Command server down; risk low, but points out potential vulnerability
A file that looks like a image file and bears a camera-like filename with the extension not visible by default has been discovered to actually be a rogue application that could install a permanent "backdoor" on Mac systems and triggers Preview to open an image, fooling the user into thinking it was simply an unusual picture file. The purpose of the Trojan appears to be supportive of the hacker Syrian Electronic Army, which is in league with the totalitarian regime of Syria's present government. It is currently considered low-risk for a number of reasons.
Trojan horse points to non-functional webpage, part of sound file
A bit of malware -- a Trojan horse file that tries to redirect to a website -- has been found inside an iOS app, but the code has turned out to be harmless. The app in question is called Simply Find It ($2) and comes from a legitimate developer that has produced a number of legitimate games -- suggesting that the malware was probably inserted into the app accidentally. The bigger issue (since there is no direct threat posed by the bad code) is how Apple's testing procedure missed it -- and how two well-known anti-malware scanners couldn't pick up on it either.
Not yet spotted 'in the wild' but could become a threat
Anti-malware software maker Intego is confirming reports of a new OS X-based malware it called "Pintsized" that uses a modified version of OpenSSH to potentially set up a remote connection into Mac accounts, whereupon it could be used to snoop for private owner information. Though not yet seen "in the wild," the malware attempts to disguise itself by using filenames that appear as part of the normal OS X printing system, and sets itself to launch on startup.
Uses 'SMS activation' to hide subscription charge on cell bill
A Russian security firm with a mixed track record is warning about a new malware threat for the Mac, which masquerades as an installer for various types of software. Doctor Web, who claimed to have discovered the malware, says it is widely available on various sites -- though at present it is targeting Russian Mac users. The Trojan is apparently a Mac variation on a widespread Windows and Android trickware ruse that asks users for their cell number in order to send an activation code by SMS.
Windows Mobile devices possible vector of Java-based infection
Researchers from Kaspersky Lab have released a description of a new malware delivery platform capable of spreading itself and its payload to Windows, Mac OS X, VMWare virtual machines, and Windows Mobile devices. The "Crisis" trojan is capable of intercepting emails and instant messages, with a module to keep track of websites visited by the infected computer.
Hong Kong iTunes Store launch marred by bad translations
Apple has pulled a Russian-language malware app from the App Store, according to The Loop. The app, Find and Call, was identified as a trojan on Thursday by security firm Kaspersky. Users who downloaded the title would have their address books surreptitiously uploaded to a remote server, which would then spam text messages purported to be from the user to contacts including a link to download the app. An Android version of the app was also available at one point, but has gone missing from Google Play.
Android hit by first mobile drive-by attack
Mobile security firm Lookout has issued an update alerting Android users to a new drive-by malware attack. In a first for mobile devices, the latest exploit uses hacked websites to target Android users. Users who have been affected have navigated unsuspectingly to a compromised website that has a hidden iframe at the bottom of each page triggering the NotCompatible Trojan to download to their Android device.
Steals GPU time, tries to capture passwords, more
Anti-malware makers Sophos and Intego have warned of a new Mac OS X Trojan Horse that hides inside pirated software, specifically GraphicConverter v7.4. The malware, known as OSX/Miner-D or "DevilRobber," steals GPU time to generate counterfeit Bitcoins (part of anonymous digital cash system) and also attempts to steal usernames and passwords through periodic screen captures. It also sends information about the Mac's security setup and browsing history to a remote server.
Users should be wary of any Flash update
Another malware installer for OS X has appeared, this time a variation on one spotted several weeks ago that masquerades as an installer for Adobe Flash, with the ultimate goal of stealing personal information from browsers and sending it to remote servers. While the latest version has several dead giveaways for savvy users, non-technical Mac users should be wary of any Adobe Flash "updater" they did not personally download from Adobe's own servers.
Google TV and social media also prime targets
The McAfee Threat Predictions report has stated that Apple’s platforms, particularly its mobile devices such as the iPhone and iPad will be increasingly targeted by cybercrime in 2011. The report noted a marked change in the threat landscape over the past year as mobile platforms have become more widely adopted in enterprise. It claims that where Apple has been relatively free of botnets and Trojans in the past, that these will become an increasingly common occurrence on its platforms next year.
Collects user info; removal tool available
The SecureMac team along with ESet Security have identified a new variant of the trojan horse malware they call "Boonana" (Intego and other firms refer to it as a form of the Windows trojan "Koobface," for reasons SecureMac disputes) that uses even crueler trickery in an attempt to convince users to install it. In addition, the companies has identified new servers actively collecting keylogged data such as user names and passwords. Though easy to prevent infection or remove if infected, the refined setup and misleading nature may fool novice users.
