Monday, December 15, 2008

Mac OS X Update - 10.5.6

Apple has released an update for OS X - it addresses several severe security issues. 

Please run a Software Update and grab it today!

Security Issues addressed
  • Apple Type Services (ATS) server PDF embedded font handling issue (CVE-ID: CVE-2008-4236)
  • Arbitrary code execution in BOM (CVE-ID: CVE-2008-4217)
  • Heap buffer overflow in CoreGraphics' handling of color spaces (CVE-ID: CVE-2008-3623)
  • Possible user credential disclosure in Safari (CVE-ID: CVE-2008-3170)
  • Enhanced download validation capability, previously warnings were not displayed for all unsafe download content types, this allowed for arbitrary code/command execution (CVE-ID: CVE-2008-4234)
  • Multiple vulnerabilities in the Adobe Flash player plugin (CVE-IDs: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824)
  • Local privilege escalation issue due to integer overflows in the kernel's i386_get_ldt and i386_get_ldt system calls (affects Intel based machines only) (CVE-ID: CVE-2008-4218)
  • Infinite loop when an exception occurs in a program (or dylib) which resides on an NFS share (CVE-ID: CVE-2008-4219)
  • Integer overflow in the LibSystem inet_net_pton function -> this could affect any program which uses that function (CVE-ID: CVE-2008-4220)
  • Memory corruption issue in the strptime function of LibSystem (CVE-ID: CVE-2008-4221)
  • Multiple integer overflows in the strfmon function of LibSystem (CVE-ID: CVE-2008-1391)
  • Per host configuration in managed client system installs sometimes incorrectly identifies the system (CVE-ID: CVE-2008-4237)
  • natd infinite loop due to a maliciously crafted TCP packet -> only affects systems with the Internet Sharing service enabled (CVE-ID: CVE-2008-4222)
  • Authentication bypass in Podcast Producer (OS X server only) (CVE-ID: CVE-2008-4223)
  • Input validation issue when handling malformed UDF volumes, ISO files. Opening a malformed volume may cause an unexpected syustem shutdown. (CVE-ID: CVE-2008-4224)

Information from Apple here .

Note: All CVE IDs will be linked to their respective pages once they become available.

Wednesday, December 10, 2008

Snow Leopard

Just a quick note to let you all know that we're testing iAntiVirus on Snow Leopard, and apart from a minor installer issue there have been no problems so far! :)

iAntiVirus v1.3 - in testing

Hi everyone,

It's been quite a while since I've posted on this blog, but that's because I've been busy working on the next version of iAntVirus!  The upcoming version has interface improvements, a smaller footprint, and a number of under-the-hood enhancements which will allow really cool additions and new features further down the line... 

Here are some screenshots:

Sunday, November 2, 2008

iAntiVirus 1.2 available

We've just released iAntiVirus v1.2 on Smart Update and on the website.

v1.2 contains the following:
- Addressed time machine incompatibility issue
- Enhanced quarantine functionality (now much faster)
- Various other enhancements

Please get the update and leave your comments on the forum, thanks!

Friday, October 10, 2008

iAntiVirus v1.1 is now available!

iAntiVirus v1.1 was released recently.  Please run a Smart Update or download the package from 

More information available on the forum.

Thursday, October 2, 2008

iAntiVirus 1.1 is coming!

iAntiVirus v1.1 is currently undergoing internal testing.

Some changes in v1.1:

- New scheduled scan type - allows you to specify a scheduled normal or quick scan.

- Updated scan engine which should improve scan speed (it was already fast! :)) and resolves an issue reported on the forum.

- New database with updated signatures and new signatures for 3 exploits .

- Scan progress now displays more information about child objects being scanned (e.g in v1.0 status might say "Scanning /Users/pctools/Downloads/" for a long time, in v1.1 it will be displayed as "Scanning /Users/pctools/Downloads/ for every filename in the archive)".

- Scan complete alert - if you've kept the dock icon hidden, a slideup will alert you once a scan has completed (if the dock icon is visible then it will simply bounce, as previously).

We'll make an announcement here once v1.1 has been confirmed ok by our QA team, so please check back shortly! 

Wednesday, September 24, 2008

iAntiVirus 1.0

Hi everyone,

iAntiVirus 1.0 has passed internal testing and is now available on Smart Update.
Please run Smart Update to get this release!

Thanks to everyone who helped test beta 3.

