Monday, July 30, 2012

Windows and Snow Leopard: No More Safari Security Updates

To coincide with the release of Mac OS X v10.8 Mountain Lion, Apple also released the new Safari 6 Web browser (which comes with Mountain Lion) for OS X v10.7 Lion.

Not surprisingly, Apple did not release the new browser for Mac OS X v10.6 Snow Leopard, which was released 3 years prior to Mountain Lion and is now two major OS versions old.

However, what is surprising is that Apple did not release the Safari update for Windows, either. Nor did Apple release a security-only patch for the Windows or Snow Leopard versions of Safari 5.1 to close the 121 security vulnerabilities fixed in Safari 6.0.

This means that anyone still using Safari on Windows or Snow Leopard is unknowingly leaving their system vulnerable to exploitation and infection.

Read the detailed article I wrote for Sophos Naked Security for more information:

Where are the Safari security updates for Windows and Snow Leopard? Users left exposed

UPDATE, 7 Jan 2013: Apple has since released Safari 6.0.1 and 6.0.2, patching an additional 63 vulnerabilities. No corresponding security updates have been released for the Windows or Snow Leopard versions of Safari.

See also Is Apple Still Releasing Snow Leopard Updates?


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .

Wednesday, July 25, 2012

Windows Malware Found in iOS App Store

Yes, you read that headline correctly.

Yesterday it was discovered that a Windows worm was embedded inside an iOS application. The app, called "Instaquotes-Quotes Cards for Instagram," was available in the iOS App Store from July 19 through July 24. It contained two infected files:

Instaqoutes 1.0.ipa:Payload:Instaqoutes.app:FBDialog.bundle:FBDialog.bundle.exe
Instaqoutes 1.0.ipa:Payload:Instaqoutes.app:FBDialog.bundle:images:images.exe

This is unlikely to have caused any actual harm to anyone's systems given that iPhones and iPads can't run Windows programs, and any Windows user who may have downloaded the infected iOS app would have had to manually extract an .exe file and consciously decide to run it on his or her PC.

The most interesting part of this discovery is that it seems to indicate that Apple may not be scanning apps for viruses as part of its vetting process. Let's hope Apple adds this to the app approval checklist right away.

Please see my article at Sophos Naked Security for more details.

Meanwhile, Mac antivirus firm Intego reported yesterday that it had discovered new Mac malware, which the company dubbed OSX/Crisis (Sophos identifies it as OSX/Morcut-A). Intego said that as of yesterday, the malware had not yet been found in the wild.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .

Friday, July 13, 2012

Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam

A recent hack/spam/fraud campaign has recently been flooding the Internet with weight loss spam. I began investigating this on Tuesday night when a close relative's e-mail account was hacked.

On Wednesday, Sophos' Fraser Howard wrote up lots of details about this campaign on Naked Security. The article has lots of screenshots so you can see exactly what the e-mails, hacked sites, and spam sites look like.

If your e-mail account or Web site has been compromised, please read that article.

One side note before I continue: if you're using AOL Mail for your personal e-mail and you ever want to check it via the Web when connected to a public Wi-Fi network, don't. The current mobile version of the AOL Mail site does offer any option for securing the connection, and the non-mobile version isn't completely secure either. If you must use AOL for some reason, set up an e-mail application to connect to AOL's IMAP and SMTP servers over SSL/TLS using these instructions (it's even easier for iPhone, iPad, and iPod touch users).

In my opinion, though, you're better off switching to Gmail, arguably the most security-conscious personal e-mail provider, and enable two-factor authentication (and preferably configure it to text you at a different phone number than that of the device you're using to check your mail).

And no matter which e-mail provider you use, never check your e-mail or type any passwords at a public kiosk (such as those you might find at a library or hotel).

Anyway, back to the hack/spam/fraud campaign...

I collected information from a few different e-mails sent from my relative's hacked e-mail account and used this to begin my search. Google searches were immensely helpful in finding hacked Web sites.

In total I discovered 366 hacked sites that are currently hosting pages that usually redirect to fake Fox News sites with "articles" advertising an "HCG Ultra Drops" weight loss drug. The hacked domains hosted various files with any of 76 file names, and these files linked to about 30 fake news domains.

Those numbers are just the tip of the iceberg.

Every time I searched Google for another of the file names, I found more file names and more fake news domains. I only did comprehensive searching of Google for 11 out of the 76 file names before I had to force myself to call it quits (I do have a life, you know).

