NEWS - October 27, 2010

Boonana Trojan Horse for Mac OS X spread via Social Media?

SecureMac has discovered a new trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"

When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages. Users have reported the trojan is spreading through e-mail as well as social media sites.

The java component of the trojan horse is cross-platform, and includes other files that affect Mac OS X as well as Microsoft Windows. There have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now. The trojan attempts to hide its internet communications and actions through obfuscated code spread through multiple files, and will attempt to contact additional command servers if the primary servers are unavailable.

This trojan horse is currently in the wild affecting users of both operating systems.

"This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple's market share grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web," said Nicholas Ptacek, a security researcher at SecureMac.

SecureMac has released a free removal tool to eliminate this threat, which can be downloaded by visiting or downloaded directly from

Further updates on the status of this trojan horse can be found at, which will be updated as more information becomes available.

Users can protect themselves from infection by turning off Java in their web browser.

Critical vulnerability in Firefox 3.5 and Firefox 3.6

From Mozilla Blog:

Issue: Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.

Impact to users: Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox's built-in malware protection. However, the exploit code could still be live on other websites.

Status: We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:
Disabling JavaScript in Firefox
Using the NoScript Add-on

Credit: Morten Kråkvik of Telenor SOC

Related news: Firefox zero-day under attack at Nobel Prize site

Nobel Peace Prize Site Serves Firefox 0day

From Krebs on Security:

I just heard back from Norman ASA malware analyst Snorre Fagerland via e-mail, and he has provided a bit more technical analysis of what's going on with this Firefox flaw and with the exploit they discovered. Fagerland says the vulnerability is related to a "use-after-free condition" in certain objects, exploited through Javascript.

"Shellcode and a large heapspray is involved," Fagerland wrote. "The script that does this checks for the following versions:

…and it checks that it is NOT running Vista or Win7 (Windows versions 6.0 and 6.1), pretty much limiting the attack to XP-family OS's. The underlying vulnerability is confirmed to also affect Firefox 3.5x series, but we have not seen exploit code that attacks this."

Judge slaps Lime Wire with permanent injunction

The end of Lime Wire as it has existed for years appears to be at hand.

U.S. District Judge Kimba Wood issued an injunction today against the company that operates the long popular file-sharing software LimeWire and orders managers there to disable "the searching, downloading, uploading, file trading...and/or all functionality" of the LimeWire software, Lime Wire announced.

In May, Wood, who serves the Southern District of New York, granted summary judgment in favor of the music industry's claims that Lime Group, parent of LimeWire software maker Lime Wire, and founder Mark Gorton committed copyright infringement, engaged in unfair competition, and induced copyright infringement.

LimeWire, the software, was released 10 years ago and quickly emerged as one of the favorite ways to pass pirated music across the Web. Gorton and his company have acknowledged making millions from offering the software.

"While this is not our ideal path, we hope to work with the music industry in moving forward," a Lime Wire spokesperson said in a statement. "We look forward to embracing necessary changes and collaborating with the entire music industry in the future."

Lime Wire continues to exist but no longer operates as a file-sharing service, the spokesperson said. Exactly what the New York-based company will do in the future is unclear. At this point, the company's chances of licensing music for Spoon appear to be small and its prospects dim.

Emerging Qakbot Exploit Is Ruffling Some Feathers

Fast-spreading attack spreads like a worm, stings like a Trojan, RSA researchers say

It isn't particularly new, and it's not as funny as it sounds. But the Qakbot Trojan recently has been causing plenty of ripples in the IT security pond, researchers say.

In a blog posted yesterday, researchers at RSA Security offered a closer look at Qakbot and how its unusual behavior is causing a flock of troubles on the Web.

Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers say. It also is the first Trojan seen to be exclusively targeting business/corporate accounts at these financial institutions.

"The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts," RSA says. "While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict 'preference' by design, and with no exceptions."

How does Qakbot infect its prey? Researchers are not sure.

Inside Google's Anti-Malware Operation

A Google malware researcher gave a rare peek inside the company's massive anti-malware and anti-phishing efforts at the SecTor conference here, and the data that the company has gathered shows that the attackers who make it their business to infect sites and exploit users are adapting their tactics very quickly and creatively to combat the efforts of Google and others.

While Google is still a relative newcomer to the public security scene, the company has deployed a number of services and technologies recently that are designed to identify phishing sites as well as sites serving malware and prevent users from finding them. The tools include the Google SafeBrowsing API and a handful of services that are available to help site owners and network administrators find and eliminate malware and the attendant bugs from their sites.

All of these are related to Google's constant crawling of the Web, which, among many other things, allows the company to identify malware-distribution sites as well as legitimate sites that have been compromised with injected malicious code. Attackers have taken to infecting legitimate sites for a number of reasons, one of which is that those sites will show up more prominently in Google search results.

To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.

Fabrice Jaubert, of Google's anti-malware team, said that the company has had good luck identifying and weeding out malicious sites of late. Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said.

"There's a lot of fluctuation in that over time, and that could be due to a lot of factors. It could be due to a change in the pages, it could be a change in our detection rate and also in the popularity of the infected pages," Jaubert said. "The biggest factor is that we've found a substantial number of malware pages are spammy and have no content. We remove those pages. But it's a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them."

Twidiots? New FireSheep-Style Tool Hijacks Twitter Sessions

Days after researchers at the ToorCon Security Conference in San Diego released a tool to hijack insecure Web sessions on Facebook, iGoogle and Flickr, a developer has released a similar tool, dubbed "Idiocy" that does the same for insecure Twitter sessions.

There's a twist, though. Rather than just monitor the unsecured Web sessions, the new tool allows the attacker to post a warning message using the Twitter account of the unsuspecting user (can we call them "Twidiots"?)

The software is the creation of Jonty Wareing, a 26-year-old software developer for in London, UK. Wareing, who created idiocy "at 7 AM in a fit of irritation" and released it on The program "quitely (sp) watches for people unsecurely (sp) visiting twitter on public wifi networks, then hijacks their session to post a tweet warning them about the dangers," according to a description that accompanies the application.

Contacted using instant messenger, Wareing said he created the program after reading about FireSheep, the browser plugin that snooped on insecure social networking sessions.

E-Mail Spam Falls After Russian Crackdown

You may not have noticed, but since late last month, the world supply of Viagra ads and other e-mail spam has dropped by an estimated one-fifth. With 200 billion spam messages in circulation each day, there is still plenty to go around.

But police officials in Russia, a major spam exporter, say they are trying to do their part to stem the flow. On Tuesday, police officials here announced a criminal investigation of a suspected spam kingpin, Igor A. Gusev. They said he had probably fled the country.

Moscow police authorities said Mr. Gusev, 31, was a central figure in the operations of , which paid spammers to promote online pharmacies, sometimes quite lewdly. suddenly stopped operating on Sept. 27. With less financial incentive to send their junk mail, spammers curtailed their activity by an estimated 50 billion messages a day.

Why the site closed was unclear until Tuesday, when Moscow police officials met with reporters to discuss the Gusev case. The officials' actions were a departure from Russia's usual laissez faire approach to online crime.

bad link

Works Now On My XP Pro!!

Give it a try. Sandi was able to download it and I tried also, and it is working.

How to protect against Firesheep attacks

A VPN encrypts all traffic between a computer -- a laptop at the airport gate, for instance -- and the Internet in general, including the sites vulnerable to Firesheep hijacking. "It's as good a solution as there is," Wisniewski said, "and no different, really, than using encrypted Wi-Fi."

One provider, Strong VPN, prices its service starting at $7 per month or $55 per year.

Gallagher, however, warned that a VPN isn't a total solution. "That's just pushing the problem to that VPN or SSH endpoint," he said. "Your traffic will then leave that server just as it would when it was leaving your laptop, so anyone running Firesheep or other tools could access your data in the same way." [..]

If free is the object, there are options there, too, said Wisniewski, Sullivan and Gallagher, who pointed to a pair of free Firefox add-ons that force the browser to use an encrypted connection when it accesses certain sites.

One of those Firefox add-ons, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), only works with a defined list of sites, including Twitter, Facebook, PayPal and Google's search engine.

The other choice, Force-TLS, serves the same purpose as the EFF's extension, but lets users specify which sites on which to enforce encryption.

However, other browsers, such as Microsoft's Internet Explorer and Google's Chrome, lack similar add-ons, leaving their users out in the cold.

"I expect that [Firesheep] will spur the EFF or others, maybe in the open source community, to some additional development [of such add-ons], maybe Chrome ports of those extensions," Sullivan said.

That could take months. In the meantime, Sullivan had another idea. "A MiFi device can encrypt [traffic], so with one you're always carrying your own Wi-Fi hotspot with you," he said.

MiFi isn't cheap, however. Verizon, for example, gives away the hardware but charges between $40 and $60 per month for the access to its 3G network.
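As an added illustration (not code from the article, the EFF, Force-TLS or any of the people quoted above), the following Python models the two halves of what this post describes: a Force-TLS-style rule list that upgrades plain-HTTP requests to HTTPS for the sites a user has named, and a check for the cookie weakness that lets a session be sidejacked in the first place, namely a session cookie issued without the Secure attribute, which the browser will then also send over unencrypted HTTP. The host list, URLs and Set-Cookie headers are constructed for the example.

```python
"""Added example: a minimal model of an HTTPS-enforcing browser rule list and
a Secure-attribute check for cookies. Hosts, URLs and headers are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed enforcement list in the spirit of Force-TLS: the user names the
# sites that must always be reached over TLS. A leading dot means "this host
# and every subdomain of it".
FORCE_TLS_HOSTS = {"twitter.com", ".facebook.com", "www.paypal.com"}


def _host_matches(host: str, rule: str) -> bool:
    """Exact match, or suffix match for rules written as '.example.com'."""
    host = host.lower()
    if rule.startswith("."):
        return host == rule[1:] or host.endswith(rule)
    return host == rule


def upgrade_url(url: str, rules=FORCE_TLS_HOSTS) -> str:
    """Rewrite http:// to https:// for hosts covered by the rules.

    Hosts not on the list come back unchanged, which is exactly the gap the
    article points out: a list-based add-on only protects the sites it knows."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https, or not a web URL at all
    host = parts.hostname or ""
    if not any(_host_matches(host, rule) for rule in rules):
        return url
    # Drop an explicit :80 so the rewritten URL uses the default TLS port.
    netloc = host if parts.port in (None, 80) else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def cookie_sent_in_clear(set_cookie: str) -> bool:
    """True when a Set-Cookie header lacks the Secure attribute.

    Such a cookie is also attached to plain-HTTP requests to the site, which is
    what a passive listener on open Wi-Fi captures and replays."""
    attributes = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attributes


if __name__ == "__main__":
    for url in ("http://twitter.com/home", "http://m.facebook.com/?x=1",
                "http://example.org/", "https://twitter.com/"):
        print(f"{url:32} -> {upgrade_url(url)}")
    # Constructed headers: the first is the weak form, the second the fixed one.
    for header in ("sid=abc123; Path=/; HttpOnly",
                   "sid=abc123; Path=/; Secure; HttpOnly"):
        print(f"{header!r}: exposed over http = {cookie_sent_in_clear(header)}")
```

The rule list only helps for sites the user (or the add-on's maintainers) have listed, and it does nothing about the server's own choice to issue cookies without Secure; that second function is the check a site operator would run against their own responses.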

FTC closes investigation into Google's Wi-Fi snooping

The U.S. Federal Trade Commission has closed an investigation into Google Street View cars snooping into open Wi-Fi networks, with the agency declining to take action.

Google's announcement in May that its Street View cars mistakenly collected data from open Wi-Fi networks raised FTC concerns "about the internal policies and procedures that gave rise to this data collection," wrote David Vladeck, director of the FTC's Bureau of Consumer Protection, in a Wednesday letter to Google.

However, Google has announced improvements to its internal processes, added privacy training for key employees, and has begun a privacy review process for new initiatives, Vladeck added. The company has also promised to delete the data collected, and has told the FTC that it will not use the data in any product or service, he wrote.

"This assurance is critical to mitigate the potential harm to consumers from the collection of the payload data," Vladeck wrote.

Credit card 'flash attack' steals up to $500,000 a month

Credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors' defenses, an analyst said.

The "flash attacks" recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively small sums of money from a single compromised account, according to Avivah Litan, vice president at market research firm Gartner, who follows the credit card industry. They then move on to a new account. At the end of the month, the heists can fetch as much as $500,000.

"The resulting cash transactions fly under the radar of existing fraud detection systems -- they are typically small amounts that don't raise any alarms," Litan blogged on Tuesday.

She has dubbed the method a "flash attack" because as much as $100,000 can be stolen in as little as 10 minutes.
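The blind spot Litan describes is a rule that looks at each withdrawal on its own. An added example, not from the article or from Gartner, of the kind of aggregate check that closes it: a sliding window over an ATM withdrawal log that flags an account when several distinct machines drain it within a short span, even though every single withdrawal sits below the per-transaction alarm. The log lines, the ten-minute window and all thresholds are constructed assumptions for the illustration.

```python
"""Added example: a per-account sliding-window velocity check over ATM
withdrawals. Log lines and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one withdrawal per line: timestamp,account,atm_id,amount_usd.
# ACCT-1001 is drained from six machines in six minutes; ACCT-2002 is normal use.
ATM_LOG = """\
2010-10-26T09:00:05,ACCT-1001,ATM-NY-12,180
2010-10-26T09:00:41,ACCT-1001,ATM-TX-07,200
2010-10-26T09:01:12,ACCT-1001,ATM-CA-33,150
2010-10-26T09:02:58,ACCT-1001,ATM-FL-02,200
2010-10-26T09:04:30,ACCT-1001,ATM-IL-19,190
2010-10-26T09:06:07,ACCT-1001,ATM-WA-04,200
2010-10-26T09:00:10,ACCT-2002,ATM-NY-12,200
2010-10-26T13:30:00,ACCT-2002,ATM-NY-12,100
"""

PER_TXN_ALERT = 500            # assumed single-withdrawal alarm the mules stay under
WINDOW = timedelta(minutes=10)  # assumed aggregation window
MIN_ATMS = 4                    # assumed: distinct machines inside the window
MIN_TOTAL = 600                 # assumed: aggregate amount inside the window


def parse_log(text):
    """Parse the constructed log into (timestamp, account, atm_id, amount) rows."""
    rows = []
    for line in text.splitlines():
        ts, account, atm, amount = line.split(",")
        rows.append((datetime.fromisoformat(ts), account, atm, int(amount)))
    return rows


def flash_attack_accounts(rows):
    """Return {account: (withdrawals, distinct_atms, total)} for accounts where
    some WINDOW-long span holds withdrawals from at least MIN_ATMS different
    ATMs summing to at least MIN_TOTAL. Only withdrawals the per-transaction
    rule would have passed are considered, since those are the ones it misses."""
    by_account = defaultdict(list)
    for ts, account, atm, amount in rows:
        if amount < PER_TXN_ALERT:
            by_account[account].append((ts, atm, amount))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            atms = {atm for _, atm, _ in window}
            total = sum(amount for _, _, amount in window)
            if len(atms) >= MIN_ATMS and total >= MIN_TOTAL:
                # Keep the worst (largest-total) window seen for this account.
                previous = flagged.get(account)
                if previous is None or total > previous[2]:
                    flagged[account] = (len(window), len(atms), total)
    return flagged


if __name__ == "__main__":
    for account, (count, atms, total) in flash_attack_accounts(parse_log(ATM_LOG)).items():
        print(f"{account}: {count} withdrawals from {atms} ATMs, ${total} within {WINDOW}")
```

The sort-then-slide pass is linear in the number of events per account, so the same logic can run continuously over an authorization stream; the thresholds are the part a real deployment tunes against its own base rate of legitimate multi-ATM use.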

Notorious Koobface worm ported to Mac OS X

Security researchers say they've been monitoring a Mac OS X version of the notorious Koobface worm, which uses advanced rootkit techniques to stealthily hijack infected machines.

Although the Mac version isn't yet ready for prime time, it is nonetheless a sophisticated piece of software that developers put a fair amount of effort into implementing. It was designed to use Oracle's Java framework to infect not just Macs, but Linux and Windows machines as well, according to Mac antivirus provider Intego. Once installed, the malware gives attackers complete control over the computer.

"While this is an especially malicious piece of malware, the current Mac OS X implementation is flawed, and the threat is therefore low," Intego researchers wrote in a blog post published Wednesday. "However, Mac users should be aware that this threat exists, and that it is likely to be operative in the future, so this Koobface Trojan horse may become an issue for Macs."

For that to happen, attackers will probably have to figure out how to bypass a window OS X prominently displays warning that a self-signed Java applet is requesting access to the computer.
