iAntiVirus Blog

Cross-Platform Exploit Affects Mac Users

2010-02-04T18:53:00.000-08:00

A new exploit code has been seen in the wild that attacks Windows, Unix, Linux, and Mac OSX systems. Given this ambitious range of targets, the exploit itself is rather old-style and short, but effective.

It takes advantage of a buffer overflow vulnerability in Sun’s Java Runtime Environment. It occurs when a specially crafted file://URL argument is passed to the getSoundbank() function that can allow a remote attacker to execute arbitrary code.

PC Tools iAntivirus detects the exploit code as Exploit.OSX.Snid.b in the latest database.

The said vulnerability (CVE-2009-3867) is discussed here .

Users are highly advised to upgrade to the latest versions from the following link:
http://java.sun.com/

iKee iPhone Worm Strikes Again!

2009-11-24T15:35:00.000-08:00

PC Tools' Malware Research Center received a sample of an iPhone worm that is strikingly similar with the iKee worm that displays an image of Rick Astley, and was originally intended as a prank. This one, however, has an added functionality of using compromised iPhones in a Botnet, a network of infected computers and devices that can be controlled by hackers to perform malicious activities.

Like Worm.iPhoneOS.Ikee which we blogged about a few weeks ago, it scans a range of IP addresses mostly from the Netherlands, and Australia.

The worm then attempts to log in to all jailbroken iPhones with SSH installed using the default password, and copies itself to the compromised device.

Once active in the iPhone, the worm will change the default password found in the file, /etc/master.passwd. This is necessary for the attacker to prevent the victim from logging in.

The worm will then download and install all necessary application packages it needs to perform its malicious activities such as sending sensitive information it gathered to the remote server, and providing botnet functionality to the compromised devices.

This worm connects to a command & control center running at 92.61.38.16 in Lithuania.

PC Tools advises its customers not to jailbreak their iPhones due to the security risks involved. Not only does it open to a lot of vulnerabilities for hackers to exploit, it also violates your warranty.

Apple has already issued a brief statement regarding this latest threat as published on The Loop:

"The worm affects only a very specific set of iPhone users who have jail broken their iPhones and hacked it with unauthorized software," Apple spokesperson, Natalie Harrison, told The Loop. "As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably."

Info Stealer targets Jailbroken iPhones

2009-11-11T14:21:00.000-08:00

A week has barely passed since the first iPhone worm (Worm.iPhoneOS.Ikee) came ‘rickrolling’ into our collective awareness, and now we already have its first official copycat!

A new Trojan has been spotted employing the very same technique employed by the ikee worm to break into jailbroken iPhones. It scans a network (a home, office, or public wifi network would suffice) for the presence of jailbroken iPhones still running SSH. Enabling SSH is a common step in jailbreaking as these allows the user to login to the phone remotely and execute shell commands. And, as should be common knowledge by now, all iPhones have the same default root password that users neglect to change after jailbreaking them.

What this new Trojan lacks in originality of technique, however, it more than makes up for with a more vicious payload. Whereas the ikee worm contents itself with changing the iPhone wallpaper, this new Trojan will steal data from compromised devices! This means all SMS and contacts list stored in vulnerable phones are up for grabs!

While these new iPhone malwares are breaking news, we should realize that the SSH vulnerability it exploits is really nothing new. It has been there ever since the first jailbroken iPhone. In fact, before ikee, Ars Technica ran an article article on their site about a ‘ransomware’ spreading in the Netherlands. It scans networks for iPhones with SSH enabled, then sends the owners the following SMS message:

When you visit his site, he then charges you €5 for instructions on how to secure your phone, information that is actually available to anyone for free.

So lets all learn the lesson here. First, there are very real risks to jailbreaking. Second, and more important, never use default passwords, whether for your combination locks at home or for your digital devices.

iPhone Worm Found Rickrollin' in the Wild

2009-11-09T15:55:00.000-08:00

A new worm targeting Apple's iPhone has been headlining the news as of late. This iPhone worm, dubbed as Ikee, has been infecting Jailbroken iPhones (hacked iphones allowing installation of applications outside of iTunes) all over Australia, and infected users found themselves having iPhones with a photo of Rick Astley as its wallpaper, and a message stating that "ikee is never going to give you up". This is actually a very popular prank among internet users and is known as Rickrolling.

