Microsoft researchers recently discovered a piece of Mac OS X malware that exploits a three-year-old flaw in old versions of Office for Mac. The threat uses a multi-stage attack, just like a Windows virus would. While Microsoft did fix the problem in 2009, the software giant notes that not every machine is up-to-date. The company’s data indicates, however, that the malware is not widespread. “No operating system that exists outside a laboratory is entirely immune to malware,” Microsoft stated on its blog. “As different operating systems continue to gain in popularity they attract more attention from would-be attackers – especially since, as we see in the example analysis above, the techniques and understanding needed to do so may be much the same as those used against other platforms. And even though an operating system may include many risk-reducing mitigation technologies, any machine’s defenses against vulnerabilities are directly related to how current its security updates for applications are kept.” Microsoft concludes by warning users of Office 2004 for Mac, Office 2008 for Mac or Open XML File Format Converter for Mac to update their software in order to protect themselves from possible threats.

Read

The “Flashback” virus that originated on a series of WordPress blogs and went on to infected more than 600,000 Mac computers last month may have generated its creators thousands of dollars each day. According to antivirus software firm Symantec, the Flashback malware has been generating revenue for its authors by hijacking users’ ad clicks, and due to the widespread nature of the infection, the authors could have been generating up to $10,000 per day. “Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” the firm explained, adding that Google never receives the intended ad click. Symantec notes that ad-clicking Trojans are nothing new and a botnet of 25,000 infections could generate an author up to $450 per day.

Read

Apple may be the most valuable company in the world, but when it comes to security, the Cupertino-based company doesn’t hold a candle to Microsoft. Kaspersky Lab co-founder and chief executive Eugene Kaspersky on Wednesday told CBR that Apple is a decade behind Microsoft in terms of computer security. ”I think they are ten years behind Microsoft in terms of security,” Kaspersky said. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but [Flashback] was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.” More than 600,000 Macs were infected by the Flashback trojan virus before it was discovered earlier this month and the exploit it used to infect OS X PCs was patched. “Apple will understand very soon that they have the same problems Microsoft had ten or 12 years ago,” Kaspersky said. ”They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software.”

Read

Security firm Intego on Monday announced that it had discovered a new variant of the Flashback malware called Flashback.S that continues to use a Java vulnerability Apple has already patched. This variant requires no password to install, and it places its files into the user’s home folder in “~/Library/LaunchAgents/com. java.update.plist” and “~/.jupdate.” Once Fashback.S is installed, it will then delete all files and folders in “~/Library/Caches/Java/cache” in order to delete the applet from the infected Mac, and avoid detection. The virus is actively being distributed, although it will not install if it finds Intego VirusBarrier X6, Xcode or Little Snitch installed on the Mac it tries to attack.

Read

The “Flashback” virus discovered to have infected more than 600,000 Mac computers earlier this month originated on a series of WordPress blogs, security experts have determined. According to Alexander Gostev, head of the global research and analysis team at Kaspersky, the virus began as a trojan hidden within a fake Adobe software update. In March, however, the malware’s creators repackaged the virus in a “drive-by attack” that infected users’ Apple computers when they visited one of thousands of compromised WordPress blogs. ”Tens of thousands of sites powered by WordPress were compromised,” Gostev wrote on Kaspersky’s SecureList blog. “How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.” Apple released a system update earlier this month that patched a Java vulnerability and removed most common iterations of the Flashback virus. As of the middle of last week, however, more than 140,000 Mac computers were still infected with the virus, which is capable of intercepting private data and transmitting it without a user’s knowledge.

Read

Apple responded fairly quickly to news that more than 600,000 Mac computers were infected with a trojan virus called “Flashback.” One week after the massive botnet was discovered, Apple issued an update fixing the Java vulnerability that allowed Flashback to infect the machines, as well as a removal tool for affected machines. Despite the company’s efforts, Symantec stated on Tuesday evening that approximately 140,000 OS X PCs were still infected with the virus at that time. “The statistics from our sinkhole are showing declining numbers on a daily basis,” the company wrote on its blog. “However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case. Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.” Symantec offers its own Flashback removal tool separate from the one Apple made available in a system update on April 12th.

