no-image

Update to “DNSChanger – Cleaning Up 4 Million Infected Hosts”

The Fbi’s “Operation Ghost Click” announcement in Nov 2011, involving the Rove Digital botnet delayed cleanup efforts that we previously discussed, continues to haunt both the internet networks and the mass media. A Forbes article and a Times article yesterday brought the apparition back to the front, with some claiming that the site offered by the DNSChanger Working Group is a new one, which it is not. The 2011 Operation being described, and the temporarily outsourced DNS server replacements and delayed cleanup, is the same. This phantom is nothing supernatural, so why all the discussion? The federal judge’s extension allowing the Fbi to run these replacement DNS servers still cuts off access in early July. When those replacement servers are removed in early July, the infected systems resolving DNS queries at these previously-owned Rove Digital servers will simply not be able to resolve DNS requests. July 9th will arrive soon, and notifications continue to go out related to the hundreds of thousands of systems in the US alone that are still infected.

In the simplest terms, connectivity will not be severed for DNSChanger-infected systems, but internet communications will not function for infected systems that have not been cleaned up. In the US, government agencies, home users, and other organizations still infected with the malware will have systems that effectively can’t get online, can’t send email, etc. It will look like they are connected to their network, but they just won’t communicate with anything.

Read Full Article

no-image

OS X Mass Exploitation – Why Now?

Market share! It’s an easy answer, but not the only one. In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break – Linux maintains under 2% market share and Google ChromeOS even less. This 15 year peak coincided with the first exploration by the aggressive FakeAv/Rogueware market targeting Apple computers, which we discovered and posted in April 2012 and later in May 2011, which no longer seem to be such an odd coincidence. Also, the delay in Apple malware until now most likely was not because Apple exploits were unavailable, or because the Mac OS X system is especially hardened. Read Full Article

no-image

SOURCE Boston Security Conference and Training 2012 Day 2 – Dan Geer Keynote, Android Modding and Cloud Security

Dan Geer’s Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks were Jeremey Westerman’s “Covering *aaS – Cloud Security Case Studies for SaaS, PaaS and IaaS”, and Dan Rosenberg’s “Android Modding for the Security Practitioner”.

Read Full Article

no-image

New Version of OSX.SabPub & Confirmed Mac APT attacks

Late last week, we found evidence of a possible link between a Mac OS X backdoor trojan and an APT attack known as LuckyCat. The IP address of the C&C to which this bot connects (199.192.152.*) was also used in other Windows malware samples during 2011, which made us believe we were looking at the same entity behind these attacks. For the past two days, we have been monitoring a “fake” infected system – which is a typical procedure we do for APT bots. We were extremely surprised when during the weekend, the APT controllers took over our “goat” infected machine and started exploring it. Read Full Article

no-image

SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link

we can confirm yet another Mac malware in the wild – Backdoor.OSX.SabPub.a being spread through Java exploits. This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine. Read Full Article

no-image

Patch Tuesday April 2012 – Patching Multiple Web Based Client Side and Spearphishing Exposures

This month’s patch Tuesday fixes a small set of critical vulnerabilities in a variety of client side software. Six bulletins have been created to address eleven exploitable flaws. Two of the bulletins are top priority and should be addressed ASAP. These are the MS12-023 bulletin, patching a set of five Internet Explorer vulnerabilities leading to remote code execution, and the MS12-027 bulletin, patching the MSCOMCTL ActiveX Control. Read Full Article