Showing posts with label malware.

Wednesday, October 19

MacOSX Flashback Trojan is covered by ClamAV

So called because it looks like an Adobe Flash Installer. There seems to be a ton of news around this Trojan on various Mac-related websites. http://www.tuaw.com/2011/10/19/trojan-variation-disables-mac-malware-protection/ for instance.

We wrote protection for this in ClamAV about 5 days ago.  I know a lot of Mac users run ClamAV, so I just thought I'd throw this out there.



Tuesday, October 4

Let's just assume this pcap is bad...mkay?

Alerts (2.9.1.1, 4924362.pcap)
1:18347:3 BLACKLIST USER-AGENT known malicious user-agent string AutoIt Alerts: 4
1:19734:1 BLACKLIST DNS request for known malware domain 770304123.cn Alerts: 2
1:16816:5 BOTNET-CNC known command and control channel traffic Alerts: 1
1:18762:1 BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW Alerts: 1
1:17834:3 BLACKLIST DNS request for known malware domain 343.boolans.com Alerts: 1
120:3:1 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Alerts: 3
1:16815:4 BOTNET-CNC known command and control channel traffic Alerts: 1
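The summary above is the output format a reader is most likely to want to triage in bulk. The following is an added example, not code from the original post or from the Snort project: it parses lines of the shape "gid:sid:rev message Alerts: N", totals hits per rule class, pulls the indicators (domains, URIs) out of the message text for blocklisting, and applies the same reasoning the post does, namely that reputation hits plus a command-and-control alert point at an infected host. The sample input is a copy of the post's own alert lines; the category names are taken from the messages themselves.

```python
import re
from collections import Counter

# Copy of the alert summary lines from the post, embedded so the script runs
# offline. Format: "<gid>:<sid>:<rev> <message> Alerts: <count>".
ALERT_SUMMARY = """\
1:18347:3 BLACKLIST USER-AGENT known malicious user-agent string AutoIt Alerts: 4
1:19734:1 BLACKLIST DNS request for known malware domain 770304123.cn Alerts: 2
1:16816:5 BOTNET-CNC known command and control channel traffic Alerts: 1
1:18762:1 BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW Alerts: 1
1:17834:3 BLACKLIST DNS request for known malware domain 343.boolans.com Alerts: 1
120:3:1 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Alerts: 3
1:16815:4 BOTNET-CNC known command and control channel traffic Alerts: 1
"""

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+)\s+(.*?)\s+Alerts:\s*(\d+)$")
DOMAIN_RE = re.compile(r"known malware domain (\S+)")
URI_RE = re.compile(r"known malicious URI (\S+)")


def parse_summary(text):
    """Parse each summary line into a dict; lines that do not fit the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        gid, sid, rev, msg, count = m.groups()
        alerts.append({"gid": int(gid), "sid": int(sid), "rev": int(rev),
                       "msg": msg, "count": int(count)})
    return alerts


def category(alert):
    """GID 1 rule messages start with a class word (BLACKLIST, BOTNET-CNC, ...);
    any other GID is a preprocessor event such as http_inspect (GID 120)."""
    if alert["gid"] != 1:
        return "PREPROCESSOR"
    return alert["msg"].split()[0]


def triage(alerts):
    """Sum hit counts per category and give a simple verdict: reputation hits
    (blacklist) together with a C2 channel alert point at an infected host."""
    counts = Counter()
    for a in alerts:
        counts[category(a)] += a["count"]
    if counts["BLACKLIST"] and counts["BOTNET-CNC"]:
        verdict = "likely infected host"
    elif counts["BLACKLIST"] or counts["BOTNET-CNC"]:
        verdict = "suspicious, review"
    else:
        verdict = "protocol anomalies only"
    return {"by_category": dict(counts), "verdict": verdict}


def indicators(alerts):
    """Pull the domains and URIs named in the messages out for blocklisting and hunting."""
    domains, uris = [], []
    for a in alerts:
        domains += DOMAIN_RE.findall(a["msg"])
        uris += URI_RE.findall(a["msg"])
    return {"domains": domains, "uris": uris}


if __name__ == "__main__":
    parsed = parse_summary(ALERT_SUMMARY)
    print(triage(parsed))
    print(indicators(parsed))
```

Run against the post's seven lines this yields 8 blacklist hits, 2 command-and-control hits and 3 http_inspect anomalies, two malware domains and one URI, and the verdict "likely infected host".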



Tuesday, May 31

Apple's "known bad" Xprotect file is now automatically updated

Very technical term I used there in the subject.. I know.

Apple just released Security Update 2011-003, in which they check for the MacDefender Malware, which I wrote about here.  But the most interesting part of the update is this paragraph:

File Quarantine
Available for:  Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact:  Automatically update the known malware definitions
Description:  The system will check daily for updates to the File
Quarantine malware definition list. An opt-out capability is provided
via the "Automatically update safe downloads list" checkbox in Security Preferences. Additional information is available in this
Knowledge Base article: http://support.apple.com/kb/HT4651
So apparently, Apple has built an automatic updater into its anti-malware file, in its most basic form, giving Apple the ability to directly protect its OS against the newest malware.

If you don't know what I am talking about when I say "anti-malware file"  I suggest you read this post as well.



Wednesday, July 28

Project Razorback has been unleashed on the World

For several months, the Vulnerability Research Team (VRT) here at Sourcefire has been heads down coming up with a new framework for detection called Razorback, and now it's been unveiled to the world this morning.

It is being announced at Defcon this weekend by the VRT, so if you are at Defcon this week and reading my posts: first, have a beer for me, as I am not there this year due to the impending birth of my child; and second, attend this talk.  If no other talks are attended during your drunken hacking binge in Vegas, go to this talk.

OH AND BUY THE VRT BEER IF YOU MEET THEM.  Mkay?

What is Razorback?


In Marketing speak: "Razorback is an Open-Source Framework for an intelligence driven security solution."  Okay, okay, what does that mean?

Razorback is a system that detects and decodes, well, just about anything you need it to.  Following that, it has the ability to then block and alert on that activity.  So, for example:

  • Obfuscated Javascript?  Decoded, Blocked?

  • Bad PDFs? Decoded, Blocked?

  • Bad Word Documents? Powerpoint Documents? Decoded, Blocked?


This framework is aimed primarily at these Client based attacks, and, dare I use it?  Advanced Persistent Threat (APT).  It was born out of necessity and a discussion with the VRT during a panel they participated in last year about detection.  The community asked for something to be able to perform a function like this, and well, here it is.  Better.  There is nothing to combat these threats, so Sourcefire created one.

So, say for example, a PDF comes in via email.  The PDF is sent to Razorback by the SMTP engine, Razorback runs it through the detection, -- which I'm not even going to begin to explain here, because it's extremely awesome and complicated, and you should go to the talk to fully understand --, and if the detection decides the PDF is bad, it will record that fact in its database so that all further attempts with a PDF like that one will be blocked from there on out.   Now, that's just one example.

Since Razorback is an Open-Source project and framework, anyone can write a detection "nugget" for it.  These nuggets, written in C, can detect pretty much anything and provide actionable intelligence on it afterwards, and of course, since it's Open-Source, many different "feeds" can be provided to Razorback.

SMTP, ClamAV, Snort, Web proxies, Web filtering devices, et al.  They can all be written to feed data to Razorback, which then has the ability to take further action after its analysis.

This is a different approach to detection than what's been tried before.  While IPS is great, it can't really grab a PDF off the wire, reassemble it, decode it, and block it in real-time.  With Razorback, Snort can grab the PDF off the wire, pass it to Razorback where it will be analyzed, and so on.

After the talk if the VRT puts their slides and more info up on their website, I'll make sure that I post further information about it.  But for now, here it is:

Razorback.

Here's another article about Razorback over at DarkReading.

Friday, June 18

Apple updates Anti-Malware file

Last year in August I wrote a post called "Snow Leopard is coming..." where I mentioned the XProtect.plist file.  This file protects and defends the OSX system against "downloader" trojans: ones that you receive via iChat or download via Safari or Mail, basically anything where you download the trojan to your system.

In the most recent update of Snow Leopard that came out last week (10.6.4), that I didn't cover, it seems Apple has updated the XProtect.plist file to include a new trojan named "HellRTS".

I guess this answers my original question of whether they are going to keep it updated, and I am glad they are; however, I'd like to see them update it even more often than that, and of course include more things.  It's better than nothing, I suppose..  but I'd like to see more.

As of right now, there are a whole three trojans protected against in the XProtect file.
  • OSX.RSPlug.A
  • OSX.Iservice
  • OSX.HellRTS

You can find this file in the:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

directory.
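For readers who want to see what a file like this does, here is an added example, not code from the post or from Apple: a small reader for a property list in the shape XProtect.plist had at the time (an array of entries, each with a Description and a list of Matches carrying a hex Pattern), plus a scanner that checks a file's bytes against those patterns. The three entry names are the ones listed above; the exact key layout, the content types and the patterns are assumptions made for this example, not Apple's real signatures. The from_download flag mirrors the point made in the earlier post that only files arriving through a downloading application are checked, while a file copied from a CD or thumbdrive is never inspected.

```python
import plistlib

# Constructed sample in the assumed shape of the Snow Leopard era XProtect.plist.
# Patterns are hex-encoded byte strings ("Sample-RSPlug" and so on), chosen for
# this example only.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.RSPlug.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.shell-script</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>53616d706c652d5253506c7567</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Iservice</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>53616d706c652d4973657276696365</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.HellRTS</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>53616d706c652d48656c6c525453</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_definitions(plist_bytes):
    """Return [{'name': ..., 'patterns': [(content_type or None, bytes), ...]}, ...]."""
    defs = []
    for entry in plistlib.loads(plist_bytes):
        patterns = []
        for match in entry.get("Matches", []):
            ctype = match.get("MatchFile", {}).get("NSURLTypeIdentifierKey")
            patterns.append((ctype, bytes.fromhex(match["Pattern"])))
        defs.append({"name": entry["Description"], "patterns": patterns})
    return defs


def scan(data, content_type, definitions, from_download=True):
    """Names of definitions whose pattern occurs in `data` for this content type.
    Files that did not arrive through a downloading application are not checked
    at all, which is the gap the post points out."""
    if not from_download:
        return []
    hits = []
    for d in definitions:
        for ctype, pattern in d["patterns"]:
            if ctype not in (None, content_type):
                continue
            if pattern in data:
                hits.append(d["name"])
                break
    return hits


# Constructed inputs: a "downloaded" script carrying the sample marker, and a clean one.
SUSPECT_SCRIPT = b"#!/bin/sh\necho Sample-RSPlug\n"
CLEAN_SCRIPT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    defs = load_definitions(SAMPLE_XPROTECT_PLIST)
    print([d["name"] for d in defs])
    print(scan(SUSPECT_SCRIPT, "public.shell-script", defs))             # ['OSX.RSPlug.A']
    print(scan(SUSPECT_SCRIPT, "public.shell-script", defs, False))      # [] (copied from a thumbdrive)
```

Two things the example makes visible: a match is a plain byte-pattern lookup restricted to one declared content type, and the check is only ever reached for quarantined downloads, so the number of entries is not the only limit on what the file can catch.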

This article by Sophos turned me onto the update, but I reposted without the conspiracy theories:

http://www.sophos.com/blogs/gc/g/2010/06/18/apple-secretly-updates

Friday, January 15

Haiti domain registrations on the rise

Over the past couple days I've been reporting over on the Internet Storm Center about the number of domains that have been registered (either legitimately for good use, or for malicious use) concerning the Haitian Earthquake disaster.  Read the original article here.

Like I said in that article, we're assuming that these domains are being registered for legitimate and helpful use, but we try and keep our eye out for the illegitimate ones, just in case someone wants to put some malware on a site, or try and trick you into giving up your credit card numbers or donating money via Paypal to a "cause" that never donates the money to Haiti on the backend.  We saw this with Hurricane Katrina, we saw it with the Tsunami disaster, and now, we are seeing it with the Haitian Earthquake.  (See the article here.)

But the number of registered domains is on the rise.  We saw 38 on Wednesday, 445 on Thursday, and today we saw 680.   (So, well over 1,000) It's practically impossible to check these domains by hand, so we are working with a couple partners in the Internet Space to take a look at these domains with us to ensure that they are clean.

Please exercise caution when visiting these sites, and please, donate money for the cause.  But please be extra cautious about who you are donating money to.  You know you can donate to legitimate sites like the RedCross, but do you also know you can donate to these other organizations:

(Thanks Kevin for those links)

Tuesday, August 25

Snow Leopard is coming..

In case you've been living under a rock for the past couple days, as plastered all over Twitter and every computer related gadget site, Snow Leopard, the next release of OSX is coming out on Friday.
This release is mostly enhancements to the Leopard operating system, not really any new "features" per se (even though there are a ton), but mostly bug fixes.

However, today, there has been some news circulated around about an anti-malware solution within Snow Leopard. There have been screenshots all over Gizmodo and Engadget today with this little blurb about OSX Leopard alerting you to the presence of a new piece of malware on OSX.

Now, in the past Apple hasn't taken a proactive stance against any type of malware, running ads claiming that Macs are not prone to viruses and trojans like the Windows platform.

We all know this not to be 100% true. While Apple does have its own share of DNS-changing trojans and things like that, they are very, very few and far between, and even harder to get onto an Apple system than their PC counterparts.
Some trojans and malware require you to perform actions like typing in your admin password. So this "anti-malware" solution is in new territory.
It turns out there are some details starting to emerge about this anti-malware solution: apparently right now it's in a Preferences file called "XProtect.plist", and as of right now, it appears that it only checks for two known OSX Trojans.

In addition to that, it only checks the files if they were downloaded through iChat, Safari, Entourage, and several other applications.

Files that are on a CD, Thumbdrive, etc, are not checked against this plist file. Presumably, the things that this XProtect file checks for are all "downloaded" trojans. Attack vectors that appear over iChat, like those that have come out in the past.

I find it interesting that this is taking place. Will Apple keep this file up to date with System Update? Will they enable greater functionality within the system for this file? Scan files?
Right now OSX Server uses ClamAV to check incoming SMTP email messages arriving through the software against known malware; who's to say that Apple doesn't take this solution a step further and make it simple to use?

I can't imagine that OSX as an attack platform will stay isolated for long, but we'll see. With the new security improvements that have been made within OSX, like improved address randomization and things like that, we'll see how successful an attack platform these "next gen" OSes turn out to be.

Saturday, February 14

A tale of my mother in law's laptop

So, yesterday, my mother in law moved into my house to stay with us for awhile. (Yes this is cool with me, it was actually my idea.. Anyway.)


She handed me her laptop, a Sony Vaio (this thing is a freaking brick!) loaded with Windows XP. She always makes jokes about my network here at the house, and about how “clean” it probably is (all Macs, security etc..), so I went about starting to clean it.


First, I wanted to get the antivirus updates. She had a current Antivirus client (Symantec), it was the full suite, with the firewall and everything. So I updated that, took awhile as it hasn’t been updated in awhile.


-- Sidebar --

My mother in law has been on dialup in her neighborhood where she used to live for a long time. She doesn’t log in for long, long enough to log into her AOL account and check her email and some light surfing.. (yes AOL. Seriously.)


So you can imagine, everything hasn’t been updated in a long time because of the speed of her connection, she doesn’t have the kind of time to sit there and let downloads download overnight.

-- Back to my Story --


The Antivirus ran, and asked me if I wanted to deal with the stuff in Quarantine. I looked at what it was: 3 instances of “Bloodhound.Exploit” in Temp Internet files. Okay, not a big deal, they’ve been quarantined for over a year, so I just deleted them. Hopefully that’s all it finds.


So I started to download XP updates. This is really where I started to value my Macs. This machine was pre Service Pack 3, Windows XP. So you know the drill, get the updates up to date so you can download SP3, then download SP3, then install that, then update, update, update, update. I had to go to Windows Update at least 5 or 6 times. Office was actually updated, but the Windows OS updates were so far behind it took me 6 hours to get this thing updated.


Now, I know when you build a fresh Mac install you have to do the same thing. But it only takes me about 20 minutes to do it, not 6 hours.


I started telling my tale, as I was going, to my followers on Twitter. A lot of jokes were made, you know, about making the laptop a doorstop, or if I had a table with one short leg, go ahead and prop up the table with it.


Other suggestions were made like, “load Ubuntu on it, tell your mother in law it’s the new version of XP”. I thought about it, but my mother in law is just one of those kinds of people who get comfortable with their computing experience, and you don’t want to upset that. She likes her XP and Microsoft Word, so I don’t want to mess with her right now; maybe she’ll get a Mac on her next computer buying experience.


Anyway, it’s fully updated and working now, yes, it’s on my network, as much as I hate to admit it. (It’s the first Windows machine on my network in about 6 years.)


Hopefully now, I can keep her patched and updated.


Monday, November 3

Research

Okay, so MS08-067 Worm(s). I got some intel from various listservers that I belong to about a new worm (or worms) that were starting to be seen in the wild. So I got a few URLs to play with and started poking around. Note, these are not all the URLs that I tried to get the exploit/worm from. They are not all of the same worm, and they may or may not be related... BTW -- I am not a very good malware analyzer, just an FYI.


It appears one of the variants of this worm that I am looking at attempts to spread not only through network vulnerabilities (08-067), but also through P2P networks like Emule.


So, I tried to get one of the files, named 6767.exe in this case. This EXE file does several things, some of which are very unclear as to the reason... as I said, I’m not a malware guy...




This exe downloads, and upon execution (again, in my particular sample, I am sure it will change), from a network perspective, on MY machine, it didn’t do anything. I have read several write-ups of the 6767.exe variant, and I saw what it was “supposed” to do. But in my particular example, it didn’t do anything. I don’t know if it has some kind of virtual machine detection in it, and that’s why it didn’t execute? I don’t know. Just throwing that out there. Maybe it has some kind of sleep function so that it won’t execute right away.. making reverse engineering difficult. (boring!) For a list of what it does to a machine, take a look here. At this point I am more interested in how it spreads, not really what it does to the machine.


So, I downloaded a second sample “10wrjcenew.exe”, and executed it.


It tried to download two files, the first was “mimi.1268772” from ls.lenovowireless.net, and the second was pp.av from “218.4.137.213”. After this pp.av file was downloaded, the malware then attempted to register my computer on ce.10wrj.com. With this string:





This connection succeeded, but was immediately terminated. Since this particular HTTP connection was tried over and over again to register, and since the MAC address is a VMware MAC address, I can only guess that the machine receiving the Client Registration knows which MAC addresses are VMware and doesn’t attempt to infect those? Just a theory. I found some interesting information about this here.


The two files were saved, actually on the desktop (because the malware I had executed was sitting on the Desktop), and were named svchost.exe and winlogon.exe.


So, you can tell that this is a completely different worm from the first one I tried.


Then, after that, scanning commenced on port 139 to try and find other hosts. Now I have a double NAT going on here (172.16 addresses (VMware) are being bridged out to 192.168 (home network) addresses, then translated to the internet). I didn’t notice it, but the worm must have looked up my ‘external’ address at some point, because the malware never did scan my local subnet; it only scanned the public address scheme of my local subnet. Upon further review of the malware through other websites, I also found this to be the case.


After successfully connecting (which didn’t happen in my case) on port 139, it then exploits the other machine on port 445. Which is detected by Snort through rules:


[1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt

[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt

[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt


So I suggest you check out the newest subscription ruleset through Sourcefire at www.snort.org. Like I said, I am not a malware guy, I just did some clicking around to see what was out there and what it did. I haven’t reversed a binary in almost 4 years. Who has the time!? ;)
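The spreading behaviour described above (a burst of port 139 probes, aimed at the public range rather than the local subnet, followed by a connection to port 445 on a host that answered) is something a flow log or firewall log can surface even without the Snort rules. The following is an added example written for this page, not code from the post or from Snort: it reads constructed flow records (timestamp, source, destination, destination port), reports any source that touches port 139 on at least five distinct hosts within a window, notes whether the targets were outside the local ranges, and then lists any later port 445 connection from that source to one of the probed hosts. The 203.0.113.0/24 block is a documentation range standing in for the "public address scheme" the post mentions; the local ranges and thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records: one VM host probes TCP/139 across a public-range block
# plus one local host, then follows up on TCP/445 against the first host; the rest
# is ordinary DNS and web traffic.
SAMPLE_FLOWS = """\
2008-11-03T10:00:00 172.16.5.12 172.16.5.1 53
2008-11-03T10:00:01 172.16.5.12 203.0.113.10 139
2008-11-03T10:00:01 172.16.5.12 203.0.113.11 139
2008-11-03T10:00:02 172.16.5.12 203.0.113.12 139
2008-11-03T10:00:02 172.16.5.12 203.0.113.13 139
2008-11-03T10:00:03 172.16.5.12 203.0.113.14 139
2008-11-03T10:00:03 172.16.5.12 203.0.113.15 139
2008-11-03T10:00:04 172.16.5.12 203.0.113.16 139
2008-11-03T10:00:04 172.16.5.12 203.0.113.17 139
2008-11-03T10:00:05 172.16.5.12 172.16.5.20 139
2008-11-03T10:00:06 172.16.5.12 203.0.113.10 445
2008-11-03T10:00:07 172.16.5.30 172.16.5.20 139
2008-11-03T10:00:09 172.16.5.30 203.0.113.50 80
"""

# Assumed local ranges for this example (the post's VMware and home-network subnets).
LOCAL_NETS = [ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Return a list of (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def detect_scans(flows, port=139, threshold=5, window_seconds=60):
    """Report each source that reaches `threshold` distinct destinations on `port`
    within `window_seconds`, and whether the targets lie outside the local ranges."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    findings = []
    for src, probes in by_src.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            targets = {dst for ts, dst in probes[i:]
                       if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= threshold:
                local = sum(1 for t in targets if is_local(t))
                external = len(targets) - local
                findings.append({"src": src, "port": port, "first_probe": start,
                                 "targets": sorted(targets), "local": local,
                                 "external": external,
                                 "external_range": external > local})
                break  # one finding per source is enough for an alert
    return findings


def exploit_followups(flows, findings, exploit_port=445):
    """(src, dst) pairs where a scanning source later connects on `exploit_port`
    to a host it probed: the 139-then-445 sequence the post describes."""
    hits = []
    for f in findings:
        targets = set(f["targets"])
        for ts, src, dst, dport in flows:
            if (src == f["src"] and dport == exploit_port
                    and dst in targets and ts >= f["first_probe"]):
                hits.append((src, dst))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    findings = detect_scans(flows)
    for f in findings:
        print(f["src"], "probed", len(f["targets"]), "hosts on", f["port"],
              "external-range scan" if f["external_range"] else "local scan")
    print("follow-ups on 445:", exploit_followups(flows, findings))
```

On the sample this flags 172.16.5.12 for nine distinct port 139 targets, eight of them outside the local ranges (matching the post's observation that the worm went after the public range), and one follow-up connection on 445 to 203.0.113.10. The second host, which touched port 139 only once, stays below the threshold.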

