Wednesday, April 30, 2008

Fake YouTube Installs OS X TrojanDNSChanger

".. I clicked on a normal-looking link to a BlogSpot blog. Instead of taking me to the blog it took me to a website that looks 100% identical to a YouTube page. Where a video would normally start playing it instead said "Video ActiveX Error" and a DMG entitled "1234" that was approximately 750kb automatically downloaded to my computer."

Question: How did you get that link ?

Answer: I found it on the wall of a Facebook group. [Read MacRumors Forum]

~~ooOOoo~~

TrojanDNSChanger for Mac is getting in the wild and it is desperately trying to get into users by using channels with wide or massive audience such as social networks.

This incident has been around for a week where a malicious link will redirect users to a Fake YouTube website and without user intervention it automatically download a DMG file, which is the Trojan DNSChanger for Mac.


**Take Note: The installer filename changes everyday.

The installer name usually displays: "MacVideo" or "Porn4Mac".

Although this trojan requires manual installation, it is still possible that some Mac users will get hooked to this trick.

Always be on the look-out for this type of dodgy websites.

Sunday, April 27, 2008

Zero Day Exploit: Safari Address Bar URL Spoofing

There is a zero day threat to all Safari users both in Windows and Mac, where a remote attacker can hide the actual URL address of the web page in the browser location bar. Let's see how this works ...

Since URL and web page spoofing is very common to phishing, I created this sample email with crafted URL on it.


I clicked the link and here's what I got in Safari 3.1 for Windows.


Here's the screenshot in Mac.


So, what happened here?

A security flaw was found in Safari, when you input a URL containing a special characters followed by "@" which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.



As most of Safari users experience the spinning wheel of death, it is evident that there are multiple vulnerabilities that lies within this application.

Is there available security patch/fix ? None, at the moment. So, please refrain from clicking or browsing untrusted websites.

Juan Pablo Lopez Yacubian has recently discovered this vulnerability.

Sunday, April 20, 2008

Apple Fixed The Piggybacking Issue In SU

Couple of weeks ago, I blogged about this "Safari 3.1 Piggybacks In Sofware Update".

There was a series of reaction specifically those who understands information security, criticizing about Safari 3.1 piggybacking or stealth installation through Software Update.

Now, the interesting news is that Apple fixed this issue in Windows Apple Software Update version 2.1 [READ ZDNet]. I reckon earlier last week, the software update tool still includes Safari 3.1 in the list. However today, this is what i found out.

To manually update, click "Apple Software Update" from Windows Program menu.


Notice "Apple Software Update for Windows", this is an update to get the latest SU version 2.1.


Let's install and check it ...


Here's the new look. Apple fixed the issue by creating two sections: (1) Updates (2) New Software. It simply shows that Safari 3.1 is no longer piggybacking in software updates since it has its own category as New Software. Good!


But wait, how come the tick boxes were already filled-in by default?

Perhaps, this update is a complete conformity to information security if they also changed this default behavior to "NO".

Speaking of default behavior, the latest changes in RapidLibrary requires users to install Zango to access a free content but here's the catch... Click "OK" to cancel and "Cancel" to continue.


Funny, this is Psychology of Security [Reference: Bruce Schneier].

Tuesday, April 15, 2008

Q1 Mac Threats RoundUp

The first quarter of this year has gone so fast but for Mac threats everything just started. Let's take a review on Q1 notable threats, the overall perspective on malware categories and OS X reported vulnerabilities and fixes.

Q1 Notable Threats

Trojan.OSX.DNSChanger

Description: This is a malicious Trojan that uses social engineering technique to entice users to manually install the program. It arrives to users as a disguised video codec and associates itself with shared and downloadable videos. During installation, this Trojan modifies users’ DNS IP address to point to its own malicious servers. Infected user will suddenly experience unusual results in its entire web browsing activity.

This trojan is currently seen in-the-wild.

RogueAntiSpyware.OSX.MacSweeper

Description: MacSweeper is a rogue application which uses deceptive sales and marketing techniques to get onto the users’ system. It usually arrives to users as an pop-up advertisements, where it redirect users to download the file.

This is the first rogue application for Mac OS X.

RogueAntiSpyware.OSX.Imunizator

Description: Imunizator is a re-branded version of MacSweeper. It is an exact copy of MacSweeper except for its new name.

Application.OSX.LogKext

Description: LogKext is a free and powerful kernel base Keylogger in Mac OS X. This keylogger has a full stealth capabilities and it is controlled by a command-line client called logKextClient. A new version was recently released in public.

Percentage per Malware Categories


OS X Vulnerabilities


Sunday, April 6, 2008

How To Download DNSChanger DMG In Windows?

