DTH Computer Help! - IT News articles
SMH - Brian Krebs
April 5, 2012
Apple has released an urgent patch that will fix a security hole in its Mac operating system that has allowed some 30,000 Mac computers in Australia and more than 500,000 worldwide to be infected with malicious software (malware).
The critical update to Apple's version of Java for Mac OS X plugs at least a dozen security holes in the program and mends a flaw that attackers have recently pounced on to broadly deploy malware on both Microsoft's Windows and Apple's Mac operating systems; on the Mac, that malware is the Flashback Trojan.
Flashback Trojan's most recent variant (the malware has been around since 2011) installs itself after users visit legitimate websites that have been compromised to distribute the program, a process known as a drive-by download. Once installed, the malware sniffs the computer's data traffic in search of user names and passwords.
The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.
The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs (hat tip to Adrian Sanabria who wrote on his blog "(...) many Mac users have been lured into a false sense of security, and will be, or may already be, in for a rude awakening. Apple's marketing efforts are at least partially responsible for this.").
By Jim Finkle, Tue Jan 17, 2012
(Reuters) Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked.
The world's biggest maker of security software had previously said that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec's own networks had been infiltrated.
The unknown hackers obtained the source code, or blueprint for its software, to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, Symantec spokesman Cris Paden said.
Last week, the hackers released the code to a 2006 version of Norton Utilities and have said they planned to release code to its antivirus software on Tuesday. It was not clear why the source code was being released six years after the theft.
Source code includes instructions written in computer programming languages as well as comments that engineers share to explain the design of their software. For example, a file released last week from the source code of a 2006 version of Norton Utilities included a comment that said "Make all changes in local entry, so we don't screw up the real entry if we back up early."
Companies typically heavily guard their source code, which is considered the crown jewels of most software makers. At some companies access is granted on an as-needed basis, with programmers allowed to view code only if it is related to the tasks they are assigned.
The reason for all the secrecy is that companies fear rivals could use the code to figure out the "secret sauce" behind their technology and that hackers could use it to plan attacks.
Paden said that the 2006 attack presented no threat to customers using the most recent versions of Symantec's software.
"They are protected against any type of cyber attack that might materialize as a result of this code," he said.
Yet Laura DiDio, an analyst with ITIC who helps companies evaluate security software, said that Symantec's customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec's software.
"What we are seeing from Symantec is 'Let's put the best public face on this,'" she said. "Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today."
Symantec said earlier this month that its own network had not been breached when the source code was taken. But Paden said on Tuesday that an investigation into the matter had revealed that the company's networks had indeed been compromised.
"We really had to dig way back to find out that this was actually part of a source code theft," he said. "We are still investigating exactly how it was stolen."
Paden also said that customers of pcAnywhere, a program that provides remote access to PCs, may face "a slightly increased security risk" as a result of the exposure.
"Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information."
(Reporting By Jim Finkle in Boston, additional reporting by Nicola Leske in New York, editing by Matthew Lewis)
26 Apr, 2011
BUFFALO (AP) -- Lying on his family room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.
That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.
"We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."
"No, I didn't," he insisted. "Somebody else could have but I didn't do anything like that."
"You're a creep ... just admit it," they said.
Law enforcement officials say the case is a cautionary tale. Their advice: Password-protect your wireless router.
Plenty of others would agree. The Sarasota, Fla. man, for example, who got a similar visit from the FBI last year after someone on a boat docked in a marina outside his building used a potato chip can as an antenna to boost his wireless signal and download an astounding 10 million images of child porn, or the North Syracuse, N.Y., man who in December 2009 opened his door to police who'd been following an electronic trail of illegal videos and images. The man's neighbor pleaded guilty April 12.
For two hours that March morning in Buffalo, agents tapped away at the homeowner's desktop computer, eventually taking it with them, along with his and his wife's iPads and iPhones.
Within three days, investigators determined the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn't him. About a week later, agents arrested a 25-year-old neighbor and charged him with distribution of child pornography. The case is pending in federal court.
It's unknown how often unsecured routers have brought legal trouble for subscribers. Besides the criminal investigations, the Internet is full of anecdotal accounts of people who've had to fight accusations of illegally downloading music or movies.
Whether you're guilty or not, "you look like the suspect," said Orin Kerr, a professor at George Washington University Law School, who said that's just one of many reasons to secure home routers.
Experts say the more savvy hackers can go beyond just connecting to the Internet on the host's dime and monitor Internet activity and steal passwords or other sensitive information.
A study released in February provides a sense of how often computer users rely on the generosity -- or technological shortcomings -- of their neighbors to gain Internet access.
The poll conducted for the Wi-Fi Alliance, the industry group that promotes wireless technology standards, found that among 1,054 Americans age 18 and older, 32 percent acknowledged trying to access a Wi-Fi network that wasn't theirs. An estimated 201 million households worldwide use Wi-Fi networks, according to the alliance.
The same study, conducted by Wakefield Research, found that 40 percent said they would be more likely to trust someone with their house key than with their Wi-Fi network password.
For some, though, leaving their wireless router open to outside use is a philosophical decision, a way of returning the favor for the times they've hopped on to someone else's network to check e-mail or download directions while away from home.
"I think it's convenient and polite to have an open Wi-Fi network," said Rebecca Jeschke, whose home signal is accessible to anyone within range.
"Public Wi-Fi is for the common good and I'm happy to participate in that -- and lots of people are," said Jeschke, a spokeswoman for the Electronic Frontier Foundation, a San Francisco-based nonprofit that takes on cyberspace civil liberties issues.
Experts say wireless routers come with encryption software, but setting it up means a trip to the manual.
The US Computer Emergency Readiness Team (US-CERT) recommends that home users make their networks less visible to others by disabling the identifier (SSID) broadcasting function that allows wireless access points to announce their presence. It also advises users to replace any default network names or passwords, since those are widely known, and to keep an eye on the manufacturer's website for security patches or updates.
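The checks above (encryption on, default name and password replaced, SSID broadcast considered) can be audited mechanically. The following is an added example, not part of the article and not a US-CERT or vendor tool: it uses hostapd's key=value syntax as a stand-in for a home router's wireless settings, and the DEFAULT_SSIDS list and MIN_PASSPHRASE threshold are assumptions rather than hostapd options. One caveat worth making explicit: hiding the SSID only removes the beacon name, so the audit reports a hidden SSID on an open network as a weakness, not a protection.

```python
"""Audit a hostapd-style wireless config for the weaknesses the article describes.

Added example; hostapd key=value syntax stands in for a home router's wireless
settings. DEFAULT_SSIDS and MIN_PASSPHRASE are assumptions, not hostapd options.
"""
import re

# Constructed list of common factory-default network names.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g", "wireless"}
MIN_PASSPHRASE = 12  # assumed house policy for WPA-PSK passphrase length


def parse_config(text: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments (hostapd syntax)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return one finding string per weakness; an empty list means nothing to fix."""
    findings = []
    wpa = int(cfg.get("wpa", "0") or 0)
    if wpa == 0:
        findings.append("open network: no WPA, anyone in range can use the link and read traffic")
    else:
        if wpa & 1:
            findings.append("WPA1 enabled; set wpa=2 so only WPA2 is offered")
        ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
        if "TKIP" in ciphers:
            findings.append("TKIP pairwise cipher allowed; use CCMP")
        if "WPA-PSK" in cfg.get("wpa_key_mgmt", ""):
            passphrase = cfg.get("wpa_passphrase", "")
            if not passphrase:
                findings.append("WPA-PSK selected but no wpa_passphrase set")
            elif len(passphrase) < MIN_PASSPHRASE:
                findings.append(f"passphrase shorter than {MIN_PASSPHRASE} characters")
    ssid = cfg.get("ssid", "")
    if not ssid or re.sub(r"[\W_]+", "", ssid).lower() in DEFAULT_SSIDS:
        findings.append(f"default or empty SSID {ssid!r}; factory names mark an unconfigured router")
    if cfg.get("ignore_broadcast_ssid", "0") != "0" and wpa == 0:
        findings.append("hidden SSID on an open network: hiding the name is not encryption")
    return findings


# Constructed configs: the 'fed up trying to set a password' router, and a fixed one.
WEAK_CONFIG = """
interface=wlan0
ssid=linksys
channel=6
# no wpa= line: the access point is open
ignore_broadcast_ssid=1
"""

HARDENED_CONFIG = """
interface=wlan0
ssid=Maple-St-Home
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2011
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or ["no findings"])
```

Run against the two constructed configs, the open router produces three findings (open network, factory SSID, hidden SSID without encryption) and the hardened one produces none.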
People who keep an open wireless router won't necessarily know when someone else is piggybacking on the signal, which usually reaches 300-400 feet, though a slower connection may be a clue.
For the Buffalo homeowner, who didn't want to be identified, the tip-off wasn't nearly as subtle.
It was 6:20 a.m. March 7 when he and his wife were awakened by the sound of someone breaking down their rear door. He threw a robe on and walked to the top of the stairs, looking down to see seven armed people with jackets bearing the initials I-C-E, which he didn't immediately know stood for Immigration and Customs Enforcement.
"They are screaming at him, 'Get down! Get down on the ground!' He's saying, 'Who are you? Who are you?'" Covert said.
"One of the agents runs up and basically throws him down the stairs, and he's got the cuts and bruises to show for it," said Covert, who said the homeowner plans no lawsuit. When he was allowed to get up, agents escorted him and watched as he used the bathroom and dressed.
The homeowner later got an apology from U.S. Attorney William Hochul and Immigration and Customs Enforcement Special Agent in Charge Lev Kubiak.
But this wasn't a case of officers rushing into the wrong house. Court filings show exactly what led them there and why.
On Feb. 11, an investigator with the Department of Homeland Security, which oversees cybersecurity enforcement, signed in to a peer-to-peer file sharing program from his office. After connecting with someone by the name of "Doldrum," the agent browsed through his shared files for videos and images and found images and videos depicting children engaged in sexual acts.
The agent identified the IP address, or unique identification number, of the router, then got the service provider to identify the subscriber.
Investigators could have taken an extra step before going inside the house and used a laptop or other device outside the home to see whether there was an unsecured signal. That alone wouldn't have exonerated the homeowner, but it would have raised the possibility that someone else was responsible for the downloads.
After a search of his devices proved the homeowner's innocence, investigators went back to the peer-to-peer software and looked at logs that showed what other IP addresses Doldrum had connected from. Two were associated with the State University of New York at Buffalo and accessed using a secure token that UB said was assigned to a student living in an apartment adjacent to the homeowner. Agents arrested John Luchetti March 17. He has pleaded not guilty to distribution of child pornography.
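The pivot the investigators describe, from a screen name to every address it connected from and then to whoever holds each netblock, is a routine log-correlation step. The following is an added example, not from the article or any agency tool: the log format, the addresses (RFC 5737 documentation ranges) and the netblock labels are constructed, and in practice the owner labels would come from WHOIS and subscriber records obtained by subpoena.

```python
"""Pivot from a P2P screen name to every address it used and who owns each netblock.

Added example, not from the article or any agency tool. The log format, the
addresses (RFC 5737 documentation ranges) and the netblock labels are constructed.
"""
import ipaddress
from datetime import datetime

# Constructed session log: timestamp, screen name, source IP as seen by the
# monitoring client. Real records would come from the P2P software's own logs.
LOG_LINES = """\
2011-02-11T14:02:10Z Doldrum 198.51.100.23
2011-02-11T14:03:44Z otheruser 203.0.113.9
2011-02-13T21:15:02Z Doldrum 192.0.2.77
2011-02-14T09:41:30Z Doldrum 192.0.2.78
2011-02-15T23:30:12Z Doldrum 198.51.100.23
"""

# Constructed netblock labels; in practice these come from WHOIS and the ISP's
# subscriber records obtained by subpoena.
NETBLOCKS = {
    ipaddress.ip_network("198.51.100.0/24"): "residential ISP, subscriber at the searched address",
    ipaddress.ip_network("192.0.2.0/24"): "university campus network",
}


def parse_log(text):
    """Yield (timestamp, handle, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, handle, ip = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), handle, ipaddress.ip_address(ip)


def attribute(ip):
    """Label an address by the first netblock that contains it."""
    for net, label in NETBLOCKS.items():
        if ip in net:
            return label
    return "unknown netblock"


def pivot_on_handle(text, handle):
    """Return {ip: {first, last, hits, owner}} for every address the handle connected from."""
    seen = {}
    for ts, h, ip in parse_log(text):
        if h != handle:
            continue
        entry = seen.setdefault(ip, {"first": ts, "last": ts, "hits": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["hits"] += 1
    return {str(ip): {**e, "owner": attribute(ip)} for ip, e in seen.items()}


def other_owners(text, handle, known_ip):
    """Netblock owners other than the one already identified from known_ip."""
    known = attribute(ipaddress.ip_address(known_ip))
    return {e["owner"] for ip, e in pivot_on_handle(text, handle).items()
            if e["owner"] != known}


if __name__ == "__main__":
    for ip, e in pivot_on_handle(LOG_LINES, "Doldrum").items():
        print(ip, e["hits"], "hits", e["first"], "->", e["last"], e["owner"])
    print("also seen from:", other_owners(LOG_LINES, "Doldrum", "198.51.100.23"))
```

The point of other_owners is the one the article makes: had the same pivot been run before the raid, the handle's appearances from a second netblock would have been visible alongside the subscriber's address.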
Luchetti is not charged with using his neighbor's Wi-Fi without permission. Whether it was illegal is up for debate.
"The question," said Kerr, "is whether it's unauthorized access and so you have to say, 'Is an open wireless point implicitly authorizing users or not?'
"We don't know," Kerr said. "The law prohibits unauthorized access and it's just not clear what's authorized with an open unsecured wireless."
In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.
The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file sharing network. The user was on vacation when the song was downloaded.
FTC Obtains Court Order Halting International Scheme Responsible For More Than $10 Million In Unauthorized Charges On Consumers' Credit and Debit Cards
Operation Used Expansive Network of "Money Mules"
At the request of the Federal Trade Commission, a federal court has halted an elaborate international scheme that used identity theft to place more than $10 million in bogus charges on consumers’ credit and debit cards, pending a trial. More than a million consumers were hit with one-time charges of $10 or less, and their payments were routed through dummy corporations in the United States to bank accounts in Eastern Europe and Central Asia.
The defendants, using phony company names resembling real companies, and information taken from identity theft victims in the United States, opened more than 100 merchant accounts with companies that process charges to consumers’ credit and debit card accounts, according to the FTC complaint. The FTC believes the defendants may have run credit checks on the identity theft victims first, to be sure they were creditworthy. The defendants also cloaked each fake merchant with a virtual office address near a real merchant’s location, a phone number, a home phone number for the “owner,” a Web site pretending to sell products, a toll-free number consumers could call, and a real company’s tax number found on the Internet.
The FTC alleged that with spam e-mail, the defendants recruited at least 14 “money mules” – people in the United States they paid to form 16 dummy corporations, open associated bank accounts to receive the card payments, and transfer the money overseas. The defendants used debit cards linked to these bank accounts to set up telephone service, virtual addresses, and Web sites that helped deceive the card processors, according to the complaint.
The “money mules” responded to spam e-mail pretending to seek a U.S. finance manager for an international financial services company. The FTC has not determined how the defendants obtained the stolen identities or consumers’ credit and debit account numbers. Consumers’ payments were sent to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus, and Kyrgyzstan.
None of the consumers affected by the scam had contact with any of the defendants. Most consumers either didn’t notice the charges on their bills or didn’t seek chargebacks because of the small amounts – charges ranged from 20 cents to $10. Consumers who called the toll-free numbers that appeared on their bills either found them disconnected or heard recorded messages instructing them to leave a message, but no calls were returned.
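The pattern the FTC describes (many distinct cardholders, every charge at or below $10, merchant names imitating real businesses) is detectable on the processor side by aggregating settlement records per merchant. The following is an added example, not from the FTC filing or any processor's fraud system: the transactions, merchant names and the MIN_CARDS and NAME_SIMILARITY thresholds are constructed assumptions.

```python
"""Flag merchant accounts that fit the micro-charge pattern the FTC describes.

Added example, not from the FTC filing. Transactions, merchant names and the
thresholds MIN_CARDS and NAME_SIMILARITY are constructed assumptions.
"""
import difflib
from collections import defaultdict

# Constructed settlement records: (merchant, cardholder_id, amount_usd).
TRANSACTIONS = [
    ("Acme Office Supply", "c1", 149.99), ("Acme Office Supply", "c2", 89.50),
    ("Acme Office Supply", "c3", 230.00),
    ("ACME Office Suply LLC", "c4", 9.99), ("ACME Office Suply LLC", "c5", 0.20),
    ("ACME Office Suply LLC", "c6", 7.40), ("ACME Office Suply LLC", "c7", 9.99),
    ("ACME Office Suply LLC", "c8", 4.10),
    ("Corner Bakery", "c1", 6.50), ("Corner Bakery", "c1", 7.25),
    ("Corner Bakery", "c2", 5.00),
]

KNOWN_MERCHANTS = ["Acme Office Supply", "Corner Bakery"]  # constructed legitimate accounts
MAX_MICRO = 10.00        # the scheme kept every charge at $10 or below
MIN_CARDS = 5            # assumed threshold for 'many distinct cardholders'
NAME_SIMILARITY = 0.80   # assumed difflib ratio above which a name is a look-alike


def lookalike_of(name, known=KNOWN_MERCHANTS):
    """Return the legitimate merchant this name imitates, or None if it is known or distinct."""
    if name in known:
        return None

    def ratio(k):
        return difflib.SequenceMatcher(None, name.lower(), k.lower()).ratio()

    best = max(known, key=ratio)
    return best if ratio(best) >= NAME_SIMILARITY else None


def flag_merchants(transactions):
    """Return {merchant: [reasons]} for accounts that look like the scheme's dummy merchants."""
    by_merchant = defaultdict(list)
    for merchant, card, amount in transactions:
        by_merchant[merchant].append((card, amount))
    flagged = {}
    for merchant, rows in by_merchant.items():
        reasons = []
        cards = {card for card, _ in rows}
        if len(cards) >= MIN_CARDS and all(amount <= MAX_MICRO for _, amount in rows):
            reasons.append(f"{len(cards)} distinct cards, every charge at or below ${MAX_MICRO:.2f}")
        twin = lookalike_of(merchant)
        if twin:
            reasons.append(f"name resembles legitimate merchant {twin!r}")
        if reasons:
            flagged[merchant] = reasons
    return flagged


if __name__ == "__main__":
    for merchant, reasons in flag_merchants(TRANSACTIONS).items():
        print(merchant, "->", "; ".join(reasons))
```

A small legitimate business with a few repeat customers paying under $10 (the bakery above) is not flagged, because the card-count condition and the amount condition must both hold; the look-alike name check is independent and would fire even on larger charges.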
The defendants are the 16 sham companies – API Trade LLC, ARA Auto Parts Trading LLC, Bend Transfer Services LLC, B-Texas European LLC, CBTC LLC, CMG Global LLC, Confident Incorporation, HDPL Trade LLC, Hometown Homebuyers LLC, IAS Group LLC, IHC Trade LLC, MZ Services LLC, New World Enterprizes LLC, Parts Imports LLC, SMI Imports LLC, SVT Services LLC – and one or more persons who are unknown to the agency at this time. The FTC charged them with making unauthorized charges to consumers’ credit cards in violation of Section 5 of the FTC Act. The court froze the defendants’ assets and ordered them to stop operating, pending final resolution of the case.
NSS Labs: Testing shows most AV suites fail against exploits
By Jeremy Kirk
August 17, 2010 09:32 AM ET
IDG News Service - A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how cybercriminals still have the upper hand.
NSS Labs, which conducts tests of security software suites, tested how security packages from 10 major companies detect so-called "client-side exploits." In such incidents a hacker attacks a vulnerability in software such as Web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash.
NSS Labs is an independent security software company that unlike many other testing companies does not accept vendor money for performing comparative evaluations. Vendors are notified, however, and are allowed to make some configuration changes before NSS Labs' evaluation.
"This test -- the first of its kind in the industry -- was designed to identify how effective the most popular corporate endpoint products are at protecting against exploits," according to the report. "All of the vulnerabilities exploited during this test had been publicly available for months (if not years) prior to the test, and had also been observed in real attacks on real companies."
The attacks are often done by tricking a user into visiting a hostile Web site that delivers an exploit, or a specially crafted code sequence that unlocks a vulnerability in a software application, according to the NSS Labs report.
There can be different variants of exploits that attack the same vulnerability but target different parts of a computer's memory. Security vendors frequently add signatures to their databases that enable the software to detect specific exploits, but those exploits may evolve.
"A vendor may develop a signature for the initial exploit with the intent to later deliver subsequent signatures," the report said. "Our testing has revealed that most vendors do not take these important additional steps."
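The distinction the report draws, a signature for the first exploit seen versus detection of the vulnerability condition any variant must trigger, can be shown on a toy protocol. The following is an added example, not NSS Labs' methodology or any vendor's engine: the protocol, the 64-byte buffer, the exploit samples and the signature are all constructed, and the variants differ from the original only in padding and payload bytes while triggering the same overflow.

```python
"""Toy comparison of an exploit signature with a check on the vulnerability itself.

Added example, not NSS Labs' methodology or any vendor's engine. The protocol,
buffer size, exploit samples and signature are all constructed.
"""

# Assumed toy protocol: a message is b"NAME=<value>" and a hypothetical client copies
# <value> into a fixed 64-byte buffer without checking its length.
BUFFER_SIZE = 64

# Constructed samples. The original exploit pads with 'A' and carries one payload;
# the variants pad differently and carry other payloads, yet trigger the same bug.
ORIGINAL_EXPLOIT = b"NAME=" + b"A" * 80 + b"\x90\x90\xcc"
VARIANTS = [
    b"NAME=" + b"\x0c" * 96 + b"\xeb\xfe",
    b"NAME=" + bytes(range(65, 65 + 72)) + b"\xcc\xcc",
]
BENIGN = [b"NAME=alice", b"NAME=" + b"B" * BUFFER_SIZE]

# What a vendor might ship after seeing only ORIGINAL_EXPLOIT.
SIGNATURE = b"A" * 80 + b"\x90\x90"


def signature_detect(msg):
    """Exploit-based detection: match the bytes of the one sample that was analysed."""
    return SIGNATURE in msg


def vulnerability_detect(msg):
    """Vulnerability-based detection: flag any value that would overflow the buffer."""
    if not msg.startswith(b"NAME="):
        return False
    return len(msg[len(b"NAME="):]) > BUFFER_SIZE


def protective_score(detector, samples):
    """Fraction of malicious samples caught, in the spirit of NSS Labs' protection score."""
    return sum(1 for s in samples if detector(s)) / len(samples)


def false_positives(detector, samples):
    """Benign samples the detector wrongly flags."""
    return [s for s in samples if detector(s)]


if __name__ == "__main__":
    attacks = [ORIGINAL_EXPLOIT] + VARIANTS
    for name, det in (("signature", signature_detect), ("vulnerability", vulnerability_detect)):
        print(f"{name:13s} catches {protective_score(det, attacks):.0%} of attacks,"
              f" {len(false_positives(det, BENIGN))} false positives")
```

On the constructed set the signature catches one of three attacks and the length check catches all three with no false positives; the second benign sample sits exactly at the buffer size to show the boundary the vulnerability check must get right.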
Only one of the 10 software suites tested detected all 123 exploits and variants, which were designed to attack vulnerabilities in software such as Microsoft's Internet Explorer browser, Firefox, Adobe Acrobat, Apple's QuickTime and others.
The 10 software suites scored vastly differently, with one catching all of the exploits at the top end and another catching only 29 percent at the low end.
NSS Labs said the average protective score was 76 percent among the 10 suites for "original exploits," or the first exploit to be made publicly against a particular software vulnerability. Three of the 10 caught all original exploits. For variant exploits, the average protective score was 58 percent.
"Based on market share, between 70 to 75 percent of the market is under protected," the report said. "Keeping AV software up-to-date does not yield adequate protection against exploits, as evidenced by coverage gaps for vulnerabilities several years old."
NSS Labs president, Rick Moy, said all of the vulnerabilities are "low-hanging fruit." Information on the vulnerabilities has been available in some cases since 2006, which means the hackers all know the problems and the exploits are still being used.
But security software companies have tended to focus on the malicious software delivered after an exploit succeeds. Those samples now number in the millions. Exploits, by contrast, are far less numerous and would be a better choke point for protecting computers.
"I think part of the problem is the industry is focusing more on the malware than the exploit," Moy said. "You need to look at both, but ... you really need to look at vulnerability-based protection and stopping the exploits."
Patching the known vulnerabilities will also stop the exploits, but many companies won't apply all patches immediately since it may break other software those companies are using, Moy said. Security software represents a good "virtual patch," but only if it can detect those exploits and subsequent malware, he said.
NSS Labs puts the suites in three categories: "recommend," which means a product performed well and should be used in an enterprise; "neutral," which means a product performed reasonably well and should continue to be used if it is already in use; and "caution," which means the product had poor test results and organizations using it should review their security posture.
NSS Labs chose to reveal those security suites it rates as "caution": AVG Internet Security Business Edition 9.0.733, ESET Smart Security Enterprise Business 4.474, Norman Endpoint Protection 7.2 and Panda Internet Security 2010 (Enterprise) 15.01. The full report costs US$495 and is available on NSS Labs web site.
Fake antivirus security scanner/malware was only detected by 8 of 40 anti-virus products, according to this VirusTotal Report.
VirusTotal is a service that analyzes suspicious files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and web analysis toolbars.
File name: packupdate_build8_195_2_.exe
Submission date: 2010-04-12 23:29:50 (UTC)
Result: 8/40 (20.0%)

Antivirus            Last update   Result
a-squared            2010.04.12    Trojan.Win32.FakeAV!IK
AhnLab-V3            2010.04.12    -
AntiVir              2010.04.12    -
Antiy-AVL            2010.04.12    -
Authentium           2010.04.12    W32/FraudLoad.C!Generic
Avast                2010.04.12    -
Avast5               2010.04.12    -
AVG                  2010.04.12    -
BitDefender          2010.04.12    -
CAT-QuickHeal        2010.04.12    -
ClamAV               2010.04.12    -
Comodo               2010.04.12    Heur.Suspicious
DrWeb                2010.04.12    -
eSafe                2010.04.12    -
eTrust-Vet           2010.04.12    -
F-Prot               2010.04.12    W32/FraudLoad.C!Generic
F-Secure             2010.04.12    -
Fortinet             2010.04.12    -
GData                2010.04.12    -
Ikarus               2010.04.12    Trojan.Win32.FakeAV
Jiangmin             2010.04.12    -
Kaspersky            2010.04.12    -
McAfee               2010.04.12    -
McAfee-GW-Edition    2010.04.12    -
Microsoft            2010.04.12    -
NOD32                2010.04.12    -
Norman               2010.04.12    -
nProtect             2010.04.06    -
Panda                2010.04.12    -
PCTools              2010.04.12    -
Prevx                2010.04.12    Medium Risk Malware Dropper
Rising               2010.04.12    -
Sophos               2010.04.12    -
Sunbelt              2010.04.12    Trojan.Win32.Generic.pak!cobra
Symantec             2010.04.12    -
TheHacker            2010.04.12    Trojan/Dropper.gen
TrendMicro           2010.04.12    -
VBA32                2010.04.09    -
ViRobot              2010.04.12    -
VirusBuster          2010.04.12    -
(- = not detected)
Copyright 2007-2018 DTH Computer Help! v10.2. Mobile Onsite Computer Technician - Home Computer Service: computer troubleshooting, Internet problems, virus removal service, data recovery, PC fix/PC repairs.