ZDNet blogger Ed Bott, who’s known more for his reporting on Microsoft than on anything Apple, has been hot on this story since the get go. He reported Wednesday that as if on cue the Mac Defender creators have released a new version of the malware application that requires no password at all to install.

See, Mac users -including myself–have accurately pointed out that basically all attempted malware for the Mac required the user to enter the administrative password. If you did that, it was your own stupid fault for getting infected. With MacGuard, it’s completely different.

Here’s how these malware purveyors are getting around this: the application is now installing a downloader directly to the Applications folder, which requires no password and only clicking “Continue” to begin the install as long as you’re logged in as an Administrator.

Most Mac users are, since that’s the default OS X account. After that, the downloader automatically retrieves and installs MacGuard, which is almost the same as its earlier cousin Mac Defender.

Now with this taken care of, all that seemingly is left is these folks figuring out a way to fool the operating system into thinking that “Continue” button was pressed automatically, and you’d have malware on your Mac with no human intervention at all. Certainly now the malware problem from Apple has gone from an annoyance to a serious issue. Apple can no longer wait three weeks to address issues like this, like it seemingly did with Mac Defender.

Could Apple be headed for a repeat of the dark days of Windows in the early part of last decade where Microsoft ended up always being a step behind the attackers? Could be. The Mac Defender folks are proving there are ways into Mac OS, no matter what the Apple apologists may say.

I still agree that overall, OS X is a lot safer of an operating system than Windows will ever be, largely due to the fact that Microsoft must deal with a lot more legacy code than Apple does. Creaky old code is often the way in for these attackers.

I’d be interested in hearing from users running into MacGuard in the wild. If you see it, let us know here so we can stay on top of this story.

The botnet was a Zeus bot (Zbot) variant. The Zeus trojan is a  program that criminals use to gather personal and financial data from its victims.

Hackers that create trojans such as Zeus are becoming increasingly organized and function like corporations, according to a security recent report published by Microsoft. That structure enables regular malware release schedules, and gives criminals the ability to exploit complex vulnerabilities in software–even as operating systems become more secure.

Law enforcement has made some progress toward shutting down the data centers that criminals use to host their infrastructure, but the crooks are seemingly one step ahead, and have now migrated to Web-based services. IDG reports that unnamed law enforcement officials have begun to worry that stolen credit cards could be used to purchase cloud computing services such as AWS.

That’s a given. I hope that cloud providers take action to discover malware on their server, and have the capacity to shut it down before serious damage can be done. They have a responsibility to do so.

Cybercriminals are organized like corporations, and follow regular software release cycles, said Jeff Williams, principal group program manager for the Microsoft Malware Protection Center: “They are working for monetary gain.”

The report, entitled, Microsoft Security Intelligence Report Volume 7, is based upon data collected worldwide from January through June 2009. The data was obtained through Microsoft’s security products, Hotmail, and Windows Update, Williams said. “It shows differences from region to region, and provides a comprehensive view of the threat landscape.”

Globally, Microsoft found that the number of trojan downloaders has fallen markedly over the past year; although, they did remain the most common threat. That gain was offset by a rise in instances of worms, password stealers and monitoring tools, according to the report.

Malware has been increasingly targeting online gamers, and there has been a major uptake in fraudulent security software, Williams said. Criminals create trojan software that purports to protect users from malware, but does nothing more than steal personal information and obtain credit card information through false premise.

Criminals have also begun the practice of bundling malware, and making “pay for play” arrangements with one another, Williams said. Another trend Williams noted is the misuse of autoplay in Windows, and using removable media like USB jump drives as an attack vector to get inside of protected enterprise environments.

Microsoft recommends that customers should use trusted anti virus software, a Web browser with anti-phishing technology, and keep their operating systems up-to-date. Security software, combined with increased industry and government cooperation, has helped Microsoft better protect customers over the past year, Williams said.

However, Microsoft is playing a game of multidimensional chess against an opponent that is profit-driven. Improvements in security have induced cyber criminals to exploit more complex software vulnerabilities, and those vulnerabilities have become the new chosen mechanisms for propagating worms of worms, Williams acknowledged.

“They left a note in a worm telling us that they would take more direct action in the future. Criminals are becoming more aggressive,” Williams said. Simply put, when one door closes, they find another.

With Windows becoming more secure, third party applications are being targeted with rising frequency, Williams noted. To combat that threat, Microsoft has delivered free security tools to developers, along with documentation on the steps that it takes internally to create secure software.

Thankfully, other major software companies including HP and IBM have bought security firms, and are making efforts to secure their software. A lot of the industry still lags, but steady progress is being made.

A security expert once told me that hackers were the highwaymen of our century. Highwaymen were thieves that preyed upon travelers during the Elizabethan era. They became obsolete when society created toll roads–closing off their route of escape–and increased police patrols. The crime was not worth the time.

Software is exceedingly more complex than road building, and modern operating systems are some of the most advanced things man has ever created. It’s not really possible to make software that is entirely secure. Even still, I have confidence that enough progress will be made to raise the risks and reduce the gains of cybercrime.

These applications are apparently making the rounds on BitTorrent. Moral of the story here? Stop using pirated apps.

