Posts tagged #Malware

Apple OS X Java Update

Apple have released a Java security update that removes the Flashback Trojan:

Go to Software Update and install it as soon as possible. Apple's notes for the update read:

This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

This update is recommended for all Mac users with Java installed.

For details about this update see: http://support.apple.com/kb/HT5242

Posted on April 13, 2012 .

Mac OSX Java Malware: OSX/Flashfake.c

This Trojan is installed by exploiting a flaw in Oracle Java (CVE-2012-0507). The Mac OS X-based malware masquerades as an Adobe Flash Player installer.

Once installed, the malware will drop fake/rogue security software, download additional malicious components, exfiltrate sensitive data, and accept other remote commands.

Infected hosts report back to an external server and can receive further instructions/payloads that way (C&C / bot-based control). CVE-2012-0507 is an Oracle Java vulnerability; Apple, which ships Java as a third-party component, patched it in April 2012.

Therefore... make sure your OS X software is up to date.

Posted on April 7, 2012 .

Microsoft Word Document Malware

Updating Word for Mac to the latest version protects you against this:

Exploit-OLE2.gen

MTIS12-053-A

THREAT IDENTIFIER(S): Exploit-OLE2.gen; "Mac Control" RAT
THREAT TYPE: Malware
RISK ASSESSMENT: Medium/On-Watch
MAIN THREAT VECTORS: Web; E-Mail; WAN; LAN
USER INTERACTION REQUIRED: Yes

DESCRIPTION

The Exploit-OLE2.gen trojan disguises itself as a Word Document. Upon opening in a vulnerable Mac system, it executes a script that writes the malware itself and then a shell script that runs it. The malware takes advantage of a Java vulnerability patched by Microsoft in Bulletin MS09-027. In the variants observed, the malware is stored as binary files called "DockLight" or "launchd" while showing the user a text about Tibetan freedom and grievances. Both binaries can be easily found just by looking for them in the system.

IMPORTANCE

Medium. This threat has gained media attention.
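The advisory says the dropped binaries can be found simply by looking for them. Here is that search as a script; it is an added example, not code from the advisory or from the original post. It walks a tree, reports every file named DockLight or launchd, and checks whether each is actually a Mach-O executable by its magic bytes. The rule that the only legitimate launchd is /sbin/launchd is an assumption of this script (the advisory does not say where the copies land), as is the sample tree built in the test.

```python
#!/usr/bin/env python3
"""Added example: hunt for the "DockLight"/"launchd" drop names from the
Exploit-OLE2.gen advisory. Not part of the advisory; the rule that the only
legitimate launchd is /sbin/launchd is an assumption of this script."""
import os
import sys
from pathlib import Path

SUSPECT_NAMES = {"DockLight", "launchd"}
# Paths (relative to the scanned root) where a suspect-named file is expected to exist.
EXPECTED = {Path("sbin/launchd")}
# Mach-O magic numbers as they appear on disk: 32/64-bit, either byte order, and fat.
MACHO_MAGIC = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
               b"\xca\xfe\xba\xbe"}


def is_macho(path):
    """True if the first four bytes are a Mach-O magic; the file is only read, never run."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGIC
    except OSError:
        return False


def find_suspect_binaries(root="/"):
    """Return sorted [(path, is_macho)] for every suspect-named file outside EXPECTED.

    Symlinks are not followed, so a link named launchd is reported but not chased."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SUSPECT_NAMES:
                continue
            path = Path(dirpath, name)
            if path.relative_to(root) in EXPECTED:
                continue  # the real launchd
            hits.append((str(path), is_macho(path)))
    return sorted(hits)


if __name__ == "__main__":
    # Usage on a Mac: sudo python3 hunt.py /   (root defaults to "/")
    for path, macho in find_suspect_binaries(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{'MACH-O ' if macho else 'other  '}{path}")
```

A decoy text file with one of these names and a real Mach-O dropped into a user's home both show up, but the MACH-O flag tells you which one to worry about first. Run it as root so that other users' home directories are readable.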

Posted on March 29, 2012 .

Visa Warns of Rise In Keyloggers

Visa International has warned retailers that keylogging malware hidden in card-reading terminals is on the rise.

The problem is made worse by the fact that most EPOS tills are Windows-powered.

In an article at InfoSecurity, Mickey Boodaei says:

"Consumers, meanwhile, should also take precautions against keyloggers, says Boodaei, as criminals are increasingly targeting payment card information on the Internet.

Many malware variants, he explained, collect card data as customers type it in while making a purchase online. In addition, more sophisticated malware can also change payment pages on websites asking for additional card and personal information.

"Our research team have also come across malware variants that steal card information when you log onto your bank account. They frequently change the login page to request your card information and then send this information on to the criminals", he said.

According to Boodaei, the increasing sophistication of cybercriminals looking to rip-off retailers, as well as their card-carrying customers, is a problem that will not go away because, as existing avenues of card fraud are closed off, cybercriminals will attempt to open new ones up.

"Unfortunately, keyloggers are an ideal vehicle for card fraud, as they allow fraudsters to radiate trojans out via sophisticated bulk emailers and sit back for unwary recipients to click on the links and unwittingly install the keylogging malware on their Windows-driven machines", he said.

"Consumers can do their part by installing a browser add-in such as Trusteer's Rapport software, which is offered as a free download by banks such as HSBC, RBS/NatWest and the Santander Group. Retailers, meanwhile, should contact their till terminal supplier for advice on their own IT security options", he added.

 

Here is a link to Trusteer's Rapport browser plug-in and the download page


Posted on April 8, 2010 .

And yet more rogue AV software - Virus Protector

A brand new fake AV program, Virus Protector, is doing the rounds.

Hopefully by now you'll know never to install or run (or click) anything that pops up on your screen telling you there's a problem.

Known system changes:

Registry entries
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: Shell
Data: C:\WINDOWS\system32\agaz17mgx.exe

That Shell value normally reads "explorer.exe"; pointing it at the rogue's executable means Windows starts the rogue instead of the desktop at every logon, so it survives reboots and is the first thing to put back when cleaning up.
Posted on March 8, 2010 .

New Rogue Software

It's hard to keep up with all the latest rogue-ware that pops up like a Whack-a-Mole game these days.

The latest is called DrGuard, and like all the other rogues, will do a fake scan of your PC and alert you to all sorts of problems that don't really exist.

Please be wary of ANY software that pops open to alert you of a problem.

Posted on March 5, 2010 .

Malware - Desktop Security 2010

And yet another rogue 'security' program appears on the net.

Desktop Security 2010 adds to the long list of rogue software scams.

It scans your system and then 'finds' a number of bad files that it has itself just installed.

If you're unfortunate enough to have this software installed, it probably slipped in unnoticed whilst you were visiting a bad website, downloading files from a peer-to-peer network, or installing some other nasty freeware.

It can be removed with a number of legitimate anti-spyware programs, such as Ad-Aware, or manually by following the write-up at 411-spyware.com, which also covers the whole nasty program in detail.

As ever, please please be wary of the sites you visit, the files that you download, and the links that you click.

Posted on February 22, 2010 .

Rogue Antivirus 'Security Tool' targets Facebook users

Facebook users are currently being spammed with a bogus email asking them to review their agreement (by downloading an attached file).

We really hope that if you've visited our site, you won't get caught out by what is clearly a fake email.

The email reads as follows:

"Dear Facebook User,

Due to Facebook policy changes, all Facebook users must submit a new, udpated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run "agreement.exe" by double clicking it.

Thanks

The Facebook Team"

Firstly, anything addressed to "Facebook User" will be bogus.

Secondly, we really hope you'd be suspicious after being asked to double-click an .exe file.

Thirdly, the use of language within the message is suspect.

If you unzip the file and run it, you'll become the proud owner of a rogue antivirus program called Security Tool.

Please do not respond to this message if you get it, and pass this post on to all your friends and family.

Please, always be suspicious of such emails.

Safe surfing.......

 

Posted on February 16, 2010 .

Security Essentials 2010 - Malware, beware!

There's a piece of supposed security software doing the rounds called Security Essentials 2010.

This is malware dressed up as an antivirus product and should NOT be downloaded or installed.

It normally arrives by way of an email informing you that you have a virus, and that to clean your system you need to download and install Security essentials 2010. It can also appear as a pop-up on a web page.

This is not to be confused with the excellent Microsoft Security Essentials, which absolutely should be downloaded and installed (for Windows)

 

More details: (notice the inconsistent lower case 'e', but by this time, it's probably too late!)

Known System Changes:

Files
%System%\warnings.html
%System%\helpers32.dll
%System%\winlogon32.exe
%System%\smss32.exe
%System%\41.exe
%Temp%\250904.exe
%StartMenu%\Security essentials 2010.lnk
%Desktop%\Security essentials 2010.lnk
%ProgramFiles%\Securityessentials2010\SE2010.exe

Folders
%ProgramFiles%\Securityessentials2010

Registry entries
Key: HKEY_CURRENT_USER\Software\SE2010
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: Security essentials 2010
Data: C:\Program Files\Securityessentials2010\SE2010.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: smss32.exe
Data: C:\WINDOWS\system32\smss32.exe

REMOVAL INSTRUCTIONS:

Delete Security essentials 2010 files:

%ProgramFiles%\Securityessentials2010\SE2010.exe
%System%\warnings.html
%System%\winlogon32.exe
%System%\smss32.exe
%System%\41.exe
%System%\helpers32.dll

Take care here: winlogon32.exe and smss32.exe are named to look like the genuine Windows processes winlogon.exe and smss.exe, which live in the same folder and must NOT be deleted. The two .lnk shortcuts, %Temp%\250904.exe and the %ProgramFiles%\Securityessentials2010 folder listed above can go as well.

Delete Security essentials 2010 registry entries:

HKEY_CURRENT_USER\Software\Security essentials 2010
HKEY_LOCAL_MACHINE\SOFTWARE\Security essentials 2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security essentials 2010"

The smss32.exe value under the same Run key, listed above, should be removed too.

SNS TIP

Sadly, if you do get yourself infected, the absolute safest and best way to rid your system of it is to completely reformat your hard drive and reinstall Windows from scratch. A pain, but pretty much the only guaranteed way to safely remove all malware (some of which will have hooked itself so deep into your OS that you won't even know it exists).

This is why it is ESSENTIAL to have a current and viable backup system in place.

Posted on February 15, 2010 .