Monday, December 27, 2010

Fake Codec Malware Sites: tv-world-online, etc.

I recently viewed an old YouTube video produced by SophosLabs back in January 2010 (nearly a year ago). I took note of the domain where this malware was found, and out of curiosity I checked to see whether the site was still online. To my surprise, it was. Here are some of my findings:

Every page of the site (tv-world-online .net) was linking to fake codec malware in very deceptive ways. The domain hosting the malware changed at least once or twice per day, and the malware hosted on these servers was modified to have a different MD5 checksum about as often. In each case the file name was "install_ActiveX.45171.exe". I collected as many samples as possible, submitting each variant to major antivirus companies that were not yet detecting it, and rating each page on Web of Trust to help protect other WOT users (WOT is a browser add-on for major browsers that helps protect users from potentially harmful sites, and it uses a community rating system that is usually very reliable).

Variants of this fake codec malware are known by many different names. The last sample I obtained is detected under the following names (currently 35/42 detection rate according to VirusTotal):
FakeAV.GPF, Generic.dx!vgs, Heuristic.BehavesLike.Win32.Downloader.H, Mal/EncPk-NS, MalCrypt.Indus!, Malware-Cryptor.Limpopo, Packed.Katusha.ase, Packed.Win32.Katusha, Packed.Win32.Katusha.o, Packed/Win32.Katusha.gen, Suspicious file, TR/Shakat.O.333, Trojan.Agent/Gen-Fraudera, Trojan.DL.Renos!al/DlyrO68M, Trojan.DownLoad2.19095, Trojan.FakeAV, Trojan.FakeAV!gen29, Trojan.Generic.KD.90926, Trojan.Katusha.o, Trojan.Win32.Generic.52530514, Trojan/W32.Agent.212992.JV, TrojanDownloader:Win32/Renos.MJ, VirTool.Win32.Obfuscator.hg!b1 (v), Virus, W32/Codecpack.700D!tr, W32/Obfuscated.M, W32/Renos.A!Generic, Win-Trojan/Agent.212992.VL, Win32:MalOb-EA, Win32/Renos.D!generic, Win32/TrojanDownloader.FakeAlert.BBT
Here are WOT reports for several affiliated domains:
Although the tv-world-online domain does not currently appear to be online, it appears that the domain has not actually been shut down, so it may become active again eventually.

On a different subject, I want to let my readers know that I recently updated a couple pages on this site: the Bindaas spam site listing and the page on how to manually preview shortened URLs.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Monday, November 15, 2010

"DHL Services" Scam E-mail with Oficla Malware Attachment

Scammers are once again trying to trick innocent victims into opening an attachment containing malware. I first told you about fake DHL e-mails containing evil attachments in October 2009, a similar scam claiming to be from UPS a year ago, and within the past month I've reported on two more malware-laden scam e-mails claiming to be from UPS/USPS and FedEx.

My regular readers know the drill by now.  DHL and other shipping companies won't send you attachments containing information, tracking numbers, or shipping/mailing labels. If you get an e-mail claiming to be from such a company that invites you to download an attachment, delete the e-mail; it's a fake, and its attachment could harm your computer. So far these attachments have all been Windows malware, so if you're a Mac user, you're more likely to be immune, but don't get all cavalier and act like Macs are impenetrable fortresses of security; they're not (skim my previous articles about Mac security).

Here's a sample e-mail:
From: "DHL Services" {donotreply.s.nr6999 @} [forged From address]
Subject: DHL service. Get your parcel S.NR5944 [number may vary]
Date: November 15, 2010

The company could not deliver your package to your address.
The package was returned to DHL office.
Information about your package is attached to the letter.
Look through the information about your package thoroughly.

Thank you for using our services.
DHL Customer Services.

[Note: The rest of the e-mail contained white text on a white background, intended to fool spam filters while being hidden from the e-mail recipient. This portion of the e-mail is usually different in each sample, so I've omitted it.]
Attachment: [file name may vary]
The malicious attachment is currently only detected by 12 out of 43 major antivirus engines, with detection coming soon from at least one vendor. Most of the following information is courtesy of VirusTotal:
File name: DHL_Information.exe
MD5   : 70da9f26213bfa1b947fcc58dd854cad
SHA1  : 57cad53f527fc97ac3e88a22ce295dcd7b2a882f
SHA256: ac068ce7055505ec0e501ea816959936f5d9221651715a93d37f99b631dbaf58
File size : 74240 bytes

12/43 detection rate as of 2010-11-15 23:11:32 (UTC)

Variously identified as: Gen:Variant.Oficla.10, Generic BackDoor.u, Troj/Oficla-BA, Trojan.Agent.AQWD, Trojan.Oficla-17, Trojan.Oficla.83, Trojan.Sasfis, Trojan.Win32.Generic.pak!cobra, Trojan.Win32.Oficla.chq, W32/Trojan2.NLPW, Win32.Outbreak!IK, etc.
As I've said before, antivirus software won't keep you 100% protected—especially against new malware, as these detection rates show—so it's always important to be cautious about downloading files or clicking on links.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Thursday, November 11, 2010

"FedEx Services" Malware, Boonana/Koobface Update, Sophos for Mac, and Firesheep

There's been plenty going on in the realm of computer security lately.  Here's a brief update.

First, the breaking news: there's a new Oficla malware attachment spreading via fake FedEx e-mails, not unlike the UPS/USPS scam e-mail I told you about recently.  Here's a sample:
From: "FedEx Services" { @} [forged From address]
Subject: Track your shipment No445272 [number may vary]
Date: November 11, 2010

This is a post notification.

Your package has been returned to the FedEx office.
The reason of the return is - Incorrect delivery address of the package

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the FedEx office in order to receive the packages.

Thank you for your attention.
FedEx Customer Services.

[Note: The rest of this was white text on a white background, intended to fool e-mail spam filters while being hidden from the e-mail recipient. This portion of the e-mail is usually different in each sample.]
-- Wo mag mein Vater, meine Mutter sein?JULIA So waschen sie die Wunden ihm mit Tränen? Ich spare meine für ein bängres Sehnen. Nimm diese Seile auf. --Ach, armer Strick, Getäuscht wie ich! Wer bringt ihn uns zurück? Zum Steg der Liebe knüpft er deine Bande, Ich aber sterb als Braut im Witwenstande. Komm, Amme, komm! Ich will ins Brautbett! Fort! Nicht Romeo, den Tod umarm ich dort. WÄRTERIN Geht nur ins Schlafgemach! Zum Troste find ich Euch Romeo: ich weiß wohl, wo er steckt. Hört, Romeo soll Euch zur Nacht erfreuen; Ich geh zu ihm; beim Pater wartet er. LORENZO Komm, Romeo! Hervor, du Mann der Furcht! Bekümmernis hängt sich mit Lieb an dich, Und mit dem Mißgeschick bist du vermählt. ROMEO Vater, was gibts? Wie heißt des Prinzen Spruch? Wie heißt der Kummer, der sich zu mir drängt Und noch mir fremd ist? LORENZO Zu vertraut, mein Sohn, Bist du mit solchen widrigen Gefährten. Ich bring dir Nachricht von des Prinzen Spruch. ROMEO Verbannung? Sei ba rmherzig! Sage: Tod!
Attachment: [file name may vary]
As a reminder, companies like FedEx, UPS, DHL, and the U.S. Postal Service never send attachments containing mailing labels or tracking numbers—and they especially won't send Windows .exe programs.

