Tag Archives: malware

Mac malware signed with Apple ID infects activist’s laptop


Stealthy Mac OS X spyware that was digitally signed with a valid Apple Developer ID has been detected on the laptop of an Angolan activist attending a human rights conference, researchers said.

The backdoor, which is programmed to take screenshots and send them to remote servers under the control of the attackers, was spread using a spear phishing e-mail, according to privacy activist Jacob Appelbaum. Spear phishing is a term for highly targeted e-mails that address the receiver by name and usually appear to come from someone the receiver knows. The e-mails typically discuss topics the two people have talked about before. According to AV provider F-Secure, the malware was discovered during a workshop showing freedom of speech activists how to secure their devices against government monitoring.

The malware was signed with a valid Apple Developer ID, which lets it pass the Gatekeeper feature Apple introduced in the Mountain Lion version of OS X: under Gatekeeper’s default setting, applications downloaded from the Internet run only if they come from the Mac App Store or carry a Developer ID signature, so a validly signed backdoor is not blocked. If this isn’t the first time Mac malware has carried such a digital assurance, it’s certainly among the first. Both F-Secure and Appelbaum said the backdoor, identified as OSX/KitM.A, is new and previously unknown. For its part, AV provider Intego said the malware is a variant of a previously seen trojan known as OSX/FileSteal. Intego continued:
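A signed binary is not a safe binary; the check that matters is which identity signed it. The following is an added example, not code from the article or from F-Secure’s analysis: it runs Apple’s `codesign -dv --verbose=4` (which prints the signing chain to stderr) and parses out the Developer ID leaf, the Team ID, and whether the chain is the one Gatekeeper’s default “Mac App Store and identified developers” policy accepts. The bundle path, identifier, developer name and Team ID in the sample output are constructed placeholders, not the identity behind OSX/KitM.A.

```python
"""Identify who signed a Mac binary instead of trusting "signed" alone.

Added example; the sample codesign output below is constructed, and the
developer name / Team ID are placeholders.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SigningInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)

    @property
    def developer_id(self) -> Optional[str]:
        """The leaf 'Developer ID Application: Name (TEAMID)' entry, if any."""
        for authority in self.authorities:
            if authority.startswith("Developer ID Application:"):
                return authority
        return None

    @property
    def passes_developer_id_policy(self) -> bool:
        """True when the chain is a Developer ID leaf anchored at Apple Root CA,
        i.e. exactly what Gatekeeper's default setting accepts. A backdoor
        signed this way is therefore not stopped by that setting."""
        return self.developer_id is not None and "Apple Root CA" in self.authorities


def parse_codesign_output(text: str) -> SigningInfo:
    """Parse the key=value lines that `codesign -dv --verbose=4` emits.
    Unsigned code produces no Authority= lines at all."""
    info = SigningInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Identifier="):
            info.identifier = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            info.team_id = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            info.authorities.append(line.split("=", 1)[1])
    return info


def inspect(bundle_path: str) -> SigningInfo:
    """Run codesign on a real bundle (macOS only); its output goes to stderr."""
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=4", bundle_path],
        capture_output=True, text=True, check=False)
    return parse_codesign_output(proc.stderr)


# Constructed sample in codesign's output format (placeholder identity).
SAMPLE_OUTPUT = """\
Executable=/Users/victim/Downloads/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20100 size=223 flags=0x0(none) hashes=5+3 location=embedded
Signature size=4229
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist entries=12
TeamIdentifier=ABCDE12345
"""

if __name__ == "__main__":
    info = parse_codesign_output(SAMPLE_OUTPUT)
    print("Identifier:   ", info.identifier)
    print("Developer ID: ", info.developer_id)
    print("Team ID:      ", info.team_id)
    print("Default Gatekeeper chain:", info.passes_developer_id_policy)
```

Run `inspect("/path/to/Suspect.app")` on a Mac to get the same fields for a real bundle. The point of recording the Team ID is that it is the handle Apple revokes: once a Developer ID is revoked, Gatekeeper rejects everything signed with it, so the Team ID is what to report and what to match against in your own inventory.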


App developer calls critic “f*cken little know it all”; site goes down

Hackers compromised accounts belonging to maintainers of the open-source ZPanel after a team member supporting the Web hosting control panel called a critic a “fucken little know it all.” The ZPanel site went completely down after the incident and remained down at time of writing.

ZPanel support member Nigel Caldwell made the comment in the site’s official forums and it was directed at a user named joepie91. Shortly beforehand, the Netherlands-based software developer—whose real name is Sven Slootweg—claimed that websites using ZPanel in combination with certain modules were vulnerable to exploits that allowed attackers to remotely execute malicious code. Slootweg directed his statement at Caldwell, aka PS2Guy, after the support member left a comment saying ZPanel “is more secure than panels that you pay good money for.” Caldwell also said users have “got more chance of someone hacking your Operating System than the control panel that sits on it.”

In his response, Slootweg claimed there was an “arbitrary code execution and root escalation vulnerability in the current version of ZPanel.” To support this, Slootweg provided an example line of code he said could be inserted into a main ZPanel template to trigger the vulnerability. Last month, Slootweg disclosed a ZPanel vulnerability here. Two weeks ago, he stepped up his criticism after claiming the vulnerability had gone unfixed. “I find it shameful that I even have to post here to point this out, to prevent someone from putting themselves at risk,” Slootweg wrote in Wednesday’s post on the ZPanel forum. “This should be the responsibility of the ZPanel team.”


Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too


Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lighttpd, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users’ computers.”


Internet Explorer 0-day attacks on US nuke workers hit 9 other sites

Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft’s Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said.

The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8.

A separate blog post from security firm CrowdStrike said its researchers unearthed evidence suggesting that the campaign began in mid-March. Their analysis of logs from the malicious infrastructure used in the attacks revealed the IP addresses of visitors to the compromised sites. The logs showed addresses from 37 different countries, with 71 percent of them in the US, 11 percent in South/Southeast Asia, and 10 percent in Europe. CrowdStrike’s logs recorded visitors’ IP addresses before any exploit code ran against their machines, so they measure exposure rather than infections; because the exploit worked only against IE8, not all of those visitors were likely compromised.


Internet Explorer zero-day exploit targets nuclear weapons researchers (Updated)

Attackers exploited a previously unknown and currently unpatched security bug in Microsoft’s Internet Explorer browser to surreptitiously install malware on the computers of federal government workers involved in nuclear weapons research, researchers said Friday.

The attack code appears to have exploited a zero-day vulnerability in IE version 8 when running on Windows XP, researchers from security firm Invincea said in a blog post. The researchers have received reports that IE running on Windows 7 is susceptible to the same exploit but have not been able to independently confirm that. Versions 6 and 7 of the Microsoft browser don’t appear to be vulnerable.

Update: In an advisory published a couple hours after this article went live, Microsoft confirmed a code-execution vulnerability in IE8. Versions 6, 7, 9, and 10 of the browser are immune to the exploit. People using IE8 should upgrade to versions 9 or 10, if at all possible. Those who are unable to move away from version 8 should take the following mitigations:


What’s a known source of malware doing in an iOS app? Ars investigates

A warning delivered by the Google Safe Browsing service. The link reported as malicious was embedded in a game available in Apple’s iOS App Store.

At first blush, it looked serious: a Web link to a known source of malware buried deep inside of a highly rated app that has been available for months in Apple’s iOS App Store. For years, antivirus programs have recognized the China-based address—x.asom.cn—as a supplier of malicious code targeting Windows users. Were the people behind the operation expanding their campaign to snare iPhone and iPad users?

Although Macworld writer Lex Friedman said the link was likely harmless, I wasn’t so sure. As he pointed out, an iOS app from antivirus provider Bitdefender warned that the Simply Find It app, last updated in October, contained malware classified as Trojan.JS.iframe.BKD. Even more suspicious, Google’s safe browsing service was causing the Firefox and Chrome browsers to block attempts to visit the address on the grounds that it had been reported as an attack page. “Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners,” Google’s advisory warned as recently as Thursday.

So, what was the link, embedded in an HTML tag known as an iframe, doing in an MP3 file included with the game? Who put it there? And, most importantly, was it infecting people who installed Simply Find It on their iOS devices?
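The questions above start with finding the tag, and an HTML tag hidden in an audio file is invisible to any scanner that only looks at files with HTML extensions. The following is an added example, not code from the article, from the Simply Find It app, or from Bitdefender: it scans every file in a bundle, whatever its type, for `<iframe>` tags, extracts the `src` host, and flags hosts on a local blocklist. The bundle below is constructed in memory (an ID3 header, some junk bytes, and the tag) with `x.asom.cn` as the host, since that is the address the article names; the file names and the second host are placeholders.

```python
"""Scan an app bundle's asset files for embedded <iframe> tags.

Added example. SAMPLE_BUNDLE is constructed; x.asom.cn is the host named in
the article, everything else (paths, cdn.example.com) is a placeholder.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Matches an iframe tag and captures its src, quoted or not, case-insensitively.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Local blocklist (constructed); a real one would come from a threat feed.
BAD_HOSTS = {"x.asom.cn"}


@dataclass
class Finding:
    path: str        # bundle-relative file path
    offset: int      # byte offset of the tag inside the file
    url: str         # iframe src as written
    host: str        # host extracted from the src
    blocklisted: bool


def iframe_findings(path: str, data: bytes) -> List[Finding]:
    """Return every iframe found in one file's raw bytes."""
    findings = []
    for match in IFRAME_RE.finditer(data):
        url = match.group(1).decode("ascii", "replace")
        # Scheme-less srcs (//host/path or host/path) still need a host.
        parsed = urlparse(url if "://" in url else "http://" + url.lstrip("/"))
        host = (parsed.hostname or "").lower()
        findings.append(Finding(path, match.start(), url, host, host in BAD_HOSTS))
    return findings


def scan_bundle(files: Dict[str, bytes]) -> List[Finding]:
    """Scan every file regardless of extension: the article's iframe sat in an MP3."""
    results: List[Finding] = []
    for path, data in files.items():
        results.extend(iframe_findings(path, data))
    return results


def scan_directory(root: str) -> List[Finding]:
    """Read an unpacked .app / .ipa payload from disk and scan it."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_bundle(files)


# Constructed bundle: an "MP3" (ID3v2 header + frame-sync junk) carrying an
# iframe, a second asset pointing at an unlisted host, and a clean plist.
SAMPLE_BUNDLE: Dict[str, bytes] = {
    "sounds/level1.mp3": (
        b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 8
        + b'<iframe src="http://x.asom.cn/" width=0 height=0></iframe>'
        + b"\xff\xfb\x90\x00" * 8
    ),
    "html/help.html": b"<html><body><IFRAME SRC=//cdn.example.com/help.js></IFRAME></body></html>",
    "Info.plist": b"<?xml version=\"1.0\"?><plist><dict></dict></plist>",
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        flag = "BLOCKLISTED" if f.blocklisted else "unlisted"
        print(f"{f.path} @{f.offset}: {f.url} ({f.host}) {flag}")
```

A hit here is a lead, not a verdict: bytes inside an audio file do nothing unless some component renders them as HTML, so the next step is to find what reads the file (a web view, an HTML-based help screen, a third-party SDK) before concluding anything about who is affected.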


Secret Bitcoin mining code added to e-sports software sparks outrage

Competitive video gaming community E-Sports Entertainment Association secretly updated its client software with Bitcoin-mining code that tapped players’ computers to mint more than $3,600 worth of the digital currency, one of its top officials said Wednesday.

The admission by co-founder and league administrator Eric ‘lpkane’ Thunberg came amid complaints from users that their ESEA-supplied software was generating antivirus warnings, computer crashes, and other problems. On Tuesday, one user reported usage of his power-hungry graphics processor was hovering in the 90-percent range even when his PC was idle. In addition to consuming electricity, the unauthorized Bitcoin code could have placed undue strain on the user’s hardware since the mining process causes GPUs to run at high temperatures.

“Turns out for the past 2 days, my computer has been farming bitcoins for someone in the esea community,” the person with the screen name ENJOY ESEA SHEEP wrote. “Luckily I have family in the software forensics industry.”


Java users beware: Exploit circulating for just-patched critical flaw

If you haven’t installed last week’s patch from Oracle that plugs dozens of critical holes in its Java software framework, now would be a good time. As in immediately. As in, really, right now.

In the past few days, attack code targeting one of the many remote-code-execution vulnerabilities fixed in Java 7 Update 21 was folded into either the RedKit or CrimeBoss exploit kit. By Sunday, that attack code was being actively unleashed on unsuspecting end users, according to a short blog post published by a researcher from antivirus provider F-Secure.

The post doesn’t say where the attacks were being hosted or precisely how attackers are using them. Still, Oracle describes the vulnerability as allowing remote code execution without authentication. And that means you should install the patch before you do anything else today. Malware purveyors’ track record of abusing advertising networks, compromised Apache servers, and other legitimate enterprises means readers could encounter attacks even when they’re browsing a site they know and trust.
