Domain: sophos.com
Stories and comments across the archive that link to sophos.com.
Comments · 553
-
How to tell whether you are infected
See here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Summary:
If you open Terminal and run
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
and
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
and see:
The domain/default pair of [...] does not exist
for each, you are not infected. Also, if you run nearly any AV software or other tools like Little Snitch, you are not infected as it checks for these and deletes itself if found.
Also, no sensible person ever said "Macs don't get [infected/hacked/whatever]." It's just a lot less likely, and has historically been, even accounting for differences in marketshare. As Mac share increases, it only makes sense they'll be targeted more with malware. But Macs, as a whole, are indeed "more secure", in that still, to this day, you are far less likely — even with the complacency or, if you prefer, ignorance, of Mac users — to become impacted with any malware than with Windows. Maybe someday this will change. But it's never been true to date, and isn't true now. The fact that single instances of Mac malware get so blown out of proportion, STILL, is ridiculous. (Though, Apple could do better with patching known vulnerabilities in Java on Mac OS X...)
The same advice and best practices for avoiding malware apply to Macs as well as any other desktop platform, and Mac users would do well to run current AV software. The Sophos free edition is nice.
-
Re:Project much?
-
Re:Assuming you're not just "trolling" (u are)?
1.) DNS has issues, for starters: Would you like a list of problems it's seen over time? Just ask. See below also...
---
2.) You're also adding on "weight" of extra programs that the hosts file can do the SAME JOB FOR, for less!
Especially for a home setup using a single system only.
Since hosts files are simply a filter for the ring 0/rpl 0/kernelmode Pnp designed (Windows &/or MacOS X) IP stack based on the best there is in BSD ones (most all OS are here)? They are less layered on b.s. & thus, are more efficient.
I.E.-> The IP stack, as well as the ring of privilege/CPU operations it runs from? It is as fast & efficient as it gets, vs.:
A.) Loading on more programs like a local DNS server, especially in recursive mode!
(Potential DNS poisoning/redirect problems & can be done in SECONDS over the 51/53 port series iirc)
B.) Doing so results in eating up more CPU cycles, RAM, & other forms of I/O needlessly & illogically... as well as electric power too.
---
HOWEVER:
I can see using a DNS server, IF you have an Active Directory OR have to manage 100's to 1,000's of servers, but not for a single PC @ home!
(Mainly due to what I wrote above regarding electrical power usage, since programs do NOT "run for free", as well as CPU, RAM, & other forms of I/O)...
Still - To each his own on that account... there's logical ways of doing things, & illogical wasteful ways too.
---
DNS issues? It's even being noted in security forums today @ SOPHOS, here:
Regarding Anonymous making threats to "take down" the root 13 DNS servers!
Yes - it is a possible, but unlikely, possibility of happening!
However, DNS poisoning & redirects, especially to recursive setups of DNS, and odds are you HAD to do that on yours most likely too?
No mere possibility of problems...(Again - want evidences of that? Ask!)
APK
P.S.=> Of course, IF you need DNS services (and we all do, even hosts file users) and you are a single system user especially?
These are excellent options:
Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:
Norton DNS -> http://nortondns.com/
ScrubIT DNS -> http://www.scrubit.com/
OpenDNS -> http://www.opendns.com/
(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)
That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!
(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)
ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!
( & it's possible to use ALL THREE in your hardware NAT
-
Re:sophos report more, millions in IT security wor
“Sabu could be making millions of bucks heading the IT security department of a major company,” a law enforcement official said. “But look at him, he’s impoverished, living off public assistance and was forced between turning on his friends and spending a lifetime in jail.
Millions of bucks... IT security department
Millions of bucks
Millions lol
Yeah right. That is disinformation and propaganda. If there were millions of bucks to be made doing that, many people have more skills than him and aren't ever going to make millions of bucks. That FBI guy who said that probably isn't making millions of bucks as FBI agents and law enforcement officers don't make millions of bucks. Someone who doesn't have a clue about how the industry works is talking about something they don't know anything about.
Sabu had some skill, enough skill to run an IT dept but that would only pay $80,000-100,000 and chances are they'd look at his resume and never even give him an interview. It wouldn't matter if he had skill or not since he probably doesn't have name recognition, a strong resume, or social networking to leverage.