If you extract the .zip file and run the .exe application (FedEx_mailing_label.exe) on a Windows PC, it will attempt to download more malicious software onto your PC, including fake antivirus software.

The malicious attachment is currently only detected by 12 out of 43 major antivirus engines, which should tell you to always be cautious of what you download and open, because your antivirus program won't stop everything. Most of the following information is courtesy of VirusTotal:
File name: FedEx_mailing_label.exe
MD5   : b7e6a7f9f527acaac54d0dfb1b4d7d87
SHA1  : 05af292c42a2e20d45dbbc919762d3a0c2158aa2
SHA256: 0e434c9a0740ba104ef8320af39c12c599ef3a1de527ea1779d1f59e1c50a806
File size : 74752 bytes

12/43 detection rate as of 2010-11-11 22:57:27 (UTC)

33/43 detection rate as of 2010-11-13 18:30:57 (UTC)

Variously identified as: Artemis!B7E6A7F9F527, Bck/Qbot.AO, Dropper.Generic2.BTTI, Generic.dx!uqm, High Risk Cloaked Malware, TR/Bamital.H, TR/Spy.ZBot.MY, TROJ_BAMITAL.AH, Troj/Agent-PHW, Trojan:W32/Bamital.D, Trojan:Win32/Oficla.AD, Trojan.Bamital, Trojan.Bamital!gen1, Trojan.Bredolab-1027, Trojan.Generic.5074337, Trojan.Oficla.80, Trojan.Oficla.CPS, Trojan.Win32.Generic.pak!cobra, Trojan.Win32.Oficla, Trojan.Win32.Oficla!IK, Trojan.Win32.Oficla.azk, Trojan/Oficla.azk, Trojan/Win32.Oficla, TrojWare.Win32.Trojan.Oficla.~D, W32/Agent.PHW!tr, W32/Oficla.R.gen!Eldorado, W32/Pinkslipbot.gen.t, W32/Sasfis.Z!tr, Win-Trojan/Oficla.74752, Win32:Oficla-AX, Win32/Bamital.BD, Win32/Oficla.JF, etc.
Here's VirusTotal's analysis of the fake antivirus software (with a measly 7 out of 43 detection rate) that FedEx_mailing_label.exe downloads from 109.196.143 .136:
File name: avpsoft_fgdhdflgkhjkf.exe
MD5   : 7db84663de821b00423fbf3838a0030f
SHA1  : b925ffe7cb695eda324dce99a2a1f482f1b16271
SHA256: 59085adc7a91f4fc4a424ee8de925f6efcf90c7e453fdc18c26d37e6c7ed8732
File size : 987648 bytes

7/43 detection rate as of 2010-11-12 00:10:34 (UTC)

24/43 detection rate as of 2010-11-13 18:31:16 (UTC)

Variously identified as: FraudTool.Win32.RogueSecurity (v), Gen:Variant.Kazy.3155, Generic.dx!uqn, Heur.Suspicious, Mal/FakeAV-DO, Medium Risk Malware Dropper, Rogue:Win32/Winwebsec, TR/Kazy.3155, Trj/CI.A, TROJ_FAKEAV.SMES, Trojan.Agent/Gen-Backdoor, Trojan.Fakealert.19447, Trojan.Win32.FakeAV.rnh, W32/FakeAV.ABDX, W32/FakeAV.DO!tr, W32/Kryptik.ZZ!tr, Win-Trojan/Fakeav.987648.DU, Win32:FakeAlert-ST, Win32/Adware.SecurityTool.AD, etc.
See the Web of Trust report for showtimeru .ru and a couple of Russian IPs to which the e-mail attachment phones home and attempts to download additional malware:
Since a lot of people asked about this last time, I'd like to remind readers that Windows .exe files can only infect Microsoft Windows operating systems.  If you're using a Mac, Linux, or other operating system (and assuming you haven't installed Parallels, VMware, CrossOver, Wine, etc. to enable you to run Windows apps on your Mac) you can't be harmed by accidentally downloading a malicious Windows .exe application.

Second, an update about the Boonana/Koobface malware, which I recently mentioned. A new variant is circulating according to reports from ESET and SecureMac, and even Microsoft's Windows-only antivirus product is detecting the Mac version of this malware. (Components of this malware are variously detected as Boonana, JAVA_JNANA.A, Java/Boonana.A, OSX/Koobface.A, Troj/Boonana-A, Trojan-Downloader.Java.Alboto.a, Trojan:Java/Boonana, Trojan:MacOS_X/Boonana, Trojan.Jnana.1, Trojan.Jnanabot, trojan.osx.boonana.a, trojan.osx.boonana.b, Win32/Boonana.A, etc.)

As I mentioned previously, disabling Java and being careful to not click on suspicious links on Facebook, Twitter, other social networks, and unexpected e-mails should help you avoid malware of this type.  If you're on Windows, I recommend uninstalling Java, and if you're on a Mac, I've posted instructions for disabling Java on Macs and a link to get SecureMac's free removal tool (which has been updated to remove the new "b" variant). Of course, it would also be wise to install antivirus software, which brings me to...

Third, commercial antivirus vendor Sophos recently released their antivirus software for free to all Mac users (for personal home use only).  You can download it at

Fourth, I thought I should at least briefly mention Firesheep, since it's been in the news a lot recently. Firesheep is an add-on for Firefox that makes it incredibly easy for anyone to hijack someone else's unencrypted Web browser sessions, allowing wannabe hackers and script kiddies to, for example, break into the Facebook or Twitter account of someone who's sharing the same public Wi-Fi hotspot at the local coffee shop.  It doesn't just allow bad guys to break into social networking sites, though; also affected are Amazon, Google (except Gmail), Bing, Windows Live, Dropbox,, Flickr, The New York Times, and other sites. Firesheep has already been widely distributed, with more than 721,000 downloads in under 3 weeks.

The best way to avoid getting hacked by Firesheep users is to use a VPN (a secure remote connection to a private network, for example securely logging into your home computer and using the browser on that computer rather than browsing directly from your laptop, iPad, or other device on an unencrypted Wi-Fi network). Using the EFF's "HTTPS-Everywhere" Firefox add-on (whose name is actually a misnomer, since it can't enable https:// for all sites) can help force secure connections for only a handful of specific sites, while sessions on other sites will remain vulnerable. Public Wi-Fi providers (Starbucks, McDonald's, hotels, etc.) can help protect users by enabling WPA/WPA2 encryption and giving out the password to guests, rather than providing unencrypted wireless networks (see the links hereafter for details on how this works). However, perhaps the best way to fix the problem is for every Web service provider to encrypt the full browser session, not just login pages. Start encouraging the sites you use to enforce https:// access to all pages of their site to protect their customers/users from Firesheep session hijacking. For further analysis of Firesheep, see Steve Gibson's blog and audio podcasts (with searchable text transcripts) here and here.

