Posts Tagged ‘Apple’

The Mac OS X malware community is advancing fast and taking many cues from the Windows malware scene, says security firm Sophos.

Just like in the Windows versions, the latest variants seen today (OSX/FakeAvDl-A) no longer require administrative credentials. “They now install into areas of the system that only require standard user privilege. In other words, the attacks no longer ask for an admin password. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases,” Chester Wisniewski, Senior Security Advisor at Sophos Canada explained.

Apple has stated:

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.

Some key considerations for Mac users to be aware of are:

  1. The name and user interface displayed by this malware will change, so don’t rely on the name.
  2. The nature of the enticing message, however, will remain a variant of the “viruses (or Trojans, or spyware, etc) have been detected on your computer” message, followed by a request to install the cleanup software, which of course is only available for a fee.

Mac users can defend themselves from variants of this attack by:

  1. Going to Safari->Preferences->General and deselecting the “Open “Safe” files after downloading” option
  2. Installing reputable antivirus software from a trusted source

Finally, users of any system should be aware there is currently no legitimate antivirus or security software that alerts you through a browser that malware of any type has been detected and that security software must be installed to remove it. A modern browser may block a suspect site, but it won’t behave in this manner. This is a sure-fire attempt to scare a user into installing a malicious program. In general, if you see a suspicious warning that asks you to install software, simply close the browser, or Force Quit if you need to. NEVER click “OK,” “Cancel” or any other button or links in the window alerting you to fake infections, as that is often what starts the actual download or installation of the malware.

When Apple introduced XProtect with OS X 10.6 Snow Leopard, they added rudimentary detection of malware. In the nearly two years since its introduction, they have only updated it a few times.

Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user’s credit card information, which may then be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple is expected to deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password. Delete the installer immediately using the steps below.

  1. Go into the Downloads folder or your preferred download location.
  2. Drag the installer to the Trash.
  3. Empty the Trash.

How to remove this malware

If the malware has been installed, we recommend the following actions:

  • Do not provide your credit card information under any circumstances.
  • Use the Removal Steps below.

Removal steps

  • Move or close the Scan Window
  • Go to the Utilities folder in the Applications folder and launch Activity Monitor
  • Choose All Processes from the pop up menu in the upper right corner of the window
  • Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
  • Click the Quit Process button in the upper left corner of the window and select Quit
  • Quit Activity Monitor application
  • Open the Applications folder
  • Locate the app, e.g. MacDefender, MacSecurity, MacProtector or another name
  • Drag to Trash, and empty Trash

Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.

  • Open System Preferences, select Accounts, then Login Items
  • Select the name of the app you removed in the steps above, e.g. MacDefender, MacSecurity or MacProtector
  • Click the minus button

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.
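The two Apple lists above (the Safari preference and the process / application / login item removal) are written for the GUI. The following is an added example, not Apple's or Sophos's code, that does the same checks from a script so a support desk can run them on many machines. The detection functions take a process listing and a directory listing as plain input, so they can be exercised on constructed data; the name list is the one the page gives, and the `ps -axo pid=,comm=` output format and the `AutoOpenSafeDownloads` Safari defaults key are this example's own assumptions about the tooling.

```python
"""Scripted equivalent of the Mac Defender removal steps (added example).

Assumptions: the malware appears as a running process and as an
/Applications bundle named after one of the variants listed on the page,
and `ps -axo pid=,comm=` prints "<pid> <command path>" per line.
"""
import os
import re
import signal
import subprocess
import sys

# Names the page lists for this family. The name and UI change between
# variants, so treat this as a starting list, not a complete signature.
FAKE_AV_NAMES = {"macdefender", "macsecurity", "macprotector"}


def _base_name(command: str) -> str:
    """Reduce '/Applications/MacDefender.app/Contents/MacOS/MacDefender' to 'macdefender'."""
    name = os.path.basename(command.strip())
    if name.lower().endswith(".app"):
        name = name[:-4]
    return name.lower()


def find_fake_av_processes(ps_output: str):
    """Parse `ps -axo pid=,comm=` text; return [(pid, name)] for known fake AV names."""
    hits = []
    for line in ps_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+)$", line)
        if not m:
            continue
        pid, comm = int(m.group(1)), m.group(2)
        if _base_name(comm) in FAKE_AV_NAMES:
            hits.append((pid, os.path.basename(comm)))
    return hits


def match_app_names(entries):
    """Return the .app bundle names (from a directory listing) that match the list."""
    return sorted(e for e in entries
                  if e.lower().endswith(".app") and _base_name(e) in FAKE_AV_NAMES)


def find_fake_av_apps(applications_dir: str):
    """Same as match_app_names, but read the directory from disk."""
    try:
        return match_app_names(os.listdir(applications_dir))
    except FileNotFoundError:
        return []


def disable_safari_auto_open(dry_run: bool = True):
    """Equivalent of unticking Safari's "Open 'safe' files after downloading".
    AutoOpenSafeDownloads is assumed to be the defaults key behind that checkbox."""
    cmd = ["defaults", "write", "com.apple.Safari", "AutoOpenSafeDownloads", "-bool", "false"]
    print(" ".join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)


def remove_fake_av(dry_run: bool = True):
    """Quit the process, delete the bundle and drop the login item (Mac OS X only).
    Mirrors the Activity Monitor / Finder / Login Items steps; dry_run only reports."""
    if sys.platform != "darwin":
        raise RuntimeError("these removal steps apply to Mac OS X only")
    ps = subprocess.run(["ps", "-axo", "pid=,comm="],
                        capture_output=True, text=True, check=True).stdout
    for pid, name in find_fake_av_processes(ps):
        print(f"quit process {name} (pid {pid})")
        if not dry_run:
            os.kill(pid, signal.SIGTERM)      # the scripted form of "Quit Process"
    for app in find_fake_av_apps("/Applications"):
        print(f"remove /Applications/{app} and its login item")
        if not dry_run:
            subprocess.run(["rm", "-rf", os.path.join("/Applications", app)], check=True)
            # The login item is named after the app; System Events can delete it.
            subprocess.run(["osascript", "-e",
                            f'tell application "System Events" to delete login item "{app[:-4]}"'],
                           check=False)


if __name__ == "__main__":
    # Constructed process listing, to show the detector without a real infection.
    sample_ps = "    1 /sbin/launchd\n  412 /Applications/MacDefender.app/Contents/MacOS/MacDefender\n"
    print(find_fake_av_processes(sample_ps))
    if sys.platform == "darwin":
        remove_fake_av(dry_run=True)
```

Run with `dry_run=True` first: it prints what would be quit and deleted without touching anything, which is the right default for a script that kills processes by name. Matching is by the bundle or executable name only, so a renamed variant (the page warns the name changes) will not be caught; the list is meant to be extended as new names are published.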

Researchers at SophosLabs Canada have raised the alarm about the world’s first JavaScript fake scanner that tries to convince Mac users that their computers are infected by a virus.

This step is extra important on OS X, as users will have to install the malware and enter their administrative credentials for the privilege of infecting themselves.

Even worse, the attackers are poisoning search terms and images related to Mother’s Day. Simply searching Google for seemingly innocent content to honor your mum could end up with a malware infection.

When Mac users happen upon a poisoned search result, it pops up a fake anti-virus scanner written in JavaScript that looks just like the OS X Finder application.

OS X fake anti-virus JavaScript popup

Windows users aren’t left out… They get their own fake popup, which we have seen all too often.

Windows fake anti-virus JavaScript popup

“The criminals behind these attacks seem to be using Google’s search auto-complete technology to determine the most popular search terms to poison,” explained Chester Wisniewski, Senior Security Advisor at Sophos Canada.

After triggering privacy concerns across the world over a recently discovered hidden iPhone feature that tracks user data, Apple has finally responded to the queries through an “Apple Q&A on Location Data”.

Apple admits that users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.

Answering the question ‘Why does my iPhone need so much data in order to assist it in finding my location today?’, Apple says that this data is not the iPhone’s location data but a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database, which is downloaded from Apple into the iPhone to assist it in rapidly and accurately calculating location. The reason the iPhone stores so much data is, in Apple’s words, a ‘bug’ it uncovered and plans to fix shortly. Apple says that it doesn’t think the iPhone needs to store more than seven days of this data.

But why does Apple store this data at all? According to the iPhone vendor, the iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

Apple also says that when you turn off Location Services, your iPhone might still continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database, as this is part of the bug in the software, which the company plans to fix shortly.

Apple also admits that its iAds advertising system can use location as a factor in targeting ads. However, it insists that location is not shared with any third party or ad unless the user explicitly approves giving the current location to the current ad (for example, to request the ad locate the Target store nearest them).

Without giving a specific date for the fix to this bug, Apple says it’ll release a free iOS software update that:

  • reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
  • ceases backing up this cache, and
  • deletes this cache entirely when Location Services is turned off.

In the next major iOS software release the cache will also be encrypted on the iPhone.

A week after Apple’s intellectual property infringement suit against Samsung in the US, the South Korean electronics giant has fired back. Samsung Electronics said it is suing Apple Inc. for patent rights violations.

AP has reported that Samsung is accusing Apple of violating its rights to 10 smartphone and computer patents. The company filed lawsuits in Seoul, Tokyo and Mannheim, Germany.

The lawsuits come only days after Apple sued Samsung in a California court. Apple alleges Samsung’s Galaxy line of smartphones and tablet computers copy Apple’s popular iPad and iPhone.

Samsung is a major patent holder. Following Apple’s allegations against Samsung, Bloomberg last week quoted a Samsung spokesman as saying that “Samsung will respond actively to this legal action taken against the Korean company”. The Malaysian National News Agency (Bernama) reported that another Samsung spokesman said over the phone that they believe “Apple has violated [Samsung] patents in communications standards” and that Samsung is “considering a counterclaim.” Instead of playing defensive, Samsung is using Apple’s own arsenal to fight back.

The lawsuits are the latest in a long string of patent disputes among phone makers. In recent years Apple, Microsoft Corp., Nokia Corp., HTC Corp. and others have taken legal action to protect their intellectual property rights.

Security researchers have discovered a hidden iPhone feature that secretly tracks and saves the meanderings of the phone – and presumably its owner.

The tracking feature was described in a presentation at the Where 2.0 Conference in San Francisco.

According to the researchers, Pete Warden, founder of Data Science Toolkit, and Alasdair Allan, a researcher at Exeter University in the UK, they found the tracking feature after they started poking around in the iPhone backups on the Mac and stumbled on a directory called LocationD.

Inside that directory the researchers found something called “consolidated.db,” an SQL log file containing latitudes, longitudes and cell IDs. Backup data isn’t stored in clear text, but can be parsed using a so-called manifest file.

After the researchers unpacked the data, they found it contained a year’s worth of data showing every cell tower the phone connected to since the phone was upgraded to iOS 4.

The file appears to have been stored locally, only, not shared back to Apple’s servers. However, it is retained even when the iPhone hardware is upgraded.

“My original iOS device was a 3GS and since then I’ve been through two iPhone 4, and this data set persists,” Allan noted.

The data was significant: on average 100 data points a day.

The researchers also found that the file contained 220,000 wireless data points with time stamps, the Wi-Fi MAC address and approximate latitudes and longitudes of the Wi-Fi access points – those readings are notoriously unreliable for access points.

It is unclear what Apple intended to do with the file, but other data is being tracked as well, including a log of when the user activated the phone’s GPS or compass applications; that would record, for example, every time the phone’s user was “lost,” Warden hypothesized. The phones are also storing geofencing data, a feature that allows phones to receive alerts and notifications when entering or leaving defined geographic areas.

The researchers have also created an open source application that anyone can download and use to examine this data.
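The two findings on this page that a user or forensic analyst would want to measure for themselves are how far back the cache in a backup reaches (the researchers report about a year at roughly 100 points a day) and how that compares with the seven days Apple's Q&A says the phone needs. The following is an added example, not the researchers' open source application, that runs that audit over a consolidated.db-style SQLite file. The table and column names (`CellLocation` with `Timestamp`, `Latitude`, `Longitude`, `LAC`, `CI`; `WifiLocation` with `MAC`) and the timestamp convention (seconds since 2001-01-01, the Mac absolute time epoch) are a simplified schema assumed for this example, and the rows it builds are constructed, not real readings.

```python
"""Retention audit of a consolidated.db-style location cache (added example).

Assumptions: SQLite file; simplified CellLocation / WifiLocation tables;
timestamps as seconds since 2001-01-01 UTC. Sample data is constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH_UNIX = 978307200               # Unix time of 2001-01-01T00:00:00Z
APPLE_STATED_RETENTION_DAYS = 7          # the limit Apple's Q&A says is needed


def build_sample_db(days: int = 365, points_per_day: int = 100) -> sqlite3.Connection:
    """In-memory database with `days` days of constructed cell readings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CellLocation (LAC INTEGER, CI INTEGER, Timestamp REAL,
                                   Latitude REAL, Longitude REAL);
        CREATE TABLE WifiLocation (MAC TEXT, Timestamp REAL,
                                   Latitude REAL, Longitude REAL);
    """)
    start = MAC_EPOCH + timedelta(days=3000)     # arbitrary constructed start date
    rows = []
    for d in range(days):
        for p in range(points_per_day):          # readings spread through each day
            ts = (start + timedelta(days=d, seconds=p * 864) - MAC_EPOCH).total_seconds()
            rows.append((1000 + d % 7, 20000 + p, ts,
                         37.33 + d * 1e-4, -122.03 + p * 1e-4))
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?)", rows)
    conn.execute("INSERT INTO WifiLocation VALUES (?,?,?,?)",
                 ("00:11:22:33:44:55", rows[-1][2], 37.33, -122.03))  # constructed MAC
    conn.commit()
    return conn


def to_utc(mac_ts: float) -> datetime:
    """Convert a Mac-epoch timestamp to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=mac_ts)


def daily_counts(conn: sqlite3.Connection):
    """[(ISO date, readings)] per day, converting the epoch inside SQLite."""
    cur = conn.execute(
        "SELECT date(Timestamp + ?, 'unixepoch') AS day, COUNT(*) "
        "FROM CellLocation GROUP BY day ORDER BY day", (MAC_EPOCH_UNIX,))
    return [(day, n) for day, n in cur.fetchall()]


def audit(conn: sqlite3.Connection) -> dict:
    """Span of retained history, average density, and whether it exceeds Apple's stated limit."""
    count, first, last = conn.execute(
        "SELECT COUNT(*), MIN(Timestamp), MAX(Timestamp) FROM CellLocation").fetchone()
    span_days = (to_utc(last) - to_utc(first)).days + 1
    wifi = conn.execute("SELECT COUNT(DISTINCT MAC) FROM WifiLocation").fetchone()[0]
    return {
        "cell_points": count,
        "first_seen": to_utc(first).date().isoformat(),
        "last_seen": to_utc(last).date().isoformat(),
        "span_days": span_days,
        "points_per_day": round(count / span_days, 1),
        "wifi_access_points": wifi,
        "exceeds_stated_retention": span_days > APPLE_STATED_RETENTION_DAYS,
    }


def audit_file(path: str) -> dict:
    """Run the same audit on an on-disk copy of the database (read-only)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    db = build_sample_db()
    for key, value in audit(db).items():
        print(f"{key}: {value}")
```

`audit_file` opens the database read-only, which is the right habit when the input is a copy pulled from a backup: the file is evidence of what the phone retained, and the point of the check is the span and density, not the individual coordinates. On the constructed data the span comes out at 365 days, far past the seven the Q&A describes, which is exactly the gap the researchers reported.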