New Mac OS X trojan virus has been discovered
April 16, 2012
Kaspersky Lab security researcher Costin Raiu has discovered yet another Mac OS X trojan. Called Backdoor.OSX.SabPub.a, or SabPub for short, the new malware uses Java exploits to infect a Mac, then connects to a remote website and waits for instructions, which include taking screenshots of the user's Mac and executing commands.
"The Java exploits appear to be pretty standard, however, and they have been obfuscated using Zelix KlassMaster, a flexible and quite powerful Java obfuscator," said Raiu. "This was obviously done in order to avoid detection from anti-malware products."
Raiu's new discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs globally in the past few weeks. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications.
Apple on Friday released a tool designed to remove Flashback from infected computers. Prior to that launch, it was believed that 270,000 Mac desktops were infected with the Trojan, down significantly from its height.
In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February.
The malware appears to be delivered through targeted attacks, which should keep it from spreading as widely as Flashback did.
Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 security vulnerability related to a stack-based buffer overflow in Office on the Mac.
"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named 8958.doc," Raiu said. "This suggests that it was extracted from a Word document or was distributed as a Doc-file."
In other internet security news
The hacktivist and pressure group Anonymous has finally turned its attention to China, claiming to have defaced more than 480 websites over the past few days including several government sites, while urging Chinese hackers to join its cause.
Anonymous began its campaign in China with the launch of its Anonymous-China Twitter account, which seems to have begun tweeting on or about March 30th. In a list posted to PasteBin, the group claims to have defaced close to 500 websites, including several belonging to regional Chinese government organizations in areas such as Chengdu and Dalian.
In several other separate posts, Anonymous also claims to have hacked and leaked user names, password details, phone numbers and emails from various government sites. All the sites on the list we tried now appear to have been taken down, although the Wall Street Journal managed to take a screen grab of the following message, in English:
"Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall. So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. With no mercy."
According to the WSJ, the message also contained a link to an Anonymous site detailing how Chinese web users can bypass the Great Firewall, although at the time of writing this, the site appears to have been killed, most likely by Chinese government officials.
Not too happy with that, Anonymous also posted another message to PasteBin, urging the Chinese people to revolt. “So, we are writing this message to tell you that you should protest, you should be protesting and who has the skills for hacking and programming and design and other ‘computer things’ come to our IRC,” the note read.
This is the first major Anonymous campaign targeting China, which is somewhat strange given the government's hardline stance on internet censorship and human rights: two very strong issues guaranteed to get the group's immediate and undivided attention.
To be sure, the hacking of several minor regional government sites is unlikely to cause much consternation at Communist Party headquarters, and the group’s messages on PasteBin and posted on the defaced sites will largely have failed to reach their audience given that they were written in English.
Anonymous seems to be working on the latter issue, however, having sent out a tweet calling for help from would-be translators. Given China's strict web controls on social media, it's unlikely that the group will be able to broadcast its message on platforms such as Sina Weibo and Tencent Weibo, so for the time being it'll have to stick to Twitter, which is banned in China, and to the prospect of defacing even more websites in that country.
In other internet security news
In the last two weeks, Brandon Price, an alleged U.S. Army deserter, has been charged with stealing the identity of Microsoft co-founder Paul Allen to run a bank fraud scam, and was arrested late yesterday.
In January 2012, Price allegedly conned Citibank call centre employees into changing Allen’s mailing address to that of Price’s modest home, as well as changing the phone number associated with his card. And just days later, he also persuaded Citibank workers to send a replacement debit card in Allen's name to the fake address.
"An individual identifying himself as Paul Allen called the customer service department of Citibank. The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS," said FBI agent Joseph Ondercin.
However, the complaint fails to explain what personal information was used to successfully impersonate Allen. As a high-profile public figure, a great deal of personal information about Allen is in the public domain, and his address and even his social security number might not have been that hard to determine in the first place.
Overall, Citibank is defending its handling of the case, pointing out that the bank's anti-fraud systems quickly spotted something was wrong and blocked further fraud from the account.
“Through our own security procedures, Citibank correctly identified the actions of fraudulent account transactions and turned the matter over to law enforcement. We will continue to work with the FBI and the police in the ongoing investigation,” said Catherine Pulley, a Citibank spokeswoman.
Prosecutors in the case say that Price used the debit card the same day UPS delivered it, on January 13, to make a $658 payment into his Armed Forces Bank loan account, before unsuccessfully attempting to use it to pay for a Western Union wire transfer and for attempted purchases from Gamestop and Family Value stores in Pittsburgh.