UPDATE, 13 Nov 2010 @ 10:50 PST: Added additional malware names and current detection rates.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Thursday, October 28, 2010

Koobface Malware for Mac, and How to Disable Java

Intego recently blogged about their investigation into a Mac-infecting variant of the Koobface malware (which Intego explains "propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements") that's actively being tested in the wild. Koobface infections often come via links on Facebook (hence the name, which is an anagram of Facebook), but can come via other sites as well. I've previously blogged about Koobface here and also mentioned it here.

According to Intego, the Mac variant tries to install itself via a Java applet, which prompts the user with a dialog box saying:
/!\  An applet from "[domain]" is requesting access to your computer.

The digital signature could not be verified.

[ ] Allow all applets from "[domain]" with this signature
(Show Details...)               (Deny) (Allow)
If presented with such a dialog box, users should click the "Deny" button to prevent infection. If instead they allow the applet to run, it will attempt to download files into /Users/[username]/.jnana/ (a hidden folder; you can use my freeware app Invisibility Toggler to see if it's there on your system). So far Intego has only seen the malware get to this point because the servers it tries to contact have not been online and actively serving the requested malicious files at the time of Intego's testing. The Java applet is detected as OSX/Koobface.A by Intego's VirusBarrier and trojan.osx.boonana.a by SecureMac's MacScan. SecureMac also offers a free removal tool.

Users can avoid infection altogether by disabling Java in their browsers. Other security researchers including Brian Krebs have recently been recommending this anyway, since Java has quickly become one of the most exploited Web technologies, and most users probably don't actually need or use Java.

Unfortunately, Apple doesn't provide an uninstaller for its implementation of Java (which Apple has recently deprecated). Here's how to disable it in your browser instead:
  • To disable Java in Safari, first open the Preferences dialog box (on the Mac, click on the Safari menu next to the Apple menu, then select Preferences...). Click on Security, then click on the check box next to "Enable Java" to remove the check and disable Java.
  • To disable Java in Firefox, first open the Add-ons dialog box by clicking on the Tools menu and then selecting Add-ons. Click on the Plugins tab at the top of the window, and look for "Java Embedding Plugin" and "Java Plug-In 2 for NPAPI Browsers." Click on each one of those and click the Disable button for each one. (Note: Whenever Apple releases a Java update, you may need to quit Firefox and reopen it, and then verify that both are still disabled.)
  • To disable Java in Chrome, go to chrome://plugins/ (you may need to copy and paste or type this into the address bar) and click on the "Disable" link below the word Java.
  • To disable Java in Opera,  go to opera:config#Java and click on the check box next to "Enabled" to remove the check from the box, then click Save. You will be prompted to restart the browser in order for the setting to take effect.
  • To disable Java in Camino, click on the Camino menu next to the Apple menu, then select Preferences..., then click on Web Features, and finally click on the check box next to "Enable Java" to remove the check and disable Java.
  • To disable Java in OmniWeb, click on the OmniWeb menu next to the Apple menu, then select Preferences..., then click on Show All, then click on Security, and finally click on the check box next to "Enable Java" to remove the check and disable Java.

UPDATE, 18 Nov 2010 @ 9:47 PST: Added instructions for disabling Java in OmniWeb.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Friday, October 15, 2010

UPS/USPS Scam E-mail with Oficla Trojan Attachment

One year ago (almost to the day, actually) I warned of malicious e-mails that claimed to be from DHL that used social engineering to trick users into opening an attachment. Well, bad guys are still pulling the same trick, this time with e-mails purporting to be from UPS (United Parcel Service of America) or USPS (United States Postal Service).

Here's a sample e-mail:
From: "United States Postal" {donotreply @} [forged From address]
Subject: UPS Tracking number N224002 [a random number]
Date: October 15, 2010

Good afternoon.

The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.

Thank you.
UPS Global Services.

[Note: The rest of this was white text on a white background, intended to fool e-mail spam filters while being hidden from the e-mail recipient. This portion of the e-mail is vastly different in each of the samples I've seen.]
Hes in his fit now and does not talk after the wisest.He shall taste of my bottle: if he have never drunk wine afore, it will go near to remove his fit. If I can recover him, and keep him tame, I will not take too much for him: he shall pay for him that hath him, and that soundly. STEPHANO. Come on your ways: open your mouth; here is that which will give language to you, cat. Open your mouth: this will shake your shaking, I can tell you, and that soundly [gives CALIBAN a drink]: you cannot tell whos your friend: open your chaps again. STEPHANO. Four legs and two voices; a most delicate monster! His forward voice now is to speak well of his friend; his backward voice is to utter foul speeches, and to detract. If all the wine in my bottle will recover him, I will help his ague. Come. Amen! I will pour some in thy other mouth. STEPHANO. Doth thy other mouth call me? Mercy! mercy! This is a devil, and no monster: I will leave him: I have no long spoon. TRINCULO. Stephano!
Attachment: [a random number in the file name]
Before I talk about the attachment, let's briefly examine the non-hidden portion of the e-mail.  How many suspicious things can you find?  For starters, the From name is "United States Postal," not "United States Postal Service."  Second, the subject line says "UPS," not "USPS"—the company doesn't even match!  Third, companies like the U.S. Postal Service, UPS, and DHL never send attachments containing tracking numbers.  If the real company was going to send a tracking number, it would be in plain sight in the e-mail, not buried inside some attachment, and certainly not inside a Windows executable.

Not surprisingly, the .zip archive contains a malicious .exe program.  At present, the malware is detected by 23 out of 43 major antivirus engines, with detection in the works from at least one additional vendor.  Most of the following information is courtesy of VirusTotal:
File name: UPS_Document_NR*.exe [* = random number]
MD5   : 0964957611527841a83906bd68e248c7
SHA1  : 2497d1be1a4b49808171f388dd3ae1c59956075f
SHA256: 0bb27e6dba7e60c46cf8d829ddea604f1772ccf52885a84f5f07d3bd6953b0f0
File size : 41472 bytes

23/43 detection rate as of 2010-10-16 02:22:52 (UTC)

30/43 detection rate as of 2010-10-16 18:51:09 (UTC)

Variously identified as: a variant of Win32/Kryptik.HHI, Artemis!096495761152, Generic.dx!uhx, HeurEngine.MaliciousPacker, Heuristic.Trojan.SusPacked.TMS, High Risk System Back Door, Mal/Oficla-A, Packed.Generic.308, Packed/Win32.Generic, Riskware, SHeur3.BIXD, Suspicious file, TR/Crypt.XPACK.Gen, Trj/Downloader.WBX, TROJ_BREDLAB.TX (reminiscent of the "Bredolab" name of last year's DHL malware), Trojan.Oficla.73, Trojan.Oficla.AO, Trojan.Win32.Downloader.41472.EC, Trojan.Win32.Generic!BT, Trojan.Win32.Oficla.apb, Trojan/Win32.Oficla, TrojanDownloader:Win32/Mafchek.C, UnclassifiedMalware, W32/Oficla.AIY!tr, W32/Oficla.P.gen!Eldorado, W32/Trojan3.CGE, Win32:Trojan-gen, Win32.Outbreak!IK, etc.
See the behavioral analyses of this file from ThreatExpert, Anubis, and Panda Xandora/Autovin, and the Web of Trust report for webauc .ru, a domain to which this malware phones home:
See also ThreatExpert's analysis of a related mass-mailer program which sends spam like the sample above, and an additional domain and an IP to which the malware phones home or tries to download executable content:
Be sure to remind your friends and loved ones to avoid downloading attachments from e-mails like this one.