-
sophos report more, millions in IT security work
“Sabu could be making millions of bucks heading the IT security department of a major company,” a law enforcement official said. “But look at him, he’s impoverished, living off public assistance and was forced between turning on his friends and spending a lifetime in jail.
Millions of bucks... IT security department
Millions of bucks
Millions lol
-
Re:As an aside
-
Linux Trojan: Linux/Bckdr-RKC 02-2012
The link above contains a detailed look at this mysterious new trojan targeting Linux.
- http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~Bckdr-RKC.aspx
- http://tinyurl.com/Linux-Bckdr-RKC
Category: Viruses and Spyware
Protection available since: 22 Dec 2011 08:23:46 (GMT)
Type: Trojan
Affected Operating Systems: Linux
© 1997 - 2012 Sophos Ltd. -
Re:That is *not* out-of-band
"Oracle issues rare out-of-band update for Apache DDoS vulnerability"
"This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005."
That would be Microsoft's "Patch Tuesday". Oracle doesn't call it "out-of-band".
"Adobe Releases Out-of-Band Patch"
Adobe called it a "Security bulletin", and judging from when Adobe releases updates for Flash Player, I'm not even seeing a regular schedule to classify it as "out-of-band" as Microsoft defines it.
"Installing out-of-band updates for IBM BladeCenter devices using Telnet fails"
They're actually talking about delivery of patches via FTP and TFTP. Another talks about SNMP as the method. That is out-of-band and not what Microsoft is doing.
If anything about Microsoft releasing a patch off-schedule is "out-of-band" it is that they call special attention to it via press release rather than otherwise silently informing people via Windows Update. And that's assuming that they don't issue press releases anyway that usually get ignored by the press when they're on the regular schedule. It's not delivering the patch out-of-band, it's informing the public out-of-band, i.e. via an alternate band of communication. But it isn't delivery of the patch; that still occurs through the normal channel: Windows Update. It's conflating security "update" as a deliverable fix with security "update" as bulletin about the availability of the fix via the usual channels.
And that's the closest to a concession you'll get out of me on this.
-
Re:That is *not* out-of-band
Find an independent source that doesn't source or reference Microsoft and its off-schedule releases. And not one you make yourself, either.
Ok then,
http://nakedsecurity.sophos.com/2011/09/17/oracle-issues-rare-out-of-band-update-for-apache-ddos-vulnerability/ "Oracle issues rare out-of-band update for Apache DDoS vulnerability"
http://www.simplysecurity.com/2011/09/27/adobe-releases-out-of-band-patch/ "Adobe Releases Out-of-Band Patch"
http://publib.boulder.ibm.com/infocenter/director/v6r1x/index.jsp?topic=/director.tbs_6.1/fqm0_r_tbs_um_installing_out_of_band_updates_for_bc_using_telnet_fails.html "Installing out-of-band updates for IBM BladeCenter devices using Telnet fails"
-
Re:8 more ANDROID security issues (40++ now)
The point we seem to be labouring, is you seem to think vendors installing malware is a security issue.
Security issues are ones in which problems arise after you get the device, outside of its intended use. Most of what you are posting is complaints about software doing what it was intended to do (albeit not what the user expected). That is something very different to, say, switching your computer on and instantly getting infected with a virus, which has plagued Windows for decades and has never been a problem on Linux.
The very fact your own link says:
http://nakedsecurity.sophos.com/2011/07/09/android-malware-spies-sms-messages-zeus-family/
The Symbian, Windows Mobile and Blackberry modules of the notorious Zeus malware toolkit (also known as ZBot) have been known about for some months, and it has been clear that Zeus gang was interested in developing malware for mobile platforms. However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices.
__
Shows this is still much more of a problem on Windows devices than Linux based ones. There are also tools out for Android based devices that let you revoke permissions for installed apps. Is there anything like that for Windows devices?
Simple fact is, Linux is as secure as you make it, but you cannot make windows secure.
-
8 more ANDROID security issues (40++ now)
There's 33++ other ANDROID security issues I posted you avoid like the plague & we KNOW why, lol!
