Domain: sophos.com
Stories and comments across the archive that link to sophos.com.
Comments · 553
-
Re:Apple's going to change computing for the masse
"Apple has created a situation where people no longer have to live in a world where their machine is pwned by malware."
Stop drinking that kool-aid, fan boy.
-
On Symbian malware/exploits
I've used Nokias exclusively for the last 6 years. S60 2nd edition allowed you to install any apps from anywhere, and there were quite a few trojans and other apps written for it, around 2004-05.
S60 3rd edition made it harder to do so by requiring all apps to be signed by Symbian, and earlier they only gave out certificates to companies rather than individuals. Nevertheless, there were (are) ways to self sign an install package (a .SIS file) and then install it.
Even then - the phone warns you that the application is not signed, so there's no way anything can silently install itself without user intervention.
The second most common vector for exploits is the browser. No matter what short-sighted US tech blogs may say - Symbian is the world's most widely used OS, with over 2 billion devices sold to date. How come we haven't yet seen a browser based exploit for the internal Webkit browser?
A google search for 'Symbian 3rd edition malware' shows up hardly one or two examples - and reading the descriptions, they rely on social engineering to fool the user into getting installed. The same rules apply as on desktop OSes - namely not to open/install unknown applications etc. What would be worrisome would be a browser exploit, where just visiting a link can compromise your phone, or some sort of silently installed malware. The former has yet to be proved and the latter can only happen through (all too common) user stupidity, so this leads me to conclude that Symbian at least is safe for the present.
Also bear in mind that Nokia pushes out firmware updates much more regularly than other phone manufacturers; even up to 2 years after launch (the 5800 Xpressmusic is a case in point), so you can expect security fixes, if found, to be available faster. Sucks to be in the US with a carrier subsidized handset though.
-
Re:bad for consumers as well.
Sure.... You do realize that all Android phones are newer than the iPhone 3G?
I have two Android devices, one has a promised update to 2.2 in early 2010 and the other is officially stuck at 1.6. The security update situation on Android is crap. http://nakedsecurity.sophos.com/2010/11/26/android-how-security-can-work-while-failing/
-
Re:Antivirus?
Click this link to make your penis shrink 200%.
It is entirely possible. Even top-tier websites whore out their visitors to advertisers. Just look at a site like Gizmodo, they have like 20 other sites foisting ads, cookies, tracking scripts, and pixels on you. Ad networks do not vet the content that is being served out, so if a rogue 'advertiser' is able to push javascript or a 0-day png exploit out, your IE6-using mom just got ransomwared.
That said, I do not use antivirus, except in a virtual machine to scan highly suspect web stuff. Never rooted or virused. Antivirus is like having a bodyguard that belches and farts and likes to hit you in the arm and grab your girlfriend's ass, you are guaranteed to have a bad time to protect against the chance of a real bad time. And I de-malware computers for a living (since software problems are the only consumer-level tech work left, since there is no repair or upgrade when everybody has appliance-level $300 laptops that are relevant about as long as the warranty). About the most pwned I've gotten was having to kill the browser off because a rogue site got me caught in a javascript click-loop, trying to foist some exe.
-
Re:Guess which OS it targets?
Mac users shouldn't get too cocky about it.
-
Re:Ok...
Odd, I don't know why you're picking on me,
Since I didn't recognize your name, and wondered why he might be picking on you, I Googled your name, and see why he might be picking on you. There are a lot of people out there who apparently think you are an asshole.
I am reserving my opinion, but I'm just trying to help you understand (and inform others who may not have heard of you).
-
Two testing options and a removal tool
There are a couple testing files and sites that exist for testing antiviruses that might be of interest. The one that I've used to ensure anti-virus software was functioning was EICAR which is a simple text file that virus definitions recognize but which does not actively do anything. This is useful for demonstrating that software is working, what a virus response looks like and how to remove a virus if it is found. Since it does nothing, it is only useful as a test and doesn't really get into how to deal with a fully compromised system.