UPDATE, 16 Oct 2010 @ 12:00 PDT: Added some additional names of the malware.  Currently detected by 30 antivirus engines with at least one more detection coming soon.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Thursday, September 30, 2010

MacScan 2.7 Product Review

Since early 2002 (about a year after the initial release of Mac OS X), SecureMac has made an anti-spyware application for Mac called MacScan.  I've been curious about the product ever since I became interested in computer security several years ago, and I finally had the opportunity to try MacScan recently.

Earlier this month, on September 20th, SecureMac tweeted from their @macscan Twitter account that the software was being released for free for one day only in celebration of Pirate Day (hopefully a few of you saw my retweet). I took the opportunity to grab a copy of MacScan so I could finally test it myself.

MacScan is marketed as a product that "detects, isolates, and removes spyware" for the Macintosh platform.  Mac users often believe (no doubt encouraged by Apple's marketing) that there isn't any malicious software for the Mac, or that the Mac is not susceptible to hacker exploits, but unfortunately, such is not the case.  (I've discussed this occasionally, Graham Cluley from antivirus vendor Sophos has reiterated this several times recently, and Mac antivirus maker Intego frequently blogs about Apple and third-party security vulnerabilities and Mac malware.)

MacScan detects a number of different types of potentially harmful Mac OS X and Mac Classic software such as Trojan horses, keystroke loggers, tracking cookies, and remote administration programs—mainly things that could be considered "spyware," or software used to spy on user behavior.  However, it is not a full-fledged antivirus product; for example, it is not designed to detect things such as viruses (e.g. Microsoft Office macro viruses, classic Mac OS viruses, etc.) or any malicious software that isn't Mac-native (e.g. UNIX or Windows malware), etc.

Another feature found in commercial antivirus software that's not present in MacScan 2.7 is automatic on-download or on-access scanning of files.  You can manually scan files or folders, or you can schedule scans, but the current version of MacScan doesn't run in the background and automatically scan files as soon as you download them.  Thus, if you unknowingly download something malicious, by the next time you scan your system it may already have become infected.  Also, based on my testing, there doesn't seem to be any heuristic detection of unknown malware, which commercial antivirus software usually provides.  These issues could potentially be problematic for users who rely solely on MacScan for protecting their systems rather than using MacScan along with antivirus software.

But I digress; MacScan is not—and does not claim to be—a complete antivirus suite.  So how well does it detect the things it's designed to?

Since I had a copy of Lose/Lose on hand (see my article about it), I tested to make sure MacScan could detect it, and it did.  I also tested whether MacScan could detect Vine Server 3.0 (the latest version of the VNC server software formerly known as OSXvnc, which MacScan is supposed to detect), and it did.  On a hunch, I tested whether MacScan would detect a number of previous versions of Vine Server and OSXvnc (which are freely available on SourceForge), and I got mixed results.  Of the 17 different versions of the software to date, only 6 versions were detected by MacScan, and the other 11 versions were not detected at all.  I reported this to SecureMac, and to their credit MacScan's definitions were updated in less than 36 hours (the advisory about the new detections is currently visible on their spyware list).  I retested this morning with the latest definitions, and I confirmed that all 17 versions of OSXvnc and VineServer were detected.

What about tracking cookies?  The MacScan site says that the software detects "over 8800 blacklisted tracking cookies."  Since I nearly always browse with third-party cookies disabled (which theoretically should prevent a lot of tracking cookies from being saved), I didn't expect MacScan to find much, and it didn't.  MacScan only detected a single cookie, from  Out of curiosity, I opened the database where this cookie was found (~/Library/Cookies/Cookies.plist) and looked through it myself.  I found 360 tracking and advertising cookies.  Of those, 267 were from Google Analytics (a very popular service for tracking the number of visitors to a site and other non-personally identifiable information; apparently Google Analytics works by having sites set first-party instead of third-party cookies).  Since MacScan had detected a cookie from Google Ad Services, one might expect it to detect cookies from Google Analytics as well, but that didn't happen in this case.  The remaining 93 ad/tracking cookies were from a number of other sites and services, many of which are listed on hpHosts, Web of Trust, and other databases.  SecureMac doesn't specify which 8800 sites' cookies are blacklisted, but based on my very limited testing, their list has some room for improvement.

I also discovered a much more serious detection issue that SecureMac is planning to fix in the next release of the software, MacScan 3.0.  At a later date (after giving SecureMac a reasonable amount of time to fix the issue) I will disclose the details here on this site, so stay tuned for that.

Although the foregoing may not sound extremely positive, I wouldn't rule out MacScan entirely.  No antivirus or anti-spyware suite has perfect detection; I'm often disappointed by detection rates of new malware, even in commercial antivirus suites from companies with millions of dollars to spend on research and development.

For another thing, MacScan is less expensive than most antivirus suites and doesn't require a yearly subscription. When used in combination with a free antivirus such as ClamXav (donationware; detects Mac and non-Mac viruses) or PC Tools iAntiVirus (free for personal use; only detects Mac viruses), MacScan may help suit your needs at a better price.  Of course, MacScan can also be used alongside commercial antivirus suites, which don't usually detect things like tracking cookies.

Furthermore, MacScan is undergoing a major overhaul for the upcoming version 3 which will address several of the issues I've mentioned above.  Expect the main scanning engine to be improved, new features including drag-and-drop scanning, and perhaps most importantly the addition of a background scanning engine.  This complete redesign should make MacScan much more robust and better capable of defending Macs against Trojans and privacy invasions.  If you would like to volunteer to help SecureMac test the upcoming release, you can sign up to become a beta tester for MacScan 3.

MacScan can be purchased for $29.99 for a single user license, or $49.99 for a three-user family pack (enter a quantity of 3 or more and use the coupon code FAMILYPACK).

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Tuesday, September 7, 2010

Save $100 Instantly on MacTech Conference Registration

I'm going to be attending MacTech Conference from November 3-5, 2010 in Los Angeles. It's not specifically a security-oriented event—MacTech Conference is for all IT professionals and developers, and it's a great way to meet and learn from peers and experts in the field. There will be lots of fun times as well, including private access to the Griffith Observatory one night and another night at Jillian's (including bowling, billiards, Guitar Hero, and more). Meals are included!

My friends and readers can get $100 off MacTech Conference registration by signing up through this link:

You can also read this article from my personal blog or browse the conference site to learn more, but be sure to use the exact link above to register to make sure to get your $100 off. Register by October 29, 2010 to get the discount.

