Thursday, February 4, 2010

Cross-Platform Exploit Affects Mac Users

New exploit code has been seen in the wild that attacks Windows, Unix, Linux, and Mac OS X systems. Given this ambitious range of targets, the exploit itself is surprisingly old-style and short, but effective.

It takes advantage of a buffer overflow vulnerability in Sun's Java Runtime Environment: when a specially crafted file:// URL argument is passed to the getSoundbank() function, a remote attacker can execute arbitrary code.

PC Tools iAntivirus detects the exploit code as Exploit.OSX.Snid.b in the latest database.

The vulnerability (CVE-2009-3867) is discussed here.

Users are strongly advised to upgrade to the latest version from the following link:
http://java.sun.com/

Tuesday, November 24, 2009

iKee iPhone Worm Strikes Again!

PC Tools' Malware Research Center received a sample of an iPhone worm that is strikingly similar to the iKee worm, which displays an image of Rick Astley and was originally intended as a prank. This one, however, adds the ability to enlist compromised iPhones in a botnet, a network of infected computers and devices that hackers can control to perform malicious activities.

Like Worm.iPhoneOS.Ikee, which we blogged about a few weeks ago, it scans a range of IP addresses, mostly in the Netherlands and Australia.

The worm then attempts to log in to every jailbroken iPhone with SSH installed using the default password, and copies itself to each compromised device.

Once active on the iPhone, the worm changes the default password stored in the file /etc/master.passwd. The attacker does this to prevent the victim from logging in.

The worm then downloads and installs all the application packages it needs to perform its malicious activities, such as sending the sensitive information it gathers to a remote server and providing botnet functionality on the compromised devices.

This worm connects to a command & control server running at 92.61.38.16 in Lithuania.


PC Tools advises its customers not to jailbreak their iPhones because of the security risks involved. Not only does jailbreaking expose the device to many vulnerabilities for hackers to exploit, it also voids your warranty.

Apple has already issued a brief statement regarding this latest threat, as published on The Loop:

"The worm affects only a very specific set of iPhone users who have jailbroken their iPhones and hacked it with unauthorized software," Apple spokesperson Natalie Harrison told The Loop. "As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably."

Wednesday, November 11, 2009

Info Stealer targets Jailbroken iPhones

A week has barely passed since the first iPhone worm (Worm.iPhoneOS.Ikee) came 'rickrolling' into our collective awareness, and we already have its first copycat!

A new Trojan has been spotted using the very same technique as the ikee worm to break into jailbroken iPhones. It scans a network (a home, office, or public Wi-Fi network would suffice) for jailbroken iPhones still running SSH. Enabling SSH is a common step in jailbreaking, as it allows the user to log in to the phone remotely and execute shell commands. And, as should be common knowledge by now, all iPhones ship with the same default root password, which users neglect to change after jailbreaking.

What this new Trojan lacks in originality of technique, however, it more than makes up for with a more vicious payload. Whereas the ikee worm contents itself with changing the iPhone wallpaper, this new Trojan steals data from compromised devices: all SMS messages and contacts stored on vulnerable phones are up for grabs!

While these new iPhone malware samples are breaking news, the SSH weakness they exploit is really nothing new. It has been there ever since the first jailbroken iPhone. In fact, before ikee, Ars Technica ran an article about 'ransomware' spreading in the Netherlands. It scanned networks for iPhones with SSH enabled, then sent the owners the following SMS message:




When you visit his site, he charges you €5 for instructions on how to secure your phone, information that is actually available to anyone for free.

So let's all learn the lesson here. First, there are very real risks to jailbreaking. Second, and more important, never use default passwords, whether for the combination locks at home or for your digital devices.

Monday, November 9, 2009

iPhone Worm Found Rickrollin' in the Wild

A new worm targeting Apple's iPhone has been making headlines lately. This iPhone worm, dubbed Ikee, has been infecting jailbroken iPhones (hacked iPhones that allow installation of applications from outside iTunes) across Australia. Infected users found their iPhones with a photo of Rick Astley as the wallpaper and a message stating that "ikee is never going to give you up". This is a very popular prank among internet users, known as Rickrolling.


This worm specifically targets jailbroken phones whose root login password is still set to the default, alpine. This opens a hole for hackers to exploit, since jailbroken phones run an SSH daemon that allows remote connections.

In the case of Ikee, the worm scans a hardcoded list of IP ranges belonging to several Australian telecom companies for vulnerable iPhones. Once a vulnerable iPhone is found, the worm copies several files, including a copy of itself, to the iPhone and changes its wallpaper to a photo of Rick Astley. It then disables the SSH service to prevent reinfection and starts another scan of the network for other vulnerable iPhones.

Jailbroken iPhones obviously pose some serious risks. If you have decided to jailbreak, make sure you have changed your SSH password (instructions for changing the password can be found here, courtesy of Cydia) and be aware that you are at greater risk of infection than users of non-jailbroken iPhones.
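The two behaviours described in the three iPhone worm posts above, a host sweeping IP ranges for SSH and a password login as root with the default credential, can both be spotted from the defender's side. The Python below is an added example written for this page, not PC Tools code and not taken from the worm: it flags a source that opens SSH connections to many distinct addresses within a short window (the sweep, as a router or NetFlow collector sees it) and any successful password login as root on the phone from an address the owner does not recognise. The flow records, sshd log lines and all addresses are constructed for the example.

```python
"""Detection for iKee-style SSH worm activity (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data -------------------------------------------------
# Flow records as "timestamp,src,dst,dport". Host 10.0.0.42 stands in for an
# infected phone sweeping a /24 on port 22 within thirty seconds; 10.0.0.7 is
# ordinary traffic. Every address here is made up.
FLOW_LOG = [
    f"2009-11-09T03:12:{i:02d},10.0.0.42,203.0.113.{i},22" for i in range(1, 31)
] + [
    "2009-11-09T03:12:05,10.0.0.7,203.0.113.200,443",
    "2009-11-09T03:12:06,10.0.0.7,203.0.113.201,443",
    "2009-11-09T03:12:07,10.0.0.7,203.0.113.200,22",
]

# OpenSSH-style auth log lines as the phone's sshd would write them (constructed).
SSHD_LOG = [
    "Nov  9 02:58:10 iPhone sshd[399]: Accepted publickey for mobile from 10.0.0.5 port 50111 ssh2",
    "Nov  9 03:12:44 iPhone sshd[412]: Accepted password for root from 10.0.0.42 port 51022 ssh2",
    "Nov  9 03:13:02 iPhone sshd[415]: Accepted password for root from 10.0.0.5 port 50120 ssh2",
]

# The owner's own machines; root logins from anywhere else are suspicious.
TRUSTED_SOURCES = {"10.0.0.5"}


def ssh_scan_sources(flow_lines, min_targets=16, window=timedelta(minutes=5)):
    """Return {src: distinct_targets} for sources that contacted at least
    `min_targets` distinct hosts on port 22 inside any `window`-long interval.
    Seen from the network, the worm's IP-range scan is one host touching many
    SSH ports in quick succession."""
    per_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, dport = line.strip().split(",")
        if dport == "22":
            per_src[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        start = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged


ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def untrusted_root_password_logins(sshd_lines, trusted_sources=TRUSTED_SOURCES):
    """Return source addresses that completed a *password* login as root from
    outside the trusted set. The worm logs in once with the default password,
    so there is no brute-force burst to key on; the accepted root login itself
    is the signal. Key-based logins are left alone."""
    hits = []
    for line in sshd_lines:
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        if method == "password" and user == "root" and src not in trusted_sources:
            hits.append(src)
    return hits


if __name__ == "__main__":
    print("SSH sweep sources:", ssh_scan_sources(FLOW_LOG))
    print("Untrusted root password logins:", untrusted_root_password_logins(SSHD_LOG))
```

On a real network the flow records would come from the router or a NetFlow collector rather than a list, and the sshd lines from the phone's own syslog; the thresholds are starting points to tune against normal traffic.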

Thursday, October 29, 2009

Entertainment in exchange for loss of data!

There's a new game available for download on the internet called Lose/Lose. It has the look and feel of 80s arcade classics like Space Invaders and Missile Command.

The following screenshot shows a lone silver airship at the bottom of the screen battling multicolored alien ships descending on it:

But wait... if we zoom in on the alien ships that have been shot and exploded into a hundred tiny pieces... are those words spelling out file type names (wav)!?


Apparently, this seemingly innocent and nostalgic piece of software comes with a nasty twist. Each of those alien ships represents an actual file chosen at random from your hard drive. Destroy an alien ship and you permanently delete the file it represents! Entertainment in exchange for loss of data!

The game's creator, Zach Gage, is a digital mixed-media artist who has lately been active in developing applications for the iPhone. Based on his web page, he seems to want us to consider this video game a testament to our modern age's increasing acceptance of technology as a 'given' in our lives... how it has become as mundane and ingrained as our day-to-day tasks.

As quoted from his site:
Why do we assume that because we are given a weapon and awarded for using it, that doing so is right?
By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions. As technology grows, our understanding of it diminishes, yet, at the same time, it becomes increasingly important in our lives. At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data? What implications does trusting something so important to something we understand so poorly have?

And so the big question: is this a philosophical piece of art, or is it an amusing Trojan with a cruel payload? There seems to be no social engineering involved, and Mr. Gage gives ample warning to anyone who downloads his game:



And then again:



Technically, however, a Trojan is defined as a piece of software that pretends to be a normal application while doing something entirely different from its stated purpose, without the user's permission. We believe Lose/Lose fits this definition (if not perfectly), and so we detect it as Application.OSX.Loselose.A.

We know he has fully declared the game's intentions, but it is too easy to succumb to curiosity and play the game before an understanding of what is happening sinks in. Released in the wild, taken out of the context the author intended, it is not hard to imagine someone being adversely affected by the payload (and having your data deleted is about as adverse as it gets). Bottom line: it's better to be strict where your important files are concerned.




Thursday, September 10, 2009

Apple Provides an Update for Snow Leopard


Mac OS X 10.6.1 was released earlier today. It includes general operating system fixes that improve the compatibility, stability, and security of your Mac. The most notable fix in 10.6.1 is an update to the Adobe Flash Player plugin that shipped with the first release of Snow Leopard, which, as many of us noticed, downgraded the installed version of Adobe Flash Player and left your Mac with a vulnerable copy of the Flash player.

Adobe posted a few days ago in its Security Bulletin all the details about this vulnerability and how to update to the latest version of Flash Player. If you haven't done so, we highly recommend updating your Snow Leopard's Flash Player to 10.0.32.18, the latest version. Just choose Software Update from the Apple menu to check for available updates via the Internet, and choose this update for a safer browsing experience.
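A quick way to confirm whether the plugin really was downgraded is to read the bundle version from its Info.plist and compare it numerically against 10.0.32.18; comparing version strings as text gets this wrong, because "10.0.9" sorts after "10.0.32.18". The Python below is an added example, not part of the original post or of Adobe's or Apple's tooling. It assumes the plugin's Info.plist lives at /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist, and the sample plist and the sample java -version output are constructed. The same comparison serves the Java update advice in the February post above; since that post does not name a minimum Java version, the minimum is passed in as a parameter rather than hardcoded.

```python
"""Installed-version audit for Flash Player and Java (added example, constructed samples)."""
import plistlib
import re

# Assumed location of the system-wide Flash plug-in on Mac OS X; adjust if yours differs.
FLASH_PLIST = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
# Minimum fixed version named in the post above.
FLASH_MINIMUM = "10.0.32.18"

# Constructed Info.plist excerpt standing in for a downgraded plug-in; the
# version number is a made-up sample value, not a measured one.
SAMPLE_FLASH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>10.0.9.2</string>
</dict>
</plist>
"""

# Constructed `java -version` output (the JRE prints this to stderr).
SAMPLE_JAVA_OUTPUT = (
    'java version "1.6.0_15"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_15-b03-219)\n'
)


def parse_version(text):
    """Turn a version string into an integer tuple so comparison is numeric.
    Handles dotted Flash versions (10.0.32.18) and Sun-style Java versions
    (1.6.0_17) alike by taking every run of digits in order."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_outdated(installed, minimum):
    """True when `installed` is older than `minimum`. Missing trailing
    components count as zero, so 10.0.32 is older than 10.0.32.18."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def flash_version_from_plist(plist_bytes):
    """Read CFBundleShortVersionString from an Info.plist (XML or binary)."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def audit_flash(plist_bytes, minimum=FLASH_MINIMUM):
    """Return (installed_version, needs_update) for a Flash plug-in plist."""
    installed = flash_version_from_plist(plist_bytes)
    return installed, is_outdated(installed, minimum)


JAVA_VERSION_RE = re.compile(r'java version "([^"]+)"')


def java_version_from_output(output):
    """Extract the quoted version from `java -version` output, or None."""
    m = JAVA_VERSION_RE.search(output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Live check on a Mac: read the real plist instead of the sample.
    try:
        with open(FLASH_PLIST, "rb") as fh:
            print("Flash:", audit_flash(fh.read()))
    except FileNotFoundError:
        print("Flash (sample plist):", audit_flash(SAMPLE_FLASH_PLIST))
    print("Java (sample output):", java_version_from_output(SAMPLE_JAVA_OUTPUT))
```

The string-versus-numeric point is the part worth remembering: a naive `installed < minimum` on the raw strings would report the constructed 10.0.9.2 plug-in as up to date.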

Tuesday, August 25, 2009

More Variants of RSPlug Discovered


PC Tools' Malware Research Team recently discovered quite a few variants of a DNS-changing Trojan called RSPlug in the wild.

Three strains of this ubiquitous Trojan have been discovered masquerading as a Foxit Reader PDF viewer, a QuickTime Pro update, and a Flash Player installer. PC Tools iAntivirus detects these variants as Trojan.OSX.RSPlug.O, Trojan.OSX.RSPlug.P, and Trojan.OSX.RSPlug.Q respectively.

Like all the other variants, these newly discovered Trojans pose as legitimate software to lure users into downloading and running them. This lets the Trojan change the DNS settings on the compromised computer and redirect the user to phishing websites and the like.

We highly advise iAntivirus users to run Smart Update for the latest protection against Mac threats, and to avoid untrusted websites, which may harbor such malicious files.
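Because a DNS changer leaves the machine working normally, the redirect described above is easiest to catch by auditing the configured resolvers against the ones you expect. The Python below is an added example, not PC Tools code: it parses the output of `networksetup -getdnsservers <service>` (one address per line, or a sentence when nothing is set manually) and reports any resolver that is not on the owner's trusted list. The service name "Wi-Fi", the trusted addresses and the sample outputs are all assumptions constructed for the example.

```python
"""Resolver audit against a DNS-changing Trojan (added example, constructed data)."""
import ipaddress
import subprocess

# Resolvers the owner expects: the home router and the ISP's pair.
# Constructed addresses; replace with your own network's.
TRUSTED_RESOLVERS = {"192.168.1.1", "198.51.100.53", "198.51.100.54"}

# Constructed outputs in the shape `networksetup -getdnsservers <service>` prints.
SAMPLE_CLEAN = "192.168.1.1\n"
SAMPLE_NONE = "There aren't any DNS Servers set on Wi-Fi.\n"
SAMPLE_HIJACKED = "192.168.1.1\n203.0.113.66\n203.0.113.67\n"


def parse_resolvers(output):
    """Return the IP addresses in networksetup output, skipping prose lines."""
    found = []
    for line in output.splitlines():
        line = line.strip()
        try:
            found.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # the "There aren't any DNS Servers..." sentence, or a blank
    return found


def audit_resolvers(output, trusted=TRUSTED_RESOLVERS):
    """Return resolvers that are not on the trusted list. A DNS changer works
    by inserting its own servers here, so any unexpected entry deserves a
    look even when browsing still appears to work."""
    return [r for r in parse_resolvers(output) if r not in trusted]


def current_resolvers(service="Wi-Fi"):
    """Query the live setting on a Mac. Assumed command and service name;
    the sample data above is used when this cannot run."""
    completed = subprocess.run(
        ["networksetup", "-getdnsservers", service],
        capture_output=True, text=True, check=True,
    )
    return parse_resolvers(completed.stdout)


if __name__ == "__main__":
    try:
        print("Live unexpected resolvers:", audit_resolvers("\n".join(current_resolvers())))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("Sample unexpected resolvers:", audit_resolvers(SAMPLE_HIJACKED))
```

An empty result for the "no servers set" case is correct: the machine is then using whatever DHCP handed it, which is a separate check against the router's own settings.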