Tuesday, September 23, 2008

iAntiVirus 1.0 (non-beta!)

iAntiVirus 1.0 - not a beta, but the full release is currently in internal testing and should be confirmed ok for public use shortly.

Thanks to everyone who gave comments, suggestions and reported issues ( well 1 issue! :) ) with iAntiVirus 1.0 beta 3.

Once the full 1.0 release has been confirmed ok, it will be announced here first so please check back shortly.

Wednesday, September 17, 2008

iAntiVirus 1.0 public beta 3

Hi everyone,

iAntiVirus b3 has passed internal testing and is now available on Smart Update!

This version includes a new scan engine, the ability to schedule quick scans, drag and drop scan support, the ability to enable or disable the dock icon and a variety of other enhancements and fixes.

Please run Smart Update now to get beta 3 and let us know your thoughts on the iAntiVirus forum.


Tuesday, September 16, 2008

Apple Security Update

Apple has made a large set of security updates available on Software Update.
If you haven't done so already, please update - it helps keep your Mac secure!

More information about the update and issues it addresses can be found at:

Wednesday, September 10, 2008

New version is coming

Hi everyone,

Sorry for the lack of updates recently, we've been busy working on the next version of iAntiVirus!

The next beta is currently being put through it's paces by our QA team and should be confirmed ready for public release shortly.

Some of the changes are:
- New version of the anti-virus engine
- Scheduled Quick Scans
- The ability to enable/disable the dock icon (some people really didn't like the dock icon!)
- Drag-and-drop support: if you haven't disabled the dock icon you can simply drag and drop folders+files onto it, iAntiVirus will then scan them
- A whole bunch of internal changes and some bugfixes

Please check back occasionally as updates of progress will be posted here first.

Thursday, July 10, 2008

New update

Hi everyone, there is a new database available so please run Smart Update if you haven't already.

This update includes two new detections (Trojan-PSW.OSX.Corpref.A and Exploit.OSX.ARDAgent) plus a variant of an existing threat.

Tuesday, July 1, 2008

Thanks for the feedback

Hi everyone, just a quick note to thank you for the feedback you've been giving on the iAntiVirus forum!

Your comments are appreciated and we've taken some of your suggestions on board for the next build of iAntiVirus beta.

Stay tuned and keep the comments coming, updates will be announced here soon.

Monday, June 30, 2008

iAntiVirus in the press

Hi everyone, iAntiVirus has been picked up by various news sources :)

Macworld, TechNewsWorld,,, BetaNews

Thursday, June 26, 2008

iAntiVirus public beta 2

Hi everyone, we've recently released iAntiVirus beta 2!

Changes in this version:
1. Addresses a scan issue reported by 2 of our external beta testers.
2. Installer includes the latest virus definitions

You can update by downloading and installing the package from, or by simply running Smart Update if you are already an iAntiVirus user:

1. Click the Smart Update icon on the top right of the iAntiVirus main window.
2. Click "Upgrade now" at the upgrade available prompt:

3. Wait for the upgrade to be downloaded:

4. Enter your password when prompted:

5. iAntiVirus will restart and you will be running the latest version currently available :)

Tuesday, June 24, 2008

Requesting comments

The iAntiVirus beta was released recently and we are looking forward to everyone's comments!

Please leave any feedback you may have on the forum.

If you haven't already done so, download iAntiVirus v1.0b from the iAntiVirus website.

Tell us what you like, dislike and also what you would like to see in future versions!


Monday, June 23, 2008

iAntiVirus update

Hi everyone,

The iAntiVirus database has been updated to include a trojan which has been seen in the wild exploiting the Apple Remote Desktop vulnerability.

Please be sure to run Smart Update and get the latest protection!

Monday, June 16, 2008

Apple Guide In Securing Mac OS X

Apple has released a comprehensive security configuration guide for users of Mac OS X v10.5 and later. [Download here]

The document is in PDF format and it contains more than 200 pages of detailed instructions and recommendations for Mac OS X "advance" users.

While most Mac users are complacent in securing their computer against online or digital threats, this intensive document under Advance Security Management advises Mac OS X users to install Antivirus Tools and Intrusion Detection Systems.

Definitely, Apple acknowledges the importance of hardening computers and in today's prevalent threats such as Zlob's DNSChanger for Mac, it is no doubt that these internet security tools will certainly help users in keeping their computer safe.

This is Methusela Cebrian Ferrer and I'm now signing off.

Stay Safe Online!