This worm specifically targets Jailbroken phones with a root login password still set to the default password alpine. This opens a hole for hackers to exploit since Jailbroken phones use an SSH daemon which allows for remote connections.

In the case of Ikee, the worm scans a hardcoded list of IP ranges belonging to several Australian Telecom companies for vulnerable iPhones. Once a vulnerable iPhone has been found, the worm copies several files including a copy of itself to the iPhone, and changes its wallpaper to a photo of Rick Astley. It then disables the SSH service to prevent reinfection, and calls for another scan on the network to look for other vulnerable iPhones.

Jailbroken iPhones obviously pose some serious risks. If you have decided to do so, make sure you have changed your SSH password (instructions for changing the password can be found here courtesy of Cydia) and be aware that you have a greater risk of getting infected than non - Jailbroken iPhones.

Entertainment in exchange for loss of data!

2009-10-29T16:38:00.000-07:00

There’s a new game available for download on the internet called Loose/Loose. It has the look and feel of the arcade classics from the 80s like Space Invaders and Missile Command.

The following snapshot shows a lone silver airship at the bottom of the screen battling multicolored alien ships descending down on him:

But wait…if we zoom a little closer on those alien ships that have been shot and that has exploded into a hundred tiny pieces and…are those words spelling out file types names (wav) !?

Apparently, this seemingly innocent and nostalgic piece of software comes with a nasty twist. Each of those alien enemy ships represent an actual file chosen at random in your hard drive. Destroy an alien ship and you delete the file it represents permanently! Entertainment in exchange for loss of data!

The game’s creator, Zach Gage, is a digital mixed media artist who has lately been active in developing applications for the iphone. Based on his web page, he seem to want us to consider this video game as a testament to our modern age’s increasing acceptance of technology as a ‘given’ in our lives…how it has become as mundane and ingrained to us as our day to day tasks.

As quoted from his site:

Why do we assume that because we are given a weapon an awarded for using it, that doing so is right?
By way of exploring what it means to kill in a video-game, Lose/Lose broaches bigger questions. As technology grows, our understanding of it diminishes, yet, at the same time, it becomes increasingly important in our lives. At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data? What implications does trusting something so important to something we understand so poorly have?

And so the big question: is this a philosophical piece of art, or is it an amusing Trojan with a cruel payload? There seem to be no social engineering involved, and Mr. Gage gives ample warning to anyone who downloads his game:

And then again:

Technically, however, a Trojan is defined as a piece of software that pretends to be a normal application while doing something entirely different from its intended purpose and without the user’s permission. We believe Loose/Loose falls (if not perfectly) into this definition and so we detect it as Application.OSX.Loselose.A.

We know he has completely declared the games intentions, but it’s too easy to succumb to one’s curiosity and just play the game before understanding of what’s happening sinks in to our consciousness. And released in the wild, taken out of the context the author intended it to be, it is not hard to imagine someone getting aversely affected by the payload (and getting your data deleted is about as averse as it can get). Bottom line, it’s better to be strict when your important files are concerned.

Apple Provides an Update for Snow Leopard

2009-09-10T17:23:00.000-07:00

Mac OS X 10.6.1 was released earlier today which includes general operating system fixes that improves the compatibility, stability, and security of your Mac. The most notable among the fixes in 10.6.1 is an update to the Adobe Flash Player plugin that comes with the 1st release of Snow Leopard, which as many of us may have noticed, have downgraded the version of Adobe Flash Player after installation resulting into your Mac to have a vulnerable copy of the Flash player.

Adobe posted a few days ago in its Security Bulletin all the details about this vulnerability, and how you can update to the latest version of Flash Player. If you haven't done so, then we highly recommend to update your Snow Leopard's Flash to 10.0.32.18, which is the latest version. Just choose Sofware Update from the Apple Logo menu to check for available updates via the Internet, and choose this update for a safer browsing experience.

