Update to “DNSChanger – Cleaning Up 4 Million Infected Hosts”

The Fbi’s “Operation Ghost Click” announcement in Nov 2011, involving the Rove Digital botnet delayed cleanup efforts that we previously discussed, continues to haunt both the internet networks and the mass media. A Forbes article and a Times article yesterday brought the apparition back to the front, with some claiming that the site offered by the DNSChanger Working Group is a new one, which it is not. The 2011 Operation being described, and the temporarily outsourced DNS server replacements and delayed cleanup, is the same. This phantom is nothing supernatural, so why all the discussion? The federal judge’s extension allowing the Fbi to run these replacement DNS servers still cuts off access in early July. When those replacement servers are removed in early July, the infected systems resolving DNS queries at these previously-owned Rove Digital servers will simply not be able to resolve DNS requests. July 9th will arrive soon, and notifications continue to go out related to the hundreds of thousands of systems in the US alone that are still infected.

In the simplest terms, connectivity will not be severed for DNSChanger-infected systems, but internet communications will not function for infected systems that have not been cleaned up. In the US, government agencies, home users, and other organizations still infected with the malware will have systems that effectively can’t get online, can’t send email, etc. It will look like they are connected to their network, but they just won’t communicate with anything.

Read Full Article

OS X Mass Exploitation – Why Now?

Market share! It’s an easy answer, but not the only one. In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break – Linux maintains under 2% market share and Google ChromeOS even less. This 15 year peak coincided with the first exploration by the aggressive FakeAv/Rogueware market targeting Apple computers, which we discovered and posted in April 2012 and later in May 2011, which no longer seem to be such an odd coincidence. Also, the delay in Apple malware until now most likely was not because Apple exploits were unavailable, or because the Mac OS X system is especially hardened. Read Full Article

New Version of OSX.SabPub & Confirmed Mac APT attacks

Late last week, we found evidence of a possible link between a Mac OS X backdoor trojan and an APT attack known as LuckyCat. The IP address of the C&C to which this bot connects (199.192.152.*) was also used in other Windows malware samples during 2011, which made us believe we were looking at the same entity behind these attacks. For the past two days, we have been monitoring a “fake” infected system – which is a typical procedure we do for APT bots. We were extremely surprised when during the weekend, the APT controllers took over our “goat” infected machine and started exploring it. Read Full Article

SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link

we can confirm yet another Mac malware in the wild – Backdoor.OSX.SabPub.a being spread through Java exploits. This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine. Read Full Article

DNSChanger – Cleaning Up 4 Million Infected Hosts

The internet is full of infected hosts. Let’s just make a conservative guesstimate that there are more than 40 million infected and malware serving “hosts” connected to the internet at any one time, including both traditional computing devices, network devices and smartphones. That’s a lot of resources churning out cybercrime, viruses, worms, exploits, spyware. There have been many suggestions about how to go about cleaning up the mess, the challenges are complex, and current cleanups taking longer than expected.

Mass exploitation continues to be an ongoing effort for cybercriminals and a major problem – it’s partly a numbers game for them. Although exploiting and infecting millions of machines may attract LE attention at some point, it’s a risk some are willing to take in pursuit of millions of dollars that could probably be better made elsewhere with the same effort. So take, for example, the current DNSChanger cleanup. Here is a traditional profit motivated 4 million PC and Mac node malware case worked by the Fbi, finishing with a successful set of arrests and server takedown.

Read Full Article

Are Mobile Advertisers Getting Too Aggressive?

Many of the apps we enjoy are free. Well, to call them free is a bit misleading. You pay for the apps by looking at advertisements. This is a platform we should all recognize from the sidebar of Facebook, or Google, or almost any service that doesn’t charge a premium to use it. Advertising has paved the way for many services to gather a huge audience audience and still profit. Read Full Article

The Top 10 Security Stories of 2011

As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into top 10 of security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012. Read Full Article

What to Do About Carrier IQ

There’s been a lot of talk about a piece of software installed on many mobile devices called Carrier IQ. The intended purpose of the software according to the manufacturer is to collect metrics to improve many functions of the device on which it’s installed. The uproar has been that this software has access to so much private user data. Read Full Article