To any budding security researchers who may want to continue my work, here are the 76 file names I'm aware of, with Google links for each one. I thoroughly searched the first 11 (the ones with an asterisk):

jjllrt.html*, rehrt.html*, oelas.html*, dofpla.html*, efkcnsd.html*, lkdndrb.html*, mdnnka.html*, golrua.html*, dfgseg.html*, nvlauty.html*, rumyn.html*, xxxxt.html, xxklfd.html, cnmasd.html, llkdr.html, ttfbm.html, ggtero.html, owgle.html, uibjrq.html, tstx.html, dfgqp.html, rtvea.html, weelk.html, gjrhbd.html, pagnrk.html, upmfks.html, polmtn.html, xntsb.html, ollsn.html, jtosag.html, olgrus.html, olgruss.html, ghehgs.html, klang.html, lgkssa.html, ptmase.html, nsdlls.html, tyusa.html, sorrbn.html, fhgre.html, tttt.html, therpo.html, wpxml.html, eadfs.html, toshy.html, csndra.html, dfpois.html, uimnf.html, ollfje.html, doremj.html, mlllka.html, wrehge.html, jhglpd.html, llxsa.html, ppuds.html, otldcv.html, pscda.html, chopa.html, hslkgs.html, kmbre.php, oosdn.php, pprds.php, phnll.html, ssddl.html, xclrp.html, etropk.html, resus.html, pgflls.html, rldka.html, trifr.html, vbepo.html, gmolad.html, lgkesa.html, tjgey.html, toepr.html, vvert.html

If you manage any Web servers, be sure to check your servers for any file names like the ones above. If you find any evidence that your server has been compromised, don't merely delete the files. Assume the worst. Restore your server from a clean backup if possible, scan for rootkits and other malware (and get a second opinion, for example from Windows Defender Offline or another antivirus boot disc), change all passwords on the server (and be sure to use good, strong, long, and unique passwords; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages), disable any services you don't use, and make sure all the software on the server is up-to-date and has all the latest security patches.

Many of these files have at most a 14 out of 42 detection rate on VirusTotal (see the scan results for chopa.html, csndra sample 2, dfgseg.html, nvlauty.html, resus.html, rumyn.html, trifr.html, tstx.html sample 1, tstx.html sample 2). Avast, BitDefender, F-Secure, GData, Kaspersky, Norman, nProtect, and Sophos seem to offer pretty consistent detection of most files, and Antiy-ATL, Avira AntiVir, Comodo, Emsisoft, Fortinet, Ikarus, TrendMicro-HouseCall, and ViRobot have hit-or-miss detection, for these files under the following malware names:

HTML:Refresher-A, HTML:Refresher-A [Trj], HTML.A.Redirector.174, HTML.A.Redirector.176.D, HTML.A.Redirector.176.E, HTML.Refresher, HTML.Refresher!IK, HTML/Redirect.EM, HTML/Redirector.AM!tr, Redirector.FL, TROJ_GEN.RCBH1GD, TROJ_GEN.RFFH1G4, TROJ_GEN.RFFH1G5, Troj/Redir-O, Trojan.HTML.Redirector, Trojan.HTML.Redirector!IK, Trojan.HTML.Redirector.AI, Trojan.HTML.Redirector.am, Trojan/HTML.Redirector, UnclassifiedMalware, W32/Redir.O!tr

Note that many popular anti-virus vendors, including but not limited to AVG, ClamAV, Dr.WEB, McAfee, Microsoft (Security Essentials, Forefront), Symantec (Norton), and Panda (Cloud Antivirus), do not currently detect the redirection files as malicious.

If a victim browses to one of these pages, it will briefly display a message before redirecting, usually "You are here because one of your friends have invited you. Page loading, please wait...."

I came across one file (trifr.html) with a different message: "You are here because one of your friends have invited you to try our FREE TRIAL!!! Page loading, please wait...." This page redirected to a site advertising the weight loss drug, but this time it wasn't a fake Fox News site (see the last domain in the list below).

