Research and musings on malware and other facets of computer and online security
Saturday, October 29, 2011
More Mac Malware, DroidSheep, and Opera
Mac malware is on the rise.
On September 23rd, an incomplete Trojan horse for Mac that disguises itself as a PDF was submitted to VirusTotal (possibly to test which vendors if any would detect it), and VirusTotal in turn redistributed it to antivirus vendors (see the F-Secure and Sophos blog posts).
Just three days later, on September 26th, Mac anvirus vendor Intego released a report about a new piece of malware that had been discovered in the wild by a single user, this time an actually functional Trojan purporting to be an Adobe Flash Player installer. This Trojan is fairly believable, in part because new Macs no longer ship with Flash preinstalled. Sophos later reported that the malware "could allow a remote hacker to gain access to your computer or download further malicious code to your Mac."
A few weeks later on October 19th, F-Secure discovered a new version of this so-called "Flashback" Trojan that destroys Apple's XProtect.plist updating mechanism, preventing Mac OS X's built-in malicious download definitions file from being able to update automatically by deleting the actual updater app from the hard drive.
As Sophos pointed out, Apple's CoreTypes/XProtect system provides only rudimentary protection against malicious downloads, and does not provide most of the functionality or protection offered by actual antivirus software. In my experience it always seems to be woefully outdated, and even if it were up-to-date it would still only provide extremely limited protection against files downloaded with certain applications like Mail and Safari. Unfortunately most home Mac users don't run any antivirus software, believing that it's unnecessary because "Macs don't get PC viruses" as Apple's marketing campaign hammered into TV viewers' heads a handful of years ago—and as Apple still ambiguously claims on its "Why you'll love a Mac" page.
Four days ago, this past Tuesday, October 25th (merely six days after the XProtectUpdater-deleting Flashback variant was discovered), ESET and Sophos reported that the Linux backdoor Trojan "Kaiten" had been ported to the Mac. Dubbed "Tsunami," it can be used by remote attackers to initiate a flood of traffic (a distributed denial of service or DDoS attack) to any target host on the Internet. Two days ago, ESET and Sophos reported on the discovery of an updated version of Tsunami.
After all that, you'd think there couldn't possibly be more Mac malware news this month, right? Sorry, no such luck.
This morning Sophos blogged about a new piece of Mac malware being distributed through BitTorrent (bundled with the legitimate Mac app GraphicConverter). This malware is called OSX/Miner-D or "DevilRobber," and much like various types of Windows spyware it slows down your machine, takes screenshots of what you're doing, steals your usernames, passwords, browsing history, and Bitcoin wallet if you have one, and more. Part of the reason it slows down your Mac is that it uses your processor cycles to try to generate new Bitcoins (if your unfamiliar with Bitcoins, you can refer to Security Now! episode 287 - video, audio, transcript - for more info).
If you had any lingering notion that Macs don't need antivirus software, I hope at this point you'll be convinced that additional protection is a good idea. I strongly recommend to my clients and friends who use Macs to install antivirus software, whether a commercial product like Intego VirusBarrier or a free product like Sophos Anti-Virus for Mac Home Edition (which I reviewed in the January 2011 issue of MacTech Magazine). I prefer Sophos because it's free for home use and there's no yearly cost to keep your definitions up-to-date, but if cost is not a concern for you (or you need antivirus protection for small business Macs), Intego may also be a good choice because the company specializes in Mac malware research. For Macs in enterprise, there are various remotely manageable antivirus solutions as well.
Firesheep is still out there. And now so is DroidSheep.
Hey, remember Firesheep? I'vementioned it before a couple of times. Well, it's still around, it's been downloaded roughly 2 million times, and many companies still don't seem to be too concerned about how easy Firesheep makes it for anyone to hijack user sessions and gain access to accounts of anyone on the same public Wi-Fi network (or private, WEP-"secured" network). When it was originally released, Firesheep sparked a firestorm of controversy and forced several major sites including Twitter and Facebook to improve their implementations of SSL/TLS. Although Firesheep has been available for just over a year now, many sites—including some major ones that deal with sensitive personal information—have done little or nothing to improve their security.
