Knock Knock, me again!

Last October I wrote an article about Knock Knock, a tool that checks common hiding places of malware. You can read this article here. Overall a good tool, but it was command line only. Immediately after writing the article I was asked both in the comments and via email to do a follow-up piece with instructions on how to use it. I said I would but I never got around to it. The article ended with me saying the following: “If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.”

Today I received an email from the Knock Knock creator, Patrick Wardle, to say that he had done just that. Knock Knock now has a neat user interface which will make it a lot easier and more fun (for nerds like me anyway) to use. On top of that he integrated VirusTotal so you can see if a particular file is thought of as malware. VirusTotal is not foolproof and may not show a detection for everything but it can certainly give a good indication as to whether a file should be investigated further.

Let’s take it for a spin and see what we got!
If you prefer to explore for yourself, download Knock Knock here.

The application is a very light 1.5MB and the UI is very clean. I tested the app on my main system first (OS X 10.10.3). Simply clicking the “Start Scan” button immediately resulted in a permission request dialog asking me if Knock Knock could access confidential information from the Safari Extensions List. I allowed it once, then did another scan and denied the access. Allow or Deny, the scan still shows you results for browser extensions, the only difference is that Safari results are omitted if you deny the access. I believe you can safely allow this access. Knock Knock only attempted to make one connection to a remote server during and after the scan, to Google for the VirusTotal results. The connection to “ghs-svc-https-c46.ghs-ssl.googlehosted.com” was blocked by my Little Snitch so initially I did not get any VirusTotal results. If you block any and all Google related connections, Knock Knock still functions. You just miss out on the VirusTotal results which could help you if you are new at this.

Knock Knock showed me a little over 30 results which were all clean. This list may seem small but this is because Knock Knock omits OS and known items. If you want the full list, every kernel extension and login item, click the gear and check “show os/known items”. Then run the scan again. If you do not want to confuse yourself, stick with the default settings. In the preferences you can also disable VirusTotal integration and enable the app to save the results for you. If enabled, there will be a “kkFindings.txt” in your downloads folder after a scan. Make sure you rename that text file if you want to save the results as Knock Knock will overwrite that same file with the next scan results. A little colored lock icon also shows if a found file is signed or unsigned which can be helpful.

Everything looks and works well on a clean system. No abnormal CPU or memory usage, no hangs or freezes. Let’s see how it handles an infected OS.

Thanks to the VirusTotal integration it’s very obvious if something is detected. Knock Knock will mark the category that has potentially infected items in bright red and the individual suspect files show their VirusTotal score in red as well. As mentioned before, VirusTotal is not foolproof so as expected a lot of files were not flagged as malware. To be clear, Knock Knock showed them all, VirusTotal just didn’t flag them. The files that you want gone can easily be exposed with the “show” icon which will take you to the Finder location of that file.
I did notice on the infected system (OS X 10.9.5) Knock Knock did not prompt me for access to Safari Extensions and no Safari extensions were listed in the scan results even though Safari is heavily infected with all kinds of malware. It did find Chrome and Firefox extensions. Even with this small issue, I still recommend at least trying Knock Knock 1.0.0. Keep it on your system if you like it/find it helpful and just like AdwareMedic, run it periodically to see if anything shows up that raises red flags.

Knock Knock is not an all-in-one security solution, such solutions do not exist. As mentioned before, the best security comes in layers and Knock Knock is certainly one of many layers worth having.

Previous writeup on Knock Knock.
Knock Knock download and basic instructions.
Also mentioned: AdwareMedic
Also mentioned: Little Snitch

Posted in Security Tagged with: , ,

Updates for OS X and iOS

Apple today released updates for OS X Yosemite and iOS 8.
As usual it is recommended to install these updates as they include a slew of security patches but also bug fixes and enhancements.
Some users may also see a separate security update available (Security Update 2015-004) and/or a Safari update (6.2.5 or 7.1.5).

The list of security patches, fixes and enhancements is long so rather than listing them all, here are some links:

OS X 10.10.3 Update (General Info) (Security Content) (Download)
OS X 10.10.3 Combo Update (General Info) (Security Content) (Download)

Security Update 2015-004 for Mountain Lion (Download)
Security Update 2015-004 for Mavericks (Download)

Download size can vary depending on the source. The download site lists file sizes of 1.52GB for the 10.10.3 Update and 2GB for the 10.10.3 Combo Update. OS X Server’s Software Update service lists 2.6GB for the regular update and 2.3GB for the Combo Update. Use the links above to go to Apple’s download page, use Software Update on Mountain Lion and Mavericks or use the App Store’s Updates tab on Yosemite to get these updates and Safari as well.

iOS 8.3 was also released and includes a long list of fixes and enhancements; info on that can be found here.

As always, back up your Mac and iOS device before installing any updates.


Apple releases security updates, iOS 8.2 and Apple TV 7.1

(Updates may not be available yet for download. They should be available to everyone before the end of the day)

Apple today released a security update for its three most recent OS X systems, iOS 8.2 and Apple TV 7.1, which also includes security fixes.

For OS X 10.8.5 Mountain Lion, 10.9.5 Mavericks and 10.10.2 Yosemite users the update “Security Update 2015-002” is available and (depending on the version of OS X you use) contains security fixes for iCloud Keychain, the Kernel and Secure Transport. The Secure Transport patch addresses the recently discovered FREAK vulnerability.

iOS 8.2 is available for iPhone 4S and later and addresses vulnerabilities in SMS Messaging, iCloud Keychain and Secure Transport.

Apple TV 7.1 update also addresses the FREAK vulnerability.

All users are recommended to install the security update on Mac and iOS update on applicable devices. Mac users can use their usual Software Update methods, iOS users can update through iTunes or by going to Settings > General > Software Update. Back up your Mac or iDevice before installing updates just as a precaution.

More info on Security Update 2015-002
More Info on the security contents of iOS 8.2
More info on the security content of Apple TV 7.1

Of course iOS 8.2 is not just about security patches. There is improved stability for several apps and processes, bug fixes, Apple Watch support and Health App improvements.


Java installs adware. If you allow it. Relax people.

Java is now bundled with an Ask.com toolbar. The web is blowing up about it. “Beware”, “Adware”, “shady”, “Sneaking” and other terms are used. Is this just a hype or is there something to these claims? Let’s find out.

I set up a brand new Virtual Machine, installed all the latest updates, the latest browsers, the latest versions of Flash Player and Little Snitch. I downloaded the latest version of Java directly from its source, oracle.com. When the download is selected it leads to the Java.com website (https://www.java.com/en/download/). The latest version at the time is Version 8 Update 40.

Adware is free software sponsored by ads. Toolbars are usually a form of adware. I use free software that is sponsored by ads on my Mac and my iPhone; nothing wrong with adware. When adware starts to act like spyware and injects ads in places it should not be, then there’s a problem.

I ran the Java installer and found clear mention of the Ask.com toolbar with two options:
– Set Ask as my default search provider
– Set Ask.com as my browser home page and new tabs page

If these boxes are unchecked, you guessed it, just Java is installed. But let’s behave like the typical user and click “Next” as fast as we can, completely ignoring all the information the installer provides.

The toolbar is installed in Safari and both the default search and home pages are changed to ask.com. Firefox users (as we should all be imo) get a warning stating a 3rd party is attempting to modify Firefox. You must allow it to be activated. If you do not allow this, the add-on will be installed but de-activated by Firefox. It does however change your default home page and search engine.

Here is what I’ve found:
– If you READ the installer information this toolbar will never make it on to your system.
– If you did manage to just click “Next” and get the toolbar installed, Firefox warns you about it and you must provide additional approval to activate the toolbar. Safari users are stuck with the toolbar immediately.
– Your new Ask.com homepage clearly shows links to how you can reset your homepage or remove the toolbar. They do not try to hide it.
– The toolbar does not inject ads anywhere they should not be.
– There are no additional processes running because of the toolbar.
– No dubious server connections are made by the toolbar.
– It takes 10 seconds to reset your home page, search engine and uninstall the toolbar in Safari.
– It takes 19 seconds to reset your home page, search engine and remove the toolbar from Firefox.
– It takes a minute to delete the few files left in the Library folder.

So, is it worth the hype? Absolutely not. Clickbait mostly in my opinion.

Oracle did not do anything “shady”. Oracle did not “sneak” this toolbar in there. Does Ask.com suck as a search service? Absolutely. Is it annoying to have to reset and uninstall the Ask.com materials after you failed to properly read an installer? Sure, but that’s on you. Is there data theft, ad injection, horrible unspeakable things happening? No. As with all installers, read the information that’s provided. Don’t brainlessly click things you shouldn’t be clicking and you can avoid most of this stuff.


Old Mac trojan returns

For the past few days I’ve been keeping an eye on reports stating an old Mac trojan, OpinionSpy, is back. Intego has indeed confirmed the old trojan has found its way back to the Mac platform. This time through downloads from download.cnet.com. The application “Free Video Cutter Joiner” will install additional contents if you allow it to. With most people just clicking through installers as fast as they can to get to the good stuff, additional content like this can easily be overlooked.

I have obtained all the samples associated with the above mentioned file and a few others, they will be included in the antivirus test during the next update. In the meantime, watch out for any content from cnet.com and download.com and the following names:
– Free Video Cutter Joiner
– Free MP3 Cutter Joiner
– Audio Converter Mac
– Video Converter Mac
– PremierOpinion
– DVDVideoMedia
See any of these names in a file or website, steer clear for now.

If you use Little Snitch, and you should, look out for any connection attempts to:
– securestudies.com
– premieropinion.com
or any of their subdomains.
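As an added example (not from the original post, and not Intego's or Little Snitch's code), here is a small Python script that runs the indicator list above against connection log lines. The `timestamp process -> host:port verdict` line format and every line in `SAMPLE_LOG` are constructed for the example; this is not Little Snitch's real log format. The domain check matches the two listed domains and any of their subdomains, and deliberately rejects look-alikes: a host that merely ends in the same letters, or the indicator domain used as a subdomain of someone else's domain.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the post above.
IOC_DOMAINS = ("securestudies.com", "premieropinion.com")
IOC_NAMES = (
    "Free Video Cutter Joiner", "Free MP3 Cutter Joiner", "Audio Converter Mac",
    "Video Converter Mac", "PremierOpinion", "DVDVideoMedia",
)

# Constructed log lines in a made-up "timestamp process -> host:port verdict"
# format; this is NOT Little Snitch's real log format. Hosts other than the
# indicator domains and the 203.0.113.7 address (a documentation range) are invented.
SAMPLE_LOG = [
    "2015-02-20 09:41:03 Free Video Cutter Joiner -> api.premieropinion.com:443 allow",
    "2015-02-20 09:41:07 Safari -> www.apple.com:443 allow",
    "2015-02-20 09:41:09 PremierOpinion -> SecureStudies.com:80 deny",
    "2015-02-20 09:41:12 Mail -> notpremieropinion.com:443 allow",
    "2015-02-20 09:41:15 Firefox -> premieropinion.com.evil.example:443 allow",
    "2015-02-20 09:41:20 Video Converter Mac -> 203.0.113.7:80 allow",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<process>.+?) -> (?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<verdict>allow|deny)$"
)


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it.

    The comparison respects label boundaries: notpremieropinion.com does not
    match premieropinion.com, and premieropinion.com.evil.example (the indicator
    used as a subdomain of an unrelated domain) does not match either.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (process, host) for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    return (m.group("process"), m.group("host")) if m else None


def classify(process: str, host: str) -> List[str]:
    """Reasons a connection matches the indicator list; empty if it is clean."""
    reasons = []
    if any(name.lower() in process.lower() for name in IOC_NAMES):
        reasons.append("name")
    if any(host_matches(host, d) for d in IOC_DOMAINS):
        reasons.append("domain")
    return reasons


def find_iocs(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Scan log lines and return (process, host, reasons) for every hit, in log order."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line; a real tool should log these rather than drop them silently
        process, host = parsed
        reasons = classify(process, host)
        if reasons:
            hits.append((process, host, reasons))
    return hits


if __name__ == "__main__":
    for process, host, reasons in find_iocs(SAMPLE_LOG):
        print(f"{process!r} -> {host}  flagged by: {', '.join(reasons)}")
```

The last sample line is the reason both checks are kept: a process that connects to a bare IP address is not caught by the domain list at all, only by its name, so neither indicator type on its own is enough.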

More info here.


New Flash Player version available

An updated Flash Player, version 16.0.0.305, is now available for download on the Adobe website. This version patches the zero-day exploit I mentioned a few days ago. All users that have Flash Player installed should update asap. If you had previously disabled Flash Player just reverse the instruction I gave in the previously mentioned article.

For now users that have Flash Player installed appear to be safe once again. That is until the next vulnerabilities are found which won’t take too long. If you do not absolutely need Flash Player on your system, consider removing it completely. You’ll be much safer out there.


Apple releases updated FlashBack Malware removal tools

It appears Apple has quietly released an updated tool in the fight against fake Flash Player installers. Two updates showed up today:
Flashback Removal Security Update 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware.” This update also disables the Java plug-in in Safari.
Flashback malware removal tool 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. This update is recommended for all Mac users who do not have Java installed”

While both updates appear to do the same thing judging from their descriptions, a look at the installer shows the differences.

Flashback malware removal tool 1.0 installs the actual Flashback malware hunter, an agent called “MRTAgent.app” in /System/Library/CoreServices. The app does not appear to activate until the next restart. At that point two files in /System/Library/LaunchAgents (com.apple.mrt.uiagent.plist) and /System/Library/LaunchDaemons (com.apple.mrt.plist) will activate the app and take care of the Flashback ma
Flashback Removal Security Update 1.0 installs the MRTAgent app and related files but also an app that disables Java called “JavaDisabler.app” in /System/Library/CoreServices. An additional file is added to the System LaunchAgents folder, “com.apple.javadisabler.plist”.
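As an added example that serves both the Knock Knock walkthrough earlier on this page (its default view hides OS and known items until you check “show os/known items”) and the launchd plists described in this post, here is Python code, not Knock Knock's or Apple's, that parses launchd property lists, reports what each one runs and when launchd will start it, and hides Apple's own `com.apple.` items by default. The three plists embedded in it are constructed for the example: `com.apple.mrt` is the only label taken from this page, its executable path inside MRTAgent.app is an assumption based on the usual bundle layout and was not read from the installer, and the `com.example.*` labels, paths and `--quiet` flag are made up.

```python
import plistlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample plists. Only the com.apple.mrt label comes from this page;
# its executable path is an assumption (standard bundle layout), and everything
# under com.example.* is invented for the example.
PLIST_HEADER = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
)

SAMPLE_PLISTS: Dict[str, bytes] = {
    "/System/Library/LaunchDaemons/com.apple.mrt.plist": PLIST_HEADER + b"""
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mrt</string>
  <key>ProgramArguments</key><array>
    <string>/System/Library/CoreServices/MRTAgent.app/Contents/MacOS/MRTAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
""",
    "/Library/LaunchAgents/com.example.updater.plist": PLIST_HEADER + b"""
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.updater/updater</string>
    <string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
</dict></plist>
""",
    "/Library/LaunchDaemons/com.example.helper.plist": PLIST_HEADER + b"""
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Library/Application Support/Example/helper</string>
</dict></plist>
""",
}


@dataclass
class LaunchItem:
    path: str
    label: str
    program: Optional[str]
    arguments: List[str]
    run_at_load: bool
    keep_alive: bool

    @property
    def is_os_item(self) -> bool:
        # What Knock Knock hides unless "show os/known items" is checked. A label
        # prefix is only a noise filter: nothing stops malware from naming itself
        # com.apple.something, so passing this check does not vouch for an item.
        return self.label.startswith("com.apple.")


def parse_launch_item(path: str, data: bytes) -> LaunchItem:
    """Extract what a launchd plist runs and when launchd will start it."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments", []))
    # launchd uses Program if present, otherwise the first ProgramArguments entry.
    program = plist.get("Program") or (args[0] if args else None)
    # KeepAlive is either a bool or a dict of conditions; a non-empty dict also
    # means launchd restarts the job, so bool() covers both forms.
    return LaunchItem(
        path=path,
        label=str(plist.get("Label", "")),
        program=program,
        arguments=args,
        run_at_load=bool(plist.get("RunAtLoad", False)),
        keep_alive=bool(plist.get("KeepAlive", False)),
    )


def scan(plists: Dict[str, bytes], show_known: bool = False) -> List[LaunchItem]:
    """Parse every plist and, like Knock Knock's default view, drop Apple's own items."""
    items = [parse_launch_item(path, data) for path, data in sorted(plists.items())]
    if not show_known:
        items = [item for item in items if not item.is_os_item]
    return items


def report(items: List[LaunchItem]) -> str:
    lines = []
    for item in items:
        flags = [name for name, on in (("RunAtLoad", item.run_at_load),
                                       ("KeepAlive", item.keep_alive)) if on]
        when = ", ".join(flags) or "on demand"
        lines.append(f"{item.label}: {item.program or '<no program>'} [{when}] ({item.path})")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Default view (OS items hidden):")
    print(report(scan(SAMPLE_PLISTS)))
    print("\nWith show os/known items:")
    print(report(scan(SAMPLE_PLISTS, show_known=True)))
```

On a real Mac the dictionary would be filled by reading the plist files from the LaunchAgents and LaunchDaemons folders under /System/Library, /Library and ~/Library; the parsing and filtering are the same. A hidden directory under /Users/Shared with RunAtLoad and KeepAlive set, as in the constructed `com.example.updater` item, is exactly the kind of entry worth looking up on VirusTotal.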

The descriptions and links on both updates point to older support pages, no mention is made anywhere that I could find about updated signatures or other changes. The documentation for the removal tool points to this page which was last updated on November 8, 2014. The documentation for the Security Update points to this page which was updated last around the same time as the other page, November 19, 2014.

Until someone digs around in these installers to see what’s new it’s unknown which variants specifically are targeted. It may be the recently discovered OSX.IronCore.A, Apple had already updated their XProtect with the signature in December. The fact that the update references the “Java for OS X 2012-003” update that was released in 2012 is a bit confusing. Though I was able to see and download the updates using Software Update Server, none of the Macs on my network appear to be interested in the updates. If you do see these updates appear in your App Store, it’s a good idea to install them. If I find out more details about these updates I’ll post a follow-up.


New Flash zero-day also targets Mac users

Adobe released a security advisory today. Flash Player versions 16.0.0.296 (the current version) and earlier contain a vulnerability that can cause a crash and potentially allow an attacker to take control of the affected system. This vulnerability is already being exploited in the wild and no patch is available at this time.

We recommend disabling Flash Player until this issue has been patched. Here’s how to do this:
Safari: Open the Safari Preferences and go to the “Security” tab. At the bottom where it says “Internet Plug-ins” click the button “Website Settings”. Click on the “Adobe Flash Player” plug-in and you’ll see a list of allowed websites. If any websites show in this list, click on them once and then remove them by using the “-” button. Set the setting “When visiting other websites:” to “Block”.
Firefox: From the menu bar, Tools menu, select “Add-ons”. Click on the Plugins tab in the left column and set “Shockwave Flash” to “Never Activate” (This should be set to “Ask to Activate” by default for enhanced security on any other day).

The best way is to completely uninstall Flash from your system. I have not had Flash installed for a long time and rarely run into any websites that require it. To remove Flash from your system download the uninstaller here.

Adobe expects to patch this issue later this week but no timeframe was provided.


Apple updates Yosemite and Safari

Today Apple released the second update to the latest OS X, 10.10.2.
While the detailed list of security fixes in this update has not yet been released, we know from other sources that Apple patched the Thunderstrike vulnerability, briefly mentioned in my last post, and three of the vulnerabilities reported by Google last week. Also resolved is an issue where Spotlight would load remote email contents even if Mail itself had this disabled. Some of the other fixes in this release address poor Wi-Fi performance, slow loading webpages, the ability to browse iCloud Drive in Time Machine and Safari stability and security improvements.

Separate Safari updates were released for 10.8 Mountain Lion and 10.9 Mavericks users. Both updates address stability and security. Mountain Lion users will see their version of Safari updated to 6.2.3 and Mavericks users to 7.1.3. Four WebKit issues were addressed in these updates. Safari 8.0.3 for Yosemite users is included in the OS X 10.10.2 update.

Also released was Security Update 2015-001 which “is recommended for all users and improves the security of OS X.” The update is available for 10.9.5 Mavericks users and is included in the OS X 10.10.2 update for Yosemite users. Issues addressed are AFP file sharing, Bluetooth, network cache, CoreGraphics and other vulnerabilities. It’s quite a list which can be found here.

It is recommended to update your backups before installing these (or any) updates. In the case of a second OS X release I personally like to download and apply the combo update, this typically has resolved more of the ‘new OS’ bugs than simply running the single version update. At the time of writing the combo update and the above mentioned updates are not available for direct download. Keep an eye on the Apple downloads page where the combo update should pop up soon.


Just an update (and a bit of a rant ;)

Happy new year everyone and thank you for your support, tips, samples and more over the past year.

I haven’t forgotten about this blog and I still keep my eye on any potential threats that require awareness. The past few months have just been very uneventful when it comes to Mac security. One issue I jumped on immediately was the recent NTP vulnerability, but as I was writing the article I realized Apple pushed out this update to all supported Macs. With all clients being updated automatically I felt a post about the issue had little value. Flash Player updates have been coming out at a fairly steady pace; every reader should know by now to update as soon as the system prompts for it, so these updates also required no posting from my end.

Malware has not been an issue recently so there have been no AV test updates since October. Updating these tests every time a new piece of adware is found would keep me busy full time so I wasn’t going to do that either. I also have been stretched very thin working on a lot of other projects that have been taking up almost all of my time. I would have made the time to report on anything significant but there have not been significant things to report on. One of the potentially big things I have been keeping my eye on since December is Thunderstrike. Currently still a proof of concept (PoC) but definitely something Apple needs to act on fast. Basically someone found a way to infect a Mac at the firmware level using a modified Thunderbolt accessory. Once infected you can reinstall, replace the hard drive, install antivirus and other tools… it won’t help. The Mac belongs to the attacker, who controls the firmware, and the firmware loads before anything else. More information can be found here and the original presentation can be found here (YouTube link). Other projects involving the exploitation of graphics cards (GPUs) are something I also keep track of but not much has happened recently in that arena. Hacks of sites and services, exploits of certain software etc. I’m monitoring it all so I can report on it and let you know ASAP if relevant.

This post is to break the silence and to let you all know I’m still around, keeping my eyes and ears open every day and as soon as something post-worthy comes along you’ll definitely see an article :)

I have also been playing with OS X 10.10 Yosemite since its release.


Malware Detection Rate Results

Last updated:
Sunday October 5th, 6:40PM EST
436 Samples, 44 Applications
#1 Avast
#2 Intego
#3 Norman
Get it here.