In fact? Here's some more, "continuing the trend", 8 at a time (since /. won't let me post more than that in a single thread):
---
http://mobile.slashdot.org/story/11/08/01/2242233/Android-Trojan-Records-Phone-Calls
http://www.theregister.co.uk/2011/08/12/defcon_handsets/
http://mobile.slashdot.org/story/11/07/24/1715232/Android-Password-Data-Stored-In-Plain-Text
http://nakedsecurity.sophos.com/2011/07/09/android-malware-spies-sms-messages-zeus-family/
http://www.theregister.co.uk/2011/06/01/android_trojan_rash/
http://mobile.slashdot.org/story/10/12/21/1849243/The-Smartphone-That-Spies-and-Other-Surprises
http://it.slashdot.org/story/11/05/17/1538226/Swiped-Tokens-Expose-Android-Devices-To-Data-Theft
---
* Once again, for the 4th or 5th time now: Would you like more? I have PLENTY MORE where that came from!
APK
P.S.=> CarrierIQ running on ANDROID (a Linux variant) is indeed a problem for it, no matter what kind of "spin" you attempt to put on things I post - no questions asked, & it's only a SMALL FRACTION of the exploits "exploding" on the Linux variant called ANDROID!
So - do I "hate Linux or Android"? No, far from it - they're just operating systems after all!
(They both do the job & are pretty ok (I used both here over time))
HOWEVER, what I do dislike?
Well... the "std. 'FUD' b.s." I heard here on /. for YEARS (coming up on a decade now) of: "Linux = secure, Windows != secure"
That has been disproven by security issues popping up on Linux (since it can no longer hide via "security-by-obscurity") OR ANDROID (a widely used Linux variant on smartphones, that TRULY illustrates that Linux was indeed, hiding behind lack of usage & thus, not a good target with enough users for justifying an "ROI" on time spent creating exploits for it... this is no longer the case on smartphones @ least))...
... apk
-
I merely post facts to back my statements
After hearing yrs. of /. penguins & "Linux = secure, Windows != secure" & the data on android that keeps coming in my posts isn't weakening my case.* I merely state facts when asked for them... plenty more where that came from too! Here are 8 more (making my total @ this point 25 already in my posts here now up to this one):
http://www.networkworld.com/community/blog/android-traveling-texts
http://www.theregister.co.uk/2011/09/15/android_malware_skyrockets/
http://www.wired.com/gadgetlab/2011/08/android-malware-explodes-ios-remains-safe/
http://www.theregister.co.uk/2011/02/17/android_trojan_click_fraud_scam/
http://www.theregister.co.uk/2011/02/07/difference_between_smartphones_and_superphones/
http://www.theregister.co.uk/2011/06/01/android_trojan_rash/
http://blogs.computerworld.com/17355/zombies_and_angry_birds_attack_mobile_phone_malware
---
* Continuing the trend via continuous data in each of my replies to "naysayer trolls" (especially the AC ones), in proofs of ANDROID security issues over time... 25++ & counting thusfar!
APK
P.S.=> I have 25++ recent issues regarding ANDROID (a Linux variant) security problems as of THIS post... Would you like more?
... apk
-
Re:pr0f exploit a hoax?
That was a different water-treatment event; in fact, it's the one that prompted pr0f to pull his attack, because nobody was taking the security holes seriously: http://nakedsecurity.sophos.com/2011/11/22/interview-with-scada-hacker-pr0f-about-the-state-of-infrastructure-security/
-
Re:This is a duplicate.
Yeah, even the NYT got hit with a fake anti-virus attack ad.
Untrusted ads are simply not safe.
-
As I Said Before
Look websites, we get it, the social contract. I would be fine helping you out by watching your ads. But the ads on your site, aren't from you, they are from an adfarm, or an adhosting company, or any number of third parties I do not know or trust.
Although not a tech site, everyone here has probably heard of the NY Times third party ad supplier getting hit, and injecting an attack to visitors from a poisoned advertisement. *
I use Adblock mostly in self defense, along with NoScript, because I don't know who is pushing the ads, or what their policies are. If AdBlock is going to vet advertisers and guarantee safe content, then maybe I will loosen up a bit. But I'm still leery, as even certificate authorities these days are getting gamed.