I hope to see you there! Also, feel free to share the discount link with anyone else who might be interested in attending the conference.

UPDATE, 27 Oct 2010 @ 01:19 PDT: The discount deadline has been extended to October 29th.

Tuesday, August 31, 2010

"Bindaas Spaces" Spam from India

For years I have been tracking an India-based spam operation which I'll call "Bindaas Spaces" (based on one of its primary domains).  Very little information about this spam ring has been published online to date; most of the information you'll find comes from my reports on McAfee SiteAdvisor and Web of Trust.  The organization has been spamming since October 2007 if not earlier.  Their unsubscribe request pages are not functional, meaning once you've been added to their list, there's no way to opt out.  Their primary domain registrar, Net 4 India, has completely ignored all spam and abuse reports that I have submitted.

I intend to update this blog post in the future whenever I discover new domains related to this spam ring.  If you have been spammed by this group, please see the "How to Report Spam from This Organization" section below.

Affiliated Domains

Following is a list of all the domains I'm aware of that this organization has linked or advertised in their spam.  I've included some relevant links to McAfee SiteAdvisor, Web of Trust, DNS-BH, Threat Log, and/or URLVoid reports for these domains.  Many of the domains listed below are (or have previously been) classified as "Red" or "Yellow" by McAfee due to "suspicious behavior," potential security risks, spam, and/or excessive popups:
  • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow because "[McAfee's] analysis found that this site may be promoted through spammy e-mail." - listed on DNS-BH as "malspam" - currently listed as a Spam threat on Threat Log - also listed on SpamCop:
    • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow for pop-ups - listed on DNS-BH as "malspam" - currently listed as a Spam threat on Threat Log - also on Joe Wein's spam blacklist:
      • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow for pop-ups - listed on DNS-BH as "malspam" - also currently listed as a Spam threat on Threat Log:
        • mysnapfish .info (McAfee SiteAdvisor, Web of Trust, DNS-BH, Threat Log, URLVoid; note the unethical and deceptive use of HP trademark "Snapfish"; I reported this trademark violation and the domain was shut down, but it has since been registered by a different person/organization who now operates the site)
        • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - listed on DNS-BH as "malspam" - also currently listed as a Spam threat on Threat Log:
          • Currently listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution." - also currently listed as a Spam threat on Threat Log:
            • Currently listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
              • bombaytimes .info (McAfee SiteAdvisor; domain expired 27 Aug 2010 and is no longer registered as of 12 Oct 2010)
              • Currently listed as a Spam threat on Threat Log - currently listed as Yellow by McAfee: "When we browsed this site we received several pop-ups." - also previously listed as Yellow because "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
                  • Currently listed as a Spam threat on Threat Log - also formerly listed as Red by McAfee: "extremely high number of pop-ups": 
                        • Currently listed as Yellow by McAfee: "When we browsed this site we received several pop-ups." - also previously listed as Yellow because "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
                            • Formerly listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
                                  • Other domains (no known record of poor ratings or user reports aside from my own):
                                    • abhinavinst .com (Web of Trust; advertised via bindaasspaces affiliate spam on 22 June 2012)
                                    • click4offers (Web of Trust; advertised via bindaasspaces affiliate spam on 22 June 2012)
                                    • go4fun (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 24 March 2011)
                                    • ckick2join (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 24 February and 5 March 2011)
                                    • bestforyou (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 16 February 2011)
                                    • foodconnect (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 7 February 2011)
                                    • fashnvia .com (McAfee SiteAdvisor; advertised via bindaasworld affiliate spam on 20 January 2011)
                                    • fashionnglamour .com (McAfee SiteAdvisor; advertised via bindaasplanet affiliate spam on 7 January 2011)
                                    • taamjhaam (McAfee SiteAdvisor; advertised via bindaasworld affiliate spam on 15 December 2010)
                                    • fropper .com (McAfee SiteAdvisor, URLVoid; advertised via bindaaspoll affiliate spam on 12 October 2010)
                                    • clubmahindra .com (McAfee SiteAdvisor, URLVoid; note that this domain currently has a Light Green rating on the community-operated Web of Trust site, which may indicate that a few people might feel that the site is legitimate in spite of having been affiliated with a spam ring)
                                    • bindaasindya .com (McAfee SiteAdvisor)
                                    • experiencechange (McAfee SiteAdvisor; domain was pending deletion as of 31 Aug 2010 and is no longer registered as of 12 Oct 2010)
                                    • pehechankaun .com (McAfee SiteAdvisor; domain expired 19 Jul 2010)
                                    • chouwmouw .com (McAfee SiteAdvisor; domain expired 3 Jul 2010)
                                    • meragang .org (McAfee SiteAdvisor; domain is no longer registered)
                                  How to Report Spam from This Organization

                                  Please report this spam to the domain registrar by forwarding unsolicited e-mails that either contain links to or are sent from these domains (or redirect to/through one of these domains) to the registrar's abuse address. The most common registrar for these domains is Net 4 India Limited, whose abuse addresses are [email protected], [email protected], and [email protected].  So far all of my reports to Net 4 India have been ignored.  I have also begun including CERT-In (the Indian Computer Emergency Response Team, [email protected]) in the recipients list to inform them about the spam problem and Net 4 India's lack of response, providing a link to this article for reference.

                                  These spammers violate CAN-SPAM by sending unsolicited commercial e-mail that does not contain functional opt-out instructions, does not clearly state that it's an advertisement, and never contains a postal mailing address. United States residents who receive any junk mail in violation of the CAN-SPAM Act should forward the e-mail to [email protected].

                                  Please report spam to the anti-spam site KnujOn by forwarding the spam to [email protected].

                                  If you receive spam that links to one of these domains through a redirect URL, please forward the spam to [email protected].  Thankfully, takes spam reports seriously and will often put up an interstitial warning page when users click on a spammed URL.  However, so far hasn't shut down the spam group's account; their account page with a list of several of their links can be found here: — note that a couple of their spammed links have gotten more than 100,000 clicks, and several others have had tens of thousands of clicks.

                                  If you receive spam that links to one of these domains through a redirect URL, please e-mail [email protected] and be sure to paste the offending links and a description of the spam in question.  Be aware that since uses Gmail, forwarding spam to their address may result in your e-mail being delivered to their spam folder and automatically deleted after 1 month; previously I assumed that reports to were being ignored, but the site owner finally made contact with me on 11 January 2011 and removed all of the previously reported URLs.

                                  Also, please add a comment to this post if you have been spammed by the Bindaas Spaces operation, and share any affiliated domains you've seen linked in their spam (don't link to them, just paste the domain in plain text).

