
A sneaky strain of Mac malware has been discovered


July 16, 2013

Hackers have recently created an exceptionally nasty version of Mac malware that uses back-to-front trickery to disguise its true intentions.

Janicab, which is written in Python, takes advantage of the right-to-left U-202E Unicode character to mask the malicious file’s real extension.

The U-202E marker applies a right-to-left override for the display of part of the malware’s filename.

So a file that appears to be called RecentNews.ppa.pdf is actually an executable: the file is designed to trick users into thinking they are opening a .PDF file when in reality it is an executable .APP.
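A defender's check for this trick, added here as an example and not code from the article or from F-Secure: it strips Unicode bidirectional controls from a filename, reconstructs what a naive display would show, and flags names whose displayed extension differs from the real one. The sample filename is constructed to render as RecentNews.ppa.pdf as described above; the underlying string is an assumption, not taken from the malware.

```python
# Unicode bidirectional control characters. They change how a name is
# displayed but not the bytes the OS uses to decide what opens the file.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Constructed sample: "RecentNews." + U+202E (RLO) + "fdp.app".
# The RLO makes "fdp.app" display reversed, so the user sees "RecentNews.ppa.pdf".
SAMPLE_NAME = "RecentNews.\u202efdp.app"


def contains_bidi_override(name: str) -> bool:
    """True if any bidi control character is present in the filename."""
    return any(ch in BIDI_CONTROLS for ch in name)


def rendered_name(name: str) -> str:
    """Approximate how a display renders a name containing U+202E (RLO):
    text after the override is shown reversed up to the next PDF (U+202C)
    or the end of the string. Other controls are simply invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name: str) -> str:
    """Extension the OS actually sees, after removing bidi controls."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def is_spoofed_extension(name: str) -> bool:
    """Flag names whose displayed extension differs from the real one."""
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return contains_bidi_override(name) and shown_ext != true_extension(name)
```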

This sort of back-to-front trickery has been seen in Windows malware in the past - such as Bredolab and the high-profile Mahdi trojan from last year - but it's reckoned to be a new and unwelcome arrival on Macs.

In order to maintain the subterfuge, the malware displays a decoy document while silently executing in the background, installing malicious code on compromised Macs.

Because of the right-to-left override character, the usual file quarantine notification from OS X will also display with the words written backwards.

Adding an extra layer of sneakiness, the malware has been signed with an Apple Developer ID on top of all that.

That nasty file is designed to record audio and capture screenshots from infected computers, using the third-party command line utility SoX.

But wait, there's more. That information is then uploaded to a command-and-control server whose location is defined by seemingly innocuous pages on YouTube.

A full description of the attack together with several screenshots can be found in a blog post by F-Secure, the Finnish anti-virus firm that was the first to issue a warning about the threat.

A good explanation of the right-to-left trickery that's the main feature of the malware can be found in a blog post by independent anti-virus expert Graham Cluley.

And a tip of the hat goes to David Hartley of Eset who described back-to-front mendaciousness as "Malice through the looking glass".

None of the antivirus experts have stuck their necks out on this point, but the amount of care taken to put together the malware gives us a clear idea of what hackers have been up to lately.

The decoy document dropped by Janicab is in Russian and that may well have something to do with the target audience.

In other internet security news

Servers powering the U.S. Emergency Alert System can be easily tricked into broadcasting bogus and apocalyptic warnings from far away, say internet security experts.

Scientists at computer security firm IO-Active say they found private encryption keys within firmware updates for the devices.

Armed with that information, miscreants could remotely log into the servers installed at television and radio stations around the United States and, as an administrator, broadcast panic-inducing messages over the mass media, creating wide-scale panic all over the nation.

The discovery comes just a few months after shortcomings in the U.S. Emergency Alert System (EAS) were exploited to beam news of a zombie apocalypse to American TVs.

Montana Television Network’s regular programming was interrupted by warnings of the end of the world back in February. Viewers of KRTC in Great Falls, Montana, were confronted by an on-air audio warning that "bodies of the dead are rising from their graves and attacking the living".

A scrolling text warning at the top of the screen named various Montana counties as targets for the spoof announcement of doom, which sparked calls to the state's police.

As could be expected, KRTC promptly disavowed the bogus alert and the whole incident. The perpetrators behind this epic prank call still remain unknown to this day.

Initial investigations suggested that weak default passwords on emergency alert systems accessible over the internet may have been used to pull off the hack. But this still remains unconfirmed, even after five months.

But now researchers at IO-Active have found that systems used to receive and authenticate emergency alert messages are vulnerable to remote attack.

The security vulnerability is specific to Linux-powered application servers from two manufacturers, according to the US feds: the Digital Alert Systems DASDEC-I and DASDEC-II servers, and the Monroe Electronics R-189 One-Net and R-189SE products, all apparently shipped with publicly downloadable firmware that contains private root SSH keys, a recent alert by the U.S. Cyber Emergency Response Team (CERT) warns.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package," explained Mike Davis, principal research scientist for IO-Active.

"This simple key allows an attacker to remotely log in over the internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

The EAS is designed to enable the President of the United States to speak to U.S. citizens within just ten minutes of a major disaster occurring.

In the past, such alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) “wire services” which connected to television and radio stations around the nation.

Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public.

More recently, the system has been switched to a more automated and decentralised system. Once a station receives and authenticates the message, the DASDEC hardware interrupts transmission and overlays the message onto the broadcast with the alert tone containing information about the disaster.

The DASDEC application server receives and authenticates EAS messages, so security shortcomings in the technology are a serious concern.

IO-Active has also issued its own Labs advisory outlining the apparently affected products, the impact of such attacks and how to mitigate the issue.

According to CERT, a fixed version of the firmware is available that allows users to change their login keys, and should be applied to critical devices.

In other internet security news

On any given day, security flaws in server management technology create some hacking opportunities almost on par with direct physical access to servers, says Metasploit creator HD Moore.

The security problem arises from serious shortcomings in baseboard management controllers, a type of embedded computer that provides out-of-band monitoring for desktops and servers and is installed in nearly all servers today.

To a lesser degree, the security issues also stem from the Intelligent Platform Management Interface (IPMI) protocol used by some system admins.

A hacker who is able to compromise a baseboard management controller (BMC) should, with enough knowledge, also be able to compromise its parent server.

Compromising a server would allow miscreants to copy data from any attached storage, make changes to the operating system, install a backdoor, capture credentials passing through the server, launch denial of service attacks, or simply wipe the hard drives clean, among many other things.

Attacks like that are easily possible, according to Moore, Rapid7's chief research officer and creator of the penetration testing software Metasploit, because vulnerable services are accessible across the internet.

Research by Moore found that around 308,000 IPMI-enabled BMCs were exposed on the web, and the list appears to be growing quite rapidly.

Approximately 195,000 of these devices only support IPMI 1.5, which doesn't provide any form of encryption. Another 113,000 of those devices support IPMI v2.0, which suffers from serious design flaws as well.

For instance, 53,000 IPMI v2.0 systems are vulnerable to password bypass attacks because they rely upon a weak cipher suite. Passive scans by Moore separately discovered that about 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service.

The security shortcomings under discussion are well beyond the capability of script-kiddies and could only be abused by a very skilled and experienced hacker.

But even then, it would be wise for system admins and data center managers to listen to the warning in Moore's research.

A blog post by Moore provides recommendations on how enterprises and hosting providers can mitigate the security risk of having their servers hacked into.

A lot of this comes down to fairly basic elements: firewalling vulnerable services, disabling the vulnerable Cipher 0 cipher suite and using complex and secure passwords.

Supermicro system users should apply an updated firmware image as well. Previous research by Moore earlier this year revealed that everything from medical systems to traffic light boxes is wide open to hackers thanks to a lack of authentication checks.

The flawed use of the Universal Plug and Play (UPnP) protocol meant that up to 50 million devices are insecure, Rapid7 warned back in January 2013.

In other internet security news

Hewlett Packard left a very serious security vulnerability in its StoreOnce SAN solution: a hard-coded administrator account in its management software.

According to the blog site Technion, several weeks of attempts to contact HP's Software Security Response Team failed to elicit a response, so the poster decided to go public.

“My last three weekly requests for an update have gone ignored,” Technion writes. It's a simple and all-too-depressing scenario: during product development, someone creates a vendor admin account because nobody wants to waste time with password recovery, and the account stays in the product because nobody remembers to remove it.

It certainly looks like an accident: while Technion didn't post the password that the HP Support account uses, he posted the SHA1 hash of it, and H. Online writes, “The password is just seven characters long and draws on a ten-year old meme”, suggesting that someone's already brute-forced it more than once.

As Technion writes “This hash is out there and it can't be taken away. Someone will crack it, and they will do so very soon.”

And this isn't the first time that HP has been bitten by secret backdoors. In 2010, its StorageWorks P-2000 G3 MSA was found to have a similar undocumented account. The company's advisory at that time was that the admin account password could be changed by users through the command line interface.

It's not yet known whether the StoreOnce admin account can be similarly secured, however, and this is troubling.

We sought comment from HP in Europe, Australia and the U.S., and will update this story if a response is received. As of this morning, we are still waiting.

In other internet security news

There's a new kid on the block and not too many people have heard of it yet, except some people in the internet security segment of the industry.

It's called 'WebRTC' and it may very well sound like yet another Internet acronym, but what it promises to bring to web browsers could simply be the death knell for those eternal plugins. And WebRTC is now available in the latest version of Mozilla's Firefox.

WebRTC is a new protocol and it stands for Web Real-Time Communications. Following the recent introduction of the protocol to Google's Chrome browser, today's update to Firefox makes it the second browser to support the plugin-free protocol.

Ask just about any internet security expert and he or she will tell you that browser plugins are among the most abused pieces of software when it comes to internet security issues.

The debut of WebRTC in Firefox version 22 is quite a big deal, and some have been waiting for it for many months already.

"Browser plugins are the single largest source of internet security problems and of various stability issues that we see," said Johnathan Nightingale, Mozilla's vice-president of engineering for Firefox.

WebRTC is planned for Firefox for Android, which also updated today, but it has yet to be added to the mobile browser.

On its surface, WebRTC sounds a bit like Skype. It lets you conduct voice and video calls from one browser to another via its PeerConnection component, but it also lets you transfer data directly between two browsers, thanks to a component called DataChannels. These were both added in today's new stable version of Firefox.

"Actually, how is it different from Skype misses the point of it," said Nightingale, who nearly bounced with enthusiasm in his seat while talking about WebRTC. "It's a lot bigger than that. It's eight million developers who have access to the Web camera, or one of those audio remix tools, online."

Also enabled in the new Firefox browser is ASM.js, a Mozilla patent to improve the speed of JavaScript to the point where it almost loads as fast as native code.

"ASM.js plus is fast," said Nightingale. So fast, he explained, that developers at the gaming company Epic were "jumping up and down," he said.

During a quick demonstration of ASM.js last month, we saw the code powering a first-person shooter that appeared to render in Firefox nearly as smoothly as native code on a console.

Other changes in Firefox for desktops include better WebGL performance thanks to asynchronous canvas updates, which means that your browser will use your hardware's graphics chip more efficiently. There's also better memory management when loading images.

There's also support for the Web Notifications API, which will let Web updates appear in browser tabs. And, last but not least, a download progress indicator has been added to the Dock icon on Macs.


Source: F-Secure.