Sunday, June 1, 2008

Critical: Mac OS X 10.5.3 and Security Update 2008-003

Apple released its third security update for this year where it fixes 40 security vulnerabilities found in different components of Mac OS X operating system.

It was just two months ago when Apple released its gigantic update fixing over 90 vulnerabilities. That security fixes is still unbeatable compare to this month update.

Security Update 2008-03 addresses 16 critical vulnerabilities which may lead to arbitrary code execution.

This latest update affects the following:
  • AFP Server
  • Apache
  • Apple Pixlet Video
  • ATS
  • CFNetwork
  • CoreFoundation
  • CoreGraphics
  • CoreTypes
  • CUPS
  • Flash Player Plug-in
  • Help Viewer
  • iCal
  • International Components for Unicode
  • Image Capture
  • Image Capture
  • ImageIO
  • Kernel
  • LoginWindow
  • Mail
  • ruby
  • Single Sign-On
  • Wiki Server
Mac users can manually download the patch from Apple Downloads.

Sunday, May 25, 2008

iAntiVirus Beta Release Coming Soon

PC Tools will soon release iAntiVirus Beta version. This scanner has a powerful features that catches and removes known malwares in real-time. It also detects new threats in Mac OS X including keyloggers and hacktools.

With today's emerging threats, this product will definitely ensure your Mac remains safe and virus free.

Sunday, May 11, 2008

Identity Theft And Your MSN Account

There are more MSN fraudsters roaming around and this time they are serving twenty different languages.

Last February, I posted this topic "Your MSN Account Has Been 0WN3D".

These are phising sites that employs social engineering technique to lure MSN users in giving out their email address and password.

As an effect, the MSN stolen identity can remotely perform instant messaging and email spamming to all contacts as well as it can sneak your personal messages.

As of the moment, the following IP addresses and domain names are actively serving these MSN phising sites.

Be careful and stay away from these sites!

Wednesday, April 30, 2008

Fake YouTube Installs OS X TrojanDNSChanger

".. I clicked on a normal-looking link to a BlogSpot blog. Instead of taking me to the blog it took me to a website that looks 100% identical to a YouTube page. Where a video would normally start playing it instead said "Video ActiveX Error" and a DMG entitled "1234" that was approximately 750kb automatically downloaded to my computer."

Question: How did you get that link ?

Answer: I found it on the wall of a Facebook group. [Read MacRumors Forum]


TrojanDNSChanger for Mac is getting in the wild and it is desperately trying to get into users by using channels with wide or massive audience such as social networks.

This incident has been around for a week where a malicious link will redirect users to a Fake YouTube website and without user intervention it automatically download a DMG file, which is the Trojan DNSChanger for Mac.

**Take Note: The installer filename changes everyday.

The installer name usually displays: "MacVideo" or "Porn4Mac".

Although this trojan requires manual installation, it is still possible that some Mac users will get hooked to this trick.

Always be on the look-out for this type of dodgy websites.

Sunday, April 27, 2008

Zero Day Exploit: Safari Address Bar URL Spoofing

There is a zero day threat to all Safari users both in Windows and Mac, where a remote attacker can hide the actual URL address of the web page in the browser location bar. Let's see how this works ...

Since URL and web page spoofing is very common to phishing, I created this sample email with crafted URL on it.

I clicked the link and here's what I got in Safari 3.1 for Windows.

Here's the screenshot in Mac.

So, what happened here?

A security flaw was found in Safari, when you input a URL containing a special characters followed by "@" which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.

As most of Safari users experience the spinning wheel of death, it is evident that there are multiple vulnerabilities that lies within this application.

Is there available security patch/fix ? None, at the moment. So, please refrain from clicking or browsing untrusted websites.

Juan Pablo Lopez Yacubian has recently discovered this vulnerability.

Sunday, April 20, 2008

Apple Fixed The Piggybacking Issue In SU

Couple of weeks ago, I blogged about this "Safari 3.1 Piggybacks In Sofware Update".

There was a series of reaction specifically those who understands information security, criticizing about Safari 3.1 piggybacking or stealth installation through Software Update.

Now, the interesting news is that Apple fixed this issue in Windows Apple Software Update version 2.1 [READ ZDNet]. I reckon earlier last week, the software update tool still includes Safari 3.1 in the list. However today, this is what i found out.

To manually update, click "Apple Software Update" from Windows Program menu.

Notice "Apple Software Update for Windows", this is an update to get the latest SU version 2.1.

Let's install and check it ...