Hides as a video via social networking, email
SecureMac and Intego, among other security firms, today alerted the Mac community to a new Trojan threat, trojan.osx.boonana.a (Intego gives it the name OSX/Koobface.a), which is spreading via social networking sites like Facebook and e-mail. The trojan appears as a link in messages with the subject "Is this you in this video?", and when users click on the link, a Java applet downloads an installer, which modifies system files to bypass passwords and other protections.
Snow Leopard antivirus
The upcoming Snow Leopard update reportedly contains new anti-malware functionality, according to the Mac security company Intego. A number of beta testers have noticed a new warning screen that alerts users to malicious code. A leaked screenshot shows an alert dialog for an RSPlug Trojan contained in a disk image downloaded through Safari.
Mac Trojan spotted
TrendMicro has spotted another Domain Naming System (DNS) Trojan targeting Mac systems. The malware, known as OSX/Jahlav-D, masquerades as a MacCinema Installer. Users are prompted to update QuickTime Player by downloading a QuickTimeUpdate.dmg file.
Typinator 3.4 ($27) is a tool that will type out repeating texts and pictures. Users can set up a list of commonly used words and images, and then set up fragments that can be used trigger each phrase or image. The new version adds a couple of user-requested features and includes a number of small improvements and fixes. Typinator can now be suspended temporarily and preserve the height of the set list when the window size changes. The update also allows the software to expand abbreviations in floating windows such as in Spotlight or the quick entry windows of OmniFocus and TaskPaper. [Download - 2.7MB]
Xmart Volume, iWorkService
Currency Assistant 3.0 ($19) allows users to convert values between 174 world currencies (all major circulating currencies plus the 16 Eurozone legacy currencies). The software also automatically updates exchange rates over the Internet using the rates published by the European Central Bank, the Bank of Canada, the International Monetary Fund, and the Bank of Italy. In the latest release the software has been rewritten as a Universal Cocoa application, the currency conversion calculator has a fully revised interface and introduces several other new features. [Download - 2MB]
Mac OS X Trojan found
Multiple variants of a new 'Trojan Horse', designed to allow a malicious user complete remote access to a Mac OS X system have been discovered in the wild earlier this week according to makers of Mac anti-spyware and anti-virus solutions SecureMac. Dubbed 'Applescript.THT Trojan' and disguised as an application bundle called 'AStht_v06' (3.1MB in size), the malware seemingly originated, and is distributed via a 'hacker' website, as well as Limewire and iChat. Post system infiltration, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copy cat' program based on the OS X Remote Management exploit was discovered earlier this week.
First iPhone Trojan attack
The iPhone recently fell victim to its first Trojan attack, which came in the form of a malicious file named “113 prep”. While installation of the phony application is relatively benign – the app merely says “shoes” when activated – uninstalling the file causes damage to or deletes system-critical files in the /bin directory on the iPhone. In addition to harming the devices own software, third party utilities are also being rendered useless through the same means. This attack was orchestrated by an 11-year-old, and has some modmyifone.com forum members laughing to ease the pressure using references to the 1995 film Hackers, due to the similarity of circumstances.
Trojan removal tool
SecureMac has announced a free Trojan Detection Tool dubbed DNSChanger Removal Tool. DNSChanger Removal Tool detects and removes latest spyware targeting Mac OS X: DNSChanger Trojan (also known as OSX.RSPlug.A Trojan Horse). This trojan attacks users attempting to play a fake video file. Affected systems are used to hijack some Web requests that lead users to other phishing sites, or simply display ads for other pornographic websites to generate ad revenue. Phishing attacks may lead users to believe they are surfing to eBay, Paypal, or various banks when in fact they are accessing specially-crafted mockups designed to retrieve usernames and passwords for those sites. Upon attempting to play the video, the victim receives the following message: "Quicktime Player is unable to play movie file. Please click here to download new version of codec."
SonicWALL Quicktime issue
Networking security hardware manufacturer SonicWALL recently announced that it has distributed defensive measures to users of it's Unified Threat Management technology, against zero-day vulnerability exploits found in QuickTime. Malicious websites are able to create a stack-based buffer overflow in Apple's media player, by providing a phony movie file that, when activated, executes a series of code that allows a users machine to be taken over. SonicWALL says that the problem lies within the "Content-Type" header field that is sent from the server, which is not properly verified by the client's QuickTime. Once the "Content-Type" field reaches a certain length, a Buffer Overflow condition occurs, and through this, malevolent users can rewrite a user's privileges so that they have read-write access to the machine.