Thursday, October 28, 2010

Koobface Malware for Mac, and How to Disable Java

Intego recently blogged about their investigation into a Mac-infecting variant of the Koobface malware (which Intego explains "propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements") that's actively being tested in the wild. Koobface infections often come via links on Facebook (hence the name, which is an anagram of Facebook), but can come via other sites as well. I've previously blogged about Koobface here and also mentioned it here.

According to Intego, the Mac variant tries to install itself via a Java applet, which prompts the user with a dialog box saying:
/!\  An applet from "[domain]" is requesting access to your computer.

The digital signature could not be verified.

[ ] Allow all applets from "[domain]" with this signature
(Show Details...)               (Deny) (Allow)
If presented with such a dialog box, users should click the "Deny" button to prevent infection. If instead they allow the applet to run, it will attempt to download files into /Users/[username]/.jnana/ (a hidden folder; you can use my freeware app Invisibility Toggler to see if it's there on your system). So far Intego has only seen the malware get to this point because the servers it tries to contact have not been online and actively serving the requested malicious files at the time of Intego's testing. The Java applet is detected as OSX/Koobface.A by Intego's VirusBarrier and trojan.osx.boonana.a by SecureMac's MacScan. SecureMac also offers a free removal tool.
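A quick way to check every home folder on a Mac for that hidden directory, as an added example (this is not Intego's tooling or the Invisibility Toggler app): the script below walks a /Users-style tree, looks for a `.jnana` folder in each home and lists whatever files it holds, so an analyst can see what the applet managed to download before the folder is preserved or removed. The `demo_with_constructed_layout` function builds a throwaway directory tree with one infected-looking home so the script runs anywhere; on a real machine, call `find_indicator_dirs()` with the default path.

```python
"""Scan user home folders for the hidden Koobface drop directory (added example)."""
import os
import tempfile
import time
from pathlib import Path

INDICATOR_DIR = ".jnana"   # hidden folder named in Intego's analysis of the Mac variant


def find_indicator_dirs(users_root="/Users", indicator=INDICATOR_DIR):
    """Return one record per home folder that contains the indicator directory.

    Each record lists the files inside (relative path, size, UTC mtime) so the
    output is useful for triage, not just a yes/no answer.
    """
    hits = []
    root = Path(users_root)
    if not root.is_dir():
        return hits
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        target = home / indicator
        if not target.is_dir():
            continue
        files = []
        for f in sorted(target.rglob("*")):
            if f.is_file():
                st = f.stat()
                files.append({
                    "path": str(f.relative_to(target)),
                    "size": st.st_size,
                    "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                })
        hits.append({"user": home.name, "path": str(target), "files": files})
    return hits


def demo_with_constructed_layout():
    """Build a constructed /Users-like tree (one clean home, one with the folder) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        users = Path(tmp) / "Users"
        (users / "alice").mkdir(parents=True)          # clean home
        drop = users / "bob" / INDICATOR_DIR            # home with the hidden folder
        drop.mkdir(parents=True)
        # placeholder file standing in for whatever the applet would download
        (drop / "payload.bin").write_bytes(b"constructed placeholder, not malware")
        return find_indicator_dirs(users)


if __name__ == "__main__":
    for hit in find_indicator_dirs():
        print(f"{hit['user']}: {hit['path']}")
        for f in hit["files"]:
            print(f"    {f['size']:>8}  {f['modified']}  {f['path']}")
```

Running it as root covers every home folder; running it as a normal user reports only folders that user can read.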

Users can avoid infection altogether by disabling Java in their browsers. Other security researchers including Brian Krebs have recently been recommending this anyway, since Java has quickly become one of the most exploited Web technologies, and most users probably don't actually need or use Java.

Unfortunately, Apple doesn't provide an uninstaller for its implementation of Java (which Apple has recently deprecated). Here's how to disable it in your browser instead:
  • To disable Java in Safari, first open the Preferences dialog box (on the Mac, click on the Safari menu next to the Apple menu, then select Preferences...). Click on Security, then click on the check box next to "Enable Java" to remove the check and disable Java.
  • To disable Java in Firefox, first open the Add-ons dialog box by clicking on the Tools menu and then selecting Add-ons. Click on the Plugins tab at the top of the window, and look for "Java Embedding Plugin" and "Java Plug-In 2 for NPAPI Browsers." Click on each one of those and click the Disable button for each one. (Note: Whenever Apple releases a Java update, you may need to quit Firefox and reopen it, and then verify that both are still disabled.)
  • To disable Java in Chrome, go to chrome://plugins/ (you may need to copy and paste or type this into the address bar) and click on the "Disable" link below the word Java.
  • To disable Java in Opera, go to opera:config#Java and click on the check box next to "Enabled" to remove the check from the box, then click Save. You will be prompted to restart the browser in order for the setting to take effect.
  • To disable Java in Camino, click on the Camino menu next to the Apple menu, then select Preferences..., then click on Web Features, and finally click on the check box next to "Enable Java" to remove the check and disable Java.
  • To disable Java in OmniWeb, click on the OmniWeb menu next to the Apple menu, then select Preferences..., then click on Show All, then click on Security, and finally click on the check box next to "Enable Java" to remove the check and disable Java.

UPDATE, 18 Nov 2010 @ 9:47 PST: Added instructions for disabling Java in OmniWeb.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Friday, October 15, 2010

UPS/USPS Scam E-mail with Oficla Trojan Attachment

One year ago (almost to the day, actually) I warned of malicious e-mails that claimed to be from DHL that used social engineering to trick users into opening an attachment. Well, bad guys are still pulling the same trick, this time with e-mails purporting to be from UPS (United Parcel Service of America) or USPS (United States Postal Service).

Here's a sample e-mail:
From: "United States Postal" {donotreply @} [forged From address]
Subject: UPS Tracking number N224002 [a random number]
Date: October 15, 2010

Good afternoon.

The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.

Thank you.
UPS Global Services.

[Note: The rest of this was white text on a white background, intended to fool e-mail spam filters while being hidden from the e-mail recipient. This portion of the e-mail is vastly different in each of the samples I've seen.]
Hes in his fit now and does not talk after the wisest.He shall taste of my bottle: if he have never drunk wine afore, it will go near to remove his fit. If I can recover him, and keep him tame, I will not take too much for him: he shall pay for him that hath him, and that soundly. STEPHANO. Come on your ways: open your mouth; here is that which will give language to you, cat. Open your mouth: this will shake your shaking, I can tell you, and that soundly [gives CALIBAN a drink]: you cannot tell whos your friend: open your chaps again. STEPHANO. Four legs and two voices; a most delicate monster! His forward voice now is to speak well of his friend; his backward voice is to utter foul speeches, and to detract. If all the wine in my bottle will recover him, I will help his ague. Come. Amen! I will pour some in thy other mouth. STEPHANO. Doth thy other mouth call me? Mercy! mercy! This is a devil, and no monster: I will leave him: I have no long spoon. TRINCULO. Stephano!
Attachment: [a random number in the file name]
Before I talk about the attachment, let's briefly examine the non-hidden portion of the e-mail. How many suspicious things can you find? For starters, the From name is "United States Postal," not "United States Postal Service." Second, the subject line says "UPS," not "USPS"—the company doesn't even match! Third, companies like the U.S. Postal Service, UPS, and DHL never send attachments containing tracking numbers. If the real company were going to send a tracking number, it would be in plain sight in the e-mail, not buried inside some attachment, and certainly not inside a Windows executable.

Not surprisingly, the .zip archive contains a malicious .exe program.  At present, the malware is detected by 23 out of 43 major antivirus engines, with detection in the works from at least one additional vendor.  Most of the following information is courtesy of VirusTotal:
File name: UPS_Document_NR*.exe [* = random number]
MD5   : 0964957611527841a83906bd68e248c7
SHA1  : 2497d1be1a4b49808171f388dd3ae1c59956075f
SHA256: 0bb27e6dba7e60c46cf8d829ddea604f1772ccf52885a84f5f07d3bd6953b0f0
File size : 41472 bytes

23/43 detection rate as of 2010-10-16 02:22:52 (UTC)

30/43 detection rate as of 2010-10-16 18:51:09 (UTC)

Variously identified as: a variant of Win32/Kryptik.HHI, Artemis!096495761152, Generic.dx!uhx, HeurEngine.MaliciousPacker, Heuristic.Trojan.SusPacked.TMS, High Risk System Back Door, Mal/Oficla-A, Packed.Generic.308, Packed/Win32.Generic, Riskware, SHeur3.BIXD, Suspicious file, TR/Crypt.XPACK.Gen, Trj/Downloader.WBX, TROJ_BREDLAB.TX (reminiscent of the "Bredolab" name of last year's DHL malware), Trojan.Oficla.73, Trojan.Oficla.AO, Trojan.Win32.Downloader.41472.EC, Trojan.Win32.Generic!BT, Trojan.Win32.Oficla.apb, Trojan/Win32.Oficla, TrojanDownloader:Win32/Mafchek.C, UnclassifiedMalware, W32/Oficla.AIY!tr, W32/Oficla.P.gen!Eldorado, W32/Trojan3.CGE, Win32:Trojan-gen, Win32.Outbreak!IK, etc.
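The cues described above (a From name that claims one carrier while the subject names another, white-on-white filler text aimed at the spam filter, and a .zip attachment hiding a Windows executable) can be checked mechanically. The script below is an added example, not code from this post or from VirusTotal: it builds a constructed message modelled on the sample (the sender address, the zip file name and the bytes inside the fake .exe are placeholders, not the real attachment), runs the three checks over it with Python's standard `email` and `zipfile` modules, and compares the SHA256 of any executable found against the hash published above. The placeholder naturally does not match; a real sample would.

```python
"""Triage heuristics for parcel-delivery lure e-mails (added example, not from the post)."""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 of UPS_Document_NR*.exe as published in the post (VirusTotal data)
KNOWN_BAD_SHA256 = {
    "0bb27e6dba7e60c46cf8d829ddea604f1772ccf52885a84f5f07d3bd6953b0f0",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Inline elements whose text colour is white; the lookbehind skips "background-color"
HIDDEN_RE = re.compile(
    r'<(?P<tag>span|font|div|p)\b[^>]*?(?<!background-)color\s*[:=]\s*["\']?'
    r'(?:#fff(?:fff)?|white)[^>]*>(?P<body>.*?)</(?P=tag)>',
    re.I | re.S,
)


def brand_of(text):
    """Map a header string to the parcel carrier it claims to be from, if any."""
    t = text.upper()
    if "UNITED STATES POSTAL" in t or re.search(r"\bUSPS\b", t):
        return "USPS"
    if re.search(r"\bUPS\b", t):
        return "UPS"
    if re.search(r"\bDHL\b", t):
        return "DHL"
    return None


def triage(raw):
    """Run the three checks from the post over a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. The display name and the subject line should name the same carrier
    from_brand = brand_of(str(msg["From"] or ""))
    subj_brand = brand_of(str(msg["Subject"] or ""))
    if from_brand and subj_brand and from_brand != subj_brand:
        findings.append(f"brand mismatch: From claims {from_brand}, Subject says {subj_brand}")

    # 2. Filler text rendered in white, meant for the spam filter rather than the reader
    hidden = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for m in HIDDEN_RE.finditer(body.get_content()):
            hidden.append(re.sub(r"<[^>]+>", "", m.group("body")).strip())
        if hidden:
            findings.append(f"hidden white-on-white text ({len(hidden)} block(s))")

    # 3. A .zip attachment wrapping a Windows executable; hash it against the known IoC
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                    executables.append((info.filename, digest, digest in KNOWN_BAD_SHA256))
    if executables:
        findings.append("archive contains executable(s): " + ", ".join(e[0] for e in executables))

    return {
        "verdict": "suspicious" if findings else "no findings",
        "findings": findings,
        "hidden_text": hidden,
        "executables": executables,   # (name, sha256, matches_known_bad)
    }


def build_sample_lure():
    """Constructed message modelled on the post's sample; address, zip name and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = '"United States Postal" <donotreply@example.invalid>'
    msg["Subject"] = "UPS Tracking number N224002"
    msg.set_content(
        "<html><body><p>Good afternoon.</p>"
        "<p>The parcel was sent to your home address. And it will arrive within 3 business days.<br>"
        "More information and the tracking number are attached in document below.</p>"
        "<p>Thank you.<br>UPS Global Services.</p>"
        '<p style="color:#ffffff">Hes in his fit now and does not talk after the wisest.</p>'
        "</body></html>",
        subtype="html",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # harmless stand-in for the real .exe
        zf.writestr("UPS_Document_NR12345.exe", b"MZ placeholder bytes, not malware")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_Document_NR12345.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample_lure())["findings"]:
        print("-", line)
```

To triage a real message, read the saved .eml file as bytes and pass it to `triage()`; the hash comparison only fires on an exact match, so treat "archive contains executable(s)" on its own as reason enough to quarantine.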
See the behavioral analyses of this file from ThreatExpert, Anubis, and Panda Xandora/Autovin, and the Web of Trust report for webauc .ru, a domain to which this malware phones home:
See also ThreatExpert's analysis of a related mass-mailer program which sends spam like the sample above, and an additional domain and an IP to which the malware phones home or tries to download executable content:
Be sure to remind your friends and loved ones to avoid downloading attachments from e-mails like this one.

UPDATE, 16 Oct 2010 @ 12:00 PDT: Added some additional names of the malware.  Currently detected by 30 antivirus engines with at least one more detection coming soon.