Read

The “Flashback” trojan virus affecting at least 600,000 Macs was discovered last week that is capable of intercepting passwords and other private data. The discovery prompted Apple to release a Java update for OS X users that removed a number of common variants of the virus. Securelist on Saturday found another Mac trojan that is also spread through Java exploits, however. The malware, called Backdoor.OSX.SabPub, can take screenshots of a user’s current session, execute commands on an infected machine and connect to a remote website to transmit the data. It is not clear how users get infected with the trojan, but because of the low number of instances and the trojan’s backdoor functionality, Securelist speculates that it is most likely used in targeted attacks, possibly launched through emails containing a URL pointing to two one of websites hosting the exploit.

Read

Apple on Thursday released Java update for OS X that removes a number of common variants of the Flashback trojan virus. Discovered last week to have infected more than 600,000 Mac computers, Flashback is a trojan that is capable of intercepting sensitive data and transmitting it back to an attacker. Security experts at F-Secure published instructions on how to manually detect and remove the malware, but Apple’s new Java update will handle the process automatically. The update, Java for OS X Lion 2012-003, is available for download immediately from within Apple’s integrated OS X software update utility.

Apple on Friday issued a second software update to address a security flaw on its OS X operating system that has allowed a massive botnet to form. The update, “Java for OS X 2012-002,” is only available for desktop and laptop PCs running OS X Lion 10.7; Apple issued a similar update last week for both Lion and Snow Leopard, and the exploit was seemingly addressed properly the first time on the Snow Leopard OS. Russian anti-virus experts revealed earlier this week that the “Flashback” trojan virus had utilized a Java vulnerability to infect more than 600,000 Mac computers worldwide. The trojan is capable of intercepting sensitive data such as passwords and other personal information, and transmitting the data back to a host. A separate firm later published instructions detailing how to detect and remove the virus, and Apple’s new update should be the last step in protecting its systems from further attacks. Apple had not yet published details surrounding the new update on its website at the time of this writing.

Lookout Mobile Security on Tuesday published a report stating that a known malicious Android program has been updated with the ability to harm a device without depending on a user’s interaction. The new version of the “Legacy Native” (LeNa) app utilizes an exploit called GingerBreak to gain root permission on Android phones. The new variant of LeNa hides its payload just past the End of Image marker of an otherwise fully-functional JPEG. The malware is then able to communicate with a command and control server to install and launch packages unbeknown to the phone’s user. According to the report, this new version of LeNa is currently being distributed in a fake version of Angry Birds Space, but the malicious program is not believed to have made its way into the Google Play marketplace at this time.

[Via Threatpost]

Read

The idea that Macs don’t get viruses is now officially a thing of the past. Of course Mac malware has been around for years, but now a massive botnet has been discovered that takes this relatively small issue and makes it a widespread problem. While hackers indeed target Windows PCs far more frequently, a trojan horse virus discovered earlier this year has reportedly now been found to affect more that half a million Mac computers worldwide. Russian anti-virus vendor Dr. Web has discovered that malware called “BackDoor.Flashback.39″ is currently present on at least 600,000 Macs. The trojan has the capability to use a java vulnerability to intercept passwords and other private data, and then transmit the information back to the person or group that deployed it. Apple has since patched the vulnerability, but security experts at F-Secure have published a simple guide to help Mac users determine whether or not they are infected, and then remove any malicious files from their computers that are tied to the Flashback trojan. A link to F-Secure’s guide can be found below.

[Via Ars Technica]

Read [Dr. Web] Read [Removal guide]

Are pornographic images invading your Facebook news feed? We have yet to see it here at BGR, but ZDNET recently reported that “gory, violent pictures” and “hardcore pornography” are spreading across the social network. Facebook says it is getting to the bottom of the problem, but hasn’t yet revealed a solution or how the fiasco started. “Protecting the people who use Facebook from spam and malicious content is a top priority for us and we are always working to improve our systems to isolate and remove material that violates our terms,” Facebook spokesperson Andrew Noyes said. “We have recently experienced an increase in reports and we are investigating and addressing the issue.” It is unclear who is behind the attack. As The Washington Post points out, the flood could be a trick played by the now infamous hacker group Anonymous, in celebration of Guy Fawkes Day, which occurred on November 5th, but the group typically stakes its claim on major attacks. The images, which are apparently spreading like a wild fire, could also be the result of unsuspecting users having been tricked into clicking malicious links. Updated with statement from Facebook. 