More Variants of RSPlug Discovered

2009-08-25T16:18:00.000-07:00

PC Tools' Malware Research Team recently discovered quite a few variants of a DNS changing trojan called RSPlug in the wild.

Three strains of this ubiquitous Trojan have been discovered masquerading as a Foxit Reader PDF viever, a Quicktime Pro update, and a Flash Player installer. PC Tools iAntivirus detect these variants as Trojan.OSX.RSPlug.O, Trojan.OSX.RSPlug.P, and Trojan.OSX.RSPlug.Q respectively.

Like all the other variants, these newly discovered trojan variants pose as legitimate software in order to lure users to download and run them on their computer. This will enable the trojan to change the DNS settings on the compromised computer and redirect the user to phishing websites and such.

We highly advise iAntivirus users to Smart Update for the latest protection in Mac threats, and to avoid untrusted websites in the Internet, which may harbor such malicious files.

Say No to Software Piracy

2009-07-21T23:36:00.000-07:00

A new variant of the RSPlug Trojan horse, aptly named by PC Tools as Trojan.OSX.RSPlug.N, was spotted in a warez web site masquerading as a keygen (serial number generator) for the Mac OS X Leopard.

Unwary Mac users looking to save a few bucks on a pirated Mac OS X will most likely get infected by this Trojan horse, but if you're keen enough, you'll notice that this keygen, particularly the details in the web site as seen in the picture above, is pretty odd and dubious. First, Mac OS X Leopard was never available for AMD processors as it only supports Intel, and PowerPC processors. Second, it doesn't make use of a serial number, so this keygen would be of no use for users who doesn't want to pay for legitimate software. Ehem, we shouldn't be supporting software piracy and downloading keygens in the first place.

Anyway, this new version of RSPlug is essentially the same in terms of function like the other variants. Read a detailed description of the RSPlug trojan here.

PC Tools iAntivirus has updated their database to protect its users from Trojan.OSX.RSPlug.N, so Smart Update now for utmost protection on the latest threats!

Mozilla Firefox Memory Corruption Vulnerability Fixed in 3.5.1

2009-07-18T16:47:00.000-07:00

Mozilla recently announced a bug in Firefox 3.5's Just-In-Time (JIT) compiler in which an error in its escape() function could lead the browser into a corrupt state, thereby allowing attackers to run arbitrary code such as installing malware.

Earlier versions of Firefox which does not support the JIT compiler are not affected. However, this is considered a critical vulnerability as there are already reports of an exploit code for this security flaw in the wild. Mozilla, after learning about this security issue, quickly posted a workaround solution until a fix has been provided.

Fortunately for us Firefox users, Mozilla has already released Firefox 3.5.1 to resolve this issue. PC Tools' Malware Research Team highly advises users to update to this new version ASAP.

Mozilla Firefox 3.5.1 can be downloaded here.

Safari Update Now Available for Download

2009-07-09T16:16:00.000-07:00

Apple has released Safari version 4.0.2 for Mac OSX 10.4 and 10.5, Windows XP, Vista, and 7 beta which, according to the release notes, improves the stability of its Nitro JavaScript engine, and also includes two security fixes.

The said security fixes addresses the issue on Webkit's handling on the parent and top objects which may result in a cross-site scripting attack when visiting a maliciously crafted website, as well as its handling of numeric character references which causes memory corruption. Apple has posted a knowledge base article on these two vulnerabilities, and more information can be found here.

This 40MB update is available via Software Update, or by manual download in the Apple website.

Lady Gaga's Latest Album leads to Malware Download

2009-07-02T22:39:00.000-07:00

The RSPlug trojan horse seems to be spawning quite rapidly the past few months. After only a few days when a variant of this trojan horse was spotted on a gaming website, our Malware Research Team discovered a newer variant of this threat lurking in a website offering free "music" downloads.

