Showing posts with label ClamXav.

Sunday, 15 April 2012

Flashback Malware And The Confusing Case Of The Apple Flashback Malware Remover v1.0

--
[Updated 2012-04-18:
Symantec are now reporting that, according to their data collection, the Flashback botnet is down to 140,000 Macs. That's still a vast number, but a remarkable improvement thanks to Apple's Java update and Remover.


Also new: 
My net friend Al Varnell, who performs a great deal of vigilant work with ClamXav and the ClamAV project, has provided me with new information and insight reflected below. Of greatest interest is the fact that the Flashback malware series has been specifically aimed at Intel CPU Macs only. PPC Macs are immune.]


Apple has provided a separate tool for Mac OS X 10.7 users (only) for the removal of most versions of the Flashback malware. It is entitled (despite odd journalist claims to the contrary) the 'Flashback Malware Remover.' Apple also call it their 'Flashback malware removal tool.' The Software Update system in 10.7 is offering the tool to those who do not have Java installed. Optionally, you can manually download it from Apple's Downloads site:


http://support.apple.com/kb/DL1517


Here is Apple's description of the Flashback malware removal tool:
About Flashback malware removal tool 
This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.
In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware. 
This update is recommended for all OS X Lion users without Java installed.
Why does the description say 'without' Java installed? Because there have been quite a few versions of the Flashback malware that did not involve Java. Mac users who do not have Java installed (which is the default starting with Mac OS X 10.7) would never have been offered Java for OS X 2012-003 via Software Update and therefore would never have run the Flashback Malware Remover on their Macs via that update. Rather than leaving those users out in the cold, Apple have provided the Remover as a standalone installer package.


NOTE: The Remover only runs on Mac OS 10.7. I checked.


What is confusing about the Remover is that Apple have NOT provided an actual application. Instead Apple have provided an 'installer' package that runs within their Installer program, and that is ALL it does.






Essentially, Apple took the Java for OS X 2012-003 installer and removed everything except the Remover process from the installation. In other words: NOTHING is installed on your Mac. Not-a-thing. An installer package does not have to put any files on disk; it can consist of nothing but the pre- and post-install scripts that Installer runs, and that is what this one is. And yes, that is freaky. The installer is the Remover. Get it? This is going to freak out and confuse quite a few Mac users. This has already been proven to be the case up on Apple's Discussion forums at their Support site. I can't blame them! It makes no sense, except that Apple had the Remover handy inside their Java for OS X 2012-003 installer, so they sped the Remover out the door in that same format.


Don't worry about it! Just run the installer and the Remover will run. Keep the .dmg file if you would like to run it again in the future. This is a great idea because the older Trojan horse versions of Flashback (of which there are reportedly 13 versions that don't use Java) are going to remain out in the wild on the Internet.


Please refer back to my previous article for details about how to avoid being infected with Trojan horse malware, along with other security rules and tips:

The Rules of Computing: Keeping Your Mac Secure

The Numbers:


Adding up all the Macs infected with ALL the variations of the Flashback malware, apparently well over 600,000 Macs were affected:



After Apple's three Java updates, the last of which included the Remover, the number dropped to half, less than 300,000 infected Macs:


Who's left in the Flashback botnet?

1) Users with Mac OS X 10.6 or 10.7 with Java installed who have not run the most recent updater or Apple's separate Flashback Malware Remover.

2) Users with Mac OS X 10.7 who never installed Java and have not yet run Apple's Flashback Malware Remover.

3) Anyone using Mac OS X 10.5 on an Intel Mac. From the data of which I am aware, the Flashback malware code is directed ONLY at Intel Macs, making PPC Macs immune. It is not clear whether there have been infections of Intel Macs running Mac OS X 10.4. However, I continue to suspect there have. The Java security hole exploited by Malware.OSX.Flashback.N, the latest version (according to Intego), is apparently still present in the last Java update released for that version of Mac OS X.

Kaspersky has provided a web page where you can check if your specific Mac was infected with Flashback. However, I can't recommend it as the page requires you to enter your Mac's hardware UUID (Universally Unique Identifier). That is a persistent identifier for your particular machine that you cannot change, so I suggest you give it only to people you know and trust. Therefore, I'm not going to link Kaspersky's Flashback infection checking page here. If you'd like to use it, go digging around at the Kaspersky.com website.
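If you would rather check your own Mac offline than hand a UUID to anyone, there is a local indicator to look at. The Java-exploiting Flashback variants persisted by planting a DYLD_INSERT_LIBRARIES entry, either in the user's ~/.MacOSX/environment.plist or under LSEnvironment in a browser's Info.plist; those are the two locations the anti-malware vendors' published removal instructions had people inspect. The script below is an added example, not code from this post or from Apple or Kaspersky. It parses those plists (XML or binary) with Python's plistlib and reports any inserted library. The sample plists it carries are constructed for the test, not real infected files, and the library paths inside them are placeholders.

```python
"""Offline check for the persistence point used by the Java-exploiting
Flashback variants: a DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist
or under LSEnvironment in a browser's Info.plist.

Added example, not from the original post. The checked paths follow the
vendors' public removal instructions for those variants; the sample plists
at the bottom are constructed so the logic can be exercised on any platform.
"""

import os
import plistlib
from typing import List, Tuple


def inserted_libraries(plist: dict) -> List[str]:
    """Return every DYLD_INSERT_LIBRARIES value in a parsed plist, whether at
    top level (environment.plist) or under LSEnvironment (an app's Info.plist)."""
    found = []
    value = plist.get("DYLD_INSERT_LIBRARIES")
    if value:
        found.append(value)
    lsenv = plist.get("LSEnvironment")
    if isinstance(lsenv, dict) and lsenv.get("DYLD_INSERT_LIBRARIES"):
        found.append(lsenv["DYLD_INSERT_LIBRARIES"])
    return found


def scan_plist_bytes(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Parse one plist (XML or binary) and return (location, library) findings.
    Unparseable input is reported as clean rather than crashing the scan."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return []
    return [(name, lib) for lib in inserted_libraries(plist)]


# The two persistence locations, plus Firefox which those variants also targeted.
DEFAULT_LOCATIONS = [
    os.path.expanduser("~/.MacOSX/environment.plist"),
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]


def scan_files(paths=DEFAULT_LOCATIONS) -> List[Tuple[str, str]]:
    """Scan whichever of the given plist files exist; missing files are skipped."""
    findings = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                findings.extend(scan_plist_bytes(path, fh.read()))
    return findings


# Constructed sample plists (not real files); the .so paths are placeholders.
CLEAN_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})
INFECTED_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Applications/Safari.app/Contents/Resources/.example.so"},
})
INFECTED_ENV_PLIST = plistlib.dumps(
    {"DYLD_INSERT_LIBRARIES": "/Users/example/.example.so"}, fmt=plistlib.FMT_BINARY
)

if __name__ == "__main__":
    hits = scan_files()
    if hits:
        for where, lib in hits:
            print(f"SUSPICIOUS: {where} inserts {lib}")
    else:
        print("No DYLD_INSERT_LIBRARIES persistence found in the checked plists.")
```

Run it on the Mac in question, logged in as the user you are worried about. An empty result means the known persistence points are clean, not that the machine is clean: the earlier Trojan-horse variants that posed as Flash installers did not use this mechanism. Anything it does report is a library being injected into every process that user starts, and the Remover (or a manual clean-up) should deal with it.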

Is this the time to buy Mac Anti-Malware software?
(Often wrongly called 'Anti-Virus' software). 

Probably not, unless you are dealing with the 'LUSER Factor' or unless you have an Intel Mac with Mac OS X 10.5 or 10.4. Even then, I suggest you first download and use Mark Allan's ClamXav software. It's FREE. My Mac Security friends and I work to keep the ClamAV open source project up-to-date with the latest Mac malware definitions. Install it, update its malware definitions and have it scan your entire boot drive.

There are also a number of free scanner versions of commercial anti-malware apps. I'd suggest checking out Sophos Free Anti-Virus for Mac. (I can no longer recommend the free PC Tools iAntiVirus app, which is drastically out-of-date).

If you'd like to buy the best Anti-Malware program, I continue to recommend Intego's VirusBarrier. They have a 30-day trial version. I own it, use it and like it. It ships with excellent bells and whistles including its own firewall, Internet website protection, good background scanning that doesn't eat your CPU, and its own reverse firewall (similar to the renowned Little Snitch software). The only drawback is the yearly fee for malware definitions. I pay it and don't mind.

I have friends who like F-Secure Anti-Virus. They offer free online tools and a 30 day free trial. (Use the 'campaign code' on their AV page). The only reason I avoid F-Secure is that they are FUD mongers, attempting to scare Mac users with exaggerated reports about Mac malware. I don't deal with that.

Sophos is the best if you are running a small business or enterprise network of Macs. They also offer a free trial. I also like their free Sophos Security Monitor app for iOS devices. It provides timely computer security information.

The other anti-malware providers can be anywhere from OK to total CRAP. The crap includes (IMHO of course) anything from ZeoBIT and Symantec. IOW: Run away from MacKeeper and Norton Anti-Virus. 


Coming Up:


Over at my MacSmarticles blog, I will be posting an article about ZeoBIT paying their users to bombard Mac software review sites, a grotesque abuse of marketing.

Here at the Mac-Security blog, I will be providing a list of my favorite Mac security information sources.
--

Thursday, 19 May 2011

The Rules Of Computing: Keeping Your Mac Secure

--
When I was a computer newbie, what I heard repeatedly was "The Number One Rule Of Computing is Make A Backup!" I've been working on an extended list beyond one item in order to help newer newbies consider further aspects of their computer experience that can help save them in a crisis. I don't consider my list definitive or even finished. But I like the list enough to publish it as a starting guide. So here I go:


The Rules Of Computing


1) Make a backup. Have two backup strategies. One strategy regularly backs up your crucial data to local external media away from your computer. The other strategy backs up this same data to an off-site location, such as in 'the cloud' or onto external media you take to a separate location each day. The idea is to have an off-site backup in case your computer site burns to the ground. Backups are also your first and best defense against malware damage and hardware failures. If you don't back up your data, you get what you deserve.


2) Verify all software before installing it. Verify your software source is reliable and that the software itself is reliable. Look up the software title on the Internet using a search engine to discover if it has been reported as problematic. Download software from reliable sources such as VersionTracker, MacUpdate, Major Geeks, etc. Don't ever blindly install emailed software. It could be malware.


3) Verify that websites you visit are legitimate. This third rule is difficult to implement on your own. Use tools provided inside web browsers, as well as add-on browser extensions, that help you check websites you visit against a blacklist of known bad websites. One of the most popular ways of spreading malware at this time is via 'drive-by' infections via JavaScript and Java. Don't ever blindly click on web links in email. They could be sending you to a malware infection or identity phishing website.


4) Keep your computer up-to-date with the most recent security updates. Apple provide security updates on a regular basis. Software Update, built into Mac OS X, should let you know when an update is available. You can also open Software Update yourself (from the Apple menu or System Preferences) and have it check for you.


5) Use a 'Standard' account when surfing the Internet or using your Mac on any network. Do NOT use an 'Administrator' account in these situations. This is not a cure all to prevent your Mac from becoming hacked or malware infected. But it adds a terrific layer of security to help prevent malicious root access to your computer.


6) Password protect your user account. Make sure your account password is not a dictionary word or you'll be hacked in no time flat. Use something long and obscure that you can remember but that you expect no one could guess. To this day I run into people who tell me 'But I'm the only one who uses my computer!'. Cure your ignorance please. There is NO excuse for not protecting your computer with a password. If you don't protect your user account, you get what you deserve.

Yes, I'm that mean and cruel when it comes to computer security. There are wonderful security strategies and tools that Apple provide, such as Time Machine, Disk Utility, Standard user accounts and password protection. If you don't put them to use, I have no sympathy! If you have questions about how to make them work for you, write to me, talk to Mac users you know, contact users on the Internet or at your local Mac user group. These tools are not difficult. They are important and they are FREE.




A Few Further Strategies:


I'm only going to list these strategies as they are more complicated and involved to install and get running. What's important is that they are available, they are also FREE, and they may well save you from giving away data to the bad guys.


A) FileVault. You will find it inside the Security System Preferences. It lets you transparently encrypt your entire user account folder so no one can get to your data without knowing the decryption password. This is rock solid encryption you can rely upon. Apple will be providing an option for encrypting your ENTIRE computer hard drive in Mac OS X 10.7 Lion. I personally consider whole drive encryption to be overkill. But it is considered to be critical in Enterprise business situations. Note that there are some minor inconveniences that result from encrypting your user account. But if you have critical data, it is an excellent security tool.


B) Firmware Password. Apple provide the Firmware Password Utility on all Mac OS X installation DVDs. It adds another layer of security to keep the bad guys out of your computer: without the password, nobody can boot your Mac from another disk, in single-user mode or in Target Disk Mode. Sadly, it is not fool proof. A tech savvy bad guy with physical access can work around it, which is why encryption is a much more effective tool. Also note that you lose some minor computer functionality when you use a firmware password.


C) GnuPG, aka GNU Privacy Guard. I have been using GPG for many years at this point. I'm a fairly infamous critic of the bugs that have shown up in the related tools from time to time. Also note that GnuPG has a steep learning curve and can be a bit frustrating. However, it is a FREE and brilliant tool with many users. You can encrypt and password protect anything you like. With the GPGMail plug-in, Apple Mail lets you digitally sign all your email so that recipients can verify it really came from you, and encrypt your email so that no one but the intended recipient can read it in transit over the Internet. It lets you create any number of encryption keys as well as collect public keys from your friends and acquaintances. And more! If you want to be serious about encryption, GPG is excellent. These days it also has a terrific group of developers dedicated to keeping it bug free and up-to-date.


D) Disk Utility. Among the many features of the Mac OS X Disk Utility application is the ability to create encrypted, password protected .sparseimage files. I absolutely love this feature and use a sparseimage I created all day, every day. I have my sparseimage open every time I log into my user account. I provide the decryption password and it sits on my desktop like a disk volume. Anything I put into it is encrypted and unavailable to anyone but me as soon as I close the disk image. Because it's a sparseimage, it can grow to as large a size as you choose as you add more into it. Recently the Dropbox application and service have become notorious because Dropbox holds the keys to whatever it encrypts on its servers, so Dropbox itself (and anyone who compromises or compels it) can read your files. That can be very bad. However, I work around this problem by putting only my sparseimage file into my Dropbox folder, so Dropbox only ever sees ciphertext. No one has any access to anything I keep in my Dropbox, ever, thanks to this great tool.


E) Anti-Malware applications. I own, use and love Intego's VirusBarrier X6 ($50). There aren't any better anti-malware applications, period. But I have to pay for malware signatures every year. If you are a professional user, VirusBarrier is well worth the cost. 


If you're a casual computer user, paying for anti-malware is a bit less critical. I've worked fairly closely with Mark Allan and friends who develop and support the FREE program ClamXav. There was a time when I had quite the run-in with the ClamAV Open Source project because most volunteers there cared not-a-whit about Mac OS X. But gradually Mark and I managed to turn a few heads and encourage them to get up-to-date with current Mac malware. At this point in time I can tell you that just about all current Mac malware is being detected by ClamAV. Therefore, I highly recommend downloading, installing and running ClamXav from time to time if you are concerned about malware. The GUI Mark provides is excellent. 


Also, if you own Snow Leopard Cache Cleaner ($15) you will find that it includes its own implementation of ClamAV, also highly recommended. I no longer recommend free iAntiVirus as it is now out-of-date and less effective than the ClamAV alternatives.


There are plenty more security tools and strategies, both free and for a fee. But the above is a good start with reasonable coverage.


For the extra security conscious, as ever I highly recommend the TWiT.tv podcast 'Security Now' with the most excellent Steve Gibson. It gets highly technical but is wonderfully presented and very contemporary. You can look up the podcast in iTunes or visit its dedicated webpage at:


http://GRC.com/SecurityNow


:-Derek
--

Friday, 19 March 2010

Another Scathing MacScan Review

--
If you read my stuff, you know I despise ripoffs. This week MacScan is being sold as part of the MacUpdate promo bundle, advertised as a 'security' program. Not much of one IYAM. Today I posted an updated review of MacScan at VersionTracker.com. I decided to provide it here as well:

Just to keep this issue hot on the burner:

Much as I very much like the idea of what MacScan is 'supposed' to do, it FAILs.

1) If you want to detect all the 'malware' on your Mac, you have to run the thing OVER and OVER and OVER. One run is never enough. That's crap programming. And yes folks: I personally have been telling them this for YEARS and YEARS and YEARS. Then they do nothing to improve their detection engine. Instead they post friendly little notes asking for more feedback. Right.

2) Their list of Trojan horses has NEVER been adequate. Right now there are 4 types of Mac OS X Trojans with a total of 22 different strains. MacScan does NOT detect all of them. So what's the point?

3) It claims to find 'spyware', but there is NO illicit spyware for Mac OS X. Not a one. Everything MacScan detects is 'legal' spyware that is freely sold commercially or as shareware to be used by employers or owners of computers in order to keep track of where their users are going and what they are doing with their computers, particularly useful for parents who care about their children. Detecting such stuff can be very useful if someone has secretly installed one of these things on your Mac for nefarious purposes. But this stuff is NOT malware.

4) It is debatable whether tracker cookies are malware. At worst they are a violation of your personal privacy. So turn on the setting in your browser that prevents downloading 3rd party cookies and turn off the setting in Flash that allows any site to put cached data on your computer. You're done. That's for free. It doesn't require MacScan.

I seriously hope MacScan can actually, factually improve and become a useful product that does what it says. But for now it is junkware, not worth paying for, well worth ignoring in favor of real anti-malware applications like VirusBarrier, ClamXav, and iAntiVirus.
--

Thursday, 14 January 2010

Intego VirusBarrier Version 10.6 Review:Part I

--
Let's start with the GOOD NEWS:

Intego VirusBarrier is the only anti-malware program I can recommend for Mac OS X. Its interface and features are unmatched by any similar program. The signature updates are regular and reliable. Intego stay right up-to-date with all Mac OS X malware. The program is 100% compatible with Snow Leopard. Ignore all reports to the contrary. For Mac users who want a top notch single-user anti-malware program, this is the only one. Nothing compares, except perhaps Sophos, which is only designed for network users.

The new VirusBarrier 10.6 version adds a bunch of new security features worth the upgrade price. Some features are redundant with those already in Safari and Firefox. The reverse firewall is the only new feature I care about. A reverse (outbound) firewall stops a zombied Mac from reaching its controller and stops software from 'phoning home' without your say-so. I've been using Little Snitch for years and love it. The reverse firewall in VirusBarrier 10.6 is not as good as Little Snitch. But it's there and it's useful.

A new single user license for VirusBarrier costs $49.95 and protects two Macs. A new family license is $69.95 and protects five Macs. The 10.6 upgrade is potentially free for those who purchased VirusBarrier 10.5 on or after November 25, 2009 through April 13, 2010. See Intego for details. Otherwise, the upgrade is $34.95 for single users. A family pack upgrade is $59.95 for protecting five Macs. Every new or upgrade license includes a year's subscription of malware signatures.

Intego also provide an occasionally useful and intelligent Mac Security Blog.

Now the BAD NEWS:

1) Accompanying the 10.6 update is a new advertising campaign that makes several wrong and ridiculous claims consisting of what is traditionally called BULL SHITE or FUD. Enjoy:
"More and more malware is discovered every day. Macintosh computers face threats from viruses, Trojan horses, worms and more."
Incorrect! There are ONLY Trojan horses for Mac OS X. Period. The End. If you believe otherwise, you've been duped.
"VirusBarrier X6, the Lowest-Priced Mac Antivirus"
No. FREE would be 'The Lowest-Priced Mac Antivirus', and there are a few of those to choose from. See below.
"... simply visiting a booby-trapped web page can compromise your Mac."
This has never happened on Mac OS X in the wild or in a 'Crack A Mac' competition without an account user providing deliberate sabotage assistance. However it 'could' happen if a JavaScript or Java security hole wasn't patched in your web browser or operating system. (Readers of my posts know what contempt I have for the state of JavaScript).


I hope Intego have brains enough to dump the false advertising before they get sued. I despise FUD and would hate to have to put Intego on a par with Symantec, the renowned masters of anti-Mac security FUD and makers of easily the worst anti-malware for Mac.



2) Yearly malware subscriptions for VirusBarrier are required and expensive. $29.95 for one year. Yikes! A two year subscription is 50% off the second year at $44.90. If you're up for renewal and are using version 10.5, you might as well upgrade to 10.6 at $34.95 and get the included one year subscription, saving yourself $25.

3) Intego outright refuse to provide a list of malware detected and removed by VirusBarrier. That's idiotic and I've directly told them so. They don't care. Instead, I follow the imperfect but useful Threats Database provided by the PC Tools site, the makers of the up and coming competitor program iAntiVirus.

4) And of course, if you turn on the Real-Time Scanner feature, expect VirusBarrier to eat your CPU. So turn it off. You don't need it unless you're dealing with LUSERs, in which case all you have to do is prevent them from having access to an administrator account and password. It's seriously that simple.

CONCLUSION:

So what is VirusBarrier for? It protects you from LUSER behavior and lets you find and wipe out Windows malware you may be passing along to Windows users.

If you're a conscientious Mac user who checks the validity of all software you install, you don't need VirusBarrier to protect your Mac. There are less reliable free alternatives if you want to try them out, such as ClamXav and iAntiVirus. (Avoid MacScan, which is ultra-lame).

I'll be posting a detailed feature review in Part II after I test the new VirusBarrier 10.6.3 update.
--

Monday, 21 September 2009

Security Concerns After Installing Snow Leopard

--
We all hopefully know that, at this time, Mac OS X is the safest commercial GUI OS on the planet. But in the spirit of perfection, here are some problems I found with the default installation of Snow Leopard. Some of them are very bad. Some are merely worrisome.

1) The firewall is OFF. So TURN IT ON!!! You can do this in the Security preferences.
--> I'm very annoyed with Apple on this blunder. Firewall protection is fundamental these days. A good scolding is in order. I have no doubt the professional security experts will do the job for me.

2) Automatic login is ON. So TURN IT OFF!!! You can do this in the Accounts preferences.
--> Again, Me = very annoyed. Again this is fundamental. Scold scold scold. You'd think no one at Apple had ever studied the security hell known as Windows. Both firewall protection and login protection were lacking in Windows for years, leading to major hacking and cracking.

3) In Accounts preferences, under the 'Guest Account', the checkbox "Allow guests to connect to shared folder" is ON. If you have no interest in guests doing anything on your Mac, turn this off.
--> If you are on a LAN with other people and want to allow sharing, leaving this on is important. But if you are on your own at home, it's safer IMHO to just leave this off until such time as you want to use it. Mobile laptop users most likely want this off by default until such time as they return to their LAN. I would have much preferred Apple left this off by default after installation.

4) In the Accounts preferences, Login Options, "Display login window as:" is set to "List of Users". I suggest you change this to "Name and Password".
--> Family computer users should ignore me on this one. At home, who cares. But if your computer is going out into the wild, I like the added security of forcing any would-be hackers to have to guess at BOTH your username AND password. Why give them a break and give away usernames?

5) In the Security preferences, General tab, "Require a password to unlock each System Preferences Pane" is turned OFF. I like this checked ON.
--> This is one of those fiddly things that maximize security but can also be annoying. Turning it on means that no rogue software running on your Mac can play around with your system preferences. As soon as it did you'd see boxes popping up requesting your administrator password. Theoretically this could happen with one of the current Trojan horses for Mac OS X. So to play it safe, check it on. But it's not a major deal. On the other hand, it's not exactly paranoia either.

6) This one is for MacBooks and iMacs only: In the Security preferences, General tab, at the bottom of the window are the setup switches for your infrared remote. The remote can be used to access Front Row, among other things. After installation it is important that you 'Pair' your specific remote with your Mac. Otherwise, as it says in settings, "This computer will work with any available remote." That's BAD. Therefore, hit the "Pair" button and go through the process.
--> This is a very good chore to follow immediately after your Snow Leopard installation. If you are extra paranoid about having a remote, or you lost your remote, you can always check ON "Disable remote control infrared receiver."

7) Software Update preferences are set to "Download updates automatically". Please turn this OFF.
--> Allowing your computer to automatically download anything is BAD. It has already been proven that it is possible to hijack a server address, have it fake being an update server, then spew malware downloads at you. No, it has never happened to Macs. But it can. (This setting only downloads updates in the background; installing them still requires your approval. The danger is in what gets fetched onto your disk without you looking.) Therefore, only YOU should approve ANYTHING that is downloaded. No auto-downloads EVER. OK?

8) Safari preferences, in the General tab, "Open 'safe' files after download" is checked ON. Please turn this OFF and leave it off forever.
--> Much as it is nice to have .zip and .dmg files open up for us immediately after they download, get out of the habit. This is another really BAD IDEA in all cases. It is as bad as auto-downloads. Instead, you personally want to open anything you have downloaded.

Imagine this: Some malware was somehow downloaded to your computer, via Safari, and automatically opens up its downloaded file. There it is in front of you in a window and you think everything is OK and run the application that was inside. You may have just infected yourself with the malware. Therefore, making sure that only you open anything you personally download is important as part of a deliberate process of verifying that you are not installing a Trojan or other malware. And remember to always verify a file or application is 100% legitimate before you download it or open it.

Once we get into the habit of clickity-click on every little thing, we can get ourselves into trouble. Some people say that going through all these extra steps of caring about exactly what you are doing can become drudgery and you end up doing clickity-click anyway. Nope! That never happens with me. Instead what I found is that I got into the habit of being careful. That is the entire point, and making that point a habit is very good for all of us.
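Most of the checkboxes in the list above write plain keys into preference files, so you can audit a freshly installed Mac from the Terminal instead of clicking through every pane. The script below is an added example, not code from this post or from Apple. It reads the keys with `defaults read` and compares them with the safer settings argued for above. The key names com.apple.alf globalstate, com.apple.loginwindow autoLoginUser and SHOWFULLNAME, and com.apple.Safari AutoOpenSafeDownloads are the documented keys for these releases; com.apple.SoftwareUpdate AutomaticDownload is an assumed name for the 'Download updates automatically' checkbox and is marked as such in the code. The guest-sharing, System Preferences lock and remote-pairing items live elsewhere and are not covered. The evaluation logic is kept separate from the `defaults` calls so it can be run on constructed values anywhere; the two sample value sets at the bottom are constructed, not captured from a real machine.

```python
"""Audit of the Snow Leopard security defaults discussed above.

Added example, not from the original post. Reads the preference keys the
System Preferences checkboxes write and reports any that are still at the
less safe value. Only reads; change settings through System Preferences.
"""

import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# (name, domain, key, ok_if(raw value or None when the key is absent), advice)
Check = Tuple[str, str, str, Callable[[Optional[str]], bool], str]

CHECKS: List[Check] = [
    ("Application firewall", "/Library/Preferences/com.apple.alf", "globalstate",
     lambda v: v in ("1", "2"),          # 0 = off, 1 = on, 2 = block all incoming
     "turn the firewall on in Security preferences"),
    ("Automatic login", "/Library/Preferences/com.apple.loginwindow", "autoLoginUser",
     lambda v: v is None,                # key holds the user name only while auto-login is on
     "turn off automatic login in Accounts preferences"),
    ("Login window shows user list", "/Library/Preferences/com.apple.loginwindow", "SHOWFULLNAME",
     lambda v: v == "1",                 # 1 = name and password fields; 0 or absent = list of users
     "set 'Display login window as' to 'Name and Password'"),
    ("Automatic update download", "/Library/Preferences/com.apple.SoftwareUpdate", "AutomaticDownload",
     lambda v: v in (None, "0"),         # ASSUMED key name for 'Download updates automatically'
     "untick 'Download updates automatically' in Software Update preferences"),
    ("Safari opens 'safe' files", "com.apple.Safari", "AutoOpenSafeDownloads",
     lambda v: v == "0",                 # 1 (the default) opens .zip/.dmg as soon as they land
     "untick 'Open safe files after download' in Safari's General preferences"),
]

Values = Dict[Tuple[str, str], Optional[str]]


def read_default(domain: str, key: str) -> Optional[str]:
    """Run `defaults read domain key`; None when the key does not exist (non-zero exit)."""
    proc = subprocess.run(["defaults", "read", domain, key], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def collect() -> Values:
    """Gather the current value of every checked key from this Mac."""
    return {(domain, key): read_default(domain, key) for _, domain, key, _, _ in CHECKS}


def evaluate(values: Values) -> List[str]:
    """Return one advice line per check whose current value is not the safer one."""
    findings = []
    for name, domain, key, ok, advice in CHECKS:
        value = values.get((domain, key))
        if not ok(value):
            findings.append(f"{name}: currently {value!r}; {advice}")
    return findings


# Constructed value sets (not captured from a real machine).
FRESH_INSTALL: Values = {   # the defaults the post complains about
    ("/Library/Preferences/com.apple.alf", "globalstate"): "0",
    ("/Library/Preferences/com.apple.loginwindow", "autoLoginUser"): "derek",
    ("/Library/Preferences/com.apple.loginwindow", "SHOWFULLNAME"): None,
    ("/Library/Preferences/com.apple.SoftwareUpdate", "AutomaticDownload"): "1",
    ("com.apple.Safari", "AutoOpenSafeDownloads"): "1",
}
HARDENED: Values = {        # after following the list above
    ("/Library/Preferences/com.apple.alf", "globalstate"): "1",
    ("/Library/Preferences/com.apple.loginwindow", "autoLoginUser"): None,
    ("/Library/Preferences/com.apple.loginwindow", "SHOWFULLNAME"): "1",
    ("/Library/Preferences/com.apple.SoftwareUpdate", "AutomaticDownload"): "0",
    ("com.apple.Safari", "AutoOpenSafeDownloads"): "0",
}

if __name__ == "__main__":
    for line in evaluate(collect()) or ["All checked settings are at their safer values."]:
        print(line)
```

Run it as the user whose Safari preferences you care about; the /Library/Preferences files are world readable, so no sudo is needed to read them. The script deliberately stops at reporting: the firewall in particular is better toggled from the Security pane than by writing its plist, since the preference pane also restarts the filter.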

There is some other minor stuff of concern in Snow Leopard, but I need a break. You can breathe now and/or break into joyful LaUGhTeR at all these extraneous security precautionary maniaism stuff things. It's OK. I'll just go cry quietly into my hanky. I can take it. (;_;)

Windows users have to be incredibly meticulous about all this security rigmarole. Every little nook and cranny of Windows can be a security hole. We Mac OS X users get to relax, mostly, about security regimens. At the moment, the worst we can do is download and install a Trojan and get our Mac zombied. That's all! ;-) If we think about being careful, no Trojans can get us.

Nonetheless, I'm attempting to show other Mac users how to be as safe as possible. Therefore, all of the above list applies if you are security conscious. I use myself as a guinea pig to see what it takes to be stealthed and defended to the MAX, and to see if I can stand it. The answer is yes, I can stand it. But I wouldn't wish it on my granny!

Check this out: I have Little Snitch popping up asking if this app can go do that on the Internet. I have the mess known as 'JavaScript' turned OFF by default in my web browser. I turn it on only for trusted websites. My browser is set to never accept cookies from third party sites. That stops Tracker Cookies. I read up on the latest security problems and updates via Apple, Intego, Secunia and SANS, among others. That means I've always got the latest versions of Flash, Shockwave, AIR and Adobe Reader installed in order to avoid Adobe security vulnerabilities. The same goes for Firefox, QuickTime, iTunes, etc. I have Intego VirusBarrier installed, kept up-to-date with malware signatures and always running. I also have both ClamXav and iAntiVirus freeware installed (mostly for testing). And there's more! (0_0)

That's just me playing with Mac security for my interest and yours. You could ignore all this stuff, except the advice about Trojan horses!!!, and be happy as can be. You've got a Mac.

But there are ways to be SAFER. That's why I write this blog. Put it to use as you will. Hopefully you won't actually need any of this stuff. But maybe you will...

Share and Enjoy!
Glad to be of service!
Nothing ever goes wrong at
Cirus Cybernetics Corpororpororpor*@%

;-Derek
--

Thursday, 27 August 2009

A Primer on Trojan Horses and Their Aliases

--
There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously (not worth reading) demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.




Count with me!





As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!

BwaHaHa!

I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 signatures for Windows malware in the wild (not every remaining signature is for Windows malware, but the overwhelming bulk of them are). A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.
--

Monday, 6 July 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.

II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*

Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allan went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L
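
To make a detection test like this one repeatable, here is an added example (not the blog's own code, nor ClamXav's or ClamAV's) that scores a clamscan run against a labelled manifest of samples and lists what was missed; the sample paths, family names and scan output below are constructed for illustration.

```python
"""Score a clamscan run against a labelled sample set (added example)."""
import re

# Constructed manifest: each sample path and the malware family it is known
# to contain (these file names are placeholders, not real sample hashes).
MANIFEST = {
    "samples/rsplug_c.dmg": "RSPlug.C",
    "samples/rsplug_d.dmg": "RSPlug.D",
    "samples/rsplug_e.dmg": "RSPlug.E",
    "samples/iservices_a.pkg": "iServices.A",
    "samples/iservices_b.pkg": "iServices.B",
}

# Constructed clamscan output. clamscan prints one "path: Signature FOUND" or
# "path: OK" line per file (run it without -i/--infected so OK lines appear),
# then a summary block that must be ignored when parsing.
CLAMSCAN_OUTPUT = """\
samples/rsplug_c.dmg: OSX.RSPlug.C FOUND
samples/rsplug_d.dmg: OK
samples/rsplug_e.dmg: OK
samples/iservices_a.pkg: OSX.iServices.A FOUND
samples/iservices_b.pkg: OSX.Trojan.iServices-B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 574043
Infected files: 3
"""

RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")

def parse_clamscan(output):
    """Map each scanned path to its signature name, or None if reported clean."""
    results = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m:  # summary lines never match and are skipped
            results[m.group("path")] = m.group("sig")
    return results

def coverage(manifest, results):
    """Return (detected, missed, unscanned) judged against the manifest."""
    detected, missed, unscanned = [], [], []
    for path, family in manifest.items():
        if path not in results:
            unscanned.append(path)          # scanner never reported on it
        elif results[path] is None:
            missed.append((path, family))   # a known sample scanned as OK
        else:
            detected.append((path, family, results[path]))
    return detected, missed, unscanned

if __name__ == "__main__":
    det, mis, uns = coverage(MANIFEST, parse_clamscan(CLAMSCAN_OUTPUT))
    print(f"detected {len(det)}/{len(MANIFEST)}; missed: {[f for _, f in mis]}")
```

Feeding the script real clamscan output (for example `clamscan -r samples/`) gives the same per-family miss list the post compiles by hand, so re-running it after each definition update shows whether the ClamAV gaps are closing.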

I'm testing iAntiVirus (which runs on Mac OS X Leopard only), but it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple of months ago thanks to Mark Allan's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
--

Tuesday, 26 May 2009

Hope For ClamAV For Mac

--
As you recall from our last episode, ClamAV was essentially worthless for detecting and removing the 11 current pieces of Mac OS X malware. However, hope appeared last week thanks to the persistence of Mark Allan, the developer of the ClamXav GUI application, and of myself.

I wrote a series of posts over at the ClamXav Forum last week that revved up some interest in sorting out the problem with ClamAV. I found out that a number of people, including Mark Allan himself, had submitted MOSX malware to the ClamAV project, using the official protocol, and had been entirely ignored. From my experience, there are a number of plain old dickheads over at the ClamAV project who resist any improvement in MOSX support. You have to wonder what goes on in some people's heads.

However, Mark Allan and I chatted about the situation and he was inspired to try once again to contact someone sane over at the ClamAV group. And he SUCCEEDED. I could not be more pleased.

Mark is now working with the ClamAV project to provide them with Mac OS X malware. The resulting malware definitions will then be integrated into ClamAV. If this relationship works out, and Mark is able to continue his freely given dedication to Mac OS X security, we should soon see and continue to see ClamAV as a free useful tool for Mac OS X users.

You can read about and download ClamXav, Mark Allan's free Mac OS X GUI version of ClamAV, HERE. Donations are welcome. You can join in on the ClamXav Forum discussions THERE.
--

Monday, 1 December 2008

Trojan OSX.Lamzev.A

As of last week, Mac OS X has a second piece of malware. It is a Trojan horse officially called OSX.Lamzev.A. (It is also erroneously known as OSX.TrojanKit.Malez).

Detection and removal of this malware is built into the latest versions of the FREEWARE anti-malware programs ClamXav and iAntiVirus.

So what is the strategy this time? To quote ZDNet:
OSX.Lamzev.A is a hacker tool designed primarily to allow attackers to install backdoors in a user's system, according to Intego. However, the company dismissed the tool as a serious threat because a potential hacker has to have physical access to a system to install the backdoor.
. . .
Other antivirus vendors noted that Lamzev could be disguised as a piece of legitimate software and used to trick users into creating the backdoor themselves.
Theoretically, this will become another piece of social engineering / wetware error malware where the user is tricked into installing it. Therefore, as usual, always verify that anything you install is legitimate software. Check it out at any of the well-known shareware distribution sites like VersionTracker.com, MacUpdate.com, TuCows.com or MajorGeeks.com. All of these sites have human users and reviewers who can tell you what's legitimate. If you can't verify an application, don't install it! Also, if you want to be extra safe, work only inside a 'Standard' Mac OS X account, not an Administrator account.

I'm going to keep an eye on this Trojan to see what damage it can do. If it is a true 'backdoor' to Mac OS X, a cracker can do anything they like with your Mac. We'll see with time if this becomes a problem. For now, the anti-malware distributors consider it only a minor threat. Just run your usual FREEWARE anti-malware apps once a week, at least, to clean it out if somehow you've installed it.
--