                                  UPDATE, 13 Oct 2010: Added fropper .com, Threat Log and DNS-BH listings, updated McAfee classifications, etc.
                                  UPDATE, 18 Oct 2010: Added timesjobs .com.
                                  UPDATE, 15 Dec 2010: Added taamjhaam and updated McAfee classification for eazeejob .com.
                                  UPDATE, 10 Jan 2011: Added fashionnglamour .com and changed all SiteAdvisor, WOT, and URLs to HTTPS.
                                  UPDATE, 31 Mar 2011: Added fashnvia .com, foodconnect, bestforyou, ckick2join, and go4fun, and clarified how to properly report spammed links.
                                  UPDATE, 1 Jul 2012: Added click4offers and abhinavinst .com. Fixed Threat Log URLs.

                                  For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

                                  Saturday, July 31, 2010

                                  Favicon Security Issue Fixed in Safari 5.0

                                  Earlier this month, Apple released Safari version 5.0 for Mac OS X v10.5 Leopard and v10.6 Snow Leopard as well as Windows XP, Vista, and 7 (in addition to Safari version 4.1 for Mac OS X v10.4 Tiger). Apple listed 49 separate security-related bug fixes in their "About the security content of Safari 5.0 and Safari 4.1" Knowledge Base article.

                                  Apple fixed at least one other security-related issue that was not included in the list. I initially observed and reported this issue in June 2007 and again reported it on 15 June 2009. The following is based on my 2009 bug report submission to Apple:

                                  Safari has a checkbox for "Display images when the page opens" in the Appearance section of the Preferences dialog. When unchecked, this supposedly allows a user to disable the display of all images when a page opens. However, a Web page's favicon still loads even with this option unchecked. In the past, there have been numerous exploits in Safari where maliciously crafted images can lead to remote code execution, so it is very important that when people explicitly disable images, *ALL* images should be disabled.

                                  Steps to Reproduce:
                                  1) On any Mac or Windows PC, open Safari, go to the Preferences, go to the Appearance section, and uncheck "Display images when the page opens".
                                  2) Go to any Web site that has a favicon and which you have not already visited (to ensure that the favicon isn't just being loaded from the cache). You will see that the favicon loads in the address bar even though the rest of the images on the page do not load.

                                  Expected Results:
                                  Safari should not load favicon images when "Display images when the page opens" is unchecked, so as to avoid exploitation and potential remote code execution via a maliciously crafted image.

                                  Actual Results:
                                  Safari loads favicon images regardless of whether "Display images when the page opens" is unchecked.

                                  This vulnerability has existed in Safari for many versions, including the latest version for Mac OS X and Windows. This bug has been verified to exist in the recently released Safari Version 4.0 (5530.17).

                                  I originally submitted this security bug report sometime after the original version of Safari for Windows was released (Safari 3.0). I will give Apple a reasonable period of time to fix this security problem before going public with this information.

                                  I would appreciate Apple's acknowledgment of this issue and a time frame in which I can expect it to be fixed. Please reply ASAP. Thank you.

                                  I discovered this issue because after the initial release of Safari for Windows I began using the Web browser as a sandbox for loading potentially harmful sites, disabling all active content (including JavaScript, Java, Flash and other plug-ins) as well as images.

                                  Apple representatives e-mailed me after the release of Safari 5.0 and Safari 4.1 to inform me that this issue had finally been resolved.

                                  Apple still has yet to resolve an arguably more serious issue: Safari 5.0.1 still hides the Status Bar by default, making it impossible to know a link's destination before clicking on it. The average user will not be security conscious enough to enable the Status Bar on his or her own. The workaround is simple (just select "Show Status Bar" in the "View" menu) but the point is that Apple should make it easier for its millions of Safari users to identify suspicious links with the default settings.

                                  For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

                                  Friday, June 25, 2010

                                  Deposit Scam: Malaysian Oil Company Manager

                                  Deposit scams (also called 419 scams, advance-fee fraud schemes, etc.) are a common e-mail phenomenon. The sender typically purports to have some money that they need someone else to handle, claiming that if the e-mail recipient accepts the invitation to help, he or she will get to keep some of the money. Although many such scams have originated in Nigeria, there are numerous examples of this type of fraud from around the world.

                                  Take for example this latest scam from someone who claims to be an oil company manager in Malaysia:
                                  From: "Farouk Mohanla" {faroukmohanla @ gmail . com}
                                  Reply-To: {faroukmohanla @ gmail . com}
                                  Subject: Please read this message carefully.
                                  Date: June 25, 2010
                                  My name is Farouk Mohanla, I work as a manager for oil company here in Malaysia. I write to solicit your assistance and cooperative supports to enable us retrieve the balance of $10,000,000 which is for a contractor who executed a supply of Hi-Tec Crude Oil mini-refinery CDU Unit to my company, he passed on few months ago after completing his contract and left no beneficiary to his contract balance benefits upon completion. I need to know if you will stand as his beneficiary to receive his contract benefits.
                                  I sincerely assure you this is absolutely risk-free and shall follow legal procedures in confirmation that there is no risk involved and with trust and understanding we would be able to collect these funds to our own mutual benefits. If you are interested reply me back.

                                  Farouk Mohanla..
                                  If someone you don't even know randomly e-mails you and offers you a share of $10 million, hopefully you'll recognize it as a scam and report it to the authorities and the e-mail provider of the Reply-To address (in this case Gmail).  For several major e-mail providers such as Gmail, Yahoo!, and Hotmail, the address for reporting fraudulent account activity is abuse@[provider's domain].com.  Reputable e-mail providers will suspend the offending account to ensure that nobody else can send replies to it. I also recommend forwarding such messages to [email protected], operated by the anti-spam and anti-fraud organization KnujOn.

                                  Further reading about deposit scams:

                                  If you believe you have been defrauded, you can file a complaint with the Internet Crime Complaint Center (IC3):

                                  Speaking of online scams, Microsoft released a video earlier this month that supposedly shows what happened when they set up a fake bank in New York and asked real customers for their sensitive personal information. The video is an advertisement for Internet Explorer (which I don't necessarily recommend), and I should point out that all other major browsers (Firefox, Safari, Chrome, and Opera) also have built-in anti-phishing protection.

                                  For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

                                  Monday, May 31, 2010

                                  9 Easy Steps to Increase Adobe Reader Security

                                  I've been meaning to write an article about Adobe security for some time.  Adobe Flash Player and Adobe Acrobat/Reader are considered by some to be necessarily evils; Flash and PDF content is widely distributed on the Internet, but Adobe has a poor reputation when it comes to product security.

                                  I recently worked on a PC that had become infected, and I determined through forensic analysis that the infection vector was a PDF exploit hosted on a malicious domain (see details at the end of this article).  I decided that it was time to write an article on how to improve Adobe Reader's security by tweaking some settings.  Note that these instructions are based on version 9.3.2, the latest version available as of when I'm writing this, but will likely apply to future versions as well.  UPDATE: I have tested and regularly use the first 6 of these steps with 9.4.x.  Most readers should probably update to Adobe Reader X so that they can use its new Protected Mode which can help stop certain exploits.  Unfortunately some users are stuck having to use 9.x due to software incompatibilities.  However, most (or perhaps all) of these steps should apply to securing Adobe Reader X as well.

