Posts Tagged: f-secure


28
Sep 11

Inside a Modern Mac Trojan

Mac malware is back in theĀ  news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.

Image courtesy F-Secure.

F-Secure said the Mac malware, Trojan-Dropper: OSX/Revir.A, may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it. Aquilino said the sample is a plain Mach-O binary — which we’ll call “Binary 1”, that contains PDF file and another Mach-O binary (Binary2). Mach-O, short for Mach object, is a file format for executable files on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes and downloads the third binary, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.

“All of this happens without the user needing to input their password,” Aquilino said.

Continue reading →


8
Aug 10

Foxit Fix for “Jailbreak” PDF Flaw

One of the more interesting developments over the past week has been the debut of jailbreakme.com, a Web site that allows Apple customers to jailbreak their devices merely by visiting the site with their iPhone, iPad or iTouch. Researchers soon learned that the page leverages two previously unknown security vulnerabilities in the PDF reader functionality built into Apple’s iOS4.

Adobe was quick to issue a statement saying that the flaws were in Apple’s software and did not exist in its products. Interestingly, though, this same attack does appear to affect Foxit Reader, a free PDF reader that I often recommend as an alternative to Adobe.

According to an advisory Foxit issued last week, Foxit Reader version 4.1.1.0805 “fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.” If you use Foxit, you grab the update from within the application (“Help,” then “Check for Updates Now”) or from this link.

Obviously, from a security perspective the intriguing aspect of a drive-by type jailbreak is that such an attack could easily be used for more nefarious purposes, such as seeding your iPhone with unwanted software. To be clear, nobody has yet seen any attacks like this, but it’s certainly an area to watch closely. F-Secure has a nice Q&A about the pair of PDF reader flaws that allow this attack, and what they might mean going forward. Apple says it plans to release an update to quash the bugs.

I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike. It’s not quite a “featureability,” which describes an intentional software component that opens up customers to attack even as the vendor insists the feature is a useful, by-design ability rather than a liability.

I came up with a few ideas.

– “Apptack”

– “Jailbait” (I know, I know, but it’s catchy)

– “Freedoom”

Maybe KrebsOnSecurity readers can devise a better term? Sound off in the comments below if you come up with any good ones.

Finally, I should note that while Adobe’s products may not be affected by the above-mentioned flaws, the company said last week that it expects to ship an emergency update on Tuesday to fix at least one critical security hole present in the latest version of Adobe Reader for Windows, Mac and Linux systems.

Adobe said the update will fix a flaw that researcher Charlie Miller revealed (PDF!) at last month’s Black Hat security conference in Las Vegas, but it hinted that the update may also include fixes for other flaws. I’ll have more on those updates when they’re released, which should coincide with one of the largest Microsoft Patch Tuesdays ever: Redmond said last week that it expects to issue at least 14 updates on Tuesday. Update, Aug. 10, 5:06 p.m. ET:Adobe won’t be releasing the Reader update until the week of Aug. 16.


3
Aug 10

Anti-virus Products Mostly Ignore Windows Security Features

I recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines of defense built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

Continue reading →


20
Jul 10

Adobe: ‘Sandbox’ Will Stave Off Reader Attacks

Adobe Systems Inc. said today the next release of its free PDF Reader application will include new “sandbox” technology aimed at blocking the exploitation of previously unidentified security holes in its software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

“The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

Continue reading →


29
Mar 10

Removing Viruses from a PC That Won’t Boot

One of the more common questions I hear from readers with computer virus infections is, “How do I get rid of a virus if I can’t even boot up into Windows to run an anti-virus scan?” Fortunately, there are a number of free, relatively easy-to-use tools that can help on this front.

The tools in this review are known as a “rescue CDs.” These are all free, Linux-based operating systems that one can download and burn to a CD-Rom. Once you’ve configured your PC to boot from the CD you’ve just burned, you can use the CD to scan your hard drive, and — depending on the type of rescue CD you choose — even copy files to a removable drive.

Continue reading →


17
Jan 10

Tough Talk from Those Who Hide

It is said that you can judge the mettle of a man by the quality of his enemies. So I guess it should be flattering when a group of individuals who appear dedicated to making misery for countless Internet users express glee at what they perceive as my misfortune.

Since my final posting on The Washington Post‘s Security Fix blog last year, I’ve been made aware of several discussions among different shadowy online groups who were apparently celebrating the end of that blog.

Some of those conversations I am not at liberty to point to here, but at least one of them is public: A thread on crutop.nu, a 8,000 member Russian language forum dedicated to Webmasters who specialize in high-risk Web sites, including rogue anti-virus software sales, pharmacy sites, and all manner of extreme porn (including beastiality and rape).

Continue reading →