An alternative is Spycar which will perform actions targeted in demonstrating browser exploits. It wouldn't be available in a non-internet lab, but you might be able to adapt the links there by putting the files up on an intranet.
http://www.spycar.org/Spycar.html referenced at http://www.pcworld.com/article/125138/put_your_antispyware_apps_to_the_test.html
http://www.eicar.org/anti_virus_test_file.htm referenced in a variety of places, including http://www.sophos.com/pressoffice/news/articles/2003/01/eicar.html
Removal scenarios vary according to how messed up a machine is by an infection. I usually use Trinity Rescue Kit as a first test for computers I don't trust or know have virus issues.
I use MalwareBytes from http://www.malwarebytes.org/ in some cases and found it to be more effective than many of the other solutions, even in the free version.
-
Re:Flash drives, tarballs, &c.
Off the top of my head: 135, 137, 138 (technically netbios isn't needed depending on your network configuration), 3389, 5900...
I also require some of the following ports to be open for anti-virus software: Sophos Ports
So at any given time the desktops on my network have a handful of ports that they are listening on.
So do I still fail? Do I fail because I need to send anti-virus updates to my desktops? Do I fail because my users need the remote desktop functionality? Do I fail because I need to troubleshoot desktops that are 2,000 miles away using ultraVNC?
-
Additional details from Netcraft, Sophos
-
Re:getting things done
Except for the fact that I've never had a Windows box that got compromised or infected with any kind of virus, trojan or malware. Most "vulnerabilities" in Windows are user initiated. Practice a little common sense (i.e. don't run things that come from questionable or unknown sources) and you are unlikely to ever see a problem.
Baloney. Let me guess, you don't have any antivirus installed either, because you don't need it? Either you haven't been using Windows for very long or your only Windows box is turned off in the corner. Back in the 90s I got a disk from my school that was infected with Stoned, and a few years later bought a CD-ROM game that came with Michelangelo on the disc itself. Even more recently, hardware from (more or less) reputable sources come preloaded with malware. Heck, part of my job is removing malware from PCs on a near-daily basis, and even though I know better, my USB key got hit by the Autorun worm last Summer. So yeah, common sense and safe browsing habits are wonderful things, but they're not a panacea. There are so many attacks coming from so many vectors, that if you use a Windows box you will get some kind of infection eventually.
-
Re:what is this .lnk flaw anyway?
Stuxnet functions even if autorun is disabled: http://www.sophos.com/pressoffice/news/articles/2010/07/stuxnet.html
-
Re:Ignorance
Malware != virus, just so we're clear. Do you have any citations to back your claim up about OS X viruses? Didn't think so.
Yes, I do. Also OSX is a BSD variant, which have had several viruses in the 80's and 90's.
Besides, Apple over-simplifies a lot for customers. When they're talking about viruses, they mean all of them - viruses, malware, spyware, trojans and so on.
-
Sophos
Sophos have a standalone scanner / remover. http://www.sophos.com/support/knowledgebase/article/13251.html
-
Re:Operative words
Then it might be more useful, and secure, to note in the warning that they cannot initiate a call without user action. I got the gist from the article that the sandboxing isn't that specific, meaning once you grant access, it's all or nothing.
Specifically, once you grant an App the ability to dial a number, can it do so without user intervention? Will it prompt after future updates?
It seems like an important security feature. The same with audio recording, accessing personal information, etc. All it would take would be an unscrupulous developer who had a seemingly innocent app, who later pushes out updates that allow this access behind the scenes, or one who doesn't even bother with an app update to hide what they're doing, much like the banking software that was used to store users' banking credentials.
http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace/
-
Re:The bad guys thank you Tavis.
There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:
- On Bluetooth phone viruses, apparently the next big thing in malware (2004): "If you don't know about bluejacking these messages can be quite a shock" (2004)
- On the groundswell of Mac malware: "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
- On "naming and shaming" (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)
It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.
-
Overhyped
Blown out of proportion, always look beyond the hype: http://www.sophos.com/blogs/duck/g/2010/06/10/apples-worst-security-breach/
-
Awesome idea.
-
Virus fears
It's not just a productivity issue. Some users are also panicking that the Pacman game could be the result of a virus.
Sophos has reported on the scare at http://www.sophos.com/blogs/gc/g/2010/05/21/panic-pacman-virus-infected-google/, although personally I prefer the bit of their blog post where they describe *genuine* game-related viruses from the past.
-
Red herring
is an idiomatic expression the purpose of which is to divert the audience from the truth or an item of significance. For example, in mystery fiction, an innocent party may be purposefully cast as highly suspicious through emphasis or descriptive techniques; attention is drawn away from the true guilty party.
---
How is this any different than my bank forcing me to get an 'authorization code' via Text every time I login with a computer that doesn't have their cookie set?
-
The ninth highest search on Google is "delete facebook account"
Looks like the house of cards is starting to crumble. I know it's stupid, but maybe if they kept it simple like back in the day.... (Although I love the API for batch uploading photos)
-
Re:They have a point
There's been quite a bit of talk on this lately. See for instance this post at Sophos (not exactly a no-name company) http://www.sophos.com/blogs/sophoslabs/?p=1156
-
Re:Apple Original language lockdown.
Wow *claps* congrats on finding a single comment that might make it seem like Apple did no wrong... thing is a single user comment doesn't equal fact. The reality is that, yes, this bug affected all smartphones. Problem is, only Apple didn't feel the need to patch it before the information about it went live. That means you have every iPhone that could have been attacked (and was). Since this glitch didn't need the user to cause it, many people would have been left in the dark without knowing the problem (my iPhone died, don't know how...). This is the phone's OS's fault since it would execute code it received from the service provider blindly without confirming the actions contained inside. And from as untrusted a source as a randomly sent SMS.
From this article http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html
:The new attacks, by contrast, can strike a phone without any action on the part of the user and are virtually unpreventable while the phone is powered on, according to Miller and Mulliner's research. And unlike the earlier exploits, Apple has inexplicably left them unpatched
Now this article makes mention of the hack being mentioned on Thursday, 2 days later. As mentioned in the article, Apple had known of this problem for more than a month, Apple didn't feel that its users' security was worth addressing until Aug 1st, 48 hours after it went live.
Now, phones were hacked, Apple could have prevented these issues but didn't. So much for having your freedoms taken away from your devices 'for your safety and security'.
If you want more iPhone issues that very well could have been from that hack, try these since they are all from that 48-hour time frame and all involve iPhones suddenly not working even though the user didn't do anything (signs of that hack in use, though that's the nature of massive computer problems, the user doesn't know what went wrong, they just know it doesn't work anymore):
http://discussions.apple.com/thread.jspa?threadID=2101313&tstart=5310
http://discussions.apple.com/thread.jspa?threadID=2100562&tstart=5325
http://discussions.apple.com/thread.jspa?threadID=2099898&tstart=5340
http://discussions.apple.com/thread.jspa?threadID=2097626&tstart=5370
-
Re:Linux is more Secure than Windows
no OS unless it's completely locked down a la iPhone will protect you from user stupidity.
It's not always user stupidity, just how the system is designed. Even a closed system like the iPhone can be hacked by a third party without access to the computer itself. This exploit affected all smartphones, granted only iPhones didn't get patched against it until 48 hours after the information about it went public. But it showed that it was possible, even given its locked-down nature.
-
Re:Responsible reporting
Yep, this blog entry said that "Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it's worth.": http://www.sophos.com/blogs/gc/g/2010/03/22/german-government-firefox/
-
Re:Eh wouldn't surprise me...
All GUI archive managers require a separate "Extract" command (that preserves execute permission), that is different from the default action that is to view a file (without giving it an execute permission even if it is present in the archive).
I have to admit I only tried "tar xvf" to verify that permissions were preserved. Nevertheless, you really think you couldn't get people to actually extract an archive?
For anyone but total newbies it should be obvious that the user should NEVER run anything he downloads unless he is installing some software that is not in a repository -- as root, as his own user or as anyone else.
Yeah, that users won't run crap is well justified.
And because I ran out of words in that sentence before links, here are some more: 1 2 .
To put those into context, those are all links from Wikipedia's "Timeline of Notable Computer Viruses and Worms" from the last decade, including the only two entries on that page from 2009 and 2010. Most of the above had a noticeable amount of mainstream press coverage at the time, and the list includes names like ILOVEYOU, Sobig, MyDoom, and Storm.
Sure, they aren't the scariest worms out there, and over the last few years they haven't been the most damaging. But at the same time, if I got to bet whether a manually-spread trojan is worthwhile, I know which side of that bet I'd take.
Personally I would just turn them into traditional #! scripts with "interpreter" doing what a file manager would, and file manager refusing to execute anything in them unless they are executable.
The .desktop files contain rather more information than just what program to run. How would you deal with that? Specially-formatted comments in the script? Pass the script a command line argument?
Besides, it's not like running scripts without execute permissions is a new concept. "source foo.sh", ". foo.sh", "perl foo.pl", "python foo.py", etc. IMO are all comparable to Gnome looking into the .desktop files on boot to see what to run.
-
Re:Hmm
Polymorphic malware is getting increasingly sophisticated, to the point that it can be impossible to detect the malware except at run time by virtue of what it attempts to do to the system it's infecting. I thought that this little trick was a pretty neat one, the code only decrypts itself correctly at certain times on certain days, so AV vendors can't easily analyse the code and write detection signatures.
-
Re:What OS?
My guess would be somewhere in the region of all of them.
Make that "most of them". OS X botnets have been appearing for a while, and other forms of OS X malware have been known for quite some time.
While many of these pieces of malware are fairly lame, I'd expect more and more "professional" variants of those in the future. One factor that shouldn't be overlooked is the generally complacent attitude of non-Windows users towards the security of their own machines (not unlike what you exhibit in your own post). In other words, from a technical point of view, if users download a malware-infested key generator and enter a password to execute it, it's pretty much irrelevant whether it's for OS X or for Windows. Arguably in this scenario, OS X is actually slightly more likely to be infected, since many Windows computers have at least some form of anti-virus software installed, while on other platforms this is still fairly rare.
-
Re:So AAA is a bailout for Ford Motors?
It'd be a long list... (Sophos is reporting that 8 of 10 bits of common Vista malware run just fine on Windows 7. Mind you they tested trojans as well, but there's enough non-trojans in the pile to make the cite valid).
-
The Mac threat is non-zero but overblown.
Hitting Google is apparently easier than doing research. I went through the articles on your "osx+virus+in+the+wild" link, and what I found on the first pages was...
- 4 pages on Leap-A: A Trojan that requires one to give an admin password after opening what's supposed to be an image file. It propagates itself via iChat file transfers, but it still requires an idiot to give a password upon opening a file that shouldn't require one.
- 1 forum post by someone worried about an unidentified Mac virus in the news around the same time as Leap-A.
- 1 page on Inqtana-B: A false positive from an AV package.
- 1 blog post by someone bragging about how there aren't any self-propagating Mac viruses in the wild.
- 1 nigh-incomprehensible wiki article on AV software for Macs.
- 2 articles on Inqtana-A: (See below.)
None of these (except possibly Inqtana-A) would be a threat to semi-competent users, and the only article that isn't from 2006 is the garbled wiki page.
Now if you want some actual research on Mac OS X viruses, you can check a vendor's site:
http://www.sophos.com/security/analyses/viruses-and-spyware/search-results/?search=OSX&action=search&x=0&y=0
Interestingly, what the site won't tell you is that most (if not all) of these viruses are phantom menaces; you have to Google each one yourself for that kind of detail. Many are proof-of-concept never seen in the wild, and most exploit holes already patched in the OS. All are trojans that require serious PEBKAC to run, even the only two known "worms" for the platform -- Inqtana and Tored.
Inqtana, a virus that got some notoriety and media attention, is an example of all three -- a proof of concept (with an expiration date) that attacked an old hole in the Bluetooth stack and which required victims to consent to accept the download from an infected machine. Tored was an email worm that required you to execute an attachment on a very stupid looking spam email payload. Both are basically glorified trojans -- nothing on par with Conficker.
Now, trojans aren't complete non-issues, but savvy computer users currently have very little to fear from running a Mac w/o AV software since there are currently no self-instantiating viruses for the platform in the wild. Don't download pirated software (and risk something like iWorkS which hides itself in installers for certain programs), and don't trust installers where none should be present.
-
Re:I'm shocked!
Depends on what you mean by "self propagating"? There are a number that run on macs with MS office. There were quite a few for OS9 and earlier.
Ah... Found a few references for OS X viruses.
http://www.sophos.com/virusinfo/analyses/osxleapa.html (spreads via ichat)
http://www.sophos.com/virusinfo/analyses/osxinqtanaa.html (spreads automatically via bluetooth)
http://www.sophos.com/virusinfo/analyses/shrenepoa.html (spreads to other macs on the same network)
http://www.sophos.com/virusinfo/analyses/osxinqtanab.html (spreads automatically via bluetooth)
http://www.sophos.com/virusinfo/analyses/macamphimixa.html (spreads as an mp3 file)
-
Re:Sophos's survey
According to Sophos the question was simply "Should Gary McKinnon be extradited to the USA?", link to Sophos here http://www.sophos.com/pressoffice/news/articles/2009/07/mckinnon-loses.html While I have seen CNN change poll questions when reporting results, I wouldn't assume that here. However, another Sophos poll http://www.sophos.com/pressoffice/news/articles/2005/07/va_sasserpoll.html on a completely different topic also had exactly 550 respondents, which strikes me as remarkably coincidental.
Your point that there is built-in bias is probably correct though, as all polls have bias for all the reasons you list and more. I'd attach very little significance to the "IT Professionals" that took it because they were either assumed to be that by nature of them visiting the Sophos web site or because they claimed to be IT professionals, which is not quite the same thing.
The results have no meaning out of context either... given the current state of love for the USA I bet 71% of respondents wouldn't extradite anyone even if they confessed and had the victim's severed heads in their duffel bag.
-
Re:Just deserts.
I can't believe this post is on Slashdot. First of all, the iPod is just a mass storage device so virii and malware can infect it. In fact Apple even decided to infect Windows with their iPod. McAfee felt the need to create an iPod malware removal tool. And how long are people going to perpetuate the myth of OSX being 100% secure. Security through obscurity does not count. Granted most current virii for OSX require a user giving root access to the program, but let's face it a lot of OSX users aren't technically savvy. I would venture out to say most don't even know why they occasionally have to type their password in.
-
Re:Sophos
Sophos are a British company. Their main website is www.sophos.com. Their Enterprise Suite will do what you want, but the central tools rely on Windows Server. Sophos is a very solid performer, and they consistently get good ratings in the IT press. The latest versions are (in my opinion) a little bloated, and updates can take a little while to get installed on the clients (during which time there is a lot of disc activity). However, the centralised distribution of the updates and definitions means that you only have to get them once down your DSL (or whatever) and the server will distribute the updates to the clients. Once up and running Sophos pretty much takes care of itself. Here in the UK, Sophos will cost approx. £40 per seat per year if you get a three-year pack. There are a number of resellers; the one I use is Caretower http://www.caretower.com/. Last time we renewed, buying through a reseller was cheaper than going direct. Go figure!
-
Re:Sophos
Sophos's main website is www.sophos.com. Sophos is the solution I have chosen for the company I work for. The "Enterprise Console" stuff requires a Windows server. As it happens, Sophos had a centralised administration system called "InterCHK", and that could be used with a linux server (that's how I originally set it up), however the new tools are Windows only (shame). I recently evaluated NOD32: I came to the conclusion that the centralised administration wasn't as good as Sophos, so stuck with Sophos (despite the Windows Server issue). I should point out that I still occasionally get computers which get compromised..... it's always the "Road Warriors". We've not had a virus enter through the main network since I've worked here. I should add that the gateway is a linux box and it scans emails using ClamAV.
My vote: Sophos (but you're gonna need a Windows box to run the "Enterprise Console" on).
-
Sophos
I'm using Sophos http://www.sophos.com/ in a 60-70 machine environment, and have had good luck with their products. They don't seem to be the insane memory hogs that McAfee and Symantec are.
Some of the other posters are correct, a 'proper' AD server that you can push policy from gives you a nice set of options for managing machines. 20 doesn't sound like that many systems, until you're the guy supporting them.
-
Sophos Enterprise Console
Our company uses Sophos products and manages some 300-400 computer connections via the Sophos Enterprise Console. This solution is far from perfect though. On the plus side, we are able to tell at a glance which computer on our network is infected or suspected and be able to act accordingly. We have Sophos configured to warn the user of possible threats and to call the helpdesk for assistance with removing these threats. On the down side, we have to constantly add new app. chksums whenever a new version of software comes up. We have one person in our IT department dedicating about half his work day to "Sophos duties." http://www.sophos.com/products/enterprise/
Our company has decided to invest in managed routers that will limit the amount of spam/worms, etc. Currently we are looking into Fortinet's line of routers.
Regardless of which security software you go with, implementing best security practices is really the only way to go. Locking down the computer, restricting or limiting admin access, applying automatic updates, user education, etc. http://www.google.ca/search?q=best+security+practices
-
Re:False sense of security
Devices with any OS can come with malware. Even iPods and picture frames have been shipped with malware pre-installed. There's nothing magic about Linux, other than its ability to suppress the geek skepticism reflex.
Interestingly, the incidents you linked to involved malware for windows machines. Yes any storage system can contain malware, be it for the host OS or an alternate, but a lot of it is targeted at windows as your examples show.
-
False sense of security
Devices with any OS can come with malware. Even iPods and picture frames have been shipped with malware pre-installed. There's nothing magic about Linux, other than its ability to suppress the geek skepticism reflex.
-
geeks in the source
ha - check out the source code on www.sophos.com/klingon-anti-virus for awful geek conversation
also i tried to install it but came up against a problem when I could understand it enough to get through one of the screens - but this securitywatch page tells you how
now is anyone actually going to find out if this is a real translation or not?
-
Sophos
According to Sophos, this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.
-
Expected launch date: July 2009
from http://www.sophos.com/klingon-anti-virus/ $Header: index.html,v 1.2 2009/05/08 14:53:14 james Web page status: Draft 0.8. Req action: Mktg to review wording and imagery (better screenshots required etc..), and QA to check links. Expected launch date: July 2009. Software status: Ready. $
-
Spambot programmers can't adapt?
But there's another benefit from the technique. Humans have a unique pattern of transmission that makes them easy to tell apart from machines that send spam. So the new method could be used to spot spambots too.
What is to stop spambot operators from duplicating or at least attempting to mask their email spam patterns to seem like those of humans?
Am I missing something? What is this unique pattern? Is it that humans only send emails at certain times during the day?
What is the proposed anti-spam filter? Is it a time of day filter?
They found two distinct types of emailer. They termed the first "day labourers" because they tended to send emails throughout the normal working day between 0900 and 1800 but not at other times. The second group they called "emailaholics" because these people sent emails throughout the waking hours from 0900 to 0100.
So there are only two extremes? This study is awful.
-
Spam email accounts for anywhere from 81% to 97% of all emails sent per year depending on what statistics you are using.
http://news.bbc.co.uk/2/hi/technology/7988579.stm
http://www.sophos.com/pressoffice/news/articles/2008/07/dirtydozjul08.html
http://www.govtech.com/gt/259865?topic=117671
-
Re:Well done...
Clam AV is not very good. But there are commercial AV products for linux. Sophos make a very good product, for example.
-
Re:There is a lot of talk, and little action.
Well, they are currently trying to elaborate on that cover story by having trojans on their ATMs:
http://www.sophos.com/security/blog/2009/03/3577.html
So they can believably go for the "yes we are THAT stupid" defense.
-
Re:There is a lot of talk, and little action.
And here's your first clue. Diebold is in the business of making ATMs.
Heise security has a story that there's malware around specifically targeting Diebold ATMs running Windows...
http://www.heise.de/security/Windows-Trojaner-auf-Diebold-Bankautomat--/news/meldung/134794 (in German)
http://www.sophos.com/security/blog/2009/03/3577.html (blog entry the article refers to)