Old Mac trojan returns

For the past few days I’ve been keeping an eye on reports stating that an old Mac trojan, OpinionSpy, is back. Intego has indeed confirmed the old trojan has found its way back to the Mac platform, this time through downloads from download.cnet.com. The application “Free Video Cutter Joiner” will install additional content if you allow it to. With most people clicking through installers as fast as they can to get to the good stuff, additional content like this is easily overlooked.

I have obtained all the samples associated with the above-mentioned file and a few others; they will be included in the antivirus test during the next update. In the meantime, watch out for any content from cnet.com and download.com and for the following names:
– Free Video Cutter Joiner
– Free MP3 Cutter Joiner
– Audio Converter Mac
– Video Converter Mac
– PremierOpinion
– DVDVideoMedia
If you see any of these names in a file or on a website, steer clear for now.

If you use Little Snitch, and you should, look out for any connection attempts to:
– securestudies.com
– premieropinion.com
or any of their subdomains.
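As an added example (not from the original post, and not Little Snitch’s own code), the matcher below flags connections to the two domains above or any of their subdomains. It compares whole DNS labels, so a lookalike name that merely ends in the same letters does not match, and it normalizes case and a trailing dot. The connection records it scans are constructed for illustration and do not follow any particular firewall’s log format.

```python
"""Flag outbound connections to watch-listed domains, including any subdomain.
Added example for this post; the connection records below are constructed."""
from typing import Iterable, List, Optional, Tuple

# Domains named in the post. The domain itself and any subdomain should match.
WATCHLIST = ("securestudies.com", "premieropinion.com")

# Constructed sample of outbound-connection records: (process, destination host, port).
SAMPLE_CONNECTIONS = [
    ("Safari", "www.apple.com", 443),
    ("Free Video Cutter Joiner", "update.securestudies.com", 80),
    ("PremierOpinion", "premieropinion.com.", 443),   # trailing dot: absolute FQDN form
    ("Mail", "notsecurestudies.com", 993),            # lookalike, must NOT match
    ("osqueryd", "PREMIEROPINION.COM", 443),          # case differences must still match
]


def normalize_host(host: str) -> str:
    """Lower-case the name and strip a trailing dot so comparisons are stable."""
    return host.strip().rstrip(".").lower()


def host_on_watchlist(host: str, watchlist: Iterable[str] = WATCHLIST) -> Optional[str]:
    """Return the watch-list entry that `host` equals or is a subdomain of, else None.

    The comparison is done on whole DNS labels: 'a.example.com' matches
    'example.com', but 'notexample.com' does not. A plain suffix check
    (host.endswith(entry)) would wrongly match the lookalike.
    """
    h = normalize_host(host)
    for entry in watchlist:
        e = normalize_host(entry)
        if h == e or h.endswith("." + e):
            return e
    return None


def flag_connections(connections, watchlist: Iterable[str] = WATCHLIST) -> List[Tuple[str, str, int, str]]:
    """Return (process, host, port, matched_domain) for every connection worth a look."""
    hits = []
    for process, host, port in connections:
        matched = host_on_watchlist(host, watchlist)
        if matched:
            hits.append((process, host, port, matched))
    return hits


if __name__ == "__main__":
    for process, host, port, matched in flag_connections(SAMPLE_CONNECTIONS):
        print(f"{process!r} -> {host}:{port}  (watch-list domain: {matched})")
```

Running it lists the three matching records and skips the lookalike; the same `host_on_watchlist` check can be dropped into any script that reads real connection logs.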

More info here.


New Flash Player version available

An updated Flash Player, version 16.0.0.305, is now available for download on the Adobe website. This version patches the zero-day exploit I mentioned a few days ago. All users that have Flash Player installed should update as soon as possible. If you had previously disabled Flash Player, just reverse the instructions I gave in the previously mentioned article.

For now, users that have Flash Player installed appear to be safe once again. That is, until the next vulnerabilities are found, which won’t take too long. If you do not absolutely need Flash Player on your system, consider removing it completely. You’ll be much safer out there.


Apple releases updated FlashBack Malware removal tools

It appears Apple has quietly released an updated tool in the fight against fake Flash Player installers. Two updates showed up today:
Flashback Removal Security Update 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware.” This update also disables the Java plug-in in Safari.
Flashback malware removal tool 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. This update is recommended for all Mac users who do not have Java installed.”

While both updates appear to do the same thing judging from their descriptions, a look at the installer shows the differences.

Flashback malware removal tool 1.0 installs the actual Flashback malware hunter, an agent called “MRTAgent.app” in /System/Library/CoreServices. The app does not appear to activate until the next restart. At that point two files, in /System/Library/LaunchAgents (com.apple.mrt.uiagent.plist) and /System/Library/LaunchDaemons (com.apple.mrt.plist), will activate the app and take care of the Flashback ma
Flashback Removal Security Update 1.0 installs the MRTAgent app and related files, but also an app that disables Java called “JavaDisabler.app” in /System/Library/CoreServices. An additional file, “com.apple.javadisabler.plist”, is added to the System LaunchAgents folder.

The descriptions and links for both updates point to older support pages; nowhere could I find any mention of updated signatures or other changes. The documentation for the removal tool points to this page, which was last updated on November 8, 2014. The documentation for the Security Update points to this page, which was last updated around the same time, November 19, 2014.

Until someone digs around in these installers to see what’s new, it’s unknown which variants specifically are targeted. It may be the recently discovered OSX.IronCore.A; Apple had already updated XProtect with that signature in December. The fact that the update references the “Java for OS X 2012-003” update, released in 2012, is a bit confusing. Though I was able to see and download the updates using Software Update Server, none of the Macs on my network appear to be interested in them. If you do see these updates appear in your App Store, it’s a good idea to install them. If I find out more details about these updates I’ll post a follow-up.


New Flash zero-day also targets Mac users

Adobe released a security advisory today. Flash Player versions 16.0.0.296 (the current version) and earlier are vulnerable to an exploit that can cause a crash and allow an attacker to take control of the affected system. This vulnerability is already being exploited in the wild and no patch is available at this time.

We recommend disabling Flash Player until this issue has been patched. Here’s how to do this:
Safari: Open the Safari Preferences and go to the “Security” tab. At the bottom where it says “Internet Plug-ins” click the button “Website Settings”. Click on the “Adobe Flash Player” plug-in and you’ll see a list of allowed websites. If any websites show in this list, click on them once and then remove them by using the “-” button. Set the setting “When visiting other websites:” to “Block”.
Firefox: From the menu bar, Tools menu, select “Add-ons”. Click on the Plugins tab in the left column and set “Shockwave Flash” to “Never Activate” (this should be set to “Ask to Activate” by default, for enhanced security on any other day).

The best way is to completely uninstall Flash from your system. I have not had Flash installed for a long time and rarely run into any websites that require it. To remove Flash from your system, download the uninstaller here.

Adobe expects to patch this issue later this week but no timeframe was provided.


Apple updates Yosemite and Safari

Today Apple released the second update to the latest OS X, 10.10.2.
While the detailed list of security fixes in this update has not yet been released, we know from other sources that Apple fixed the Thunderstrike exploit, briefly mentioned in my last post, and three of the vulnerabilities reported by Google last week. Also resolved is an issue where Spotlight would load remote email content even if Mail itself had this disabled. Other fixes in this release address poor Wi-Fi performance, slow-loading web pages, the ability to browse iCloud Drive in Time Machine, and Safari stability and security improvements.

Separate Safari updates were released for 10.8 Mountain Lion and 10.9 Mavericks users. Both updates address stability and security. Mountain Lion users will see their version of Safari updated to 6.2.3 and Mavericks users to 7.1.3. Four WebKit issues were addressed in these updates. Safari 8.0.3 for Yosemite users is included in the OS X 10.10.2 update.

Also released was Security Update 2015-001, which “is recommended for all users and improves the security of OS X.” The update is available for 10.9.5 Mavericks users and is included in the OS X 10.10.2 update for Yosemite users. Issues addressed are in AFP file sharing, Bluetooth, the network cache, CoreGraphics and other components. It’s quite a list, which can be found here.

It is recommended to update your backups before installing these (or any) updates. In the case of a second OS X release I personally like to download and apply the combo update; this typically resolves more of the ‘new OS’ bugs than simply running the single version update. At the time of writing, the combo update and the above-mentioned updates are not available for direct download. Keep an eye on the Apple downloads page, where the combo update should pop up soon.


Just an update (and a bit of a rant ;)

Happy new year everyone and thank you for your support, tips, samples and more over the past year.

I haven’t forgotten about this blog and I still keep my eye on any potential threats that require awareness. The past few months have just been very uneventful when it comes to Mac security. One issue I jumped on immediately was the recent NTP vulnerability, but as I was writing the article I realized Apple had pushed out this update to all supported Macs. With all clients being updated automatically, I felt a post about the issue had little value. Flash Player updates have been coming out at a fairly steady pace; every reader should know by now to update as soon as the system prompts for it, so these updates also required no posting from my end.

Malware has not been an issue recently, so there have been no AV test updates since October. Updating these tests every time a new piece of adware is found would keep me busy full time, so I wasn’t going to do that either. I also have been stretched very thin working on a lot of other projects that have been taking up almost all of my time. I would have made the time to report on anything significant, but there have not been significant things to report on.

One of the potentially big things I have been keeping my eye on since December is Thunderstrike. It is currently still a proof of concept (PoC), but definitely something Apple needs to act on fast. Basically, someone found a way to infect a Mac at the firmware level using a modified Thunderbolt accessory. Once infected you can reinstall, replace the hard drive, install antivirus and other tools… it won’t help. The Mac belongs to the attacker, as it controls the firmware and the firmware loads before anything else. More information can be found here and the original presentation can be found here (YouTube link). Other projects involving the exploitation of graphics cards (GPUs) are something I also keep track of, but not much has happened recently in that arena. Hacks of sites and services, exploits of certain software, etc.: I’m monitoring it all so I can report on it and let you know ASAP if relevant.

This post is to break the silence and to let you all know I’m still around, keeping my eyes and ears open every day, and as soon as something post-worthy comes along you’ll definitely see an article :)

I have also been playing with OS X 10.10 Yosemite since its release.


Knock Knock, who’s there?

I saw an interesting video today which talks about the kinds of OS X malware and the ways they can persist. When it comes to ways that OS X malware can keep itself alive even after a reboot there is nothing new in this video; however, the tool created by the author, Patrick Wardle, is pretty cool. Basically it checks all the locations and ways malware is known to be persistent. The known LaunchDaemons and LaunchAgents, browser plugins/extensions and Login Items are all checked, but it goes a little deeper than that. Code is also checked, like plist files’ use of “RunAtLoad” or “KeepAlive”, which could indicate persistent malware.

The tool is currently in beta and command-line only, but worth checking out if you want to learn more about what goes on under the OS X hood, or if you suspect a malware infection and your antivirus product is coming up dry. If you know me you know my opinion of OS X’s built-in anti-malware tools XProtect and Gatekeeper: they are fairly useless. Antivirus applications perform much better and have a much better chance at offering you protection, but again, these products are (just like XProtect) reactive. Based on signatures, hashes, location data and file names, they almost always offer protection after the fact. True heuristics are very hard to find in OS X products, which is sad because that may offer the best possible protection, as it is proactive, not reactive. The Knock Knock tool can be easily extended with new plugins. If a new way of persistence is discovered, a simple Python plugin can be written and added to the Knock Knock functionality.

I ran the tool on my Mac and found nothing that shouldn’t be there. When I ran the tool on an infected Mac, however, it was able to point out a huge amount of malware. VSearch, Genieo, iWorm, CoinThief, CodecM, Revir, a ton of browser plugins, a keylogger and much more were found to be persistent in one way or another: over 50 in total. Of course this tool is not an antivirus application. It doesn’t monitor your Mac constantly and it doesn’t tell you “this file belongs to this malware”, but I like the functionality it offers. You’ll need to know a bit about OS X: which file belongs and which doesn’t, what is a possible threat that needs further investigating and what is harmless. However, for those that want to learn more about their Mac’s internals, think they are infected with malware, or research malware, this is a nice tool to add to the collection. If the developer keeps working on this tool, possibly gives it a GUI and makes it run on a Mac all the time, this would be a great way to keep an eye on your system.
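The launchd checks described above, as an added example written for this page rather than Knock Knock’s own code: it parses launchd plists with Python’s plistlib, reports RunAtLoad and KeepAlive (which may be a boolean or a dictionary of conditions), and flags programs stored outside the system locations or in hidden directories. The same directories are where the Flashback removal tool’s com.apple.mrt plists from the earlier post land, so the scanner covers that case too. The two plists below are constructed samples, and the label and path names in them are my own; scan_launchd_dirs() reads the real directories when run on a Mac.

```python
"""Review launchd property lists for the persistence settings the post names
(RunAtLoad, KeepAlive) and for programs living outside the normal system paths.
Added example for this page, not Knock Knock's own code. The two plists below are
constructed samples; scan_launchd_dirs() inspects the real directories on a Mac."""
import os
import plistlib
from typing import Any, Dict, List

# Directories launchd reads at boot/login. The Flashback removal tool's
# com.apple.mrt plists (see the earlier post) live in the two /System paths.
LAUNCHD_DIRS = [
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "~/Library/LaunchAgents",
]

# Prefixes where OS and vendor-installed binaries normally live (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def keepalive_requested(value: Any) -> bool:
    """KeepAlive is either a bool or a dict of conditions; a non-empty dict means relaunch."""
    if isinstance(value, bool):
        return value
    return isinstance(value, dict) and len(value) > 0


def program_path(plist: Dict[str, Any]) -> str:
    """launchd takes the executable from Program, or else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_plist(data: bytes) -> Dict[str, Any]:
    """Parse one launchd plist and list the persistence indicators it sets."""
    plist = plistlib.loads(data)
    path = program_path(plist)
    findings: List[str] = []
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at boot/login")
    if keepalive_requested(plist.get("KeepAlive")):
        findings.append("KeepAlive: relaunched if it exits")
    if path and not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside system locations: {path}")
    if any(part.startswith(".") for part in path.split("/") if part):
        findings.append("program stored in a hidden (dot-prefixed) path")
    return {"label": plist.get("Label", "<no Label>"), "program": path, "findings": findings}


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> List[Dict[str, Any]]:
    """Assess every .plist in the launchd directories that exist on this machine."""
    results = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    report = assess_launch_plist(fh.read())
            except Exception as exc:  # unreadable or malformed plist: worth a look itself
                report = {"label": name, "program": "", "findings": [f"could not parse: {exc}"]}
            report["file"] = full
            results.append(report)
    return results


# Constructed samples (not real artifacts): a system-style agent and a suspicious helper.
SAMPLE_SYSTEM = plistlib.dumps({
    "Label": "com.example.systemagent",
    "ProgramArguments": ["/System/Library/CoreServices/Example.app/Contents/MacOS/Example"],
    "RunAtLoad": True,
})
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updatehelper",
    "ProgramArguments": ["/Users/alice/Library/.cache/updatehelper", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": {"SuccessfulExit": False},
})


if __name__ == "__main__":
    for sample in (SAMPLE_SYSTEM, SAMPLE_SUSPICIOUS):
        report = assess_launch_plist(sample)
        print(report["label"], "->", "; ".join(report["findings"]) or "no indicators")
    for report in scan_launchd_dirs():
        if report["findings"]:
            print(report["file"], "->", "; ".join(report["findings"]))
```

RunAtLoad on its own is normal for plenty of legitimate agents, which is exactly the judgement call the post describes: the value of the report is the combination of indicators and the program path, not any single key.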

The video can be found here.
The slides for the video can be found here.
Knock Knock can be downloaded here.


Upgrading to OS X 10.10 Yosemite

You may have been amongst the first to upgrade your Mac to OS X 10.10 Yosemite, or you may be one of the people that prefers to wait a bit. Here are a few tips to ensure the upgrade goes smoothly when the time comes.

1. Make sure your Mac meets the minimum system requirements, at LEAST.
According to Apple the following Macs can run Yosemite:
• iMac (Mid 2007 or newer)
• MacBook (Late 2008 Aluminum, or Early 2009 or newer)
• MacBook Pro (Mid/Late 2007 or newer)
• MacBook Air (Late 2008 or newer)
• Mac mini (Early 2009 or newer)
• Mac Pro (Early 2008 or newer)
• Xserve (Early 2009)
– OS X 10.6.8 or later.
– 2 GB of Memory.
– 8 GB of available storage.

As with OS X Mavericks, the requirements cover a broad range of Macs and as with OS X Mavericks, it is not a good idea to install the system on a Mac that meets the bare minimum requirements. Here is my recommended minimum requirements list:
• iMac (Early 2009 or newer)
• MacBook (Late 2008 Aluminum, or Early 2009 or newer) (if you must)
• MacBook Pro (Early 2009 or newer)
• MacBook Air (13-Inch, Late 2010 or newer)
• Mac mini (Early 2009 or newer)
• Mac Pro (Early 2009 or newer)
– OS X 10.9.5 Mavericks.
– 4 GB of Memory, 8 GB preferred.
– 20 GB of available storage.
– A graphics card that has 512 MB of memory or more preferred.

This list is based on my experience over the years. After a new OS is released I see people every day that upgraded and have issues immediately. More often than not this is because their previous system was already experiencing issues. Cluttered drive, upgrades on top of upgrades, no maintenance etc. These can all cause issues. Upgrading from an older OS, skipping one or more versions and going straight to the latest often causes issues as well. Something I also hear a lot is “but I meet the minimum system requirements, why is it so slow?”.

Minimum system requirements tell you what is needed to run the OS, and just the OS. The way these requirements are often understood is: “I have 2 GB of memory, so I can run the latest system and any application I want.” With only 2 GB of memory the Mac will load the OS, start up and present you with your desktop and files, but by that time it will already have consumed most of that 2 GB. If you then try to run iPhoto, iTunes, Safari, Spotify or any other application on top of that, you’ll be out of memory in a matter of minutes. Since OS X Mavericks the memory (RAM) management has really improved, so people can do more with less, but there are limits. Look at your system now and your most used applications to figure out what your ideal setup should look like. For example, an average user uses these applications:
– iTunes
– iPhoto
– Safari
– Microsoft Office
– Mail
This is just basic use of a Mac. Let’s see what each of these applications requires.
– iTunes (500 MB of RAM)
– iPhoto (4 GB of RAM recommended)
– Safari (1 GB of RAM recommended depending on use)
– Microsoft Office (1 GB of RAM recommended)
– Mail (200 MB of RAM)
Talking about Photoshop or other photo/video editing applications?
– Photoshop (1 GB of RAM for CS 6, 2 GB but 8 GB recommended for CC)
– Aperture (4 GB of RAM recommended)
– iMovie (2 GB of RAM, 4 GB recommended)

These applications require this amount of memory on top of what the OS needs to run. As you can tell, 2 GB of RAM is not enough to do anything smoothly. If the minimum requirement for something is X GB, double it to make sure it runs smoothly. The average system needs 4 GB to run smoothly most of the day, but these days 8 GB is definitely recommended.

2. Compatibility.
Once you are sure your Mac can handle the new system it’s time to check all your applications. Is all the software you have and use compatible with the new OS? Check manufacturer websites to see if you need updates or maybe even completely new versions. User forums for products can help too. If a lot of people on the Apple or Adobe forums are complaining about compatibility issues, you may want to hold off.

3. Be prepared to start fresh
If you are planning to upgrade a system that is running 10.6 or 10.7, I recommend starting fresh, meaning a clean install of the system. While upgrades like this that skip one or two OS versions can result in a perfectly smooth-running machine, this is mostly not the case. Again, speaking from experience. If your system is currently experiencing issues (regardless of the OS version you have installed) like slow performance, freezing, a spinning beachball or applications unexpectedly quitting, do not upgrade. An upgrade is not a magical fix; it will almost certainly make the issue worse. Instead, resolve the problem first and then upgrade. Depending on the issue, a clean install may be the best solution.

4. Backup and Clone

Upgrading to a whole new OS is a very invasive undertaking. In case something goes wrong (see point 3, but even if your system is fine, stuff can still go wrong) you want a backup to restore from. You should already have some kind of backup strategy in place, like Time Machine backups, but in cases like these it’s a good idea to have a clone of your system as well. A clone is a 1:1 copy of your hard drive contents and will allow you to boot up from it or restore the entire system. If you upgrade to Yosemite and find out you hate it, have too many incompatible applications or it just doesn’t run well on your older machine, just start up from the clone drive and clone the whole thing back to your Mac. Once the clone is done and you restart, it’ll be like nothing ever happened.

SuperDuper is my preferred cloning tool and I recommend using an external hard drive that supports FireWire 800, USB 3.0 and/or eSATA for best performance. USB 2.0 and FireWire 400 will work but both the cloning and booting from it, if needed, will be painfully slow. Keep running your Time Machine backups as usual too of course.

5. Remember your passwords
After installing the new system you will be asked for your Apple ID so that features like iCloud and Messages can be enabled, so make sure you know the login details before you upgrade. You can set up iCloud and Messages later on, but entering these details during the installation will make for a smoother experience when it’s done.

6. Duplicate important documents
Once you upgrade and start working on a document in a new version of Numbers, just to name one, you cannot open that document in older versions anymore. This is the case for a lot of software. With a new OS usually come big application updates or upgrades as well. If you have important documents that you still need to be able to work on even if you decide to downgrade back to your previous system later on (with that clone I mentioned), make a copy and work on that instead. If you open/edit the original file, you may not be able to use it anymore if you downgrade your system.

Having a backup (clone preferred) will ensure you can go back to the current state of your system and is therefore the most important step when it comes to any upgrade.

I have enjoyed the new look and features so far and have yet to find any bugs or issues.


Antivirus Detection Rate results updated – October 5, 2014

With quite a few AV products improving their detection rates steadily and (mostly) consistently, it’s time to raise the bar a little. Previously, the results PDF showed 4 categories:
Category 1 - The best AV products with a detection rate of 90% or higher.
Category 2 - AV Products with a detection rate of 60-90%.
Category 3 - AV Products with a detection rate of 60% or lower.
Category 4 - AV Products that were excluded from testing.

These categories have been changed and are now:
Class A - The best AV products with a detection rate of 95% or higher.
Class B - AV Products with a detection rate of 95-85%.
Class C - AV Products with a detection rate of 85-75% or lower.
Class D - AV Products with a detection rate of 75% or lower.
Class F - AV Products that were excluded from testing.

This seems like a very high bar but then again, why not expect the best of the products that claim they protect us? I will also attempt to release updates on a set schedule.
Class A- Updated every month or as new samples become available.
Class B- Updated every two months.
Class C- Updated every three months.
Class D- Updated every six months.
Class F- Updated every year or not at all.


Apple patches Bash vulnerability

Since late last week the internet has been buzzing about something named Shellshock. The Bash shell is something most users will never know or hear about; it runs under the hood of OS X and other major operating systems and is critical for a lot of tasks. The flaw that was discovered last week allows an attacker to basically take over your machine if certain conditions are met, and it was already being exploited online shortly after its discovery.

Apple stated that most Mac users were safe from Shellshock as remote services like web sharing are disabled by default. OS X Server users were not mentioned, but I consider them to be at far more risk as it is much easier to set up and enable a web server or other remote services. However, this bug was serious enough to get Apple’s immediate attention and today they released a software patch, “OS X bash Update 1.0”. Strangely, this update cannot be found through the normal software update process but has to be downloaded from Apple’s website.

The patch was released for the last three operating systems and can be found here:
OS X 10.7 Lion
OS X 10.8 Mountain Lion
OS X 10.9 Mavericks
No restart is required to install this security patch, but you do need to have the latest version of your OS installed. If the patch refuses to install, run Software Update first.

All Mac users running any of those OS X versions should download and install it immediately.
The fact that this update is not available through the Software Update menu or App Store is a concern. This means that a lot of OS X users may never install the update. Hopefully this will be corrected.
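To verify that the bash update actually took, here is an added example (not Apple’s code) that runs the widely published Shellshock diagnostic against the local bash: it exports an environment variable holding a function definition with a command appended, starts bash, and checks whether the appended command ran. A patched bash prints only its own echo and ignores the rest. The variable name SHELLSHOCK_PROBE and the marker text are my own choices; any name works, because the flawed import keyed on the value starting with “() {”, not on the name.

```python
"""Check whether the local bash still executes commands appended to an
environment-variable function definition (the Shellshock flaw the post describes).
Added example for this page, not Apple's code. Run it after applying the update:
'patched' means the appended command was ignored."""
import shutil
import subprocess
from typing import Optional

# Marker printed only if bash runs the command that follows the function body.
MARKER = "SHELLSHOCK_PROBE_EXECUTED"

# A function definition in bash's exported-function format, followed by an extra
# command. Pre-patch bash executed that extra command while importing the function.
PROBE_FUNCTION = "() { :; }; echo " + MARKER


def bash_version(bash_path: str) -> str:
    """First line of `bash --version`, for the report."""
    out = subprocess.run([bash_path, "--version"], capture_output=True, text=True, timeout=10)
    return out.stdout.splitlines()[0] if out.stdout else "unknown"


def bash_imports_trailing_commands(bash_path: str) -> bool:
    """True if bash executed the command appended to the probe function."""
    result = subprocess.run(
        [bash_path, "-c", "echo probe-complete"],
        # Minimal environment: only the probe variable is exported. The name is
        # arbitrary (my choice); bash keyed the import on the value's "() {" prefix.
        env={"SHELLSHOCK_PROBE": PROBE_FUNCTION},
        capture_output=True,
        text=True,
        timeout=10,
    )
    return MARKER in result.stdout


def shellshock_status(bash_path: Optional[str] = None) -> str:
    """Return 'vulnerable', 'patched', or 'no-bash' when no bash binary is found."""
    bash_path = bash_path or shutil.which("bash")
    if not bash_path:
        return "no-bash"
    return "vulnerable" if bash_imports_trailing_commands(bash_path) else "patched"


if __name__ == "__main__":
    path = shutil.which("bash")
    if path:
        print(bash_version(path))
    print("bash status:", shellshock_status(path))
```

On a Mac the bash of interest is /bin/bash, which is what shutil.which("bash") normally finds; pass the path explicitly if you keep a second bash (from MacPorts or Homebrew, for instance) and want to check that one too, since Apple’s update only covers the system copy.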


Malware Detection Rate Results

Last updated:
Sunday October 5th, 6:40PM EST
436 Samples, 44 Applications
#1 Avast
#2 Intego
#3 Norman
Get it here.