Last week, Apple released two urgent updates to Mac OS X to:


1. Remove the Flashback malware about which we have already written

2. Automatically deactivate the Java browser plugin and Java Web Start, effectively disabling Java applets in browsers


The second step in particular shows the severity of the CVE-2012-0507 vulnerability exploited by Flashback to infect almost 700,000 users via drive-by malware downloads.

Actually, it was the right decision because we can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.

Incidents|Flashfake Removal Tool and online-checking site

Aleks
Kaspersky Lab Expert
Posted April 09, 22:08  GMT
Tags: Botnets, Apple, Flashfake

After intercepting one of the domain names used by the Flashback/Flashfake Mac Trojan and setting up a special sinkhole server last Friday, we managed to gather stats on the scale and geographic distribution of the related botnet. We published information on this in our previous blog entry.

We continued to intercept domain names after setting up the sinkhole server and we are currently still monitoring how big the botnet is. We have now recorded a total of 670,000 unique bots. Over the weekend (7-8 April) we saw a significant fall in the number of connected bots:

This doesn’t mean, however, that the botnet is shrinking rapidly – these are merely the numbers for the weekend.

Over the last few days our server has registered all the data sent by bots from the infected computers and recorded their UUIDs in a dedicated database. Based on this information we have set up an online resource where all users of Mac OS X can check if their computer has been infected by Flashback.

To find out if your computer is infected and what to do if it is, visit: flashbackcheck.com

Users can also check if they’re infected with Flashfake by using Kaspersky Lab’s free removal tool.

Opinions|10 Simple Tips for Boosting The Security Of Your Mac

Costin Raiu
Kaspersky Lab Expert
Posted April 09, 16:33  GMT
Tags: Apple, Oracle, Flashfake

At the moment, there are more than 100 million Mac OS X users around the world. The number has grown swiftly during the past years and we expect this growth to continue. Until recently, Mac OS X malware was a somewhat limited category and included trojans such as the Mac OS X version of DNSChanger and, more recently, fake anti-virus/scareware attacks for Mac OS X, which boomed in 2011. In September 2011, the first versions of the Mac OS X trojan Flashback appeared; however, they didn’t really become widespread until March 2012. According to data collected by Kaspersky Lab, almost 700,000 infected users had been counted at the beginning of April and the number could be higher. Although Mac OS X can be a very secure operating system, there are certain steps which you can take to avoid becoming a victim of this growing number of attacks.

Here’s our recommendation on 10 simple tips to boost the security of your Mac:

Incidents|Flashfake Mac OS X botnet confirmed

Igor Soumenkov
Kaspersky Lab Expert
Posted April 06, 16:54  GMT
Tags: Apple MacOS, Botnets, Apple, Flashfake

Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet, Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.

We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.

It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.

The bot locates its C&C servers by domain names, and these names are generated using two algorithms. The first algorithm depends on the current date, and the second algorithm uses several variables that are stored in the Trojan’s body and encrypted with the computer’s hardware UUID using RC4 cipher.

We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.

Geographical distribution of active Flashfake bots

We can neither confirm nor deny that all of the bots that connected to our server were running Mac OS X. The bots can only be identified by a unique variable in their User-Agent HTTP header named “id”; the rest of the User-Agent is statically controlled by the Trojan. See example below:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"

We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.

Approximate distribution of OSes used to connect to our server
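
The counting approach described in this post (one bot per hardware UUID taken from the "id" field of the User-Agent, rather than one per IP address) can be sketched as follows. This is an added example, not Kaspersky Lab's code: the Apache combined log layout, the function names and every sample line are constructed, and only the first UUID comes from the header quoted above.

```python
import re
from collections import defaultdict

# "id:<hardware UUID>" token in the User-Agent, as in the header quoted above.
BOT_ID = re.compile(r"\bid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\b")
# Assumed layout: Apache combined log format (client IP first, User-Agent last).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:{}) Gecko/20100101 Firefox/9.0.1"

def _entry(ip, user_agent):
    return f'{ip} - - [06/Apr/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 0 "-" "{user_agent}"'

# Constructed sample: documentation-range IPs; only the first UUID is from the page.
SAMPLE_LOG = "\n".join([
    _entry("192.0.2.10", UA.format("9D66B9CD-0000-5BCF-0000-000004BD266A")),
    _entry("198.51.100.7", UA.format("9d66b9cd-0000-5bcf-0000-000004bd266a")),  # same bot, new IP
    _entry("203.0.113.5", UA.format("11111111-2222-3333-4444-555555555555")),
    _entry("203.0.113.5", UA.format("AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE")),  # two bots, one NAT
    _entry("192.0.2.99", "Mozilla/5.0 (compatible; ExampleCrawler/1.0)"),      # no id field
    "truncated garbage line",
])

def summarize(log_text):
    """Count bots by UUID rather than by IP, and report what was discarded."""
    ips_by_bot = defaultdict(set)
    bots_by_ip = defaultdict(set)
    no_id = malformed = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            malformed += 1
            continue
        ip, user_agent = m.groups()
        found = BOT_ID.search(user_agent)
        if not found:
            no_id += 1  # visitors that do not carry the Trojan's id field
            continue
        uuid = found.group(1).upper()  # normalise case so one bot is counted once
        ips_by_bot[uuid].add(ip)
        bots_by_ip[ip].add(uuid)
    return {
        "unique_bots": len(ips_by_bot),
        "unique_bot_ips": len(bots_by_ip),
        "roaming_bots": sorted(u for u, ips in ips_by_bot.items() if len(ips) > 1),
        "shared_ips": sorted(ip for ip, bots in bots_by_ip.items() if len(bots) > 1),
        "no_id": no_id,
        "malformed": malformed,
    }

print(summarize(SAMPLE_LOG))
```

Bots that change address inflate an IP-based count while several bots behind one NAT deflate it, which is why the UUID is the better key; the field is still client-supplied, so the total is an estimate.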

The internet is full of infected hosts. Let's just make a conservative guesstimate that there are more than 40 million infected victim hosts and malware serving "hosts" connected to the internet at any one time, including traditional computing devices, network devices and smartphones. That's a lot of resources churning out cybercrime, viruses, worms, exploits, spyware. There have been many suggestions about how to go about cleaning up the mess; the challenges are complex, and current cleanups are taking longer than expected.

Mass exploitation continues to be an ongoing effort for cybercriminals and a major problem - it's partly a numbers game for them. Although exploiting and infecting millions of machines may attract LE attention at some point, it's a risk some are willing to take in pursuit of millions of dollars that could probably be better made elsewhere with the same effort. So take, for example, the current DNSChanger cleanup. Here is a traditional profit-motivated 4 million PC and Mac node malware case worked by the FBI, finishing with a successful set of arrests and server takedown.

Research|Are Mobile Advertisers Getting Too Aggressive?

Tim
Kaspersky Lab Expert
Posted February 08, 15:12  GMT
Tags: Google, Google Android, Apple

Many of the apps we enjoy are free. Well, to call them free is a bit misleading. You pay for the apps by looking at advertisements. This is a platform we should all recognize from the sidebar of Facebook, or Google, or almost any service that doesn’t charge a premium to use it. Advertising has paved the way for many services to gather a huge audience and still profit.

On Android and in many cases iOS, the advertisers have gotten very aggressive. They now collect all kinds of data through multiple forms of advertising. I’d like to take a look now at what you can expect.

Publications|The Top 10 Security Stories of 2011

Costin Raiu
Kaspersky Lab Expert
Posted January 04, 09:08  GMT
Tags: Google, Adobe, Microsoft, Apple, RedHat, Comodo, Sony

As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into the top 10 security stories of 2011.
What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.

Opinions|What to Do About Carrier IQ

Tim
Kaspersky Lab Expert
Posted December 07, 16:41  GMT
Tags: Google, Apple, HTC

There’s been a lot of talk about a piece of software installed on many mobile devices called Carrier IQ. The intended purpose of the software according to the manufacturer is to collect metrics to improve many functions of the device on which it’s installed. The uproar has been that this software has access to so much private user data.


In April, the .co.cc and .cz.cc sub-domains were absolutely littered with malware distributing web sites, and the unusually telling DNS registration setup on .co.cc and .cz.cc had forecast the previously upcoming Apple FakeAv. That DNS setup later led to FakeAv downloads for the Mac as forecast. But FakeAv distribution has been steadily declining since the beginning of the year, and a few related major events have occurred over the past six months. Blackhole operators have migrated to .info domains, along with other related malicious site operators. Have they pushed .info to become the new .cc?

So, what has this dispersion looked like? Well, let's look back to the beginning of the year. .co.cc and .cz.cc domain registrars offered free DNS registration and cheap or free hosting. Malware distributors abused these cheap resources and staged the Blackhole exploit pack using these URL names, serving up FakeAv and other nastiness. Java exploits became the most effective and most popular in the Blackhole set, followed by exploits targeting vulnerable Adobe Reader and Microsoft HCP software. Traffic was directed to these kits by Google Image Search Poisoning, by compromising legitimate sites and redirecting browsers to the kit sites with injected iframe and img src tags, and by successful malvertizing campaigns on major webmail providers. But what goes up must come down.


Web-based threats such as malicious links on social media, infected websites and malicious ads are terms that we read about quite often. We security experts have for quite some time tried to emphasize the importance of protecting both your website and computer from being infected, since these malicious websites often exploit client vulnerabilities. These vulnerabilities have been one of the major attack vectors for malware writers in recent years, but is it still a problem?

We are constantly seeing new software vulnerabilities, and the bad guys are very quick to develop exploits which are then hosted in their exploit kits. The vulnerabilities themselves are not dangerous unless the attacker is able to exploit them on the victim’s computer. The attackers have therefore developed ways to get victims to visit a website, for example, which then triggers the exploit. Some common ways are through social engineering or infecting a legitimate website with redirection code that points to the exploit kit.

Last month almost all major vendors released critical security updates for their software, such as Adobe, Oracle, Apple, Microsoft and Mozilla. I then started to research the current threat landscape, and focused on Sweden since I am the security researcher for the Nordic region; and after just a few minutes I saw that both Swedish websites and Swedish users were under attack.

In September we saw a 3700% increase in JavaScript-based redirection scripts, specifically Trojan.JS.Redirector.ro. This malicious redirector went from 908th place to 15th place in the list of the most detected malware in Sweden in one month. This code only redirects users to another URL, and I thought it was strange that we did not really see an increase of detected malware in September.