November 2008 - Posts

New Trojans Strike OS X

Published: November 23 2008, 10:03 PM | no comments
by Methusela Cebrian Ferrer

Zlob’s OSX DNSChanger (also known as "RSPlug") struck last year in November, and thereafter became prevalent for several months. Last week, we discovered two new OSX backdoor trojans on the loose, both capable of infecting Macintosh users’ machines.

The first, OSX/Jahlav.A, is the work of the RSPlug author and it carries the installer name "MacAccess". This threat pretends to be a fix for ‘Video ActiveX Object Error’ and arrives as a disk image file (.dmg) which, when downloaded, automatically mounts and displays a pop-up message to start the installation process:

Example of installation pop-up displayed by OSX/Jahlav.A on execution

Affected OS X users should immediately notice the appearance of an icon for the disk image “install.pkg” on the desktop:

OSX/Jahlav.A drops a disk image icon to the desktop

and looking in “install.pkg/Contents/Info.plist”, the user should be able to find the following strings:

Brief Description: Microsoft Company Evil Bill
Application Name: MacAcess
Release/Build Version: 3.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 376 KB

Example files dropped by OSX/Jahlav.A

The malicious installer contains three files, highlighted in the screenshot above:

  • Archive.pax.gz
  • preinstall
  • preupgrade  

Inside “Archive.pax.gz” are two files:

  • AdobeFlash
  • Mozillaplug.plugin

which the trojan installs to “/Library/Internet Plug-Ins”.

The files “preinstall” and “preupgrade” contain exactly the same code. The malicious shell script uses a uuencoded block introduced by the line “begin 777 withlove” to drop the file “~/i386”, along with a temporary file called “\crons.inst”, which registers the following cron (scheduled) job:

* */5 * * * \"$path/$EVIL\" 1>/dev/null 2>&1

where $path is "/Library/Internet Plug-Ins/" and $EVIL is the filename “AdobeFlash” or “applemac”.

Via a second uuencoded block, “begin 666 jah”, contained in the file “/i386”, OSX/Jahlav.A executes a malicious Perl script that attempts to connect to a remote server over TCP port 80. Over this connection the trojan also sends back sensitive information about the compromised system, such as its operating system, processor type and IP address.
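As an added example (not code from the post or from CA), the Python triage script below covers two of the installer artefacts described above: it parses a crontab listing for jobs that launch a binary from /Library/Internet Plug-Ins/ while discarding all output, the shape of the “$path/$EVIL” entry, and it extracts and decodes uuencoded blocks (the “begin 777 withlove” construct) from an installer script so the dropped file can be inspected without running it. The crontab listing, the preinstall script and the payload are constructed stand-ins, not the trojan's own files.

```python
import binascii
import re

# Directory the post names as the trojan's install location; a defender would extend this list.
WATCHED_DIRS = ("/Library/Internet Plug-Ins/",)
SILENCED_RE = re.compile(r"[12]?>\s*/dev/null")          # stdout/stderr thrown away
UU_BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S+)\s*$")  # uuencode header: begin <mode> <name>


def suspicious_cron_entries(crontab_text, watched_dirs=WATCHED_DIRS):
    """Return (schedule, command) for jobs that run something out of a watched directory
    while silencing all output, which is the shape of the entry OSX/Jahlav.A registers."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # skip blank lines, comments and VAR=value assignments
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        if any(d in command for d in watched_dirs) and SILENCED_RE.search(command):
            hits.append((schedule, command))
    return hits


def extract_uuencoded(script_text):
    """Return (mode, name, data) for every uuencoded block embedded in a script, so the
    file it would drop can be examined statically."""
    blocks, lines, i = [], script_text.splitlines(), 0
    while i < len(lines):
        m = UU_BEGIN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        data = bytearray()
        while i < len(lines) and lines[i].strip() != "end":
            body = lines[i]
            if body.strip() and body.strip() != "`":   # "`" is the empty terminator line
                data += binascii.a2b_uu(body)
            i += 1
        i += 1  # skip the "end" line
        blocks.append((m.group(1), m.group(2), bytes(data)))
    return blocks


def uuencode(name, data, mode="777"):
    """Build a uuencoded block the way the installer script embeds its payload (constructed)."""
    out = [f"begin {mode} {name}"]
    for off in range(0, len(data), 45):   # uuencode carries at most 45 bytes per line
        out.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out)


# Constructed stand-ins; the real ~/i386 payload is deliberately not reproduced.
SAMPLE_PAYLOAD = b"#!/bin/sh\n# constructed placeholder, not the real i386 dropper\necho hello\n"
SAMPLE_PREINSTALL = (
    "#!/bin/sh\n# constructed stand-in for the preinstall script\n"
    + uuencode("withlove", SAMPLE_PAYLOAD) + "\n"
)

# Constructed crontab: one benign job plus the post's entry with $path and $EVIL expanded.
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" 1>/dev/null 2>&1
"""

if __name__ == "__main__":
    for schedule, command in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron job:", schedule, command)
    for mode, name, data in extract_uuencoded(SAMPLE_PREINSTALL):
        print(f"embedded file {name!r} mode {mode}, {len(data)} bytes:", data[:40])
```

On a live system the same functions would be fed the output of `crontab -l` for each user and the contents of the package's preinstall/preupgrade scripts; the decoded block is written nowhere, only returned for inspection.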

On the surface, this trojan shares the installation characteristics of the OSX/RSPlug family; however, its behavior has changed since RSPlug, and it no longer targets users’ DNS settings. Instead, the backdoor component is designed to remotely download and install files. Our customers are protected from OSX/Jahlav.A using update 31.6.6219 and later.

Another piece of Mac-targeting malware that we recently added detection for is OSX/Lamzev.A. This trojan, pictured below, is currently published and downloadable from a known security website as a proof-of-concept application.

Example of proof-of-concept malware OSX/Lamzev.A

The author describes their application in “readme.txt” as follows:

Attaches persistent bindshell to OS X applications. Not all applications are supported. If your application isn't supported, you should get an error after running the 'hack' command. Application must be in the current working directory.

Future features:
Advertisement of backdoored accounts over Bonjour.

It was clearly created for educational purposes, and it requires the user to manually specify a target application in the Terminal before its payload runs. Our customers are protected from OSX/Lamzev.A using update 31.6.6225 and later.

Mac OS X threats are still few compared with Windows threats, but with the growing popularity of Mac systems we are unfortunately seeing attackers take more interest.

Stay informed, stay safe!


By: Methusela Cebrian Ferrer
Methusela “Meths” Cebrian Ferrer joined CA ISBU in mid-2008 as Senior Researcher leading the Internet Security Intelligence initiative. Her focus is proactive research, identifying emerging and prevalent threats to provide strategic security response through product solutions, internal & external awareness...

FTC takes down RemoteSpy keylogger: What Now?

Published: November 21 2008, 11:56 AM | 3 Comment(s)
by Benjamin Googins

Background
Earlier this week the Federal Trade Commission issued a temporary restraining order against CyberSpy Software, LLC to stop the sale of RemoteSpy keylogger.  In the vendor’s own words: ‘RemoteSpy can easily record websites visited, keystrokes typed, internet comversations[sic], email logging, documents opened, and so much more.’  The FTC’s stated reasons for issuing the order include: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information.*

In my own previous analysis, RemoteSpy acts(ed) as both a service and software provider.  CyberSpy hosts servers that the keylogging software routinely connects with to upload covertly collected data.  The attacker can remotely log in to an account where all the data will be stored and viewable.  RemoteSpy can be installed remotely by the attacker -- silently and unbeknownst to the victim.  The software runs quietly in the background, making no obvious appearance to the victim, collecting user data like passwords and the data stated by the author, above.  This type of software has been detected by anti-spyware products, like CA Anti-Spyware, for well over 10 years.

Too little.  Too late?
Does this mean the end of commercial spyware?  Hardly.  When I first read the subject line to the FTC’s press release, ‘Court Orders Halt to Sale of Spyware’, I was pretty excited.  Unfortunately, this restraining order is only temporary and limited to one particular piece of software -- the RemoteSpy keylogger.  I would guess CyberSpy is working with their lawyers to launch an appeal. 

Even if this restraining order sticks and is made permanent, there is a plethora of other keyloggers available on the market, many for free -- will the FTC expand this restraining order?  CA Anti-Spyware detects well over 1000 different keyloggers including Invisible Keylogger, Activity Monitor, and EBlaster.  Take a look at this screenshot of a webpage for Realtime-Spy keylogger: 
 

Some of the features include ‘remote installation’, ‘logging multiple machines’, and ‘log all keystrokes’.  Does that sound much different from the criteria the FTC lists as reasons for the restraining order against CyberSpy?

The FTC listed remote installation as the first criterion for issuing the restraining order.  RemoteSpy may have used particularly aggressive techniques for installation, but based on my own experience, many keyloggers allow for remote installation. To get a sense of this for yourself, conduct a web search with the keywords keylogger+remote+installation.  I did this with Google and over 100,000 results were returned (obviously, not all these links are download pages for keyloggers with remote installation capabilities, but it reflects the availability).  Furthermore, remote installation is a moot point when keyloggers can be installed manually on publicly available computers, say in libraries and coffee shops.

The FTC lists surreptitious data collection as the third criterion for the restraining order.  Keyloggers exist primarily for the purpose of surreptitious data collection (searching “keylogger” returns close to 1 million webpages, many offering free keyloggers and trial versions).  Are these keyloggers next on the list?  In my analysis, RemoteSpy is not substantively different.

In the FTC’s press release, they indicate that one of the problems with CyberSpy was how they advertised and presented RemoteSpy, as if CyberSpy were encouraging consumers to spy.  What about keyloggers that are advertised slightly differently, say, as a means to keep tabs on a child?  Will these be targeted by the FTC? 

What now?
My intention with this blog is not to show approval or disapproval of the FTC’s decision to issue a restraining order against CyberSpy’s sale of RemoteSpy.  I just think it is very narrow in scope, relative to the much broader problem.  I am curious what is next on the agenda and where the line will be drawn.  The line between good and bad software is a messy one, and strict criteria need to be published and publicly available.  Most of all, these criteria need to be evenly applied.  CA Anti-Spyware systematically analyzes commercial software against the CA Anti-Spyware Scorecard, found here.  I believe that if the FTC evenly applies the criteria they state as reasons for restraining the sale of RemoteSpy, hundreds, possibly thousands of other readily available keyloggers will need to be targeted and restrained from sale and distribution.  The anti-spyware industry has been detecting and removing keyloggers for over ten years and will continue to do so.  Is RemoteSpy the first step, for the FTC, on a long road of catching up with private industry? 

Reference:
* http://ftc.gov/opa/2008/11/cyberspy.shtm
** http://epic.org/


By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat...

Yet Another Exploited PDF in the Wild

Published: November 10 2008, 10:24 PM | no comments
by Methusela Cebrian Ferrer

As mentioned in my previous post, Prevalence of Exploited PDFs, over the past months CA ISBU has seen consistent, recurring attacks using malware explicitly designed to exploit PDF vulnerabilities – mainly involving the 'Collab.collectEmailInfo()' function and misuse of the 'mailto' URI. Today, another strain joins the group.

Adobe released a security bulletin and update last week fixing the critical vulnerability CVE-2008-2992 in Adobe Reader’s JavaScript engine. The flaw lies in a weak implementation of the JavaScript 'util.printf()' function: an attacker can supply a series of strings long enough to cause a stack-based buffer overflow and then execute arbitrary code on the system, unfortunately with the same privilege level as the user running the vulnerable version of Adobe Reader.
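The following Python script is an added example (not code from the post or from CA) of how a defender can triage PDF files for the indicators named in this and the previous post: it pulls JavaScript out of /JS entries, inflating FlateDecode streams where needed, and flags util.printf() calls whose format string carries an implausibly large field width or length (the CVE-2008-2992 shape), Collab.collectEmailInfo() calls, and mailto: URIs. The thresholds, the minimal PDF builder and the two sample scripts are constructed assumptions for the example, not real-world samples.

```python
import re
import zlib

# Thresholds are assumptions for this example, not values from the post or the Adobe bulletin.
MAX_SANE_FORMAT_LEN = 256        # a legitimate printf format in a PDF form is far shorter
WIDTH_RE = re.compile(r"%[-+ #]*(\d{4,})")   # a field width of 1000+ characters has no honest use

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")      # /JS 4 0 R  -> script lives in object 4
JS_INLINE_RE = re.compile(rb"/JS\s*\(")                 # /JS (code) -> script is a literal string
PRINTF_RE = re.compile(r"util\.printf\s*\(\s*([\"'])(.*?)\1", re.S)


def _pdf_literal_string(body, start):
    """Return the contents of the PDF literal string whose '(' sits at body[start],
    honouring nested parentheses and backslash escapes."""
    depth, i = 0, start
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return body[start + 1:i]
        i += 1
    return body[start + 1:]


def extract_javascript(pdf_bytes):
    """Collect JavaScript from every /JS entry, whether an inline string or a reference
    to a (possibly FlateDecode-compressed) stream object."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf_bytes)}
    scripts = []
    for body in objects.values():
        for m in JS_INLINE_RE.finditer(body):
            scripts.append(_pdf_literal_string(body, m.end() - 1).decode("latin-1"))
        for m in JS_REF_RE.finditer(body):
            target = objects.get(int(m.group(1)))
            stream = STREAM_RE.search(target) if target else None
            if not stream:
                continue
            data = stream.group(1)
            if FLATE_RE.search(target):
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    pass  # damaged stream: scan the raw bytes rather than give up
            scripts.append(data.decode("latin-1"))
    return scripts


def scan_javascript(js):
    """Return the indicator names this post and the previous one associate with malicious PDFs."""
    findings = []
    for m in PRINTF_RE.finditer(js):
        fmt = m.group(2)
        if len(fmt) > MAX_SANE_FORMAT_LEN or WIDTH_RE.search(fmt):
            findings.append("util.printf oversized format (CVE-2008-2992)")
    if "Collab.collectEmailInfo" in js:
        findings.append("Collab.collectEmailInfo")
    if "mailto:" in js:
        findings.append("mailto URI")
    return findings


def scan_pdf(pdf_bytes):
    findings = []
    for js in extract_javascript(pdf_bytes):
        findings.extend(scan_javascript(js))
    return findings


def build_sample_pdf(js_source, inline=False):
    """Constructed minimal PDF whose OpenAction runs js_source; only for exercising the scanner."""
    js = js_source.encode("latin-1")
    if inline:
        action = b"3 0 obj << /S /JavaScript /JS (" + js + b") >> endobj\n"
        js_obj = b""
    else:
        packed = zlib.compress(js)
        action = b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        js_obj = (b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
                  + packed + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + action + js_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed scripts: the first carries the oversized width the heuristic looks for, the second is benign.
SUSPICIOUS_JS = 'var s = util.printf("%9000f", 1.5);'
BENIGN_JS = 'var s = util.printf("%d pages", this.numPages);'

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(SUSPICIOUS_JS)))
    print(scan_pdf(build_sample_pdf(BENIGN_JS)))
```

The object-level regexes are enough for a first-pass triage of mail-gateway samples; obfuscated scripts that assemble the format string at run time, or streams using other filters, need a full PDF parser and a JavaScript emulator, which is why the detection names in the post are signature-based rather than heuristic.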

Proof-of-concept code was quickly published through various channels and attracted a good number of hits; almost immediately afterwards, attackers began taking advantage of the vulnerability, as shown in the latest exploited (trojanized) PDF sample we received:

Example trojan exploiting the Adobe Reader and Adobe Acrobat PDF vulnerability

Example of files downloaded by PDF/Utilf.A

Adobe Reader 9 and Acrobat 9 are not affected by this vulnerability. However, users running Adobe Reader 8.1.2 and earlier versions should immediately update. Please see the relevant Adobe security bulletin:
http://www.adobe.com/support/security/bulletins/apsb08-19.htm

Furthermore, CA’s Anti-Virus solutions detect these malicious PDF files as PDF/Utilf and PDF/CVE-2008-2992!exploit.


Emerging Threat: AntiVirus 2009

Published: November 10 2008, 02:40 PM | 1 Comment(s)
by Benjamin Googins

Background
We first started seeing copies of “AntiVirus 2009” in June of this year, but about two weeks ago the number of infections our Support team was seeing took a big jump.  At that time, our Support team reported it was the top infection customers were dealing with.  AntiVirus 2009 is part of a long lineage of rogue antispyware applications that purport to be a security solution but actually have no security functionality or value, and are used as a criminal tool for extorting money from victims.  Its predecessor was AntiVirus 2008, which had a high infection rate and topped our prevalence charts for over a month.

Infection Indicators
The primary process showing up in Task Manager is “av2009.exe”, located at C:\Program Files\Antivirus2009.  The infection aggressively opens popup windows when the computer is restarted and at regular intervals; these are designed to look like a legitimate anti-virus product scanning the user’s computer for viruses (labeled “B” in the image above).  The infection also places an AntiVirus 2009 icon in the system tray (usually at the bottom of the screen in the lower right corner) and from this location opens small windows titled “Warning: AntiVirus 2009 Alert!”, repeatedly warning the user of system infections (labeled “C” in the image above).  The infection also drops a shortcut on the infected computer’s desktop (labeled “A” in the image above).


Preventing Antivirus 2009 (and other infections) from infecting your system

  • Install a stand-alone firewall or activate the basic firewall included in Windows SP2 and Windows Vista. 
  • Practice safe browsing techniques. 
  • Exercise caution when opening email attachments.
  • Set up “automatic updates” for your operating system.
  • Keep your anti-malware product up to date.
  • Be sure the “active protection” feature is enabled on your anti-malware product.

Remove Antivirus 2009 using your anti-malware product:

  1. Open the primary interface for your anti-malware product.
  2. Update the signature files for your anti-malware product.
  3. Run a comprehensive computer scan (“full”, “complete”, “all drives”, etc).
  4. Remove threat using your anti-malware product.
  5. Reboot the computer.

Tips related to Antivirus 2009

  • Do not pay any money to Antivirus 2009 to “activate” the product.  If you pay the $40.00 requested, the threat will not go away, but they will happily take your money and the cycle of extortion will continue.
  • It is possible you can use System Restore to restore your computer to a previous, uninfected state.  To learn more about System Restore, go here.
  • If you do not see any of the visual aspects of this threat, but your anti-malware product tells you it was detected and can’t remove it, the problem could be System Restore archiving a copy of the threat; see my previous blog entry here.


Barack Obama wins and cybercrime too

Published: November 06 2008, 12:52 PM | no comments
by Rossano Ferraris

It was only a matter of hours after the election of Barack Obama as the new President of the United States of America before cyber criminals launched another malicious campaign on the web.
The anti-cybercrime research community has witnessed a huge spam campaign. The spam messages invite readers to watch a video of Barack Obama’s speech after his election.

The spam email looks like this:

The email contains a link to a malicious host serving a file called BarackObama.exe. Hmm, a video with an .exe extension, weird!
In truth, the file is a banking trojan; when launched, it drops further malware onto the victim’s machine and installs it in the %System% folder.
The malware is detected and blocked by CA security products, so our customers are protected from this threat.
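A small added example (not from the post or from CA) of the check a mail filter can make on lures like this one: it parses a message, extracts its URLs and flags any link whose path ends in an executable extension, escalating the verdict when the surrounding text promises a video. The message, host names and extension list are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Extensions a gateway would treat as directly executable (assumed list for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Words suggesting the lure is "media", so a download link ending in an executable is a mismatch.
MEDIA_WORDS = ("video", "speech", "watch", "movie", "clip")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample modelled on the lure described in the post; host and path are placeholders.
SAMPLE_SPAM = """\
From: news@example.invalid
To: victim@example.invalid
Subject: Barack Obama's victory speech - watch the video

Watch the full video of Barack Obama's speech after his election:
http://malicious-host.invalid/video/BarackObama.exe
"""


def body_text(msg: Message) -> str:
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload is not None:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def executable_links(text):
    """Return every URL whose path (query string and fragment ignored) ends in an executable extension."""
    hits = []
    for url in URL_RE.findall(text):
        path = url.split("?", 1)[0].split("#", 1)[0]
        if path.lower().endswith(EXECUTABLE_EXTS):
            hits.append(url)
    return hits


def classify_message(raw_message):
    """Return (verdict, executable_urls); 'media_lure_with_executable' is the case in the post."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    exes = executable_links(text)
    if not exes:
        return "clean", []
    if any(word in text.lower() for word in MEDIA_WORDS):
        return "media_lure_with_executable", exes
    return "executable_link", exes


if __name__ == "__main__":
    print(classify_message(SAMPLE_SPAM))
```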

Suggestions:

  • Immediately remove messages of this kind from your inbox
  • Update your security product to the latest malware definitions

By: Rossano Ferraris
Rossano Ferraris is based in Italy and is the functional lead of the Internet Security Intelligence team within CA’s Internet Security Business Unit (CA ISBU). His main objectives are to identify emerging and prevalent threats in order to provide strategic security responses to the internet security and...
