The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.

Viruslist poll
How would you prefer to pay for your antivirus solution?
Using a prepay card
Via your mobile (SMS)
Via the Internet using a debit\ credit card
Using cash\ credit\ debit in a shop
Using an e-payment system (e.g. PayPal)
Other
  View responses
 

  Home / Weblog / January 2009

Analyst's Diary

More rogueware for Mac


  Sergey Golovanov       January 26, 2009 | 15:53  GMT


Well, we congratulated Mac on its 25th birthday - and then found some new rogueware. We've got two versions of this piece of malware and detect them both as not-a-virus:FraudTool.OSX.iMunizator.

By now, Windows users are used to programs which claim to detect problems on the computer, and then "offer" the user the chance to buy software to fix the problem. Mac users haven't been subjected to this, perhaps because malware traditionally doesn't target Macs, but this program is a clone of MacSweeper, which we first detected last year.

This program ups the figures that we gave over the weekend, and sounds a warning to Mac users to start approaching security in the same way that Windows users do.

Happy birthday, Mac!


  Magnus       January 24, 2009 | 10:21  GMT


Thanks to my colleague Christian for providing the info for this post.

Today, 24th January, the famous Macintosh celebrates its anniversary – it was 25 years ago to the day that Steve Jobs introduced the first Macintosh Computer, the 128K, at Apple’s AGM. It was the first commercially successful personal computer to feature a mouse and a graphical user interface rather than a command line interface – a big step at the time. With devoted Mac followers guessing and gossiping about what the future holds, let's take a quick look back at malware and security for Mac over the last few years.

Traditionally, malware writers have overlooked Mac in favor of targeting Windows with its bigger market share. But the proof-of-concept samples which appear periodically show that Macs aren't invincible.

We wrote about two such examples in 2006 – IM-Worm.OSX.Leap.a, which tricked users by pretending to be screenshots of Leopard, the then-forthcoming version of OS X, and spread via iChat; and Worm.OSX.Inqtana.a, which exploited a Bluetooth vulnerability and attempted to infect other Bluetooth devices within range.

Apple’s switch in 2006 to the x86 architecture opened up new horizons: the ability to run Windows natively and lower prices attracted new users. The result: a steadily rising market share, from 2.88% at the end of 2004 to more than 10% by the end of 2008. The downside: increased popularity led to an increase in the number of malicious programs targeting Macs.

Although the numbers shown above are low - especially in comparison with Windows based malware - the abrupt rise in 2007 is a bit scary. We’ve all seen that once market share of any device achieves a certain critical mass, malware writers start targeting it. And these days, it’s going to be cyber criminals who are looking for serious profits from the attacks they conduct. Incidentally, as I write, there's a new Trojan making the rounds, Backdoor.Mac.iWorm.a. While it could be said that this malicious program is written in order to teach software pirates a lesson - it disguises itself as a free version of iWork 09 - malware is always malware.

It’s not just computers that are at risk. Apple’s other products such as the iPod and the iPhone, with their ever evolving functionality and networking capabilities, also offer new opportunities for malware attacks.

So Mac users have to learn to take care of their systems in the same way that Windows users do by updating their OS and applications regularly. The iTunes media player and Safari are particularly well known for containing vulnerabilities. Although Mac is currently one of the least attacked systems, security has to be taken seriously in order to maintain this happy situation.

Happy Birthday Macintosh! Here’s to the next happy – and healthy! – 25 years.

Kido, you ain't kidding


  Costin       January 23, 2009 | 08:33  GMT


On January 13th we raised the alert level for the Kido family to orange: moderate risk. It's been quite a while since an 'old school' network worm has caused such a stir. Kido has managed it by not only relying on critical Windows SMB vulnerabilities to spread, but also brute-forcing weak passwords in order to gain access to other machines on a local network.

Because of this (along with a few other things) Kido can be very painful to get rid of. That's why we've decided to release a free tool which can be used to clean infected machines.

You can grab our KidoKiller tool here.

Feel free to give it a try.
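From the defender's side, the password brute-forcing described above is noisy: one machine produces a burst of failed network logons against many accounts on many neighbours within seconds. The following Python script is an added example, not part of the original post and not KidoKiller's code; it runs that detection over a constructed set of failed-logon records. The field layout (timestamp, target host, source IP, account, logon type, i.e. a simplified CSV export of Windows event 4625) and the thresholds are assumptions.

```python
"""Detect Kido-style password brute-forcing from failed-logon records.

Added example, not from the original post or from KidoKiller. The log lines
below are constructed; the CSV layout (a flattened Windows event 4625,
'An account failed to log on') is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, target host, source IP, account, logon type.
# 10.0.0.55 hammers six accounts on two servers in five seconds (worm-like);
# 10.0.0.23 is a user mistyping a password a few times over an hour.
SAMPLE_LOG = """\
2009-01-13T08:00:01,FILESRV01,10.0.0.55,Administrator,3
2009-01-13T08:00:01,FILESRV01,10.0.0.55,admin,3
2009-01-13T08:00:02,FILESRV01,10.0.0.55,backup,3
2009-01-13T08:00:02,FILESRV01,10.0.0.55,test,3
2009-01-13T08:00:03,FILESRV01,10.0.0.55,guest,3
2009-01-13T08:00:03,FILESRV01,10.0.0.55,user,3
2009-01-13T08:00:04,FILESRV02,10.0.0.55,Administrator,3
2009-01-13T08:00:04,FILESRV02,10.0.0.55,admin,3
2009-01-13T08:00:05,FILESRV02,10.0.0.55,backup,3
2009-01-13T08:00:05,FILESRV02,10.0.0.55,test,3
2009-01-13T08:00:06,FILESRV02,10.0.0.55,guest,3
2009-01-13T08:00:06,FILESRV02,10.0.0.55,user,3
2009-01-13T08:15:30,FILESRV01,10.0.0.23,jsmith,3
2009-01-13T08:15:41,FILESRV01,10.0.0.23,jsmith,3
2009-01-13T09:02:10,FILESRV03,10.0.0.23,jsmith,3
"""


def parse_log(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, account, logon_type = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "src": src, "account": account,
                       "logon_type": int(logon_type)})
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=10, min_accounts=4):
    """Flag source IPs whose failed *network* logons (type 3, i.e. SMB/RPC
    from another machine) hit many distinct accounts inside one time window.
    Returns one alert per offending source describing its densest window."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, left = None, 0
        for right, e in enumerate(evs):
            # Slide the left edge so the span never exceeds the window.
            while e["ts"] - evs[left]["ts"] > window:
                left += 1
            span = evs[left:right + 1]
            if best is None or len(span) > best["failures"]:
                best = {"src": src, "failures": len(span),
                        "accounts": sorted({x["account"] for x in span}),
                        "hosts": sorted({x["host"] for x in span}),
                        "start": evs[left]["ts"], "end": e["ts"]}
        if best["failures"] >= min_failures and len(best["accounts"]) >= min_accounts:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print("%s: %d failures against %d accounts on %s between %s and %s"
              % (a["src"], a["failures"], len(a["accounts"]),
                 ", ".join(a["hosts"]), a["start"].time(), a["end"].time()))
```

The distinct-account requirement is what separates a worm from a forgetful user: a single person mistyping a password produces many failures for one account, while Kido walks a dictionary across every account it can enumerate on the target. Tune the window and thresholds to the site's normal logon failure rate before alerting on them.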

Malware Miscellany, December 2008


  Yury       January 22, 2009 | 08:23  GMT



  • Greediest Trojan targeting banks
    Trojan.Win32.Qhost.gn wins this category by redirecting clients of 39 different banks to phishing sites.
  • Greediest Trojan targeting payment systems and payment cards
    Just like last month, a single piece of malware comes out top in these two categories. This time it’s Trojan.Win32.Agent.eii, which targets users of three payment systems and four payment cards simultaneously.
  • Stealthiest malicious program
    Trojan-PSW.Win32.LdPinch.auv is packed with 10 different packers.
  • Smallest malicious program
    Trojan.BAT.Shutdown.g is a mere 20 bytes, but it’s still able to reboot the infected computer in spite of its minute size.
  • Largest malicious program
    Trojan-Banker.Win32.Banbra.bby is 27 MB in size.
  • Most common malicious code which exploits a vulnerability
    In December, exploits for an SWF vulnerability made up 12% of all malicious content.
  • Most common malicious code on the Internet
    Trojan-Downloader.HTML.IFrame.wf accounted for nearly 8% of all malicious traffic this month.
  • Most common Trojan family
    1499 previously unknown modifications make Backdoor.Win32.Hupigon the winner of this category in December.
  • Most common virus/worm family
    Worm.Win32.AutoRun came up with 312 new modifications this month, putting it at the top of this class.

Mobile thefts – using malware in Indonesia


  January 20, 2009 | 18:41  GMT


In many countries mobile providers allow their clients to transfer money, specifically credit that can be used by the recipients on their own phones, from one mobile number to another. This is useful when you need to communicate with someone who does not have enough money in their account. Indonesia is one country where such transfers are popular.

One Indonesian mobile provider allows customers to transfer money/credit from account to account by simply sending a text/SMS to the number 151 with the following text: TP . Malware writers in Indonesia appreciated this chance to make some money.

We found 5 new Trojans over the past week which send such money transfer requests to 151 – without the permission or knowledge of the phone’s owner. All 5 Trojans are written in Python and work on Symbian: Trojan-SMS.Python.Flocker.ab, Trojan-SMS.Python.Flocker.ac, Trojan-SMS.Python.Flocker.ad, Trojan-SMS.Python.Flocker.ae, Trojan-SMS.Python.Flocker.af

The sums we have traced range from 5 000 to 10 000 Indonesian rupiah (0.45 – 0.90 USD). Obviously the goal is to transfer large quantities of small sums in the hope that while individual users might not notice the leak, the overall sum of the transfers will be significant.

We have seen many attacks in Russia based on unsanctioned SMS/text messages to steal money. We were certain that the problem would spread – and it has. We will continue to monitor the situation and keep you posted.

The Google variable


  Dmitry       January 05, 2009 | 18:38  GMT


Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer.
And what could be easier than to use Google? Everybody does – so why shouldn’t virus writers? Recently we’ve been seeing attacks which work in the following way.

  • The malware writers start by doing Google searches to identify popular websites.
  • The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities, and the most vulnerable websites are compromised.
  • To cover their tracks, the malware writers aren’t adding code to the compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages. In this particular case, the new parameters added to the existing script include the following referrer condition: (--referer=http://www.google.com/).

This condition checks where the visitor to the infected page has come from, using the Referer header the browser sends. If it’s from a link in a Google search, the visitor is automatically redirected to a series of malicious web sites – ones that have nothing to do with the original site. The result: an infected computer.

Interestingly enough, the redirect doesn’t work if you simply type in the name of an infected website. None of the injected script functions will run – all you see is the page that you wanted. This helps prevent webmasters, employees and regular visitors to the site from suspecting infection, while the criminals still achieve their goals:

  • infecting numerous people

  • hiding the malicious script from the webmaster to ensure a longer life for the malware.

So this type of attack doesn’t just harm users; it can also lead to innocuous websites getting blacklisted by security products.

Incidentally, it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites. For instance, there’s been a lot of talk about fake antivirus solutions such as Antivirus XP. If you’re using Google to try and find information about this, the search results will come up with a lot of different pages – the only problem is, if you click through to a site from the Google results list, the modified script on the hacked security server will push Antivirus 2010 onto your machine.

Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches.

This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same. We detect the malware used in the case detailed above as Trojan-Downloader.Win32.Fraudload.vffa, and we’re bound to see more variants of it, so make sure you keep your antivirus software up to date!
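The referrer trick is easy to reproduce and, more usefully, easy to test for: fetch the page once as a direct visitor and once with a search-engine Referer, and compare what comes back. The following Python script is an added example, not code from the original post or from any of the sites it describes. It runs a local mock of the cloaked page (the attacker's landing URL and the page content are assumptions) and a checker that does the comparison for Google, Yahoo! and MSN referrers without following the redirect, so the checking machine is never sent into the malicious chain.

```python
"""Referrer-cloaked redirect: a mock of the injected behaviour and a checker.

Added example, not from the original post. The attacker landing URL and the
loopback mock site are assumptions; nothing is fetched from the Internet.
"""
import http.client
import http.server
import threading
import urllib.parse

# Referrer hosts the injected script keys on. The post names Google, Yahoo!
# and MSN; matching on the Referer host name is an assumption.
SEARCH_REFERRER_HOSTS = ("google.", "yahoo.", "msn.", "live.")
LANDING = "http://malicious.example/landing"  # assumed attacker host


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Mimics the compromised page: ordinary content for direct visitors and
    for the webmaster, a redirect into the malicious chain for anyone who
    arrived by clicking a search result."""

    PAGE = b"<html><body>Welcome to our perfectly normal site.</body></html>"

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        host = urllib.parse.urlsplit(referer).hostname or ""
        if any(h in host for h in SEARCH_REFERRER_HOSTS):
            self.send_response(302)
            self.send_header("Location", LANDING)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_site():
    """Bind the mock on a free loopback port and serve it on a background thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url, referer=None):
    """One GET that does NOT follow redirects: returns (status, Location, body).
    http.client never follows 3xx itself, which is exactly what we want here."""
    parts = urllib.parse.urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    headers = {"User-Agent": "Mozilla/5.0 (compatible; cloak-check)"}
    if referer:
        headers["Referer"] = referer
    conn.request("GET", parts.path or "/", headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result


def check_cloaking(url, referers=("http://www.google.com/search?q=x",
                                  "http://search.yahoo.com/search?p=x",
                                  "http://search.msn.com/results.aspx?q=x")):
    """Compare a direct visit with visits 'from' each search engine. Any
    difference in status, Location or body means the page treats search
    traffic differently, which is precisely what the webmaster never sees."""
    baseline = fetch(url)
    findings = {}
    for ref in referers:
        got = fetch(url, referer=ref)
        findings[ref] = {"status": got[0], "location": got[1],
                         "differs": got != baseline}
    return {"baseline_status": baseline[0],
            "cloaked": any(f["differs"] for f in findings.values()),
            "per_referer": findings}


def demo():
    """Run the checker against the local mock and return its verdict."""
    srv = start_mock_site()
    try:
        return check_cloaking("http://127.0.0.1:%d/" % srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

One caveat for real-world use: an injected script may also key on the User-Agent, serve the redirect only once per client IP, or only during certain hours, so a single clean pair of requests does not prove a page is clean. Repeat the check with a browser-like User-Agent from a network the site has not seen before, and compare the full response body, not just the status line.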

 

Copyright © 1996 - 2009
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com