Here's the new look. Apple fixed the issue by creating two sections: (1) Updates (2) New Software. It simply shows that Safari 3.1 is no longer piggybacking in software updates since it has its own category as New Software. Good!

But wait, how come the tick boxes were already filled-in by default?

Perhaps, this update is a complete conformity to information security if they also changed this default behavior to "NO".

Speaking of default behavior, the latest changes in RapidLibrary requires users to install Zango to access a free content but here's the catch... Click "OK" to cancel and "Cancel" to continue.

Funny, this is Psychology of Security [Reference: Bruce Schneier].

Tuesday, April 15, 2008

Q1 Mac Threats RoundUp

The first quarter of this year has gone so fast but for Mac threats everything just started. Let's take a review on Q1 notable threats, the overall perspective on malware categories and OS X reported vulnerabilities and fixes.

Q1 Notable Threats


Description: This is a malicious Trojan that uses social engineering technique to entice users to manually install the program. It arrives to users as a disguised video codec and associates itself with shared and downloadable videos. During installation, this Trojan modifies users’ DNS IP address to point to its own malicious servers. Infected user will suddenly experience unusual results in its entire web browsing activity.

This trojan is currently seen in-the-wild.


Description: MacSweeper is a rogue application which uses deceptive sales and marketing techniques to get onto the users’ system. It usually arrives to users as an pop-up advertisements, where it redirect users to download the file.

This is the first rogue application for Mac OS X.


Description: Imunizator is a re-branded version of MacSweeper. It is an exact copy of MacSweeper except for its new name.


Description: LogKext is a free and powerful kernel base Keylogger in Mac OS X. This keylogger has a full stealth capabilities and it is controlled by a command-line client called logKextClient. A new version was recently released in public.

Percentage per Malware Categories

OS X Vulnerabilities

Sunday, April 6, 2008

How To Download DNSChanger DMG In Windows?

Last December 27, I blogged about Trojan DNSChanger entitled "Mac OS X: 2007 Year Ender for Zlob", which I mentioned the following:
  • Zlob & Fake Codec History
  • List of Zlob distribution domains
  • Trojan DNSChanger checks whether the user is downloading in Windows or Mac.
  • Network Information that leads to Russian Business Network(RBN)
January 2, when I wrote a follow-up article entitled "Impersonating Mac Browser". This article explains how Trojan DNSChanger serves the right executable to the requesting user and how to impersonate Mac browser to download the right DMG file.

January 10, when I posted "Analysis of OSX Trojan DNS Changer".

Why I am discussing this again?

Because, there is an increase prevalence of this threat that captures more attention of malware analysts. Just recently, I received an email that says "New DNS Changer" with an attachment "jetcodec1000.dmg". But, unfortunately the DMG file was not properly downloaded, instead the file contains MZ header which means Windows executable.

Unfortunately, it was the same story posted in ISC Diary "When is a DMG file not a DMG file".

So, how to download DNSChanger DMG file in Windows?

When you visit any of Trojan DNSChanger websites, your browser sends a User-Agent information to the server, which contain details about your operating system, web browser you use, application version and language preference. Base from this information, the malicious server decides whether to serve PE file for Windows or DMG file for Mac.

This means that you cannot download the right file by simply modifying the URL. In this case, you need to impersonate by changing your User-Agent info to this value:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)

To perform this task, you can either use Wget for Windows or Malzilla.

Using Wget


[c:\] wget -U "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)"

**Note: -U means user-agent

This site ( is not available today. But there's another site that is up today and I can show you how this works.

Using Malzilla

I just created a YouTube account and started to upload demo videos, hopefully this week I can upload a video for this one.

Wednesday, April 2, 2008

Safari 3.1 Piggybacks In Sofware Update

"Piggybacking is a method used to gain unauthorized access to the computer. This occurs when an authorize application allows another non-related or unauthorized application to pass through or get into user's system."

Couple of weeks ago while I was working in my infect machine, I got this alert message from Apple Software Update. I was a little bit busy so I just minimize the window. Last monday, I had the chance to check and read what it says. Surprisingly, I found Safari 3.1 in the list which I know I haven't installed any of its version. So, what's happening here ?

As shown in the figure above, the QuickTime program I installed checks for updates. Then, the server replied with the update information. However, it doesn't end there, the server exploited the communication to perform an unauthorized task, which is to offer Safari 3.1 installer.

This is completely unacceptable behavior and a breach to information security.