                                  9 Easy Steps to Increase Adobe Reader Security
                                  1. Download and install the latest version of Adobe Reader from (be sure to uncheck any toolbar options first).  After installation, open Adobe Reader and check for updates by clicking on the Help menu and selecting "Check for Updates...".  (You may be asking yourself why this is necessary when you just downloaded the latest version straight from Adobe's site.  Sadly, Adobe is notorious for distributing old versions of Reader that are not fully patched and leaving it up to the user to figure this out and patch it on their own.)  Install any updates as prompted.
                                  2. Disable JavaScript.  This rarely used feature of Adobe Reader is much more likely to do harm than good—in fact, lots of PDF malware uses it—so it's best to turn it off.  To do so, open Adobe Reader and click on the Edit menu and select "Preferences...".  (Note that in the Mac version of Adobe Reader, you'll find Preferences under the "Adobe Reader" menu directly to the right of the Apple menu.)  In the left side of the window, select JavaScript.  Now on the right side of the window you'll see a checkbox labeled "Enable Acrobat JavaScript".  Uncheck that box to disable JavaScript in Adobe Reader, then click OK.
                                  3. Disable "non-PDF file attachments".  This is another rarely used and potentially dangerous feature that Adobe currently enables by default.  To disable it, open Adobe Reader and click on the Edit menu and select "Preferences...".  In the left side of the window, select Trust Manager.  Now on the right side of the window in the "PDF File Attachments" section you'll see a checkbox labeled "Allow opening of non-PDF file attachments with external applications".  Uncheck that box to disable the feature, then click OK.  (For more information on why this feature is dangerous and should be disabled, see this blog post by Didier Stevens.)
                                  4. Enable "Automatically install updates".  Make sure that Adobe Reader is configured to update itself automatically.  Open Adobe Reader, click on the Edit menu, and select "Preferences...".  In the left side of the window, select Updater.  Now on the right side of the window in the "Check for updates" section you'll see a radio button labeled "Automatically install updates".  Click on that button to allow Adobe Reader to update itself automatically, then click OK.  (Note that this option is not available in the Mac version. The next best choice is "Automatically download updates, but let me choose when to install them".)
                                  5. Delete the AuthPlay library after each update.  This file is another commonly exploited component of Adobe Reader because it enables embedded Flash content inside PDFs, and new Flash exploits are being discovered and used in the wild on a regular basis.  Nearly all users of Adobe Reader have no need for active, animated Flash content inside their static, printable PDFs, and it's safe to delete this file.  Deleting the AuthPlay file may be a bit tricky because the file does not have a consistent name or location across all operating systems and versions of Reader. has a guide that explains how to find and delete the AuthPlay library for Adobe Reader 9 on Windows, Mac, Linux, and Solaris, and if you have Adobe Reader X those instructions may lead you in the right direction to locate the file on your system.  For Adobe Reader 9.x for Windows, the file is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll.  Unfortunately, the AuthPlay library will be reinstalled during every Adobe Reader update, so you will have to remember to delete it each time.
                                  6. Enable "Use only certified plug-ins".  Although I'm not currently aware of any exploits that take advantage of non-certified plug-ins, it shouldn't hurt to enable this option.  Open Adobe Reader, click on the Edit menu, and select "Preferences...".  In the left side of the window, select General.  Now on the right side of the window in the "Application Startup" section you'll see a checkbox labeled "Use only certified plug-ins".  Click on that checkbox to enable the setting, then click OK.
                                  7. Disable inline PDF display in your Web browsers.  This is a bit more extreme and may not be right for everyone since some legitimate sites require the ability to view embedded PDFs, but remember that accidentally browsing to a malicious or infected site with an embedded PDF can trigger an exploit and compromise your system; you'll have to weigh the pros and cons and decide for yourself whether this step is worth it for you.  The easiest way to disable PDF support for most Windows browsers is to open Adobe Reader, click on the Edit menu, select "Preferences...", then in the left side of the window select Internet, then on the right side of the window under "Web Browser Options" uncheck "Display PDF in browser", then click OK.
                                    The United States Computer Emergency Readiness Team (US-CERT) also recommends configuring Internet Explorer to not open PDF files without user interaction.  To do so, open the Notepad application (look in the Start menu under Programs, Accessories), paste the following text, and save it as a file with .REG at the end of the file name (e.g. DisableIEPDF.REG):
                                    Windows Registry Editor Version 5.00


                                    After saving the .REG file, double-click on it to add the above to the Windows Registry.
                                    In the Mac version of Adobe Reader, the option you'll need to disable is "Display PDF in browser using:".  You will also need to disable Safari's built-in PDF reader functionality as well.  To do so, first open the Terminal application (in the /Applications/Utilities folder; if you can't find it, click on the magnifying glass in the top-right corner of the screen and type the word Terminal, then click on the application when it appears in the list).  Then type or paste the following command and then press Return or Enter:  

                                    defaults write WebKitOmitPDFSupport -bool YES
                                  8. Disable PDF preview in your file browser (i.e. Windows Explorer or the Mac OS X Finder).  This will prevent accidentally reading data from a malicious PDF file by merely opening the folder that contains that file.  On Windows, click on Start, Run (if you don't see Run, search for cmd and open it instead) and type or paste the following command and then press Enter:
                                    regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"
                                    You'll also want to make sure that the Windows Indexing service doesn't accidentally access a malicious PDF file.  The easiest way to do this is to disable the Indexing Service altogether.  If you're unfamiliar with how to disable Windows services, here's a tutorial that details how to disable the Indexing Service in Windows XP, Vista, and 7.  If you don't want to disable the Indexing Service entirely, US-CERT has some vague instructions for specifically disabling PDF integration with the service (note that the instructions are vague because each version of Adobe Acrobat and Adobe Reader puts its files in a different folder based on the version number, rather than sticking to something consistent like C:\Program Files\Adobe\Acrobat\ or C:\Program Files\Adobe\Reader\).
                                    On the Mac, PDF integration is a major part of the operating system, so disabling it entirely would be extremely difficult.  One way to potentially help prevent the OS (Leopard, Snow Leopard, or later) from accidentally previewing a malicious PDF is to change the Downloads folder in the Dock to display as a Folder in List view (as opposed to a Stack in Fan or Grid view, all of which show previews automatically).  To do so, right-click on Downloads (or hold down the Control key and click, if you're using a one-button mouse), and under "Display as" select Folder, then right-click on Downloads again and under "View content as" select List.  Now when new files are downloaded to the Downloads folder, a preview of the file won't appear in the Dock.  You can also disable previews in specific folders in the Finder, for example the desktop or the Downloads folder.  To disable file previews on the desktop or for a specific folder, click on the desktop or open the folder, then click on the View menu and select "Show View Options", then uncheck "Show icon preview".
                                  9. Install good antivirus software.  As an additional line of defense, antivirus software from a reputable company may catch some malicious PDFs when downloaded onto your system.  I list this step last because it is unwise to rely solely on antivirus software to catch malicious PDFs; there are lots of PDF vulnerabilities, many of which are yet undiscovered, and even the best antivirus won't prevent against every undiscovered PDF exploit.
                                  Note that these steps won't make your computer 100% safe from PDF exploits.  You will still need to make sure that Adobe Reader is properly updating itself.  Even if you keep Adobe Reader up-to-date, there's still the problem of zero-day vulnerabilities (security flaws that Adobe hasn't patched yet).  As demonstrated in my previous post, it's possible for a determined individual to find PDF vulnerabilities through fuzzing, which could lead to the creation of maliciously crafted PDF files.  Nevertheless, following the steps above will help mitigate the threat of malicious PDF documents infecting your computer.

