A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

Fans of the movie series “Alien” will recognize the name Weyland-Yutani as the fictional corporation that was sent ahead to establish habitable bases and dwellings on extrasolar planets in advance of the arrival of new human colonies. If this crimekit takes hold, or is an indicator of a broader interest in attacking Mac users, we could soon witness cyber crooks starting to colonize the Mac user community as well. The author of this Mac crimekit said he knows of several other independent coders who are working on Mac malcode projects that aren’t quite ready for prime-time, although he declined to elaborate on that claim.

Each time this subject comes up, I am struck by how fervently the Mac community denies that Mac users might ever have to deal with anywhere near the level of malware that currently besieges the Windows world. The Mac, these apologists explain, is far more secure than Windows, and that is why we have not seen malware writers attack the platform with the same vigor and interest. As one commenter on this blog reasoned, OS X simply doesn’t allow programs to be installed without user permission. My response is, assuming for the moment that the above statement about the Mac’s superior security is true, the operating system does nothing to stop the user from being tricked or cajoled into installing malware. What’s more, social engineering attacks are one of the primary ways that Windows users get infected today, so why would it be any different for Mac users?

Consider the scourge of rogue anti-virus attacks: Each day, thousands of Windows users are tricked into running and installing a bogus security “scanner” foisted on them by some hacked Web site. The attackers’ goal with these “scareware” muggings is to not only trick the user into installing malicious software, but also paying for it with their credit cards!

Image courtesy Intego.com

Earlier today, MacRumors.com carried a story about a new threat discovered by Mac security software vendor Intego that uses social engineering in a bid to install scareware known as “MACDefender.”

The nice thing about social engineering attacks is that defending against them doesn’t require buying or installing some type of security software. As I noted in a column last week, it merely requires the user to accept the notion that “security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.”

Researchers have discovered that dozens of Web sites are using simple Javascript tricks to snoop into visitors’ Web browsing history. While these tricks are nothing new, they are in the news again, so it’s a good time to remind readers about ways to combat this sneaky behavior.

The news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.

This reconnaissance works because browsers display links to sites you’ve visited differently than ones you haven’t: By default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks to see if your browser displays links to specific URLs as purple or blue.

These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise: A lawyer for two California residents said they filed suit against one of the sites named in the report — YouPorn — alleging that it violated consumer-protection laws by using the method.

As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack.  Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web  site developers to query whether site visitors had previously visited up to 50 specific URLs.

The Center for Democracy & Technology noted in March that another company called Tealium has been marketing a product taking advantage of this exploit for nearly two years.  “Tealium’s “Social Media” service runs daily searches of a customer’s name for news and blog postings mentioning the customers, and then runs a JavaScript application on the customer’s site to determine whether visitors had previously read any of those stories,” CDT wrote. “The service allows Tealium customers a unique insight into what sites visitors had previously read about the company that may have driven them to the company’s Web site.”

If you’d like see this history sniffing technique in action, check out this blog post (from 2008) and click the “Start Analyzing My Browsing History” button about halfway down the page. That site also will try to guess whether you’re a man or a woman by indexing the sites it finds against the Quantcast Top 10,000 sites. It guessed that there was a 99 percent likelihood I was male (phew!), but your mileage may vary.

Fortunately, the browser makers (most of them) have responded. These sniffing attacks — such as the proof-of-concept I linked to above — do not appear to work against the latest versions of Chrome and Safari.  Within Mozilla Firefox, these script attacks can be blocked quite easily using a script-blocking browser plugin, such as the Noscript add-on.

Mozilla addressed this history-sniffing weakness in a bug report that persisted for eight years and was only recently corrected, but the changes won’t be rolled into Firefox until version 4 is released. As a result, current Firefox users still need to rely on script blocking to stop this. Internet Explorer currently does not have a simple way to block scripts from within the browser (yes, users can block Javascript across the board and add sites to a whitelist, but that whitelist lives several clicks inside of the IE options panel).

In its largest patch push so far this year, Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it. Separately, Apple has shipped another version of Safari for both Mac and Windows PCs that plugs some four dozen security holes in the Web browser.

Microsoft assigned three of the updates covering seven vulnerabilities a “critical” rating, meaning they can be exploited to help attackers break into vulnerable systems with no help from users. At least 14 of the flaws fixed in this month’s patch batch are in Microsoft Excel, and another eight relate to Windows and Internet Explorer.

According to Microsoft, the most serious of the bugs involves a weakness in the way Windows handles certain media formats, and is present in all supported versions of Windows. Another critical update nixes six different insecure ActiveX controls (plug-ins for Internet Explorer), while the third critical update corrects at least a half dozen vulnerabilities in IE.

Microsoft notes that Office XP users may not be able to install one of the needed updates; Rather, Redmond is releasing what it calls a “shim,” or essentially and point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.

The Microsoft patches are available through Windows Update or via Automatic Update. As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.

Apple’s Safari 5.0 update fixes at least four-dozen security vulnerabilities in Safari on Mac OS X and Windows versions. Updates are available for Mac OS X v 10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.

Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software. That post generated tremendous public interest because it offered a peek at the statistics page that normally only the criminals operating these kits get to see. I’m revisiting this topic again because I managed to have a look at another live Eleonore exploit pack panel, and the data seem to reinforce a previous observation: Today’s attackers care less about the browser you use and more about whether your third-party browser add-ons and plugins are out-of-date and exploitable.

Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly every one in ten visitors.

As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because of they were running an outdated version of Java.

Nearly one-third of all successful attacks from this Eleonore kit leveraged flaws in older versions of Adobe’s PDF Reader. People often scoff when I recommend an alternative to Adobe for displaying PDFs, saying that criminals can just as easily target security vulnerabilities in those applications, which ship far fewer security updates than Adobe. That may be true, but I haven’t seen much evidence that hackers are going after flaws in non-Adobe PDF readers at any appreciable or comparable level. Incidentally, if you use the free PDF reader from Foxit, an Adobe alternative I’ve often recommended, you should know that Foxit recently shipped a new version — v. 3.31 — that includes security improvements.

I also found this time around similar percentages of exploit victims among those surfing with different versions of Internet Explorer. With this Eleonore kit, more than one-third of those who visited the exploit site with IE6 were loaded with malicious software. The Eleonore admin panel reported that more than 12 percent of IE7 users and 20 percent of IE8 surfers visited and subsequently were infected with malware. The prevalence of IE users among the victims may be due in part to the fact that half of the exploits used by this particular kit target IE security holes.

Annoyingly, this Eleonore admin page doesn’t resolve one of the open questions I heard most frequently after my last story on Eleonore: Where are all the Firefox victims? I still don’t have a decent answer to that puzzle, but I do have a couple of guesses. For one thing, unlike the last Eleonore kit I examined, this one does not include an exploit specifically for Firefox. It’s also possible that these kits are detecting Firefox visitors as users of some other browser (the report indicates, for example, that 15 percent of Google Chrome users browsing with version 4.1 were successfully attacked). Whatever the reason, it seems highly unlikely that all of the nearly 5,600 Firefox users who visited the exploit sites detailed here escaped unscathed.

Anyway, below are the stats, which start with those of Chrome and Firefox visitors:

…more Firefox stats and then IE, Opera and Safari…

Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.

This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.

In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.