In general blocking anything except the web content I'm trying to view, seems best practice.
* http://nakedsecurity.sophos.com/2009/09/14/fake-antivirus-attack-hits-york-times-website-readers/ -
Re:Anyone else not surprised?
-
Very nice of the Rail Corporation to auction them?
So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value ring a few alarm bells?
-
Update .... Carefully
Adobe have to be very careful about even recommending that you update these days, as that can lead to problems if not handled correctly.
Adobe is forced to officially advise the need to update, at the same time as spam containing malware laden upgrades are released. Naked Security article about malware spam
They might get a greater hit rate by using the Zero Day to create FUD that increases the number of clicks on the email rather than pushing an exploit on the Zero Day directly. -
Re:Not a competitor
until there are word processors, Exchange support, or other basic functionality, Android tablets will be considered at best a novelty.
WTF are you talking about? For one thing there is Google Docs. For another, my Dell Streak came with "QuikOffice" or something like that that does word docs. Not that I'd really want to use an office suite on a tablet when I have a laptop available.
Android has had Exchange support since version 1.5 - ie since 2009. You are either lazy and ignorant, or flat out trolling.
Finally, there is device security. There has yet to be a single piece of malware on an iPad in the wild. Shows you something doesn't it?
Sure.
-
Re:Dropbox+KeePassX
So what happens if someone gains access to your dropbox and gets your password database file?
http://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-anyone-log-in-as-anyone/ -
Re:Damn, they're easy
Looks like the Brits are still not getting the basics right. Back in the 60s we'd already taught the authorities who tapped our phones, read our mail, and sent ringers to our gatherings not to trust that kind of "intelligence."
It only takes a few cases where they prosecute someone based on that kind of "evidence" and it turns out that the defendant was in another country to make the prosecutor a laughing stock. Again.
-
Possibly part of the ZEUS botnet
So, this is how/why HOSTS files help you in this case: http://nakedsecurity.sophos.com/2011/07/09/android-malware-spies-sms-messages-zeus-family/
PERTINENT QUOTE/EXCERPT:
---
Android malware spies on your SMS messages - but is it part of the Zeus family?
"The Symbian, Windows Mobile and Blackberry modules of the notorious Zeus malware toolkit (also known as ZBot) have been known about for some months, and it has been clear that Zeus gang was interested in developing malware for mobile platforms.
However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices.
This fact was quite surprising to us, considering the popularity of the Android and iOS platforms and the growing prevalence of malware being written for the Google Android operating system in particular.
In the last couple of days, however, there has been quite a lot of discussion on the mobile malware analysis mailing lists about an Android version of Zeus.
We eventually concluded that this was a malicious application that Sophos products have been detecting as Andr/SMSRep-B since 31st May 2011.
The malicious application pretends to be an Android version of Trusteer Rapport banking security tool, and was served to devices running the Google Android OS by a web server which was set up to deliver Zbot malware to multiple platforms.
After the fact, it was not difficult to connect the Android application with Zeus toolkit, although we could not conclude 100% that there was a connection.
The installed application uses a stolen Rapport icon and displays a simple screen when launched on affected device.
The fake Rapport application registers a Broadcast receiver which intercepts all received SMS messages and forwards the messages to a malicious web server using HTTP POST requests. The stolen SMS messages are encoded using a JSON encoding scheme, often used by various web services.
Although the application is clearly designed to steal the content of SMS messages, it's not very sophisticated.
That's why we cannot be 100% sure that this is indeed a part of the Zeus kit. The URL of the command and control server is hard-coded into the source code, for example, which makes the application quite inflexible for installation on an alternative server.
Nevertheless, this malicious Android application is interesting as it combines spyware functionality with the concept of fake security software. As we've seen recently in the Mac OS X world, fake anti-virus software is one of the most common themes adopted by malicious hackers in their attacks.
Eventually, the doubt whether this is really part of the Zeus family or not remains. I suppose only the developers of Zeus kit know for certain.