Facebook’s official statement on the matter is as follows:

“Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible. During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

Read [ZDNET] Read [The Washington Post]

A new report recently issued by the security firm McAfee suggests that the number of malware applications targeting Android devices jumped 76% during the second quarter of this year, making Android the “most attacked” mobile operating system. “This year we’ve seen record-breaking numbers of malware, especially on mobile devices, where the uptick is in direct correlation to popularity,” senior vice president of McAfee labs Vincent Weafer said. Android users typically install the malware accidentally and assume the app is from a safe and legitimate developer. The most prevalent malware-infected modified applications were:

• Android/Jmsonez.A -  a calendar app that sends SMS texts to a premium rate number.
• Android/Smsmecap.A – a fake comedy app that sends SMS texts to everyone in the user’s address book.
• Android/DroidKungFu – malware that is capable of installing its own software and updates.
• Android/DrdDreamLite – capable of sending data back to the attacker.

McAfee also noted a number of popular Android Trojans that have been making their way through devices. In addition, the company released compelling figures for how much a hacker can sell stolen email addresses for. In the United States, for example, 10,000,000 addresses can be sold to spammers for roughly $300. Read on for McAffee’s full press release, which includes several data points for PCs, too.

McAfee Q2 2011 Threats Report Shows Significant Growth for Malware on Mobile Platforms

Report Shows Record Growth for Malware and Rootkits; Major Hacktivist Activity

SANTA CLARA, Calif.–(BUSINESS WIRE)–McAfee today released the McAfee Threats Report: Second Quarter 2011, showing that the amount of malware targeted at Android devices jumped 76 percent since last quarter, to become the most attacked mobile operating system. 2011 has also resulted in the busiest ever first half-year in malware history, including a first-ever appearance of Mac fake AV and a significant uptick in rootkits, suggesting that McAfee’s comprehensive malware “zoo” collection will reach a record 75 million samples by the year’s end.

“This year we’ve seen record-breaking numbers of malware, especially on mobile devices, where the uptick is in direct correlation to popularity”

“This year we’ve seen record-breaking numbers of malware, especially on mobile devices, where the uptick is in direct correlation to popularity,” said Vincent Weafer, senior vice president of McAfee Labs. “Overall attacks are becoming more stealth and more sophisticated, suggesting that we could see attacks that remain unnoticed for longer periods of time. High-profile hacktivist groups have also changed the landscape by drawing a line between attacks for personal gain and attacks meant to send a message.”

The report also details specific activity shaping the way cybercriminals operate, such as cybercrime “pricebooks” that determine the going rate for large email address lists, and acts of hacktivism and cyberwar.

2011 On Track to Reach Record “Malware Zoo”

With an approximate 12 million unique samples for the first half of 2011, a 22 percent increase over 2010, this has been the busiest first half-year in malware history. With the addition of Q2’s numbers, the grand total of total malware samples in McAfee’s database has reached approximately 65 million, and McAfee researchers estimate that this “Malware Zoo” will reach at least 75 million samples by the year’s end.

Android Nabs Top Spot for Most Mobile Malware

With the vast amount of personal and business data now found on user’s mobile phones, mobile malware is steadily increasing, often mimicking the same code as PC-based threats. In the second quarter of 2011, Android OS-based malware surpassed Symbian OS for the most popular target for mobile malware developers. While Symbian OS and Java ME remain the most targeted to date, the rapid rise in Android malware in Q2 indicates that the platform could become an increasing target for cybercriminals – affecting everything from calendar apps, to comedy apps to SMS messages to a fake Angry Birds updates.

Fake Anti-Virus for Apple, Rootkits and Stealth Malware Reach New Terrain

There are more Mac users than ever before, and as organizations increasingly adopt Macs for business use, Apple now has become more a target for malware authors. Though historically the Apple platform has been unaffected by fake anti-virus (fake AV) software, activity in Q2 indicates that it is now being affected. Although this type of fake AV is the first of its kind, McAfee Labs does expect fake AV in general will drop off over time.

Another malware category that is demonstrating recent steady growth is stealth malware. The tactic of hiding malware in a rootkit is used by cybercriminals to make malware stealthier and more persistent, and has seen this type of attack gain in prominence over the past year, with high-profile attacks such as Stuxnet. Stealth malware has increased more rapidly in the last six months than in any previous period, up almost 38 percent over 2010.

Acts of Hacktivism and Cyberwar Make Their Mark

Acts of hacktivism, primarily from the groups Anonymous and LulzSec, were among some of the most prominent cyber news generators for Q2. The report details hacktivist activity from Q2, with at least 20 global attacks reported in Q2 alone, and with the majority allegedly at the hands of LulzSec. The report also outlines acts of cyberwar that occurred in Q2, including attacks on United States’ Oak Ridge National Laboratory, and an attack on South Korea’s National Agricultural Cooperative Federation.