This new variant, which iAntivirus detects as Trojan.OSX.RSPlug.M, disguises itself as one of the many music album downloads available in the website like Lady Gaga's latest album pictured above. All music album links in the website will lead Mac users to download disk images containing RSPlug.M. Windows users, however, are led to download its Windows executable counterpart which PCTools Internet Security for Windows detects as Trojan.Alureon.a.

This new variant exhibits the same behavior just like the others. The only notable difference is a slight modification in the code to evade Antivirus scanners.

Mac users should be wary when downloading music from untrusted sources. It's also worth mentioning that digital music doesn't normally come as a disk image file (.dmg), and this alone should raise one's suspicion that the file being downloaded is not legit.

From Porn and Warez to Game Sites

2009-06-25T17:43:00.000-07:00

The Malware Research Team found a new variant of the Trojan.OSX.RSPlug threat masquerading as a gaming software. Previous versions of this threat were mostly found on sleazy porn, and warez sites. Malware writers responsible for this threat took a different route this time targeting unsuspecting gamers.

The new variant which PC Tools iAntivirus detects as Trojan.OSX.RSPlug.k were discovered in this website:

The threat is disguised as a DMG (Mac Disk Image) file of a game whose file name is as follows:

Clicking on the link pointing to the said malicious file will download it onto the unsuspecting user's computer and is automatically executed.

Like most RSPlug variants, this one also displays the MacCinema installation window:

This threat pretends to install a legitimate program on the user's computer, but silently runs malicious BASH scripts that are packaged in the DMG file in the background. Moreover, these scripts are found to be encoded in UUencode using the SED command.

Here's a screen capture of one of the said BASH scripts:

These scripts are further encoded (in three layers), and further decoding the script will reveal a PERL script with a HTTP GET request for another PERL script called generator.pl:

Like the previous variants, the PERL script that is being retrieved via the HTTP GET request also changes the user's DNS server using SCUTIL commands resulting into the user being redirected to phishing or malicious sites.

PC Tools iAntivirus recommends its users to Smart Update to our latest database for full protection against this threat.

iAntiVirus in the Boston Globe

2009-02-12T23:31:00.000-08:00

Came across this article yesterday which mentions iAntiVirus.

Apple security update available

2009-02-12T23:29:00.001-08:00

Please run software update to get it right away!

New database

2009-01-21T18:50:00.001-08:00

Hi everyone,

We've just released a new version of the virus database for iAntiVirus.
If you haven't got Smart Update set to automatic then please run it manually to ensure you have the latest protection available!

Detections - updated/new:
Trojan.OSX.DNSChanger.E
Exploit. Trojan.MacOS.Tweesh.a

QuickTime 7.6

2009-01-21T16:25:00.000-08:00

Apple has released an update for QuickTime, amongst the changes are security fixes.

Please run Apple Software Update to get it!

This update addresses heap overflows, buffer overflows, memory corruption issues and others - all of which may lead to arbitrary code execution.

Official information here.

iAntiVirus v1.3 is available

2009-01-07T17:39:00.001-08:00

iAntiVirus v1.3 has passed testing and is now available!

You can grab it from here or run a Smart Update to upgrade.

Changes in this version have been mentioned in a previous post.

Mac OS X Update - 10.5.6

2008-12-15T16:01:00.000-08:00

Apple has released an update for OS X - it addresses several severe security issues.

Please run a Software Update and grab it today!