Unfortunately I have no means of contacting them, and even if I did I doubt they would be prepared to confirm or deny this theory." - by Vanja Svajcer on July 9, 2011
---
FROM -> http://nakedsecurity.sophos.com/2011/07/09/android-malware-spies-sms-messages-zeus-family/
* For YEARS now, I've been adding ZEUS botnet's hosts-domain names to my HOSTS file & IP addresses it uses (by far the minor one in IP Addys vs. host names) to my router firewalls & software firewall (Windows 7's native one) here, from this source for that data (which YOU may find useful too - especially in THIS case, vs. this particular ANDROID malware):
https://zeustracker.abuse.ch/monitor.php?filter=online
(Enjoy & I hope this is helpful to you ANDROID users out there...)
APK
P.S.=> ANDROID's unfortunately just showing you all that Linux (which has more unpatch
-
Re:OS trust not really the issue.
OS trust definitely is an issue. It's exactly why Microsoft got rid of USB autorun without user permission.
Granted that won't stop users from running programs, opening files, etc., but it's a start.
-
Appropriate
I'd say that's a pretty appropriate story for a blog named "Naked Security."
-
15 Seconds Quality Time with Google...
turns up Sophos' analysis of this "Plankton" malware.
The sample of the EULA associated with the malware app (yes, malware EULAs) lists "Angry Bird Cheater" by name, so there's one of the candidates. Also, quoting the article:
The code suggests that it is a platform, but it does not disclose its purpose. Descriptions of the apps pulled from the Android Market contain the text:
This application is brought to you free sponsored by Choopcheec Platform. It adds a search shortcut on the home screen or application screen.
So, "Choopcheec" seems to be a common codeword for the apps. Whatever that is.
-
Evidences of malware on MacOS X & sec. vulns
See subject-line, & this quote from yourself:
"I would not call the malware situation on OS X anywhere near rampant. Rampantly reported, maybe." - by Stupendoussteve (891822) on Wednesday June 01, @10:49PM (#36315642)
OK Then - Refer to this list of malware related incidents, + security flaws on MacOS X then (over 50++ of them easily & I have more than this IF you would like them as well):
---
MacOS X - Techworld.com - Third worm hits Mac OS X:
http://www.techworld.com/security/news/index.cfm?NewsID=5429
MacOS X - Slashdot Apple Story | Apple Quietly Goes After Mac Trojan With Update:
http://apple.slashdot.org/story/10/06/19/1811203/Apple-Quietly-Goes-After-Mac-Trojan-With-Update
MacOS X - Slashdot | Worm Threat Forces Apple to Disable Software?:
http://it.slashdot.org/it/07/08/03/1451217.shtml
MacOS X - Slashdot | Two Trojans For Mac OS X:
http://it.slashdot.org/it/08/06/25/0032226.shtml
MacOS X - Slashdot | Mac OS X Root Escalation Through AppleScript:
http://it.slashdot.org/article.pl?sid=08/06/18/1919224
MacOS X - First Rogue Cleaning Tool for Mac - F-Secure Weblog : News from the Lab:
http://www.f-secure.com/weblog/archives/00001362.html
MacOS X - Mac malware authors release a new, more dangerous version | ZDNet:
http://www.zdnet.com/blog/bott/mac-malware-authors-release-a-new-more-dangerous-version/3385
MacOS X - Mac OS X backdoor Trojan, now in beta? | Naked Security:
http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/
MacOS X - Mac Malware Evolves - No Install Password Required - Slashdot:
http://it.slashdot.org/story/11/05/26/1355243/Mac-Malware-Evolves---No-Install-Password-Required
MacOS X - New 'MACDefender' Malware Threat for Mac OS X - Mac Rumors:
http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/
MacOS X - New Backdoor Mac OS X Trojan Surfaces - Slashdot:
http://slashdot.org/submission/1485038/New-Backdoor-Mac-OS-X-Trojan-Surfaces
MacOS X - New Mac fake-defenders similar to Windows scareware - The Register:
http://www.theregister.co.uk/2011/05/20/mac_scareware_win_rogue_similarities/
MacOS X - OS X Crimeware Kit Emerges MacDEFENDER- Slashdot:
http://apple.slashdot.org/story/11/05/02/2120203/OS-X-Crimeware-Kit-Emerges
MacOS X - OSX/Pinhead-B Trojan (OSX_HELLRTS.A, OSX/HellRTS.D) - Sophos security analysis:
http://www.sophos.com/security/analyses/viruses-and-spyware/osxpinheadb.html
MacOS X - Fake security software catches out Apple owners:
-
Re:Obligatory Clarification
Although it's a bit old and things may have changed since then, this article shows how basic the detection is (video within):
http://nakedsecurity.sophos.com/2010/06/18/apple-secretly-updates-mac-malware-protection/
Keep in mind it's Sophos's own site/blog so there's a definite conflict of interest potential. -
Then arm yourself for the upcoming battle
Sophos For Mac Home Edition: (free for home use)
http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
Haven't used the home version yet, but we use Sophos Endpoint Security on campus here and so far it's been working well on our PC and Macs. We've already seen MacDefender show up on a few student macs and it's cleaned them up so far.
