr) but it has facial recognition software built-in. This means that once you upload a photo and tell Riya who is in the photo, it will recognise them in any other photos you upload. This will help enormously when you want to search for pictures subsequently as currently there is no real way to search for images unless they have meta-information attached.

But when I went to Riya, I was unable to upload any pictures as the uploader is Windows XP only – this meant I was unable to test any of the application’s features 🙁

Riya Home page

However bad it is not having a Mac uploader, how difficult would it have been to put a couple of test images in Alpha testers’ accounts, so that if they couldn’t upload images they could at least play with the test ones?

Microsoft to start selling anti-virus services

The BBC are running a story about Microsoft starting an anti-virus and security service for PC users.

According to the BBC’s site:

The service is designed to automatically patch-up security holes, as well as beef up anti-virus and spyware protection. It will also help maintain the health of a user’s PC generally.

Is it just me, or does anyone else see a conflict of interest here? Why would Microsoft want to create secure software incapable of being infected by viruses if they are selling anti-virus services? It would be bound to be in Microsoft’s interest for non-customers to become virus infected and thereby require Microsoft’s anti-virus services.

To anyone who is tired of viruses/malware and spyware infecting their PCs I say – buy a Mac (or a linux based PC). I don’t have any anti-virus or anti-spyware software on my Macs (I do on my PCs) because I don’t require it. There are simply no viruses or spyware for Mac.

Firefox is less secure than Internet Explorer?

Fred Langa has written one of the most misleading and ill-informed articles I have read on the web in quite some time.

In this misleading and ill-informed article, Fred posits that

changing to Firefox–or Mozilla, or any similar software–because “it’s more secure” is a dangerous misconception; and demonstrably false

Incredibly, Fred is trying to tell us that Firefox is not more secure than Internet Explorer!

To back up his claims, Fred very carefully chooses quotes from the US-CERT site:

In most cases in the more recent issues, you’ll see the list of IE’s vulnerabilities are fewer than those for Firefox, Mozilla, and the other alternate browsers.

and from the Symantec Internet Security Threat Report:

Between July 1 and Dec. 31, 2004, Symantec documented 13 vulnerabilities affecting Microsoft Internet Explorer. This is notably lower than the 21 vulnerabilities affecting each of the Mozilla browsers that were documented during the same period.

All sounds pretty damning, right? Yes, until you do a little bit of research.

Firstly, Fred conveniently neglects to mention what classification the vulnerabilities have (high/medium/low), i.e. how potentially risky they are for your computer.

Compare the two graphs below (from Secunia) to see that for Internet Explorer 6.x, 42% of its bugs are rated highly dangerous or above, whereas only 7% of Firefox bugs are highly dangerous.

Microsoft IE 6 criticalities from 2003 - 2005

Mozilla Firefox 1.x criticalities from 2003 - 2005

Secondly, US-CERT – the site Mr. Langa chooses to take some of his information from – explicitly advises people not to use Internet Explorer:

IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system. It is possible to reduce exposure to these vulnerabilities by using a different web browser.

For an unbiased review of vulnerabilities in both browsers, see the Vulnerability Reports on the Secunia website for IE 6.x and Firefox 1.x. Scroll down on these pages to see that Internet Explorer currently has 19 unpatched (some of which are highly critical and have been unpatched for more than a year) and 10 partially fixed vulnerabilities whereas Firefox has 4 unpatched (none of which are even moderately critical).

Finally and from a purely personal perspective – I frequently get support calls from clients infected by spyware and malware of all sorts. I have never had one of these calls from a client I have migrated to Firefox – it is always the IE users who get infected.

With this level of inaccuracy in his piece, you have to wonder about the motivation behind writing such a dangerous and misleading article…

Blogs used to infect PCs with spyware and malware

I note a story on the BBC Technology site which says Spyware and Malware authors have copped on to the popularity of blogs and are now using them as vectors to host spyware and malware to infect people lured to the blog.

I’m surprised it took so long for them to come up with this.

Of course I can be smug – I use a Mac so I don’t have to worry about Spyware and Malware!

How to rid a PC of viruses and malware

My parents have asked me to look at their neighbours’ PC – it has started ‘acting funny’ and “they think it might have a virus”, I was told.

“Uh oh”, I thought. Here we go again. If you are the local IT guru you know this feeling well. And, is it just me or is it becoming more frequent?

I have developed a routine for dealing with these PCs now – inevitably the “it may have a virus” turns out to be tens if not hundreds of viruses, trojans, worms and spyware all combining together to grind the PC to a halt. So, what I do, is to re-install the OS – more often recently it is XP, turn off System Restore, install XP SP2, Microsoft Anti Spyware, Spybot, Adaware, and AVG.

The reason for disabling System Restore is that many of the more recent Viruses, etc. hide in the System Restore volume so that they are restored after a scan is run and are impossible to delete while System Restore is running.

Once all the above software is installed and has scanned and cleaned the PC, then, and only then, connect the PC to the Internet and do a Windows Update, updating the PC with all available updates. Finally, connect to and install Trend Micro’s Housecall online Anti Virus scanner. Run this scan on the PC, disconnect from the Internet and scan once more with all the previous tools, ensuring all scans come up clean again. If they don’t, keep repeating until they do or consider formatting the PC.

Be sure to set the Windows Updates to update automatically through the Security Center (sic).

Install Firefox and Thunderbird and set them to be the default browser and default mail client respectively, removing desktop shortcuts for Internet Explorer.

Finally, on returning the PC, you need to inform the owner of all the changes that have been made to the PC and be sure to let him/her know that these measures will only keep the PC secure for 6-9 months maximum.

It is at this point that you need to tell them that if they want to stay uninfected going forward, they’d be far better off getting a Mac!

Internet Explorer use falling further still

I note that eWeek are reporting that usage of Microsoft’s Internet Explorer has fallen another 1.5% to 90.3%.

Of course, what is amazing, to me, is that over 90% of people are still using Internet Explorer!

Still, I shouldn’t complain, a lot of my business these days is coming from people whose PCs have been decimated by viruses/worms/spyware/etc. because they are using Internet Explorer!

Cracker Targets Ad Servers with IE Exploit

Falk eSolutions is an ad-serving company which, according to its website, “is now the third-largest ad management solution worldwide, serving over 12 billion ad impressions per month”.

On 20/11/04 some clever cracker broke into one of their load-balancing servers that handles ad deliveries and successfully loaded exploit code onto servers serving ads on hundreds of clients’ web sites. Users visiting web sites that carried banner advertising delivered by Falk’s affected servers were periodically delivered a file which tried to run an IE exploit on the user’s computer.

Falk AdSolution clients include AtomShockwave, IDG, A&E Television Networks, MediaCom and Universal McCann.

European tech publisher The Register was the first to notice that banner ads served by Falk were launching exploit code at non-SP2 IE users. The Register advised readers: “If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue.”

irc/backdoor.sdbot in Win XP Home

A friend’s PC was infected with the irc/backdoor.sdbot trojan recently and I cleaned it out – eventually.

This is a tricky little trojan which hides in the System Volume folder (where the System Restore info is held) as well as the Windows/Winnt folder.

Killing the trojan using anti-virus software only gets rid of it until the next re-start. The way to get rid of this one is to turn off the System Restore service by opening the Services MMC in the Administrative Tools folder, right-clicking the System Restore service and selecting Stop.

Having stopped the System Restore service, it is now possible to kill this virus permanently using your favourite anti-virus software or preferably a combination of av software. In this case, I used AVG and Stinger to be sure all infections were gone.

Don’t forget to re-start this service once you are done!