NEWS - May 20, 2011

Apple to support reps: "Do not attempt to remove malware"

Apple is actively conducting an internal investigation into the Mac Defender malware attack I wrote about yesterday (here and here). An internal document with a Last Modified date of Monday, May 16, 2011 notes that this is an "Issue/Investigation In Progress."

The document (shown below) provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack. [Screenshot]

There are two different resolution paths, depending on whether the customer says Mac Defender / Mac Security has or has not been installed.

According to this document, if the caller says he or she has not installed the software, the support rep should "suggest they quit the installer and delete the software immediately." That is followed by this disclaimer:

AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer's Mac is infected or not.

If the software is already installed, support personnel are instructed to make sure all security updates have been installed using Software Update. They are then to direct the customer to the "What is Malware?" Help document using Finder. The final step is clear:

Explain that Apple does not make recommendations for specific software to assist in removing malware. The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options.

Finally, that is followed by these four bullet points.

Continued :
- Collapse -
Firefox add-on with 7m downloads can invade privacy

A high-rated Firefox extension with more than 7 million downloads secretly collects data about every website the open-source browser visits and combines it with uniquely traceable information tied to the user, an independent security researcher said.

The undisclosed behavior of the Ant Video Downloader and Player add-on takes place even when the Firefox private browsing mode is turned on or when users are availing themselves of anonymity services such as Tor. The add-on carries a rating of four out of five possible stars and gets an average of almost 7,000 downloads per day, according to official Mozilla statistics.

The revelations raise new questions about the safety of extensions offered on Mozilla's website. A spokeswoman for the open-source developer said the media player, like all public extensions not designated experimental, was vetted to make sure it meets a list of criteria. Chief among them is that add-ons "must make it very clear to users what [privacy and security] risks they might encounter, and what they can do to protect themselves."

Continued :

- Collapse -
BlackHole RAT Evolves Again: New Variant Found

Intego's Mac Security Blog:

Intego has discovered a new variant of the BlackHole RAT which we discussed in February. While the main principles of the tool - a remote administration tool - remain the same, it includes a backdoor, called [name missing from the excerpt], and a keylogger, called [name missing from the excerpt]. It also adds these two latter elements to a user's Login Items. The full toolkit is installed in a folder named .JavaUpdater; this folder is normally invisible, at least in the Finder, as are all items whose names begin with a period.

The RAT also installs a video capture tool, available from a "normal" website - i.e., not a hacker module - which can eventually be used to capture video from an iSight camera. All of these modules are written in RealBasic, a portable, cross-platform language that creates executables using a runtime. [Screenshot]

For now, the risk is still very low. Malicious users need access to Macs to install this software, either by physically accessing a Mac, or by accessing it over a network. It is recommended to use a firewall, such as that found in Intego VirusBarrier X6, to prevent such network attacks.

- Collapse -
Phishing Site Found on a Sony Server

F-Secure Weblog:

We know you're not supposed to kick somebody when they're already down... but we just found a live phishing site running on one of Sony's servers.

However, this incident has nothing to do with the Sony PSN hack.

This is the official homepage of Sony Thailand: [Screenshot]

And here's a phishing site running under [address omitted from the excerpt], targeting an Italian credit card company. [Screenshot]

Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important.

Sony has been notified. The malicious URL is blocked for our customers.

We have also received unconfirmed reports about a new phishing campaign, asking people to reset their Sony PSN password. We're still investigating this.

Related: Sony Breach May Lead To Spear Phishing Attacks

- Collapse -
Eureka! Google breakthrough makes SSL less painful

Google researchers say they've devised a way to significantly reduce the time it takes websites to establish encrypted connections with end-user browsers, a breakthrough that could make it less painful for many services to offer the security feature.

What's more, the technique known as False Start requires that only simple changes be made to a user's browser and appears to work with 99 percent of active sites that offer SSL, or secure sockets layer, protection.

"We implemented SSL False Start in Chrome 9, and the results are stunning, yielding a significant decrease in overall SSL connection setup times," Google software engineer Mike Belshe wrote in a blog post published Wednesday. "SSL False Start reduces the latency of a SSL handshake by 30%. That is a big number."

The finding should come as welcome news to those concerned about online privacy. With the notable exceptions of Twitter, Facebook, and a handful of Google services, many websites send the vast majority of traffic over unencrypted channels, making it easy for governments, administrators, and Wi-Fi hotspot providers to snoop or even modify potentially sensitive communications while in transit. Companies such as eBay have said it's too costly to offer always-on encryption.

Continued :

- Collapse -

I hadn't noticed any problems connecting via HTTPS and SSL, but any improvements are welcome.

I know SSL has its problems, and it will be interesting to see what the security experts think of this new procedure.


- Collapse -
Siemens says it will fix SCADA bugs

Siemens is working on a fix for some serious vulnerabilities recently discovered in its industrial control system products used to manage machines on the factory floor.

The company said Thursday that it was testing patches for the issues, just one day after a security researcher, Dillon Beresford of NSS Labs, was forced to cancel a talk on the issue because of security concerns.

NSS Labs had been working with Siemens and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on addressing the issues for the past week-and-a-half. But the company decided to pull its talk when it turned out that Siemens' proposed fixes were not completely effective, according to Rick Moy, CEO of NSS Labs.

Siemens didn't say when it expected to fix the problems. "Our team continues to work diligently on this issue -- also together with both NSS Labs and ICS CERT. We are in the process of testing patches and developing mitigation strategies," Siemens said in a statement.

Industrial control systems have come under increased scrutiny in the year since the Stuxnet worm was discovered. Stuxnet, thought to have been built to disrupt Iran's nuclear program, was the first piece of malware built with industrial systems in mind, and it targeted a Siemens system.

Continued :

Related: Siemens SCADA hacking talk pulled over security concerns

- Collapse -
Microsoft links fake Mac AV to Windows scareware gang

"Similarities point to Russian group that's also responsible for one of 2010's most widespread security scams"

Microsoft said this week that it has evidence of a link between the fake security software now plaguing Mac users and a hard-charging family of similar software on Windows.

Phony security software, labeled "rogueware" and "scareware" by experts, has long been a huge thorn in Windows' side. But earlier this month researchers announced the discovery of a Mac-specific scam that claims the machine is heavily infected.

Once installed, the software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.

To get rid of the program's alerts -- and the occasional pornographic page that pops up in the browser, a new twist intended to make victims think their computers have been hijacked -- many Mac owners pay the $79.50 "registration fee" for the worthless program.

Mac users have reported being duped into downloading the fake software on Apple's support forums and, in increasing numbers, to Mac-centric antivirus vendor Intego, which has identified at least three names for the same product: MacDefender, MacSecurity and MacProtector.

Continued :

Also: New Mac fake-defenders similar to Windows scareware

Related: Winwebsec gang responsible for FakeMacdef?

- Collapse -
Converting currency on Google can lead to malware attack

One of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.

So he did what any of us would probably do. He Googled it.

215 euro to usd

Google very cleverly and kindly tells you what it believes the conversion rate to be, but you're also given a number of search results: [Screenshot]

It's that final search result which is of interest to us. A quick search finds a number of other webpages which don't just use keywords related to currency conversion, but also other terms - "dirty sexist jokes", for instance. [Screenshot]

What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.

The good news is that Sophos can offer a layered defence against this attack.

The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.

The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.

Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.

Continued :

- Collapse -
W32.Qakbot - Under The Surface
W32.Qakbot is a worm that's been around since at least 2009. The worm initially infects users by exploiting vulnerabilities when certain Web pages are visited. It subsequently spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. During the past few months we've seen high levels of active development from the malware author's side with the intent of circumventing detection techniques used by various security software.

The Symantec Security Response team has been monitoring this worm for the past couple of years. Activity around Qakbot appears every couple of months with external entities claiming to see an outbreak. The last major wave we saw started in early April. We took that opportunity to spend additional time to analyze and document the working of this threat in a little more detail. We took some actions to monitor the threat's prevalence and learnt a good amount.

Data acquired using our in-field telemetry show us just how prevalent this worm is. In the first quarter of 2011 the worm's activity wasn't very different from that of most other active worms. Once the author seeded the newer variants, it's hard to believe he or she could have foreseen its ability to spread. [Screenshots: Qakbot Hits in 2011]


Qakbot Related: Qakbot family of malware blamed for data breach
- Collapse -
Sony's PSN password server online again

After the second security breach that allowed attackers to change the passwords of PlayStation Network (PSN) and Qriocity users, Sony has brought the web servers that manage accounts back online. In a post on its PlayStation Blog, Sony says that the security flaw which allowed for the resetting of passwords has now been fixed.

A brief test by The H's associates at heise Security confirmed that the hole could no longer be exploited. Nonetheless, users are still advised to make sure that their computers are protected with virus scanners and only download email via encrypted SSL connections in order to prevent sniffing attacks.

The security hole was open on May 16 and 17. In order to take advantage of the URL exploit, an attacker had to provide the registered email address of the account holder and their date of birth. PSN and Qriocity users who received unsolicited emails from Sony during that time telling them that their password had been reset or changed should immediately contact PSN support to regain access to their accounts. It is not yet known how many accounts were taken over on those two days.

Continued :

- Collapse -
Facebook Prepares to Launch Bug Bounty Program

Facebook is working on setting up a bug bounty program that would encourage security researchers to discover vulnerabilities on its platform and report them responsibly.

Mr. Joe Sullivan, Facebook's chief security officer, told us today at the Hack in the Box Amsterdam 2011 security conference that the company is currently testing such a system and hopes to launch it soon.

Vulnerability reward programs are not new. In fact, they've been around since the Netscape era.

In 2004 Mozilla introduced a bug bounty system for vulnerabilities discovered in Firefox, then last year Google did the same for Chromium, the open source project behind Google Chrome.

However, it was Google that began rewarding vulnerabilities found in its web services first, a move that was mirrored by Mozilla a month later.

Facebook has a pretty good relationship with security researchers already and many of them are reporting vulnerabilities to the company responsibly.

Continued :

- Collapse -
Rootkit Banker - now also to 64-bit

Yesterday Kaspersky Lab detected the first rootkit banker created to infect 64-bit systems. It was detected in a drive-by-download attack made by Brazilian cybercriminals.

We found a malicious Java applet inserted in a popular Brazilian website. The attack was made using a malicious applet in such a way as to infect users running old versions of the JRE (Java Runtime Environment), and it was prepared to infect users running both 32-bit and 64-bit systems.

Inside this applet we found some interesting files: [Screenshot]

The entire malicious scheme is simple yet interesting. The file add.reg will disable UAC (User Account Control) and modify the Windows Registry by adding fake CAs (Certification Authorities) on the infected machine: [Screenshot]

The file cert_override.txt is a fake digital certificate signed by the fake CA registered in the system. The main purpose of this attack is to redirect the user to a phishing domain. The fake website will then show an icon of an https connection, simulated to be the real page of the bank. This scheme to register a malicious CA in an infected system has been used by Brazilian bad guys since last year.
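The two registry changes described above (UAC switched off, a rogue CA dropped into the system store) leave traces that are easy to look for. The following is an added example, not Kaspersky's code and not the attack's actual add.reg: it parses a .reg export and flags the two patterns. The sample .reg text is constructed for the example, and the key paths it checks (the Policies\System EnableLUA value and the SystemCertificates\...\Certificates stores keyed by SHA-1 thumbprint) are the standard Windows locations, assumed here rather than taken from the article.

```python
import re

# Constructed sample .reg content for the example; not the real add.reg.
# It disables UAC and writes a certificate blob into the machine-wide Root store.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567]
"Blob"=hex:5c,00,00,00,01,00,00,00,04,00,00,00,14,00,00,00,\
  aa,bb,cc,dd

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Setting"="value"
'''

# Assumed well-known locations: the UAC policy key and the certificate stores
# (Root, AuthRoot, CA) that Windows keeps under SystemCertificates, one subkey
# per certificate named by its SHA-1 thumbprint.
UAC_KEY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"
CERT_STORE_RE = re.compile(
    r"\\SystemCertificates\\(Root|AuthRoot|CA)\\Certificates\\([0-9A-Fa-f]{40})$")


def _join_continuations(text):
    """Merge .reg lines that end in a backslash (multi-line hex values)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} for the subset of the .reg
    format used here (sections in brackets, "name"=data lines)."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_suspicious(keys):
    """Flag UAC being disabled and certificates written into a trust store."""
    findings = []
    for key, values in keys.items():
        if key.lower().endswith(UAC_KEY_SUFFIX):
            val = values.get("EnableLUA", "").lower()
            if val.startswith("dword:") and int(val[len("dword:"):], 16) == 0:
                findings.append(("uac_disabled", key))
        m = CERT_STORE_RE.search(key)
        if m and "Blob" in values:
            # A Blob under a store key means a certificate is being installed;
            # the thumbprint is what to compare against a known-good baseline.
            findings.append(("cert_added_to_" + m.group(1).lower(), m.group(2).upper()))
    return findings


def scan_reg_text(text):
    return find_suspicious(parse_reg(text))


if __name__ == "__main__":
    for kind, detail in scan_reg_text(SAMPLE_REG):
        print(f"{kind}: {detail}")
```

Running it over the constructed sample reports one `uac_disabled` finding and one `cert_added_to_root` finding with the thumbprint; the harmless HKCU section produces nothing. On a real incident the thumbprints reported this way are what you would check against the CA list a known-clean build carries.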

Continued :

- Collapse -
Krebs's 3 Basic Rules for Online Safety

Yes, I realize that's an ambitious title for a blog post about staying secure online, but there are a handful of basic security principles that - if followed religiously - can blunt the majority of malicious threats out there today.

Krebs's Number One Rule for Staying Safe Online: "If you didn't go looking for it, don't install it!" A great many online threats rely on tricking the user into taking some action - whether it be clicking an email link or attachment, or installing a custom browser plugin or application. Typically, these attacks take the form of scareware pop-ups that try to frighten people into installing a security scanner; other popular scams direct you to a video but then complain that you need to install a special "codec," video player or app to view the content. Only install software or browser add-ons if you went looking for them in the first place. And before you install anything, it's a good idea to grab the software directly from the source. Sites like [names missing from the excerpt] claim to screen programs that they offer for download, but just as you wouldn't buy a product online without doing some basic research about its quality and performance, take a few minutes to search for and read comments and reviews left by other users of that software to make sure you're not signing up for more than you bargained for. Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank or some other site that holds your personal information. Instead, visit these sites using a Web browser bookmark.

Krebs's Rule #2 for Staying Safe Online: "If you installed it, update it." Yes, keeping the operating system current with the latest patches is important, but maintaining a secure computer also requires care and feeding for the applications that run on top of the operating system. Bad guys are constantly attacking flaws in widely-installed software products, such as Java, Adobe PDF Reader, Flash and QuickTime. The vendors that make these products ship updates to fix security bugs several times a year, so it's important to update to the latest versions of these products as soon as possible....

Continued :

- Collapse -
An Apple a day promotes WikiPharmacy

From Websense Security:

Fake Apple Store Order Notifications have been making rounds for months now. The volume of this particular spam campaign is not as astonishing as other past campaigns. It is actually the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly stop the next day.

Typically, the email contains a link that redirects users to a very familiar pharmacy spam site. These links either belong to compromised sites or newly registered domains. [Screenshot]

Today, we noticed the same fake Apple Store email redirecting users to a different, relatively new pharmacy spam web template. The new template channels a Wikipedia feel and is cleverly titled "WikiPharmacy". [Screenshot]

Continued :

- Collapse -
Profile Stalkers on Facebook? Check out the viral scam that's spreading

Another scam is being spammed out across Facebook, tricking users into helping its spread by fooling them into believing they will discover who is secretly viewing their profile.

Using a cartoon image of what appears to be a chimpanzee looking through binoculars, the messages are being sent from other Facebook users who have already fallen into the trap of clicking on the link and following the scammers' instructions.

Clicking on the link contained inside the message (which I have obscured in the screen grab below) is a big mistake, as it takes you one step further into the criminals' trap. [Screenshot]

WICKED! Now you can see who views your facebook profile.. i saw my top profile stalkers and my EX is still creeping my profile every day

Checkout your PROFILE stalkers

Now you can see who stalks your profile daily

If you do click on the link you are taken to a third-party webpage which urges you to cut-and-paste some JavaScript code into your web browser's address bar. The page claims that it is your unique code to view your Top 10 Profile Spys - but it's not true at all.

Continued :