-
Re:So Mac Users should expect this?
To be fair (although it may have been different then) Sophos' scanner software on OSX is free:
http://www.sophos.com/en-us/products/free-tools.aspx
They have a premium product that includes "Antivirus, firewall, (NAC), encryption, app and device control" and they offer their virus scanner for "small businesses" but they don't try to scare individuals into upgrading to this. They don't even sell a "personal premium" edition.
http://www.sophos.com/en-us/products/free-trials.aspx -
Re:Honest question about security of unix systems
You should at least try using a search engine before making a remark like that:
https://help.ubuntu.com/community/Linuxvirus
Funny story: I have actually come across a Linux ELF virus in the wild. It was so ancient and badly written that it caused most of the programs it infected to crash, which kinda blew its cover. Pretty much all of the Linux viruses out there are ancient, proofs-of-concept, or both - several of them you even have to compile from source yourself!
(Interestingly, that page's description of the BadBunny virus seems to be a bit off... it's actually a cross-platform OpenOffice macro virus that runs on Windows, OS X and Linux.)
-
Re:The Only Feasible Strategy...
There are stories floating around about companies complaining that Apple is not distributing available security updates to their products, supposedly because of approvals. The App Store is apparently not a good solution currently.
-
Re:Can someone tell me how "form stealing" works?
The point is, there are as yet no "drive by" or otherwise spontaneous infections you can get on a Mac. Any bad things that could happen rely on some form of social engineering or deception.
The results of the pwn2own 2011 may surprise you.
Some not very nice person disguises their malware in a piece of pirated software and uploads it to torrent sites or whatnot. Some people download it and get infected because they don't realize the danger of such an occurrence.
Changing the icon so people will (and did) click to run it. No torrent site or offer of pirate software required. Sample Mac Virus
The Mac OS X security model is in many ways stronger than the Windows security model, but it's certainly not infallible.
If it's so superior why does Mac require a single "hack" to bypass vs chaining three "hacks" to compromise Windows security (pwn2own 2011)? Exhibit A
I'd like to think that by being asked to enter a password a user is more likely to consider what they're authorizing but in most cases, the user is the weakest link.
I completely agree.
-
Mac security advice
You make a valid point, but Safari seems to auto-open certain "safe" files in the case of this crimeware kit: http://www.securitynewsdaily.com/new-malware-goes-after-mac-users-0747/
However, a huge amount of malware doesn't propagate by someone running an executable - these days it frequently uses exploits in browsers, Flash, PDF readers, etc. Simply visiting an infected website or opening a malicious PDF is enough to execute the malware on your machine. Exploit kits make it easy to set up a website that will try many exploits against the visitor, based on the browser and plugins they are using.
This infection model affects Mac, Windows, Linux, etc. While there are security architecture differences between OSs, the main reason Macs haven't yet got a big malware problem is that they haven't been targeted that much.
