Thursday, February 4, 2010
It takes advantage of a buffer overflow vulnerability in Sun's Java Runtime Environment: when a specially crafted file:// URL argument is passed to the getSoundbank() function, a remote attacker can execute arbitrary code.
PC Tools iAntivirus detects the exploit code as Exploit.OSX.Snid.b in the latest database.
The vulnerability (CVE-2009-3867) is discussed here.
Users are strongly advised to upgrade to the latest Java version from the following link:
Tuesday, November 24, 2009
Like Worm.iPhoneOS.Ikee, which we blogged about a few weeks ago, it scans a range of IP addresses, mostly in the Netherlands and Australia.
The worm then attempts to log in to every jailbroken iPhone with SSH installed, using the default password, and copies itself to each compromised device.
Once active on the iPhone, the worm changes root's default password, which is stored in /etc/master.passwd. The attacker needs this so that the owner can no longer log in and reclaim the device.
The worm then downloads and installs the packages it needs for its payload: uploading the information it gathers to a remote server and enrolling the compromised device in a botnet.
This worm connects to a command-and-control server at 18.104.22.168, in Lithuania.
PC Tools advises its customers not to jailbreak their iPhones because of the security risks involved. Jailbreaking not only exposes the device to attacks like this one, it also voids your warranty.
Apple has already issued a brief statement on this latest threat, as published on The Loop:
"The worm affects only a very specific set of iPhone users who have jailbroken their iPhones and hacked it with unauthorized software," Apple spokesperson, Natalie Harrison, told The Loop. "As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably."
Wednesday, November 11, 2009
A new Trojan has been spotted using the very same technique as the ikee worm to break into jailbroken iPhones. It scans a network (a home, office or public Wi-Fi network will do) for jailbroken iPhones still running SSH. Enabling SSH is a common step in jailbreaking, since it lets the user log in to the phone remotely and run shell commands. And, as should be common knowledge by now, every iPhone ships with the same default root password, which users neglect to change after jailbreaking.
What this new Trojan lacks in originality of technique it more than makes up for with a more vicious payload. Whereas the ikee worm contents itself with changing the iPhone's wallpaper, this Trojan steals data from compromised devices: every SMS message and the contact list stored on a vulnerable phone are up for grabs.
While this iPhone malware is breaking news, the SSH weakness it exploits is nothing new; it has been there since the first jailbroken iPhone. In fact, before ikee, Ars Technica ran an article about 'ransomware' spreading in the Netherlands: its author scanned networks for iPhones with SSH enabled, then sent the owners the following SMS message:
When you visit his site, he charges you €5 for instructions on how to secure your phone, information that is freely available to anyone.
So let's all learn the lesson here. First, there are very real risks to jailbreaking. Second, and more important, never keep default passwords, whether on the combination locks at home or on your digital devices.
Monday, November 9, 2009
This worm specifically targets jailbroken phones whose root password is still the default, alpine. Jailbroken phones typically run an SSH daemon that accepts remote connections, so a known root password is an open door for attackers.
In the case of Ikee, the worm scans a hardcoded list of IP ranges belonging to several Australian telecom companies for vulnerable iPhones. Once it finds one, it copies several files, including a copy of itself, to the phone and changes the wallpaper to a photo of Rick Astley. It then disables the SSH service to prevent reinfection and starts another scan of the network for vulnerable iPhones.
A jailbroken iPhone obviously poses serious risks. If you have decided to jailbreak, make sure you have changed the SSH password (instructions for changing it can be found here, courtesy of Cydia) and be aware that you run a greater risk of infection than a non-jailbroken iPhone.
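The three iPhone posts above all hinge on one weak point: root (and mobile) still using the factory password on a phone with sshd reachable. The script below is an added example, not code from PC Tools or from the posts. It assumes that the factory password "alpine" is stored in /etc/master.passwd as the traditional DES crypt hash /smx7MYTQIi2M for both the root and mobile accounts, and it runs against a constructed master.passwd sample so it can be tried off the device; on a jailbroken phone you would feed it the real file over the same SSH session the worms use.

```shell
#!/bin/sh
# Added example (not from the PC Tools posts): audit a BSD-style master.passwd
# for accounts that a default-password worm such as Ikee could walk into.
# Assumption: stock iPhone firmware stores the factory password "alpine" as
# the DES crypt hash below for both root and mobile.
DEFAULT_HASH='/smx7MYTQIi2M'

# Read master.passwd lines on stdin and print "user:uid:reason" for each
# risky account. Field layout (BSD master.passwd, 10 fields):
#   name:hash:uid:gid:class:change:expire:gecos:home:shell
audit_master_passwd() {
    awk -F: -v def="$DEFAULT_HASH" '
        /^#/ || NF < 10 { next }                 # comments, malformed lines
        $2 == def { print $1 ":" $3 ":default-password"; next }
        $2 == ""  { print $1 ":" $3 ":empty-password"; next }
        $3 == 0 && $1 != "root" { print $1 ":" $3 ":extra-uid0-account" }
    '
}

# Count the accounts still on the factory password. A result of 0 means the
# phone is not exposed to this worm family even if sshd is reachable.
count_default_password_accounts() {
    printf '%s\n' "$1" | audit_master_passwd | grep -c ':default-password$' || true
}

# Constructed sample resembling a stock iPhone master.passwd, with one extra
# uid-0 account added to show the third check. Not taken from a real device.
SAMPLE='##
# master.passwd sample (constructed for this example)
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
toor:*:0:0::0:0:Second Admin:/var/root:/bin/sh
_sshd:*:75:75::0:0:sshd privsep:/var/empty:/usr/bin/false'

# Usage on the phone itself (after `ssh root@<phone>`):
#   audit_master_passwd < /etc/master.passwd
# Remediation is the same step the posts recommend: `passwd root` and
# `passwd mobile`, then re-run the audit and confirm it prints nothing.
printf '%s\n' "$SAMPLE" | audit_master_passwd
```

The hash comparison is a string match, so it catches only the unmodified factory entry; an account whose password was changed and then changed back to "alpine" with a different salt would not be flagged, which is why the remediation is still to set a new password rather than to trust an empty report.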
Thursday, October 29, 2009
The following snapshot shows a lone silver airship at the bottom of the screen battling multicolored alien ships descending on it:
The game's creator, Zach Gage, is a digital mixed-media artist who has lately been active in developing applications for the iPhone. Judging by his web page, he seems to want us to consider this video game a testament to our modern age's increasing acceptance of technology as a 'given' in our lives, as mundane and ingrained as our day-to-day tasks.
As quoted from his site:
By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions. As technology grows, our understanding of it diminishes, yet, at the same time, it becomes increasingly important in our lives. At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data? What implications does trusting something so important to something we understand so poorly have?
And so the big question: is this a philosophical piece of art, or an amusing Trojan with a cruel payload? (Each alien ship in the game stands for a file on the player's Mac, and shooting it down deletes that file.) There seems to be no social engineering involved, and Mr. Gage gives ample warning to anyone who downloads his game:
Technically, however, a Trojan is a piece of software that poses as a normal application while doing something entirely different from its stated purpose, without the user's permission. We believe Lose/Lose falls (if not perfectly) under this definition, and so we detect it as Application.OSX.Loselose.A.
We know he has fully declared the game's intentions, but it is too easy to give in to curiosity and play before the understanding of what is happening sinks in. And released in the wild, taken out of the context the author intended, it is not hard to imagine someone being adversely affected by the payload (and having your data deleted is about as adverse as it gets). Bottom line: be strict where your important files are concerned.
Thursday, September 10, 2009
Mac OS X 10.6.1 was released earlier today with general operating system fixes that improve the compatibility, stability and security of your Mac. The most notable fix in 10.6.1 is an update to the Adobe Flash Player plugin: as many of us noticed, the first release of Snow Leopard downgraded the installed Flash Player, leaving your Mac with a vulnerable copy.
Adobe posted all the details about this vulnerability, and how to update Flash Player, in a Security Bulletin a few days ago. If you haven't done so already, we highly recommend updating Snow Leopard's Flash Player to 10.0.32.18, the latest version. Choose Software Update from the Apple menu to check for available updates over the Internet, and install this one for a safer browsing experience.
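A quick way to confirm the downgrade the post describes is to compare the installed plugin version against the fixed one. The script below is an added example, not from the post or from Adobe; it assumes the plugin lives at /Library/Internet Plug-Ins/Flash Player.plugin and records its version under CFBundleShortVersionString in Contents/version.plist, and it implements its own dotted-version comparison because the `sort` shipped with Mac OS X has no version-sort option.

```shell
#!/bin/sh
# Added example (not from the PC Tools post): is the installed Flash Player
# older than the version Adobe fixed? Works without GNU `sort -V`.
FIXED_FLASH_VERSION='10.0.32.18'   # version named in the post

# Return 0 if dotted version $1 is strictly lower than $2.
# Components are compared numerically left to right; a missing trailing
# component counts as 0, so 10.0.32 < 10.0.32.18 and 10.1 > 10.0.32.18.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        # drop the leading component; with no dot left, the string is consumed
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal
}

# Read the installed version and exit 0 when an update is needed, 1 when the
# plugin is current, 2 when no plugin was found. Path and plist key are
# assumptions for this example (`defaults read` takes the path without .plist).
flash_needs_update() {
    plist='/Library/Internet Plug-Ins/Flash Player.plugin/Contents/version.plist'
    installed=$(defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null) || return 2
    version_lt "$installed" "$FIXED_FLASH_VERSION"
}

# Usage on a Mac:
#   flash_needs_update && echo "Flash Player is older than $FIXED_FLASH_VERSION: run Software Update"
```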
Tuesday, August 25, 2009
PC Tools' Malware Research Team recently discovered several new variants of the DNS-changing Trojan RSPlug in the wild.
Three strains of this ubiquitous Trojan were found masquerading as a Foxit Reader PDF viewer, a QuickTime Pro update and a Flash Player installer. PC Tools iAntivirus detects them as Trojan.OSX.RSPlug.O, Trojan.OSX.RSPlug.P and Trojan.OSX.RSPlug.Q respectively.
Like every earlier variant, these pose as legitimate software to lure users into downloading and running them. Once run, the Trojan changes the DNS settings of the compromised computer so that the user's traffic can be redirected to phishing and other malicious websites.
We highly advise iAntivirus users to run Smart Update for the latest protection against Mac threats, and to avoid untrusted websites, which may harbor such malicious files.
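Because RSPlug's whole payload is a change to the system resolvers, the practical check on a Mac is whether the nameservers in use are the ones you expect. The script below is an added example, not from the post or from PC Tools; it assumes that `scutil --dns` prints one "nameserver[N] : address" line per resolver, uses a constructed allowlist and constructed scutil-style output, and flags anything outside the allowlist.

```shell
#!/bin/sh
# Added example (not from the PC Tools post): detect resolver tampering of
# the kind a DNS-changing Trojan performs, by comparing the resolvers the
# system actually uses against an allowlist (typically your router or ISP).
EXPECTED_DNS='192.168.1.1 192.168.1.2'   # constructed allowlist for this example

# Extract unique nameserver addresses from scutil --dns output on stdin.
# Assumption: lines look like "  nameserver[0] : 192.168.1.1".
resolver_addresses() {
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ { print $3 }' | sort -u
}

# Print every resolver not on the allowlist; exit 1 if any were found, 0 if clean.
unexpected_resolvers() {
    rogue=0
    for ip in $(resolver_addresses); do
        case " $EXPECTED_DNS " in
            *" $ip "*) ;;                 # expected
            *) echo "$ip"; rogue=1 ;;     # not in the allowlist
        esac
    done
    return $rogue
}

# Constructed scutil --dns style output: one clean, one with a foreign
# resolver inserted ahead of the router (203.0.113.10 is a documentation
# address, not a real malicious server).
CLEAN='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 4 (en0)'

TAMPERED='DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)'

# Usage on a live Mac (set EXPECTED_DNS to your own resolvers first):
#   scutil --dns | unexpected_resolvers || echo "DNS settings have been changed"
printf '%s\n' "$TAMPERED" | unexpected_resolvers || echo "tampered sample: resolver not on allowlist"
```

Putting the attacker's resolver first in the list is what makes the hijack effective, since the resolver library tries servers in order, so the check deliberately reports any unexpected address rather than only a wholesale replacement.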