Tuesday, April 1, 2008

March OSX News Makers

March 18 - Apple Released Its Gigantic Update.
  • Security Update 2008-002 fixes 95 security vulnerabilities found in different components of Mac OS X operating system.
  • Safari 3.1 fixes 13 security vulnerabilities found in Safari for Mac (10) and Windows (3).
March 20 - "iMunizator" The 2nd Rogue In Mac
  • iMunizator a rebranded version of MacSweeper.
  • It was first seen in Apple Discussions web site, where someone asked this question "What is iMunizator?"
  • Difference between the two:
      • iMunizatorSetup.dmg file size is 1.49Mb while MacSweeper 1.52Mb.
      • iMunizator company is while MacSweeper is KiVVi Software.
      • iMunizator executable file size is 407,036 bytes while MacSweeper 407,468 bytes.
      • iMunizator resource folder does not contain TODO.txt.
      • If Last time, MacSweeper is sharing NS server with Cleanator (a known rogue program in windows) this time neighbor is [] which is also a rogue program in Windows. network information below:

March 27 - Mac OS X Hacked in 2 Minutes Read [CNET News]
      • VAIO VGN-TZ37CN running Ubuntu 7.10
      • Fujitsu U810 running Vista Ultimate SP1
      • MacBook Air running OSX 10.5.2
  • March 26 (1st Day) when the contest started. However, nobody was able to hacked any of these three operating systems in a limited resources and confined local network connection.
  • March 27 (2nd Day) when the attackers were given internet connection.
  • March 28 (3rd Day) when the attackers were allowed to use popular software to exploit.
  • The results are as follows:
      • On the 2nd day, Mac OS X was successfully hacked in 2 minutes using a zero-day exploit in Safari.
      • On the 3rd day, Vista was successfully hacked after 7 hours using zero-day exploit in Adobe Flash.
      • Linux stays intact and won against hackers.

Tuesday, March 18, 2008

iAntivirus Protects Your Mac

PC Tools will soon release iAntivirus security software for Mac users. The product displays a Mac-like simplicity and elegance, yet with powerful features that catches and removes known malwares in real-time.

Internet Downloads

A good example here is Trojan DNSChanger. This threat has been in the internet for more than four months now and it's continually eluding security analyst by changing its domain names, IP addresses and ways in delivering this trojan to mac users.

iAntivirus on-guard catches this threat in real time.

Files Through Messengers

Let say someone you know or close to you sent you a file through messenger. Without your knowledge, the file is a Backdoor server component which the sender wishes you to install so that the client component which is on the attacker side could perform unauthorized task to your machine. Here's the impressive real time catch of iAntivirus.

Files In Your USB Flash Drive

In our daily computing activities, USB flash or portable drives plays important role in storing, exchanging and transferring files. You often get out of control when too much files are stored and worst if one day you are dragging malicious files to your local hard drive.

Running Process

Perhaps, a keylogger running in background.

Are you excited to have a copy of this?

Then drop your email address and we will notify you once iAntivirus beta version is available.

Monday, March 10, 2008

Should Safari Join The Rat Race?

Few weeks ago, PayPal published a frequently asked question guide about "Safer Web Browsers". The news maker part is this:

Which browser have anti-phishing features?
- Microsoft Internet Explorer 7 or later
- Mozilla Firefox 2 or later
- Opera 9.1 or later

Yes, this is true Safari 3.1 is not capable of detecting phishing site and this is where PayPal is most worried about - because they are always targeted by phishers.

Notice the two screenshots above, obviously Safari does not recognize anything while Firefox displays an alert message.

Base from last year report, Anti-Phishing Working Group receives an average of 25,000 new phishing sites per month and 91.7% of this attacks are related to Financial Services.

This is the reason why we will be seeing more security features integrating to web browsers just like Internet Explorer 8 Beta 1 - which was released last week. There are two significant security features in this version:

Safety Filter - It prevents known malicious sites from loading. However, this feature does not work in my testing. Perhaps, they are still working on it.

Domain Name Highlighting - As shown in the example below, the real domain name is not instead it is Absolutely, a phishing site! This feature is also available in Mozilla plug-in "Locationbar&sup2".

Mozilla Firefox 3 Beta 1 was previously announced and this version provides more security features including "Malware Protection", "Anti-virus Integration" and "One-click site info". Check the full release notes here.

The continuous proliferation of threats in the internet has escalated user's security awareness. And this, factors into users' expectation that softwares and application should provide security features. Beating up threats is just like a rat race and whether this is users' problem or not, the trend is now pressuring Safari to blend in.