Last month, Kaspersky Lab reported on its Threatpost blog that Firesheep has a new portable cousin for Android. Known as DroidSheep, the app takes Firesheep a couple steps further than its original incarnation. First, it attempts to use DNS spoofing to make it work on WPA and WPA2 Wi-Fi networks. Second, it has a "generic mode" which allows an attacker to "see all cookies and capture more accounts" rather than being limited to recognizing a list of sites with handlers written specifically for each one.
In some cases, the worst an attacker can do after hijacking an account via Firesheep is to mess around with settings. Alltop, a news aggregation site, recently launched MyAlltop, a simple service that allows users to share their favorite news sites with others. I pointed out to Alltop co-founder Guy Kawasaki that the site's implementation lacked SSL/TLS encryption and I verified that it was vulnerable to Firesheep hijacking. I further explained that this meant an attacker could add or delete the news sites in a victim's public listing, either as a prank or an attempt at character assassination, for example to make it appear that an Alltop user supports political or social issues that they may be totally against. The biggest targets would be Alltop's list of Internet celebrities who regularly attend conferences where there's public Wi-Fi. Guy responded that "it's probably not a big problem" because people probably won't edit their MyAlltop settings very often, but I would argue that they may still have a browser tab from alltop.com open and may have never logged out, which would leave them vulnerable. Guy may be right that the attack scenario is too limited for most would-be hackers to be interested in messing around with other people's Alltop accounts at conferences. As for me, I would still prefer the peace of mind of having all the sites I use—even the less-critical ones—encrypted end-to-end whenever I'm logged in.
Certainly, potential Firesheep attacks on Alltop users are at the "mostly harmless" end of the attack spectrum. What about sites at the other end of the spectrum?
I'm currently working with a major company everyone knows—a past Fortune 500 company—that has been completely negligent about handling the Firesheep problem even though it seriously impacts the privacy, security, and personal safety of millions of people. As of right now I'm still in private discussions with the company trying to get them to fix their site security, but I may share more about this specific case in the future.
Opera is outdated in the Mac App Store. Again.
I don't know whether I should find this more amusing or disappointing, but once again Apple's Mac App Store is distributing an outdated and insecure version of the Opera browser. The pastseveraltimes that Opera Software has released security updates for its browser, the new version hasn't made it to the Mac App Store until after I have personally contacted Apple and Opera to report the issue. (I'm not quite sure why it's incumbent upon me to remind them to do their jobs.) You might think that by now they'd have the process figured out and would start releasing the Mac App Store version simultaneously with the version on Opera's site, but sadly such has not been the case.
This time, on October 19th—ten days ago—Opera 11.52 was released, yet again fixing a vulnerability that Opera Software says is of "Critical" severity. I've been extremely busy with my Ph.D. program the past few weeks, so I haven't had the opportunity to remind Apple and Opera to update the version in the Mac App Store, and as of today, 11.51 is still the latest version available for download. I'm kind of curious how long it will take them to discover the problem on their own. UPDATE: Version 11.52 was added to the Mac App Store in the early hours of November 1st. Given the timing in relation to when this article was published (just over 48 hours apart), I suspect that either a reader tipped off Apple and/or Opera about this or an employee from one of the companies took notice.
As always, I advise users of Opera for Mac to download it directly from the Opera site at http://www.opera.com/download/ — and make sure you download other free applications directly from their respective developers' sites, too.
the JoshMeister (Joshua Long) is a computer security researcher from Southern California. He has a Master of Information Technology degree concentrating in Internet Security, and he has also taken doctorate-level coursework studying Business Administration and Computer and Information Security.
For more than a decade, Josh has been reporting spam, phishing scams, malicious or infected sites, and undetected malware samples to help protect others online.
To contact Josh, simply leave a comment on this site; all comments are moderated, so you can leave a private message this way. For confidentiality, you may encrypt your message with Josh's PGP key.