Security Issues addressed

Apple Type Services (ATS) server PDF embedded font handling issue (CVE-ID: CVE-2008-4236)
Arbitrary code execution in BOM (CVE-ID: CVE-2008-4217)
Heap buffer overflow in CoreGraphics' handling of color spaces (CVE-ID: CVE-2008-3623)
Possible user credential disclosure in Safari (CVE-ID: CVE-2008-3170)
Enhanced download validation capability, previously warnings were not displayed for all unsafe download content types, this allowed for arbitrary code/command execution (CVE-ID: CVE-2008-4234)
Multiple vulnerabilities in the Adobe Flash player plugin (CVE-IDs: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824)
Local privilege escalation issue due to integer overflows in the kernel's i386_get_ldt and i386_get_ldt system calls (affects Intel based machines only) (CVE-ID: CVE-2008-4218)
Infinite loop when an exception occurs in a program (or dylib) which resides on an NFS share (CVE-ID: CVE-2008-4219)
Integer overflow in the LibSystem inet_net_pton function -> this could affect any program which uses that function (CVE-ID: CVE-2008-4220)
Memory corruption issue in the strptime function of LibSystem (CVE-ID: CVE-2008-4221)
Multiple integer overflows in the strfmon function of LibSystem (CVE-ID: CVE-2008-1391)
Per host configuration in managed client system installs sometimes incorrectly identifies the system (CVE-ID: CVE-2008-4237)
natd infinite loop due to a maliciously crafted TCP packet -> only affects systems with the Internet Sharing service enabled (CVE-ID: CVE-2008-4222)
Authentication bypass in Podcast Producer (OS X server only) (CVE-ID: CVE-2008-4223)
Input validation issue when handling malformed UDF volumes, ISO files. Opening a malformed volume may cause an unexpected syustem shutdown. (CVE-ID: CVE-2008-4224)

Information from Apple here .

Note: All CVE IDs will be linked to their respective pages once they become available.

Snow Leopard

2008-12-10T16:31:00.001-08:00

Just a quick note to let you all know that we're testing iAntiVirus on Snow Leopard, and apart from a minor installer issue there have been no problems so far! :)

iAntiVirus v1.3 - in testing

2008-12-10T16:22:00.001-08:00

Hi everyone,

It's been quite a while since I've posted on this blog, but that's because I've been busy working on the next version of iAntVirus! The upcoming version has interface improvements, a smaller footprint, and a number of under-the-hood enhancements which will allow really cool additions and new features further down the line...

Here are some screenshots:

iAntiVirus 1.2 available

2008-11-02T21:16:00.000-08:00

We've just released iAntiVirus v1.2 on Smart Update and on the website.

v1.2 contains the following:

- Addressed time machine incompatibility issue

- Enhanced quarantine functionality (now much faster)

- Various other enhancements

Please get the update and leave your comments on the forum, thanks!

iAntiVirus v1.1 is now available!

2008-10-10T03:18:00.000-07:00

iAntiVirus v1.1 was released recently. Please run a Smart Update or download the package from iantivirus.com

More information available on the forum.

iAntiVirus 1.1 is coming!

2008-10-02T01:09:00.000-07:00

iAntiVirus v1.1 is currently undergoing internal testing.

Some changes in v1.1:

- New scheduled scan type - allows you to specify a scheduled normal or quick scan.

- Updated scan engine which should improve scan speed (it was already fast! :)) and resolves an issue reported on the forum.

- New database with updated signatures and new signatures for 3 exploits .

- Scan progress now displays more information about child objects being scanned (e.g in v1.0 status might say "Scanning /Users/pctools/Downloads/huge_file.zip" for a long time, in v1.1 it will be displayed as "Scanning /Users/pctools/Downloads/huge_file.zip//(updates for every filename in the archive)".

- Scan complete alert - if you've kept the dock icon hidden, a slideup will alert you once a scan has completed (if the dock icon is visible then it will simply bounce, as previously).

We'll make an announcement here once v1.1 has been confirmed ok by our QA team, so please check back shortly!

iAntiVirus 1.0

2008-09-24T22:18:00.001-07:00

Hi everyone,

iAntiVirus 1.0 has passed internal testing and is now available on Smart Update.

Please run Smart Update to get this release!

Thanks to everyone who helped test beta 3.

iAntiVirus 1.0 (non-beta!)

2008-09-23T17:40:00.000-07:00

iAntiVirus 1.0 - not a beta, but the full release is currently in internal testing and should be confirmed ok for public use shortly.

Thanks to everyone who gave comments, suggestions and reported issues ( well 1 issue! :) ) with iAntiVirus 1.0 beta 3.

Once the full 1.0 release has been confirmed ok, it will be announced here first so please check back shortly.