From something I wrote earlier - short version is that using Firefox/Chrome and a commercial antivirus on Macs is a good idea:
Here's a survey of security experts, giving a fairly balanced view: http://news.cnet.com/8301-27080_3-10444561-245.html - they believe that the Mac is less attacked but less secure than Windows and that Safari is not very secure. Using Firefox or Chrome is probably a better bet on Mac. Chrome - http://blogs.techrepublic.com.com/mac/?p=667 - probably more secure than Safari, and it now does have Adblocking, Flash blocking and NotScripts (like NoScript but a bit painful to install.)
See http://www.readwriteweb.com/archives/apple_quietly_updates_mac_anti-malware_feature.php for some comments - OS X actually has malware detection built in, showing that Apple thinks there is something to protect against. Mostly Trojans at present. Here's a list of OS X malware: http://www.iantivirus.com/threats/
ClamXav may be OK, but Clamav, the underlying tool, is generally nowhere near as good as a commercial antivirus based on tests - see http://en.wikipedia.org/wiki/Clam_AntiVirus#Effectiveness for a summary.
On Windows I generally recommend Kaspersky, who have good heuristic / proactive detection of zero days (the average signature AV only detects about 40-60% of in-the-wild threats). They do have a Mac version: http://www.kaspersky.co.uk/kav-mac-latest-versions
Mac reviews mention Intego as good: http://theappleblog.com/2010/02/04/antivirus-software-on-your-mac-yes-or-no/ and http://www.macworld.com/article/51438/2006/06/antivirussw.html (old review but includes ClamXav). Sophos is a reputable tool on Windows, which has a free Mac version: http://nakedsecurity.sophos.com/2010/11/02/anti-virus-mac-free/
Due to the blended threats that attack first a PC and then your website, and increasing popularity of Macs particularly for web design, it's only a matter of time before a blended threat attacks Mac+websites.
-
Re:Passing on Viruses
I'm not even going to bother linking all of these...
http://www.mcafee.com/us/products/virusscan-enterprise-for-linux.aspx
http://us.trendmicro.com/us/products/enterprise/serverprotect-for-linux/
http://www.kaspersky.com/linux
http://www.eset.eu/products/nod32-for-linux
http://www.centralcommand.com/Products/VexiraforLinux/VexiraforLinuxFileserver.aspx
http://www.centralcommand.com/Products/VexiraforLinux/VexiraforLinuxSambaServer.aspx
http://www.centralcommand.com/Products/VexiraforMailServers.aspx
http://www.f-prot.com/download/home_user/download_fplinux.html
http://www.avast.com/linux-home-edition
http://www.avast.com/linux-unix-edition
http://www.sophos.com/en-us/products/endpoint/endpoint-security-and-data-protection/components/anti-virus-protection/linux.aspx?utm_source=Non-campaign&utm_medium=AdWords&utm_campaign=NA-AW-Linux
http://www.ca.com/us/Support/gsa/Virus-Info/Virus-Signature-Updates/eTrust-Antivirus-7x-for-UNIX-and-Linux.aspx
http://www.pandasecurity.com/homeusers/downloads/desktopsecure/
http://www.pandasecurity.com/enterprise/solutions/
http://www.pandasecurity.com/enterprise/solutions/commandline/
http://free.avg.com/us-en/download.prd-alf
http://download.bitdefender.com/repos/
-
Sophos
Hate to sound like I'm promoting any of these products, but at my (government) job we use Sophos on Windows, Linux & Mac clients & servers. Anyone can even download & use the Mac client for free. We've gone through a few different AV products in the past, but this one seems to be the most benign - it doesn't sap system performance nearly as badly as some of the others we've used.
Still, I've never been big on the "one size fits all" way of thinking. Seems like there's something fundamentally wrong with running just one AV solution... Still, as others have pointed out, these days if you support multiple users, you're asking for trouble if you're not running antivirus - no matter what platform. I think of AV the same way I do backups - you don't need it until you NEED it.
-
Re:Last Resort
I know it is a marketing post, but it does include some examples of Mac malware:
http://nakedsecurity.sophos.com/2010/11/02/anti-virus-mac-free/
– Websites that pose as legitimate-looking software vendor's sites, but whose downloads are really Mac malicious code.
– Malware disguised as pirated software available for download from P2P file-sharing networks.
– Sexy online video links that urge you to install a plug-in to view the content, but really infect your computer with a Mac Trojan horse.
