General discussion

NEWS - November 04, 2010

New variant of Boonana Trojan (trojan.osx.boonana.b) discovered

A new variant of the Boonana malware, first documented and named by SecureMac, has been discovered by ESET. The new variant, trojan.osx.boonana.b, behaves in a very similar manner to the original malware, and is currently being distributed on multiple sites. In addition to the website documented by ESET as currently distributing the malware, SecureMac has identified two more websites that are currently hosting the new malware variant. Rather than the initial site which tricks users into running (and installing) the malware, these servers seem to be hosting update code for the malware. The infected machines contact these servers looking for updates to the malware payload. At the time of analysis (November 2nd, 2010), these servers were live, and distributing malware.

In addition to the malware updates, these servers contain what appear to be keystroke logs from infected machines, including usernames and passwords.

With a quick glance, Boonana may look like a variant of Koobface, which was discovered for Windows back in 2008. However, ESET has also confirmed SecureMac's initial analysis of Boonana as a new unique piece of malware, which does not share a common code-base with the previously discovered Koobface worm. ESET's threat analysis of Boonana can be found at:

Additionally, Microsoft identifies the malware as Trojan:Java/Boonana, and rates it as a severe threat for both Mac and Windows:

Microsoft's analysis of the OS X version of Boonana, also with a severe threat level, can be found at:

Another security vendor has verified that the Boonana malware is capable of infecting Linux machines, and will proceed to join a botnet once installed. The malware also affects Mac OS X and Microsoft Windows.

Also see previous news on the above:
Intego classifies new Mac trojan threat as "minimal"

DIY Tool Makes Your Own Antivirus Signatures

Big bad malware and zero-day attacks that fly under the radar of anti-virus software are hitting enterprises everywhere. With that in mind, HBGary is coming out with a 'do-it-yourself' tool to help security managers beat back Windows-based infections or prevent them while a zero-day outbreak is underway.

Called the Inoculator, it's an appliance that would typically sit inside the network, perhaps near Active Directory, and routinely perform a detection scan on Windows-based desktops and servers for signs of malware.

"If detected, it can remove it," says Greg Hoglund, CEO of HBGary. At the same time, Inoculator would install what he calls a "digital antibody" for a specific malware specimen to prevent re-infection. And that signature-based antibody could also be quickly loaded onto other enterprise computers to inoculate them against what might be an ongoing zero-day attack.

The detection process requires Inoculator to connect via remote procedure call to the end node with privileged access so it can carry out the scan. Hoglund says HBGary's scan process will look for things such as Zeus bots that are often missed by anti-virus. In general, it will look for ways malware can affect a computer system, such as registry keys, event logs and other indicators. "A scan policy once a night would be fine," Hoglund says.

Basically, the idea is that the Inoculator security manager will be able to create a specific signature defense for a detected malware specimen even before anti-virus software vendors may come up with one; it has been known to take a day or so even when well-recognized zero-day attacks have started.

Windows USB attacks by the numbers

In just seven days during October, the Avast CommunityIQ system recorded a total of some 700,000 attacks on member computers. Which is, sadly, pretty much par for the course when it comes to security attack stats these days. The really interesting number is the share of these attacks that were perpetrated using USB devices of one kind or another: 13.5 percent.

If you have been slow, for whatever reason, in shoring up your defences against those who would exploit the security faux pas that is Windows Autorun, then this is surely a timely slap around the chops.

Sure, 84 percent of the Autorun attack attempts spotted by Avast were successfully dealt with by the on-access scans and the remaining 16 percent shot down following scans of the computer hard drives concerned. But it's the fact that these attacks are happening at such a steady and relatively high rate that must be the wake up call.

"AutoRun is a really useful tool, but it is also a way to spread more than two-thirds of current malware," Jan Sirmer, an analyst at the Avast Virus Lab, warns.

Malware running on AutoRun

During a one-week period in October, we had 700,000 computers in our CommunityIQ system send us data on actual malware attacks. Out of this total number, 13.5% were from a USB device. That is more than one out of every eight attempted infections, a number that really surprised me as I did the research.

Our detection code for this malware is "INF:AutoRun-gen2 [Wrm]". This malware is a worm that starts an executable file which then invites a wide array of malware into the computer. The incoming malware copies itself into the core of the Windows OS and can replicate itself each time the computer is started.

Out of the total "INF:AutoRun-gen2 [Wrm]" attacks, 84% of the attempts were repelled by the on-access scans in the avast! System Shield. The malware was detected at the time when the USB device was initially connected. The remaining 16% were discovered during scans of the computer hard-drives.
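As an added example for this thread (not Avast's code and not the INF:AutoRun-gen2 signature itself), here is a small Python heuristic that parses an autorun.inf found on removable media and reports the directives a worm of this kind relies on to get its executable launched; the sample file is constructed to mirror the typical layout described above.

```python
"""Flag autorun.inf files that would launch an executable from a USB drive."""
import re
from typing import Dict, List

# Directives that make Windows (with AutoRun enabled) run a program on insertion.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lowercased key -> value dict.

    Worms pad the file with comments and odd casing, so only keys under an
    [autorun] header are honoured and whitespace around '=' is stripped.
    """
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def suspicious_indicators(text: str) -> List[str]:
    """List the reasons an autorun.inf looks like a worm launcher (empty if benign)."""
    keys = parse_autorun(text)
    reasons: List[str] = []
    for k in LAUNCH_KEYS:
        if k in keys:
            reasons.append(f"{k} launches {keys[k]}")
    # shell\<verb>\command entries hijack the drive's Explorer context menu so
    # that 'Open' or 'Explore' runs the payload instead of opening the folder.
    for k, v in keys.items():
        if k.startswith("shell\\") and k.endswith("\\command"):
            reasons.append(f"context-menu hijack: {k}={v}")
    # Payloads are commonly hidden in a folder named after a system directory.
    joined = " ".join(keys.values()).lower()
    if "recycler" in joined or "system volume information" in joined:
        reasons.append("payload path mimics a system folder")
    if not reasons and any(EXEC_EXT.search(v) for v in keys.values()):
        reasons.append("references an executable")
    return reasons


# Constructed sample modelled on a typical worm autorun.inf (not a real file).
SAMPLE = """[AutoRun]
;decoy comment
open=RECYCLER\\S-1-5-21-1\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=RECYCLER\\S-1-5-21-1\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1\\setup.exe
"""

if __name__ == "__main__":
    for reason in suspicious_indicators(SAMPLE):
        print("!", reason)
```

A clean autorun.inf that only sets `icon=` and `label=` produces no indicators, which is the point of the check: the file format is legitimate, the launch directives are what the worm needs.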

Microsoft tool unable to detect new versions of Zeus

Though Microsoft has added new protection capabilities to its Malicious Software Removal Tool (MSRT) to help organizations fight Zeus, its tool is ineffective at detecting the newest version of the insidious data-stealing malware, according to researchers at security firm Trusteer.

Last month, coinciding with the release of its monthly bundle of security fixes, Microsoft added Zeus detection and removal capabilities to the freely distributed MSRT.

But after testing the tool against hundreds of Zeus files, Trusteer researchers determined that it is able to detect and remove an old version of Zeus 46 percent of the time but is unable to protect against the latest version, Mickey Boodaei, CEO of Trusteer, told on Wednesday.

"What Microsoft did is a good first step, but in terms of effectiveness and sustainability against Zeus, we think there is a lot more work to do," Boodaei said.

The most recent version of Zeus contains sophisticated capabilities to evade detection, Boodaei said. [...]

"The good news is that MSRT has and will be able to kill approximately half of the Zeus population," Boodaei wrote in a blog post Wednesday. "This detection rate is very respectable since most anti-virus solutions, if not all, have a much lower detection rate."

Also see: Microsoft tool now roots out Zeus malware

Zeus Attackers Deploy ******** Against Researchers, ...

Phony administrative panel posts fake data on recent electronic quarterly federal tax payment attacks, fake 'new botnet' malware.

Attackers turned the tables on both their competitors and researchers investigating a recent Zeus attack, which targeted quarterly federal tax payers who file electronically, by feeding them a phony administrative panel with fake statistics.

The massive and relatively sophisticated spam campaign last month posed as email alerts to victims, notifying them that their electronic federal tax payments had failed and sending them to a link that both infects the victim with the Zeus Trojan and sends victims to the legitimate Treasury Department website,, for filing quarterly taxes.

Brett Stone-Gross, a researcher with The Last Line of Defense, discovered that attackers had set up a ruse for those trying to hack or access its administrative interface for the malware after studying the back-end malware server used in the EFTPS attack. The purpose appeared to be all about providing false information. Stone-Gross says the toolkit used in the attack came with an administrative interface that acts as a hacker's ******** of sorts, gathering intelligence about the researchers or other users who try to access the console login or hack into it.

The login system to the "admin panel" practically begs to be hacked: It accepts default and easily guessed passwords as well as common SQL injection strings, according to Stone-Gross.

Most exploit toolkits come with an admin interface that manages exploits and payloads, and tracks exploit success rates, but this fake one was a new twist, Stone-Gross says. He found the fake panel while browsing the gang's source code. "It had a directory called 'fake admin' where they stored the logs of all of the IP addresses of people who tried the console and tried to access it," Stone-Gross says. There were also comments in Russian, he says.

"The faked admin panel serves two purposes: leading the researchers looking at their infrastructure, and they want to see who their competitors are," he says. They can then blacklist the researchers or use the information to DDoS or attack security vendors trying to investigate their malware campaigns, he says.

PayPal rushes out patched iPhone app

Old one didn't detect spoof sites

PayPal has submitted an updated iPhone application after learning that the previous one failed to check the digital certificates that confirmed the authenticity of the online-payment website.

The hole leaves iPhone users who rely on the app open to man-in-the-middle attacks when connecting over unsecured networks such as Wi-Fi hotspots. PayPal learned of the flaw on Tuesday, when a Wall Street Journal reporter asked for comment. A day later, the company rushed out a patched version to Apple's app store.

"We submitted a revised application to Apple within 24 hours of being notified," Anuj Nayar, spokesman for the eBay-owned division, told The Register. "We don't believe that any customers have been affected. Even if they had been, it's very clear that our protection policy would cover them 100 percent."

Software engineer blogs own Starbucks wiretap

Firesheep theatre

Firesheep - the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts - doesn't do anything that hasn't been done for years. But it makes for good theatre.

Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary LosHuertos fired up Firesheep at his local Starbucks and started nabbing identities.

"I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar," he writes on his personal blog. "Around half an hour later, I'd collected somewhere between 20 and 40 identities."

Most were Facebook identities. So Gary started sending people messages from their own Facebook accounts warning them he had just hijacked their Facebook accounts. "Since Facebook was by far the most prevalent (and contains more personal information than Twitter), I decided to send the users messages from their own accounts to warn them of their accounts' exposure," he says.

After a few minutes, he decided he had done some good. Some names disappeared from Firesheep. Then the names appeared again. So he logged into their Facebook accounts a second time. "Did they receive the first message?" he says. "Surely enough, they had."

So then he sidejacked somebody's Amazon account. "One of them was even on, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a 'no, seriously' message on Facebook from his account including the fun fact about his music choices."

Tencent to shut down IM access for some users

Tencent Holdings is planning to shut down access to its popular instant messaging platform for millions of users after a public spat with China's top antivirus software provider, Qihoo 360.

Tencent is making users choose between running its QQ messaging platform, China's largest with more than 600 million users, or Qihoo 360's antivirus software.

"We have just made a very difficult decision ... We have decided that computers running 360 software will not be able to run QQ software," the firm said in a statement.

Tencent, China's largest Internet firm by market capitalization, and Qihoo 360, China's top provider of free security software, have been involved in a tussle for more than a month accusing each other of bad business practices, such as spying, hacking and leaking users' privacy.

Blackhat SEO Still Out There, Now Using Image Files

From TrendLabs Blog:

The U.S. midterm elections may have come and gone but cybercriminals have yet to cease related attacks on users eager for news on the turnout. As the Republicans take center stage, so do blackhat search engine optimization (SEO)-poisoned results.

Case in point, searching for updates on the U.S. midterm election results led to a poisoned link. This, of course, then led to the all-too-common FAKEAV warning prompt and fake scanning page.

What was interesting about this attack, however, is the fact that in addition to relying on keyword density and backlinks to increase a malicious page's ranking, the cybercriminals also counted on related images to lead unwitting users into their trap. This was most probably done to trick search engines into increasing the doorway page's ranking.

Microsoft tempts antitrust lawyers with expanded antivirus..

You want a good, solid, free antivirus program? Microsoft Security Essentials fills the bill nicely. Unfortunately, even though it was officially released more than a year ago, it's still one of the best-kept secrets in personal computing. Its installed base of 30 million users worldwide might sound big in raw numbers, but it's a drop in the bucket compared to the billion-plus Windows PCs in use.

All that's about to change, as Microsoft has now begun delivering Microsoft Security Essentials via Microsoft Update to customers in the United States (a pilot program in the UK started earlier this year). If Windows detects that you're currently running without up-to-date antivirus protection, this is what you'll see in the Optional Updates section.

Although this development might seem like a logical one for Microsoft, it's actually a big step, and a potentially risky one. Security software vendors have their antitrust lawyers on speed dial in anticipation of the day when Microsoft begins bundling antimalware protection directly into Windows. As a result, this long-overdue development is moving at glacially slow speeds. [...]

As the screenshot above makes clear, this update was released roughly two weeks ago, on October 19, but it's only now beginning to appear on update screens across the United States. (Lee Mathews at Download Squad spotted this update in the wild last week. It wasn't available on my system then or even earlier today, when I checked for updates manually. Ironically, I was in Redmond at the time, meeting with the Microsoft Security Essentials team and discussing this very issue. It appeared on my system for the first time just a few minutes ago.)

AV scam: is it a rogue or is it AVG's free edition for sale?

Alert reader Laurie (my boss actually) forwarded a copy of an email she received from a friend. It said the sender was "...pleased to announce the newest version of Antivirus 2010 for Windows."

There was a link to click, of course. [Screenshot]

Something called "Antivirus 2010" for sale in November is very odd for three reasons:

1) It's nearly 2011 and legitimate AV companies are putting out their 2011 versions.
2) There was a rogue security product last year called "Antivirus 2010." (VIPRE detection: FraudTool.Win32.Antivirus2010 (v))
3) Although a lot of companies make a product named Anti-Virus 2010, they usually put their name in front of it, such as "Kaspersky Anti-Virus 2010" or "Norton AntiVirus 2010."

The Antivirus 2010 rogue graphic interface from 2009: [Screenshot]

We checked out the URL ( in the email, putting in our name and "promotion code" (actually any number will do), went past the "member login page" that made some mentions of the very legitimate AVG anti-virus company, and went on to a credit card payment page. The REAL AVG company (fourth largest AV vendor in the world) offers "AVG Anti-Virus Free Edition 2011" in addition to security software that users purchase. [Screenshot]

We noticed the logo on the page mimicked the colors of the AVG logo:

Continued @ the Sunbelt Blog

Adobe Reader and Acrobat Hit by New Zero-Day

French security research company VUPEN confirmed that an Adobe Reader and Acrobat vulnerability reported as a zero-day earlier today, can be exploited to execute arbitrary code.

According to the reputed vulnerability intelligence vendor, the flaw is caused by a heap corruption error in the EScript.api plugin, which can occur when processing a function called printSeps().

VUPEN writes in its advisory that the vulnerability "could be exploited by attackers to crash an affected application or potentially compromise a vulnerable system by tricking a user into opening a specially crafted PDF file."

The bug affects Adobe Reader and Acrobat 9.4 and successful exploitation was confirmed on both Windows 7 and Windows XP SP3.

A proof-of-concept PDF exploit targeting this flaw was sent yesterday to the Full Disclosure mailing list by an anonymous reporter, with the comment "a mystery inside an enigma."

However, it seems that the vulnerability has been known in some circles for almost a year. Details about it were published on a Russian-language blog called "[Security Solutions] Research Lab," in November, 2009.