All three of the latter transactions were blocked from the account. Price, who has been absent without leave from the U.S. Army since June 2010, faces wire fraud and bank fraud charges over the alleged scam. He's been held in federal custody pending a trial, the date for which is yet to be set. He faces a minimum 8 to 10-year term in a U.S. federal prison, plus a $250,000 fine.
In other internet security news
A Microsoft-led security operation resulted in the takedown of core servers used in the now infamous ZeuS and SpyEye banking Trojan botnets on March 23.
After months of investigation that culminated in the coordinated seizure of command-and-control servers associated with the botnets and hosted in Scranton, Pennsylvania, and Lombard, Illinois, Microsoft has confirmed today that the botnets are down for good and do not represent any threats anymore.
The action comes after Microsoft filed a lawsuit against no less than thirty-nine unnamed parties on March 16, asking for permission to sever the command-and-control structures of these ZeuS botnets. The action follows the same tactics as the previous successful takedowns of the Waledac, Rustock and Kelihos spam botnets back in 2010.
In a public statement, Microsoft described the ZeuS takedown as its most complex to date. It said the action had the "limited and achievable" aim of disrupting the operations of ZeuS-related cybercrime operations rather than decapitating a zombie network, as in previous security operations and takedowns.
Overall, cybercriminals have designed and built hundreds of botnets using variants of the ZeuS malware. For this action – codenamed Operation B-71, Microsoft focused initially on botnets using ZeuS, SpyEye and Ice-IX variants of the ZeuS family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in overall damages.
"Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here wasn't the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain," the statement continued.
By definition, ZeuS and SpyEye are essentially cybercrime toolkits for the creation of customised banking Trojans. Those crimeware kits sell for anywhere between $700 and $15,000, depending on the version and features of the malware. Many cybercrime gangs use ZeuS as the launchpad for banking fraud, so there are many different zombie networks at play at any given time.
In the last year, Microsoft has detected more than 13 million suspected infections of ZeuS and SpyEye-related malware worldwide, with more than 3 million in the United States alone. The malware is designed to infect the Windows operating system and some of its user software such as Office and Outlook.
Friday's takedown action follows months of work by investigators at Microsoft in co-operation with officers from the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA, the National Automated Clearing House Association, which is the U.S. electronic payments association.
Net security firm F-Secure is credited with providing major help in analyzing the malware targeted by the operation. U.S. Federal Marshals accompanied security investigators in the raids on two hosting companies, during which servers were seized for subsequent analysis.
Microsoft's statement fails to clarify this point, but other reports strongly suggest the hosting firms involved were unwittingly hosting the key infrastructure associated with the ZeuS botnets rather than acting as accomplices in cybercrime.
The operations resulted in the dismantling of two IP addresses behind the ZeuS ‘command-and-control’ structure. Microsoft has started monitoring 800 domains secured in the operation, helping it to identify thousands of ZeuS-infected computers.
In other internet security news
Security experts testifying at hearings held by the U.S. Senate Armed Services Committee on internet security have repeatedly warned that relying on perimeter protection to keep out cyber spies is unsupportable, and that the United States should assume that its networks have already been fully penetrated, even if they have not.
"We've got the wrong mental model here," said Dr James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. "I don't think that we could keep spies out of our country. We've got this model for cyber security that says, 'We're going to develop a system where we're not attacked.' I think that we have to go to a model where we assume that the adversary is in our networks," he said.
"It's on our computers and servers, and we've got to operate anyway," said Peery. The committee heard that the U.S. Department of Defense (DoD) operates over 15,000 computer networks with about seven million computing devices, and protecting them against hacking was virtually impossible, particularly in light of the increasing complexity of both the devices themselves and the software that runs on them.
The commercial software industry has, of course, realized that the old idea of a perimeter defense is increasingly useless, and groups such as the Jericho Forum have been working on systems to protect data, rather than network boundaries for many years.
Such principles might be a bit blurry to the military mind, but Dr Kaigham Gabriel, current head of DARPA, said that the cost of perimeter control would be huge and most likely ineffective at any rate.
"Modern computer systems today will demand the effective use of cyber, kinetic, and the combined cyber and kinetic means," he suggested. "The shelf-life of cyber tools and capabilities is short, sometimes measured in just a few days. To a greater degree than in other areas of Defense, cybersecurity solutions require that the DoD develops the ability to build quickly, at scale, and over a broad range of capabilities."
Overall, cyber arms races are all well and good, but the head of research at the National Security Agency (NSA), Dr Michael Wertheimer, warned that the U.S. is also facing an increasing intelligence gap, as not enough citizens have the skills for online defense.
A bit less than two years ago, there were just 726 computer science PhDs awarded to U.S. citizens, and only 64 of them signed up for government work.
Source: Kaspersky Labs Internet Security.