                                  UPDATE, 1 Jun 2010 @ 13:28 PDT: Steven Burn from Ur I.T. Mate Group, maintainer of the excellent hpHosts site, e-mailed me to suggest a Windows alternative to Adobe Reader called Sumatra PDF.  According to the developer's site, Sumatra is "a slim, free, open-source PDF viewer for Windows. Portable out of the box."  It does not support JavaScript or launching external applications like cmd.exe from within PDF files, making it inherently safer out of the box than Adobe Reader or Foxit Reader.  I'm very interested to know how well Sumatra handles other types of vulnerabilities and fuzzed PDFs; readers, if you're aware of any research on this, please post a comment.

                                  UPDATE, 28 May 2011 @ 00:33 PDT: I changed the article from 7 Easy Steps to 9 Easy Steps (specifically, I added a new step 5 and 6, and bumped the other steps down in the list).  I added these steps in the middle because I feel the first 6 steps listed above go together best, and I regularly use these 6 steps when configuring Adobe Reader.  I also added a note about Adobe Reader 9.4.x and Adobe Reader X at the top of the article.

                                  Following are some details about the malicious domain that I mentioned earlier, and an affiliated domain:



                                  For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

                                  Friday, April 9, 2010

                                  Charlie Miller on Pwn2Own, Mac Security, and Fuzzing

                                  I recently interviewed Charlie Miller about Mac security for MacTech Magazine's podcast, MacTech Live. Charlie talked about fuzzing, a technique that can be used to find vulnerabilities in software. Using 5 lines of Python code, Charlie recently fuzzed PDFs for testing Adobe Reader and Apple Preview, and fuzzed PPTs for testing Microsoft PowerPoint and Impress, and found dozens of exploitable bugs (approximately 20 of which he was prepared to use at CanSecWest to remotely exploit Safari).

                                  Charlie recently won the Mac prize at CanSecWest's Pwn2Own contest for the third year in a row by successfully executing a remote code exploit against Safari on a fully patched Mac.

                                  Listen to or download the interview (19 minutes): MP3

                                  If you enjoy the interview, you may also be interested in checking out:

                                  For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

                                  Thursday, April 8, 2010

                                  Google Analytics Typosquatters Hosting Malicious JavaScript Files

                                  Typosquatting has been around practically since the dawn of the Web. Often if you're typing a site address whose domain ends in .gov or .org and you mistakenly type .com or .net instead, you'll end up somewhere you didn't expect. There are also countless domains based on various misspellings of,, and numerous other sites.

                                  I recently noticed when browsing through MalwareURL's database that some malefactors are actively using typosquatted Google Analytics domains for nefarious purposes. Google Analytics is a service that allows webmasters to keep track of anonymized statistics about visits to their site. The recently discovered typosquatted Google Analytics domains contain a JavaScript file named urchin.js or ga.js in the root directory—the same filenames and locations of the scripts on the real Google Analytics domain (

                                  The operators of the typosquatter domains probably have one of the following scenarios in mind. The first is that they're banking on the idea that some webmasters might have mistyped the Google Analytics code (very unlikely since virtually everyone would have copied and pasted the code directly from Google's site), and if they mistyped the domain just so, they could end up inadvertently injecting malicious JavaScript code into their Web pages. The second scenario is that the typosquatters plan to put this code into their own pages, and they're hoping that individuals or companies that maintain their own URL blacklists might have made the mistake of whitelisting */urchin.js or */ga.js instead of whitelisting the full URL of those scripts on the official Google domain. Either way, it seems like there's an extremely remote chance that it would actually make a difference to go to the trouble of trying to emulate Google Analytics' JavaScript URLs, but someone did it anyway.

                                  To mitigate the threat of malicious JavaScript code, you can do your casual Web browsing or searching in a separate browser with JavaScript disabled. More advanced users may prefer to use the NoScript add-on for Firefox.

                                  Following are additional details that may be of interest to fellow security researchers, including reports for the domains that have been actively hosting malicious urchin.js files in their root directories within the past week and domains to which the obfuscated JavaScript code attempted to redirect:

                                  google-abalytics .info

                                  google-nalytics .info

                                  google-aqalytics .info

                                  94.102.52 .27
                         (mentioned at hxxp://94.102.52 .27)

                                  google-acalytics .info

                                  Following are VirusTotal analyses for each of 11 variants of this JavaScript (note that these are current scans, not the original scans prior to when I submitted samples to AV vendors):


                                  These variants have been variously detected as JS:Downloader-LP, JS.Crypt.CSA, JS.Siggen.84, JS/Agent.LP!tr.dldr, JS/Crypted.CP.gen, JS/Downloader, JS/Pakes, JS/Psyme.PP!tr.dldr, JS/Redir.AG.gen, JS/Redirector, JS/Redirector.AM!tr, TR/Click.Agent.NG, TR/Click.Agent.NI, TR/Dldr.Agent.fei.2, TR/Dldr.Agent.fej, TR/Dldr.Agent.fek, TR/Dldr.Agent.fel, TR/Dldr.Agent.fem, TR/Redirector.BU, TR/Redirector.BU.1, TR/Redirector.BU.2,,, Trojan-Downloader.JS.Agent.fei, Trojan-Downloader.JS.Agent.fej, Trojan-Downloader.JS.Agent.fek, Trojan-Downloader.JS.Agent.fel, Trojan-Downloader.JS.Agent.fem, Trojan.Click.Agent.NG, Trojan.Click.Agent.NI, Trojan.Clicker.JS, Trojan.Dldr.Agent.fei.2, Trojan.Dldr.Agent.fej, Trojan.Dldr.Agent.fek, Trojan.Dldr.Agent.fel, Trojan.Dldr.Agent.fem, Trojan.JS.Redirector, Trojan.JS.Redirector!IK, Trojan.JS.Redirector.bu, Trojan.Redirector.BU, Trojan.Redirector.BU.1, Trojan.Redirector.BU.2, Trojan.Script.397828, Trojan/JS.Redirector, Virus.JS.Downloader.LP, Virus.JS.Downloader.LP!IK, etc.

                                  Additional domains that were actively hosting malicious urchin.js files in January or February according to MalwareURL:

                                  gogle-analitics .info

                                  google-amalytics .info

                                  google-anaiytics .info

                                  Here's another that apparently hosted a malicious ga.js file last month:

                                  91.213.174 .101

                                  Strangely enough, most (if not all) of the domains to which the JavaScript code tries to redirect are offline. The Wepawet reports indicate that the sites were also offline when they conducted their initial scans.

                                  See MalwareURL's lists of sites hosting urchin.js or ga.js files:

                                  For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.