Email “Black Market” for Spammers

Though spam is still at historic low levels, due in part to the Rustock takedown, McAfee Labs still expects to see a sharp rise in activity over the coming months. A common method for cybercriminals to increase their volume of spam activity is to purchase a bulk list of emails in order to flood as much spam as possible to a widespread group of people. Whether it’s a botnet or a rental service, prices vary for such enterprises, often by location. For instance, in the United States, the going rate for 1 million emails is $25, whereas in England 1.5 million emails are worth $100.

For more information on trends related to hacktivism, cyberwar, web threats and malware, please download a full copy of the McAfee Threats Report: Second Quarter 2011 at http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2011.pdf

AT&T announced on Thursday that it has teamed up with Juniper Networks to offer improved mobile security options for its customers. AT&T said that it expects the first “phase” of its security roll-out to be available to businesses, organizations and customers later this year when it launches the AT&T Mobile Security application. It can help businesses enforce security policies, manage enterprise and personal devices, and enable anti-virus protection with monitoring and control tools. In addition, the application can protect consumers from viruses and malware. “Mobile security is the ‘next frontier’ for our continued effort to mitigate cyber-threats and to help protect our customers’ information,” said Ed Amoroso, chief security officer, AT&T. Read on for the full press release.

AT&T Invests in Mobile Device Security Platform

Agreement with Juniper Networks Helps Build Innovative Service Portfolio to Protect Devices from Security Threats

Recognizing the need to protect consumer and enterprise mobile devices from the increasing number of cyber attacks, AT&T* is investing in a new mobile security platform. It will allow customers to better protect their devices against security threats.

AT&T has executed an agreement with Juniper Networks to deliver this security capability and additional services based on the platform in the future. This new agreement is part of AT&T’s mobile security strategy to manage and protect smartphones and customer information.

AT&T’s strategy – which is distinguished from other approaches to mobile security – is to provide a comprehensive security solution that will integrate wireline and wireless security policies for consumer, enterprise and government customers.

The first phase of the platform – the AT&T Mobile Security application – is expected to be available later this year and is based on the Juniper Networks® Junos® Pulse solution.

The AT&T Mobile Security application will help:

• Businesses and Organizations
  • Maintain compliance with government regulations
  • Enforce security policies
  • Manage personal or enterprise-owned devices
  • Enable anti-virus, anti-malware, and application monitoring and control

• Consumers
  • Protect mobile devices with anti-virus, anti-malware, and application monitoring and control

“Enterprises drive employee productivity by anytime access to network resources, but the implications of data loss and malware proliferation creates real concerns for enterprise IT security. AT&T’s vision and approach to mobile security is the right one at the right time”, said Christine Liebert, senior analyst for Security Services at IDC. “AT&T is offering enterprises the ability to remotely remove or encrypt data on mobile devices and to have this function centrally administered. This should help businesses control what type of data can be downloaded to a smartphone or tablet, one of the biggest enterprise security risks.”

“Mobile security is the ‘next frontier’ for our continued effort to mitigate cyber-threats and to help protect our customers’ information,” said Ed Amoroso, chief security officer, AT&T. “With the help of Juniper Networks and the power of AT&T Labs and the AT&T Mobility Security Research Center behind us, we’ll be able to deliver new security capabilities to provide peace of mind to companies and consumers alike.”

“We are proud to work with AT&T to help them protect their most important asset, their customers,” said Mark Bauhaus, executive vice president and general manager of the Device and Network Services business group at Juniper Networks. “Teaming with AT&T to bring this unique and comprehensive mobile security solution to market will enable a vast number of consumers and enterprises to have state-of-art security features in their mobile life and be better protected from malicious threats.”

Adobe has issued a security bulletin about a critical security flaw found in Adobe Flash Player affecting the Windows, Macintosh, Linux, Solaris, and Android operating systems. The vulnerability, labeled CVE-2011-0609, “could cause a crash and potentially allow an attacker to take control of the affected system.” The company reports that exploits are already in the wild — most prevalently attached to Flash (.swf) and Excel (.xls) files. Adobe notes that it is “aware” of exploits for Adobe Reader and Acrobat, but explains that “Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.” The company has stated that it will issue a patch for its Flash Player sometime during the week of March 21st. Curiously, the company writes, “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.” June? Wow. Now might be a good time to enable Protected Mode on Adobe’s PDF reader.

Read