Following are the 30 fake news domains. The five with an asterisk are actually fake "7 Money News" sites with the headline "Work At Home Mum Makes $10,397/Month Part-Time" rather than fake Fox News sites with a headline of "HCG Ultra Drops to Help Your Weight Drop" like the first 25. The 31st domain listed below just advertises the weight loss drug without a fake news motif, but it was also linked from one of the files listed above. Note that these links lead to the Web of Trust reports, not the spamvertised domains themselves:

cbns24.com, cnm-story.com, e-nbcnews.com, estory24.com, fxhtm.com, fxnwsw.com, hcg-news-html.com, health-news24.com, istory24.com, msb-article.com, msbcn-story.com, msnbc-html.com, nbcws24.com, nbsn24.com, nbsw24.com, new-article24.com, new-story24.com, news-article24.com, news-story24.com, news861.com, news981.com, newsfxhtml.com, nmbs24.com, online-article24.com, online-story24.com, blognewsguide.ru*, weeknewssite.ru*, allhotinfo.net*, goodnewschannels.com*, jobnewssite.org*, nopfo.ru

Here are the 366 hacked domains that are currently hosting one or more of the files listed above. Again, these are links to Web of Trust reports, not the hacked domains themselves:

00host.com.ar, 1in0.com.hk, 2lava.com, 904.gr, acetocaustin.bg, adagma.cz, adcv.co.za, adultblogfriend.com, adventureparts.pl, advimp.clanteam.com, agenziaideaimmobiliare.com, agitadf.com, aidafrozen.com, aietnrt.in, aikidomurskasobota.com, airjamaicacheaptickets.com.jm, akssas.com, aladenise-demezicq.fr, alfader.es, alians-chemicals.rs, ancos.es, aoleitechocolateria.com.br, archlabs.net, argentinetangousa.com, arimaheena.com, artemfurniture.com, artfarce.co.uk, arunmathews.com, assignmentmanager.com, ayurvediclife.in, bag-iw.com, barcello.xf.cz, batanghari.net, baz.cl, bestplugs.com, betterpractice.athost.net, bfab.writerbin.com, bickmart.com, bid4hunting.com, bigmoemedia.com, bizgramonline.com, bizsuccess.co.za, bkmlsz.hu, blue-raincoat.com, bootvets.co.uk, bosch.opole.pl, bukat.pl, bumireksa.com, bworldnepal.com, caodangnghekg.edu.vn, car.galaxyconnections.com, carey.cl, cas.co.id, cbspevc.com, centrum-narzedziowe.pl, ceynet.com, chanfainita.com, chicas-con-cam.com, chinnies.nl, cipa.uem.br, cityspots.ro, ciudadcamiseta.com, cmi7.fr, coamalaga.es, columbus-i.com, coracyt.gob.mx, corsaracingteam.com.ar, cosmeticsurgery-thailand.com, csivietnam.com, customcar.fr, cztorrent.tym.cz, d155415.si32.rehost.co.il, da-marcello.eu, darzgrzyb.nazwa.pl, daser.gr, dav14gurgaon.org, dawidadesign.cba.pl, dazzle-fashion.nl, deepikainfratech.com, demo.aragorn.in, dfvisions.com, dialogv.coeus-solutions.de, diplomat-c.com, diyanetvanegitim.gov.tr (a Turkey government domain... whoops), dmn.rs, donaueinkaufszentrum.com, dottystylecreative.com, drevovyrobafiala.ic.cz, dropyourtalent.com, dsconsulting.cba.pl, dtc.com.kw, dual-sport-gaming.com, dulachotel.gr, dulichquoctehanoi.com, edicionescuevacarrionabogados.com, educareseguros.com.br, efesertekstil.com, eicorp.rs, ela2006.com, elpais.co.cr, embassyinnbd.com, emka.xaa.pl, en.bakai.kg, endamhotels.com, espera2000.de, estalagemdonpablo.com, estudiopuntocaiman.com, etaton.com, exemplar.it, extuned.com, falcon07.com, fan.org.ec, fcdl-rs.com.br, ferrysirait.web.ugm.ac.id, figarobuilders.com, files.karamellasa.gr, firmaquick.com, fittedkitchens-rotherham.co.uk, furnituremerchants.co.za, galaxyconnections.com, galeriehk.cz, genwest.com.cn, glenwoodmicro.com, goldcoastmarine.com, gourmetservicesinc.com, gtoil.com.br, guerrillapro.com, gulfmatesolutions.com, gym-sprossenwand.de, hafidabdeddaim.eu, hamidashirakuen.web.fc2.com, hazipvc.com, hearthpatio.com, heatexinfotech.com, helicopeter.at, hi-tektraining.com, holpnet.com, hostsecureserver.com, hotelinkingstonjamaica.com.jm, hulibuli.com, ic-argentina.com.ar, id7ak.com, idesign-london.co.uk, ids.co.id, ifldubai.com, ikatdoo.com, image.athanael.com, indiapropertyratings.com, infoardis.com, inmotion.com.mx, insearchofwealth.com, institutoresearch.com.ar, investors-europe.com, ishanusa.com, islamlecture.com, itwfinishing.com.cn, jandsarchitects.com, janhaviconstructions.com, jannuslive.tv, jeanpaul.ca, jeanveer.pl, jedynka.zgora.pl, jeugdennatuurmaasbree.nl, jlinox.com.br, josmutsaers.nl, jponcet.net, junjun4416.web.fc2.com, kassor.com, kekavasprojekts.lv, kenyarad.com, kikkoman.com.cn, kmdcompany.com, kobesweetsfarm.ciao.jp, kpoli.com, kpp-test.xf.cz, krystynagoss.pl, laboratoriosantalucia.com, laboratoriowasser.com.ar, lackliebhaber.de, ladycroft-tuning.webzdarma.cz, lammasrl.com, larecredescavaliers.fr, lasal.com, link-scotland.co.uk, ljhproperty.com, lordelmusique.com, loreal.cat, ltamarketing.com, lyricgroup.com.bd, maapro.it, macafe.com.mx, magazynboom.com, magzimpel.com, makscafe.com, mal.ba, malteseclock.com, maquettes.alteo.fr, marhefka.najlepsza.pl, markaolustur.com, mbhsband.com, mdpighana.org, mediamodedesign.com, medikumokymai.lt, medioscomunitarios.org, mejores-webcams.com, meljin.co.za, merapublications.com, meremichele.com, metrostartech.com, mfaraj57.dreamoem.net, mgttransport.com, minauto.com.br, miroloinmobiliaria.com.ar, mixman.wifiwork.net, mobo.cn, modular-infotech.com, montmartreartstudio.com, morepix.de, muhibbah.com, multiintegra.co.id, munjiza.com, mvch.co.uk, mybandar.com, myreclinershop.com, naphthachem.com, naszsochaczew.pl, nationalinjuryadviceline.co.uk, navitrolla.ee, neoproyectos.com.ar, networkingquotient.com, newdigm.com, nicolassiah.com, night-skies.fr, norfaiz.com, nuovo.fiadic.it, offshoregamedevelopment.com, oknomax.home.pl, okutanmaden.com, omr.co.in, omshantiinfotech.in, onoil.cn, orixe.org, oudeboeken.be, ourgreen.co.th, ozbekhacimalzemeleri.com, pandaro3.web.fc2.com, paweldrag.cba.pl, pedronassif.com.br, peet.pl, pennystockmania.com, per-modum.home.pl, percsizoltan.hu, photographie-der-sinnlichkeit.de, phototopoparts.com, pneumatica.com.pl, polart.asso.fr, portalsolucoeste.com.br, practicumecheyde.comlu.com, promo-bon.be, promo-mailing.com, propaganda.civ.pl, propetrol.com.do, prosystem.home.pl, pslcnp.pl, putricinta.com, quickfix.uuuq.com, quintaalemar.com, redesistemas.com, redlayerproduction.com, resalahnet.com, revistaxalapan.com, ristorantezummohren.de, rizjayasejati.com, robbertschipper.nl, rockinchiado.com, rojam2u.biz, rotexmalhas.com, rotinagroup.com, rowerychrzanow.pl, rsdeltasurya.com, rus.ctn.com.kg, sacramentotherapy.com, saintbernadettechurch.com, saintfrancisfoundation.org, saudi-dev.com, savak.com.tr, saykus.info, schyzosoft.net, sengteck.com, senioridependencia.com, sfterezaiasi.cnet.ro, sg-instruments.com, sgshow.com.br, shoutcamp.com, showbit.info, shreeguruvision.com, shuqunsec.demellows.com, simonjarvis.customer.netspace.net.au, simrad.es, sipafilm.com, sitecr.com, skynetplus.it, smitche858.startlogic.com, sniglobal.net, sommeiller.it, sosamazon.org, sotb-orlando.com, spanishbarfinders.com, spc.lt, spniedrzwicad.h2.pl, spp2007.com, starcraft2guidetowin.com, stcogroup.net, steakhouse-amigos.nl, steeltrademart.com, studiorancangimaji.com, subaa.com, sugb.sakura.ne.jp, sutbirligi.org, svf.net.in, swat.belasanet.sk, swolfgang.de, tafa2004.com, tamsat.org.tr, teday.org, templocalvario.com.uy, terapiadebiomagnetismo.com, theinformedpatient.in, thependulumgrp.com, thet.com.ar, thetouchband.com, tompix.se, totalguestlist.com, travestiscam.net, tresena.x-br.com, triathletevolution.com, trimasonline.com, trylonhotel.com, tus-favoritos.com.ar, twotart.com, uniteck.net, universaltours.in, v002470.home.net.pl, v046809.home.net.pl, v093272.home.net.pl, valquiriavisual.com, vandeghen.be, vertex.mc, virtuasolution.com, vistacooperative.org.np, viziteazasitu.ro, vnkhomeshopping.com, vosbelastingadvies.nl, vresinskastrz.ic.cz, vyapin.com, vyapin.com.cnchost.com, wellsite.altervista.org, windowcare.org, windsor.co.th, woolcloth.com, worldchem.com.ec, worldwinnerz.com, wreeec2011bali.com, xploreseo.com, yercaudhotels.com, zccom.com.cn