Last December 27, I blogged about Trojan DNSChanger entitled "Mac OS X: 2007 Year Ender for Zlob", which I mentioned the following:
  • Zlob & Fake Codec History
  • List of Zlob distribution domains
  • Trojan DNSChanger checks whether the user is downloading in Windows or Mac.
  • Network Information that leads to Russian Business Network(RBN)
January 2, when I wrote a follow-up article entitled "Impersonating Mac Browser". This article explains how Trojan DNSChanger serves the right executable to the requesting user and how to impersonate Mac browser to download the right DMG file.

January 10, when I posted "Analysis of OSX Trojan DNS Changer".

Why I am discussing this again?

Because, there is an increase prevalence of this threat that captures more attention of malware analysts. Just recently, I received an email that says "New DNS Changer" with an attachment "jetcodec1000.dmg". But, unfortunately the DMG file was not properly downloaded, instead the file contains MZ header which means Windows executable.


Unfortunately, it was the same story posted in ISC Diary "When is a DMG file not a DMG file".

So, how to download DNSChanger DMG file in Windows?

When you visit any of Trojan DNSChanger websites, your browser sends a User-Agent information to the server, which contain details about your operating system, web browser you use, application version and language preference. Base from this information, the malicious server decides whether to serve PE file for Windows or DMG file for Mac.


This means that you cannot download the right file by simply modifying the URL. In this case, you need to impersonate by changing your User-Agent info to this value:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)

To perform this task, you can either use Wget for Windows or Malzilla.

Using Wget

Example,

[c:\] wget -U "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)" http://jetcodec.com/download/jetcodec1000.dmg

**Note: -U means user-agent

This site (jetcodec.com) is not available today. But there's another site that is up today and I can show you how this works.



Using Malzilla



I just created a YouTube account and started to upload demo videos, hopefully this week I can upload a video for this one.

Wednesday, April 2, 2008

Safari 3.1 Piggybacks In Sofware Update


"Piggybacking is a method used to gain unauthorized access to the computer. This occurs when an authorize application allows another non-related or unauthorized application to pass through or get into user's system."

Couple of weeks ago while I was working in my infect machine, I got this alert message from Apple Software Update. I was a little bit busy so I just minimize the window. Last monday, I had the chance to check and read what it says. Surprisingly, I found Safari 3.1 in the list which I know I haven't installed any of its version. So, what's happening here ?


As shown in the figure above, the QuickTime program I installed checks for updates. Then, the server replied with the update information. However, it doesn't end there, the server exploited the communication to perform an unauthorized task, which is to offer Safari 3.1 installer.

This is completely unacceptable behavior and a breach to information security.

Tuesday, April 1, 2008

March OSX News Makers

March 18 - Apple Released Its Gigantic Update.
  • Security Update 2008-002 fixes 95 security vulnerabilities found in different components of Mac OS X operating system.
  • Safari 3.1 fixes 13 security vulnerabilities found in Safari for Mac (10) and Windows (3).
March 20 - "iMunizator" The 2nd Rogue In Mac
  • iMunizator a rebranded version of MacSweeper.
  • It was first seen in Apple Discussions web site, where someone asked this question "What is iMunizator?"
  • Difference between the two:
      • iMunizatorSetup.dmg file size is 1.49Mb while MacSweeper 1.52Mb.
      • iMunizator company is iMunizator.com while MacSweeper is KiVVi Software.
      • iMunizator executable file size is 407,036 bytes while MacSweeper 407,468 bytes.
      • iMunizator resource folder does not contain TODO.txt.
      • If Last time, MacSweeper is sharing NS server with Cleanator (a known rogue program in windows) this time iMunizator.com neighbor is AntiSpywaredeluxe.com [67.205.72.9] which is also a rogue program in Windows. iMunizator.com network information below:

March 27 - Mac OS X Hacked in 2 Minutes Read [CNET News]
      • VAIO VGN-TZ37CN running Ubuntu 7.10
      • Fujitsu U810 running Vista Ultimate SP1
      • MacBook Air running OSX 10.5.2
  • March 26 (1st Day) when the contest started. However, nobody was able to hacked any of these three operating systems in a limited resources and confined local network connection.
  • March 27 (2nd Day) when the attackers were given internet connection.
  • March 28 (3rd Day) when the attackers were allowed to use popular software to exploit.
  • The results are as follows:
      • On the 2nd day, Mac OS X was successfully hacked in 2 minutes using a zero-day exploit in Safari.
      • On the 3rd day, Vista was successfully hacked after 7 hours using zero-day exploit in Adobe Flash.
      • Linux stays intact and won against hackers.