– Popular Twitter accounts, such as that belonging to former Apple evangelist Guy Kawasaki, who have tweeted out links to websites designed to infect Mac computers.
It doesn't prove it is common, but it does prove it is out there.
-
PLEASE UPDATE FRONTPAGE WITH NEW REAL FACTS
I don't work for Samsung but I am a fan of their products.
It seems this so-called 'IT consultant' used a crap, rarely used AV product called VIPRE which caused a false positive, mistaking a Slovenian language pack from Microsoft Live! for a keylogger called StarLogger (both use C:\windows\SL apparently.. jeez, I'd hate to use such a poorly written AV package!)
Please refer to posts by Sophos NakedSecurity blog http://nakedsecurity.sophos.com/2011/03/30/samsung-intentionally-shipping-laptops-with-keyloggerspy-software/
and Samsung Tomorrow http://www.samsungtomorrow.com/1071
NOW, can we please restore the integrity of /. frontpage news with actual facts instead of fear and obsolete debunked information.
PS - where did this "IT Consultant" get his training from? Back of a cereal carton???
-
Another report
Some evidence of server issues here already. Another report: A proper link?
-
Old news?
Already seen that on /. more than once, and other sources even date it to early 2010. Is this a gritty reboot?
-
What about their android app?
Facebook got dinged because their android app didn't use SSL even when the account is set up to use it. I wonder if Twitter has the same problem...
-
I wouldn't mind giving my info to him, he's cute
Just look: http://www.sophos.com/images/misc/freddi_frog.jpg
Anyway, some issues:
A) Why such small sample data? I mean, it shouldn't be hard to annoy 1000+ users instead of just 200.
B) Why aren't they talking about apps that access your information? I know you can disable them but, if you are willing to accept froggy here, I don't think you will.
The implications of the whole thing are hilarious:
Apparently, being poked by a Frog doesn't make you want to start a friendship. That could be a better title for the article.
http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html
C) Next Survey: There's a pretty good chance that I'll waste valuable time with inconsequential Slashdot articles. But hey, it's good fun before going to sleep.
-
-
Haha. Read the memo they left in the conference
http://nakedsecurity.sophos.com/2011/02/16/lessons-to-learn-from-the-hbgary-federal-hack/
down below.
http://sophosnews.files.wordpress.com/2011/02/hbgary-rsa-sign.jpg?w=640
"A group of AGGRESSIVE hackers known as 'Anonymous' illegally broke into blah blah ..... blah blah and stole proprietary and 'confidential' information which was STOLEN by us by using ROOTKITS and VIRUSES and 0 DAY EXPLOITS from private citizens' computers ....."
Corporate lack of shame. You produce rootkits, viruses, 0-day exploits, malware to spy on people, steal their confidential, legally private information to SELL them, and then you dub that information 'proprietary' information belonging to you....
I wonder what they will say in their defense in front of the Senate committee. What's more, I wonder what the Senate committee will say to them, in regard to their dealings with this filthy outfit.
What's the slogan of HBGary anyway? "Hey - we produce viruses, rootkits, 0-day exploits and malware to steal your private information to sell to corporations and government!!!"?
-
Re:Am I insane?
As a few others mentioned, it looks like the text was ripped from http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/
-
Re:Macs are still no mans land
This is the oldest one I could find. They may have been the first, but then again they may have also just been the first to be caught.
-
Re:Just be aware of sudden extra requirements
I was playing Farmville happily and suddenly Facebook said, "give us your mobile account number or you can't get back into your account".
The "warning" you're referring to - the one that appears on the right of your wall, and says "secure your Facebook account!" - doesn't say what you claim it says. It's asking - not requiring - you to provide an alternate way for FB to contact you in the event that both your FB account and your main point of contact (say, a Gmail account) get hacked. I checked the page in question, read about what FB wanted and why they wanted it, and opted not to provide the info. Guess what? I can still access my account just fine.
As mentioned by Sophos a few days ago, the "warning" is poorly worded and unnecessarily alarmist. Even so, I call shenanigans, because I think you're lying. Anyone with more brainpower than a short-bus student could clearly see that the request for additional contact info is optional.