It's clear looking through this list that very few locales and types of organizations have been spared from attacks by this hack-and-spam campaign. Churches, porn sites, government sites, and more have been compromised. You'll notice a surprising number of TLDs in there as well, representing a huge variety of countries and cultures (for example: .ar, .au, .ba, .bd, .be, .bg, .br, .ca, .cl, .cn, .cr, .cz, .de, .ec, .ee, .es, .eu, .fr, .gr, .hk, .hu, .il, .in, .it, .jm, .jp, .lt, .lv, .kg, .kw, .mc, .mx, .nl, .np, .pl, .ro, .rs, .sk, .th, .tr, .uk, .uy, .vn, .za, and even .cat).

Again, I recommend reading the Sophos article about this hack/spam/fraud campaign for additional tips on how to protect your e-mail accounts and Web servers.

UPDATE, 14 July 2012: I've added anti-virus detection information for some of the redirect files. I also added details about the messages displayed momentarily before a page redirection occurs.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .

Sunday, July 1, 2012

On Mac and iOS Security, a Twitter Hack Epidemic, and Bindaas Spaces Spam

Here are links to a few articles I wrote recently for Sophos' award-winning blog, Naked Security, that I haven't mentioned yet on the JoshMeister on Security.

After the Sophos article links and descriptions, keep reading for some tidbits about the Bindaas Spaces spam group and more.
  • How secure are Apple's iPhone and iPad from malware, really? (29 June 2012)
    In the five years since the first iPhone was released, there has never been a serious known case of iOS malware on an non-jailbroken device.
    But should users really be congratulating Apple for iOS devices' apparent security?

      
    I wrote this article in response to a recent tweet from F-Secure's CRO, Mikko Hypponen:
      

  • Do the Mac App Store and Gatekeeper provide sufficient protection? (21 June 2012)
    Apple is pushing its users more and more to download apps from the Mac App Store. But what happens if the software on the Mac App Store is less secure than non-App Store versions?
      
    The article mentions (among many other things) that Apple is dragging its feet at approving the recent security update for Opera. The browser has now been outdated in the Mac App Store for over 2 weeks and counting; Apple has yet to approve 11.65.
      

  • Twitter account hack epidemic - Don't fall for "CNBC" spam! (20 June 2012)
    Throughout the month of June, Twitter accounts have been getting hacked and have subsequently been sending spam that links to fake CNBC news articles. Be cautious about links in direct messages or tweets, even if they're sent from a friend's account!
Bindaas Spaces spam still persists
I just updated my article about the Bindaas Spaces spam group based in India. Yep, they're still in operation after no less than 5 years of sending spam and refusing to let people opt out. Unfortunately, their operation doesn't seem to be big enough to get much attention, so I've been one of very few people trying to bring their activities into the public spotlight.

Here are the Web of Trust reports for the two domains I just added:
The company being advertised calls itself "Abhinav Institute of Technology & Management," and it claims to offer degrees and certificates. However, the site does not say anything about its accreditation status, which implies it is not accredited.

Oddly, the site's only contact information is a Gmail address. There's nothing wrong with Gmail; I strongly recommend it for personal e-mail accounts because its focus on security is unrivaled. However, companies should really have e-mail at their own domain in order to look professional. (If nothing else, they can use Google Apps for Business which gives them all the benefits of Gmail and more, but with their own domain in their e-mail addresses.)

Between engaging in blatant unsolicited spam, lack of accreditation acknowledgement, and unprofessional contact information, this supposedly degree-granting "institute" and its site are devoid of credibility.

How to Preview Shortened URLs: More interesting than LOST, apparently
On a more personal and lighthearted note, I just discovered that my popular article on How to Preview Shortened URLs (which I originally wrote in 2009 and updated again in June) has nearly as many pageviews as my entire LOST blog, which I thought was fairly popular back when the TV show was on the air.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .