It’s Apple’s Turn: OSX_KROWI.A

My guess (posted in last month’s Firefox malware post) proved to be true. This week it is Apple and the Mac’s turn in the malware spotlight.

Trend Micro and Intego reported seeing a malicious file (read: trojan) packaged inside a cracked version of iWork 09, the productivity suite recently released by Apple. The cracked iWork 09 is being circulated via the popular peer-to-peer (P2P) file sharing protocol BitTorrent. Upon installation of the cracked iWork 09 package, the malicious file (detected by Trend Micro as OSX_KROWI.A) is automatically executed and can compromise the Macintosh machine.

Interested in the full techie details? Check out TrendLabs’ blog and Intego’s advisory.

I suggest that whenever you download application software via a P2P site, you scan it first with your antivirus, anti-spyware and other security programs and check for any suspicious files or detections. And remember that even Macs are not that safe nowadays.

Fake LinkedIn Sites Redirect to Virus

Update 2010.09.30
There is a new LinkedIn spam and LinkedIn malware (or LinkedIn virus, if you would prefer to search for it that way) making the rounds since Monday 9/27, so I advise readers of this blog to be careful when opening suspicious LinkedIn mail invites. This incident is related to the notorious Zbot/Zeus malware, and Trend Micro detects the samples as TROJ_ZBOT variants. The related spam messages and website links are also blocked via the Trend Micro Smart Protection Network (which is good news to TM users 🙂 ).
Read the Cisco blog here for more info.

The original article below is from January 2009 (fake LinkedIn sites of Beyonce and other high-profile stars) and is not directly related to this LinkedIn virus 2010 incident.

***
TrendLabs reports that there are several fake LinkedIn sites out there that host redirects to malicious content (read: malware). The fake LinkedIn sites pose as the profiles of several well-known (and if I may add “hottie”) celebrities like Beyonce Knowles, Kirsten Dunst, Christina Ricci, Salma Hayek, Kate Hudson and Victoria Beckham. Unsuspecting computer users are tricked into visiting these bogus sites, which leads to malware infection of their workstations.

Complete details can be found here.

LinkedIn is a popular social networking site for professionals. Their site describes them as an online network of more than 30 million experienced professionals from around the world, representing 150 industries. I myself have a LinkedIn account that I use to get in touch with friends, colleagues and industry contacts. Given the site’s popularity, it’s logical that bad guys use it as an infection vector (a social engineering technique).

I heard that there were similar incidents with Friendster and Facebook during the vacation. Let me do some research and post anything I can find here.

Updates:
The files downloaded from the malicious fake LinkedIn profiles are detected by Trend Micro as TROJ_DLOAD.DL, which in turn downloads some variant of the infamous fake antivirus program (FakeAV).

So guys, next time you see a Beyonce or Kirsten Dunst profile (LinkedIn or not) and it has links to their supposedly nude videos, think twice or thrice before clicking it.

In-the-Cloud Technology Beats Malware Pollution

I finally got permission from Computerworld Philippines to post here the article that we submitted for their Viewpoints column. I am still tinkering with the WordPress post/edit stuff, but upon checking their site today, they have already posted it on their online portal 🙂 I’m posting some snippets of the article below:

Computerworld Philippines

Web Security Lifeline: In-the-Cloud Technology Beats Malware Pollution

By Menard Oseña

Published in the November 2008 print edition of Computerworld Philippines

December 18, 2008

The State of Threats

Often, to impress upon the public the kind of dangers lurking online, security vendors struggle to pin a number on the volume of new malicious code being produced every day. AV-Test.org, an independent antivirus tester, placed it at 650,000 unique samples a month, an incredible jump from roughly 50,000 a month in 2005. We are seeing the same thing, along with other AV (antivirus) vendors, although the number may differ among companies. The bottom line is that the numbers are indeed growing at an alarming rate.

Alongside the volume problem is the nature of these threats. Malicious code these days no longer announces its presence on computers. The days of global outbreaks like the ILoveYou virus are over. Malware now operates stealthily, sitting unnoticed on computers to perform cybercrime. It can siphon personal and sensitive information from computers. It can hijack PC computing power for large-scale online attacks that can take down sites for hours. These threats are collectively known as Web threats, and they are characterized by the smaller and targeted nature of their attacks, with money often the sole motivator.

AV Vendors Fight Back

In pattern matching, AV vendors use different sourcing strategies to obtain the files plaguing customers. We look for the marker, or unique thumbprint, of the file and program a malware definition that can detect it, an activity we can now automate with the use of technology, making it an effective way of battling malware. But doing this for every single sample that we obtain will eventually consume too much computing power, and the user experience suffers as a result.

Quite different from pattern matching, heuristics involves the collection of a vast number of malware samples. Engineers create rules based on an analysis of common malware behavior and characteristics. Heuristic patterns detect not only all existing variants similar to the malicious code that was analyzed, but also future variants. This technique, however, although generally considered to be less resource-intensive, requires a safety net to be in place, as it is more prone to false detections.

In-the-Cloud is the Way to Go

Looking at the big picture, however, these strategies ultimately fall short. Detecting threats at the gateway and at the endpoint, after all, requires that a threat already be present on the system. In an ideal world, threats are detected and blocked at the source. Instead of the messy file-based battle, AV vendors must figure out a way to deliver protection at all possible fronts.

In today’s attacks, the infection chain begins long before a file is downloaded. Malware writers, for instance, can entice users via social engineering to click on a malicious URL. This can happen via spam or an instant message, or even as part of the search results of a legitimate search engine. The URL can lead to several redirections which in the end cause the PC to download a malicious file. This means there are actually several chances to cut off the infection chain before a file ever gets to perform its payload. In addition to detecting files, this new level of protection must filter out fraudulent mail and block malicious URLs, moving users farther away from the risks of these sneaky Web threats.

Going in the cloud for Trend Micro means “setting up camp” on the Internet and installing lighter-weight clients on user PCs to block threats before they ever reach the corporate network. This move likewise presents several pluses. By hooking up to a Web-based protection network, each client becomes a part of a real-time global protection schema. When the network detects an Internet security threat on behalf of any one participant in the network, all participants are automatically and immediately protected. They act as “sensors” looking out for the rest of the subscribers. This protection also extends to all devices connected to the network. By affording this protection proactively, the network significantly lessens the need to download new pattern files, reload databases, or even perform that customary system scan. In this case, file size and memory consumption are no longer an issue. Needless to say, time to protect is shorter, and we may at last have the chance to beat malware writers at their own game.
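To make the argument of the last three sections concrete, here is an added example (my own illustration, not Trend Micro’s code or any real product) that models the infection chain above as four cut-off points: URL reputation for the lure and its redirect hops, hash-based pattern matching on the downloaded file, and a behavioural heuristic as the last resort. A client whose heuristic fires acts as a “sensor” and publishes what it saw to a shared network object, so the next client is blocked at the URL stage before anything is downloaded. All URLs, payload bytes and behaviour labels are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class ProtectionNetwork:
    """Shared state of the 'in-the-cloud' network: anything one client
    reports is immediately visible to every other client."""
    bad_urls: set = field(default_factory=set)
    bad_hashes: set = field(default_factory=set)

# Hypothetical heuristic rule: a file that fetches more content and runs
# it behaves like the downloader trojans described on this page.
DOWNLOADER_BEHAVIORS = {"fetches_remote_file", "executes_fetched_file"}

def sha256(data: bytes) -> str:
    """The 'unique thumbprint' that a pattern definition matches on."""
    return hashlib.sha256(data).hexdigest()

def check_chain(net, lure_url, redirects, payload, behaviors):
    """Walk one infection chain in the order it happens and return the
    first stage at which it is cut ('not_detected' if nothing fires)."""
    # Stages 1-2: the lure and every redirect hop are checked against
    # the shared reputation list before any file is downloaded.
    for url in [lure_url, *redirects]:
        if url in net.bad_urls:
            return "url_blocked"
    # Stage 3: pattern matching on the downloaded file's hash.
    digest = sha256(payload)
    if digest in net.bad_hashes:
        return "pattern_matched"
    # Stage 4: heuristics on observed behaviour; the article notes this
    # is the false-positive-prone layer, so only a full rule match counts.
    if DOWNLOADER_BEHAVIORS <= set(behaviors):
        # This client now acts as a sensor: share the hash and the whole
        # URL chain so every other participant blocks it at stage 1.
        net.bad_hashes.add(digest)
        net.bad_urls.update([lure_url, *redirects])
        return "heuristic_detected"
    return "not_detected"

def demo():
    """Two clients meet the same constructed chain; a third meets a clean file."""
    net = ProtectionNetwork()
    lure, hops = "http://profile.example/celeb", ["http://hop.example/r", "http://dl.example/setup.exe"]
    payload = b"constructed downloader sample"
    first = check_chain(net, lure, hops, payload, ["fetches_remote_file", "executes_fetched_file"])
    second = check_chain(net, lure, hops, payload, [])  # same lure, nothing downloaded
    third = check_chain(net, "http://vendor.example/app", [], b"clean installer", ["writes_files"])
    return first, second, third
```

Note that the second client never reaches the file stages at all, which is the “time to protect” gain the article describes; a real deployment would still need the safety net for the heuristic layer, since a false positive would be shared just as quickly.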

The complete article can be found HERE.
Update 06.07.2009
Since the Computerworld link is now broken, I have posted the whole article above.

The Computerworld Philippines November 2008 Cover

My personal thanks goes to Macky and Jercyl of TrendLabs Tech Marketing team for their help on the “prettification” of the article and to Deb of MediaG8way for the CWP Logo and the permission to post here in my blog.

IE7 Zero-Day Exploit: JS_DLOAD.MD

Trend Micro reported that there is new malware called JS_DLOAD.MD found in the wild that exploits a vulnerability in the Internet Explorer 7 (IE7) browser. The report mentioned that the malicious file was uploaded to several websites (albeit unknowingly) and, if downloaded by users, will then download several other malware, including some trojan spyware that steals account information for popular online games (Lineage and Legend of Mir) and a rootkit. More information can be found on their malware blog.

Last week I posted some info on Firefox malware in this blog, and this week it’s IE7’s turn 🙂 Let’s hope that MS patches this bug soon. Maybe next week it will be Apple/Mac’s turn 🙂

TROJ_DROP.BP – A Firefox Malware

I stumbled upon a Computerworld article reporting that the Bitdefender guys got hold of a malicious infostealer that poses as a Firefox plugin. Bitdefender detects it as Trojan.PWS.ChromeInject.A (Trend Micro as TROJ_DROP.BP). Complete details can be found here.

In my previous blogs, I usually did not care to post about this new antimalware/antivirus stuff, but what got me interested is this: I recently installed Firefox on several of my PCs to see how Menardconnect.com would look in different browsers (honestly, before I was a pure IE7 kid, but I recently said goodbye to all those MS days of mine), and it’s very intriguing to know that now even Firefox has its own share of this malware menace. I believe this just highlights some points:

1. When you gain market share, the probability of being a target for malware gets higher. So it’s true that Firefox is gaining on IE then 😼 ??? So Apple had better watch out 🙂

2. Where there is money, bad guys will go (there) to get milk and honey (hehe, my rhyme sucks). But seriously, look at the sites that the trojan targets (see the Computerworld article) and you will get my point.

I’ll try to write more AV/techie stuff on this blog next time.