OSX.Iservice and OSX.Iservice.B are the names of the files, which essentially obtain the password of the Mac machine allowing the hackers to take control. Estimates of affected Macs number in the thousands, Symantec estimates.

So much for the ‘Macs are immune’ meme. While this doesn’t point to an actual vulnerability just yet, it indicates that Macs like every other computer can be used for malicious purposes.

Of course the Apple faithful will be quick to yell this down, but I don’t think dismissing this is a good idea. So suck it up people and download a Mac virus scanner. Yes, you do need it.

I think the above is enough proof that the threat is real, no?

Update: Commenter Dave Barnes brought up another good program for detecting unwanted outgoing data: Little Snitch.

When a user installs the application, it propagates itself by spamming their friends profiles with fake but official sounding notices that they have violated the Facebook terms of service. In order to avoid “penalties,” the user is instructed to install the application. If the would-be victim falls for it, the cycle repeats.

Trend Micro has pointed out the obvious: Facebook should review its application hosting policy. The firm also recommended that users take responsibility for what they are installing, and to do some research beforehand.

One possible solution is a verification process for applications, but the problem would have to be more prevalent to justify its costs, said Caleb Sima, an HP executive that is the former co-founder and CTO of SPI Dynamics.

“Really, I don’t have much to say about this as I have been expecting it for a while. Its no different then email. I send you a link to a program you allow it to install it takes your contacts list and spams it out. There is nothing new here. Its just applied as a Facebook app or message.”

He also predicted that malware could start arising with any type of ‘app stores.’

The silver lining is that Faceobok applications are much harder to write and distribute than e-mails are, so it won’t be as big of a problem, Sima explained. Vigilance is the best course of action, he added. “Ultimately I don’t think there is much that Facebook can do about it besides act quickly to remove rogue apps when they are reported.”

These fake parking tickets have begun appearing on cars around Grand Forks, North Dakota, which directed users to a website.

The yellow flier reads:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to [website redacted]

Once on the website, pictures of cars in the area are shown, with the license plate information removed of course (oh, what nice hackers, eh?). In order to “find” your vehicle, the site asks the user to download a toolbar.

A trojan horse is installed by the toolbar, which directs information to childhe.com. That domain has already been fingered as malicious by several antivirus companies, including Symantec.

From here the user would get several fake infection warnings, which then would prompt for the install of even more malware. You got to give these folks credit: this is probably the most ingenious scam I’ve seen yet when it comes to virus and malware trickery.

Officials are not specifing what type of worm or virus it may be, only saying an alert had been posted for it, and that it was “taking steps to mitigate the virus.” The computers affected are part of the Global Information Grid, or GIG, and for security reasons the Pentagon does not speak on the specifics of intrusions to that system.

A guess as to what the malware may be could be gleaned from a post to the Symantec Security Response blog from Wednesday. It warns of an increase in USB-based malware attacks, and listed several different viruses and worms known to be using removable drives as a way to propogate themselves.

Such products are a scourge for Windows users–I’m not sure, incidentally, whether there’s such a thing as Mac scareware–and they must be a headache for Microsoft, too, since they’re one of the barnacles that degrades the experience of using Windows.

So I can understand why Microsoft is partnering with the Washington State Attorney General’s Office to take on scareware developers. The Washington AG is suing a company called Branch Software and its owner, James Read McCreary, over an omnipresent piece of scareware called Registry Cleaner XP;  Paula Selis of the AG’s office told the Washington Post that Registry Cleaner XP claims it’s found the same 43 errors on every PC it scans, then says it’s fixed them all. Microsoft has also filed suits to determine who’s behind such pieces of scareware as Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect, and XPDefender.

Sunbelt Software’s Alex Eckelberry told the IDG News Service’s Bob McMillan that the single most prevalent piece of scareware today is one called Antivirus XP 2008. I shuddered a bit when I saw that name, since the app had recently wormed its way onto a friend’s PC–how, I’m not sure. Its fusillade of “virus warnings” and atempts to sell a paid version rendered the machine unusable; it was the most unpleasant malware attack I’ve personally witnessed in a long time, and it happened despite the fact that she was running real anti-virus software and a firewall.

I’m not an expert on the applicable laws here, but I do know that some scareware vendors are essentially digital grifters. Bravo to Microsoft for taking ‘em on; I hope the legal repercussions are severe enough to give other con men pause before they try scams of this sort.

Meanwhile, a few quick tips for avoiding scareware:

–Be skeptical of odd error messages that seemingly spring from nowhere. Especially if they recommnend you download and run software to fix “problems.”

–Be very cautious about downloads from sites you’ve never heard of. If a utility isn’t available at large and reputable sites such as Download.com, it’s not a great sign.

–Use Google to do a quick check. Search for a utility’s name before you install it; if the results involve horror stories and instructions for removing it, don’t go anywhere near it.

--If a utility claims to have received glowing reviews from testers such as PC World, verify ‘em. Go to the sites in question and search for reviews; it’s not unusual for scareware sites to simply fabricate favorable reviews and other honors.

–If a utility site is oddly out of date, be wary. The Registry Cleaner XP site, for example, makes no mention of Windows Vista and features testimonials that end in 2006.

–If you just plain feel uneasy about a utility, run. Scareware apps and the ads used to promote them are often aggresively cheesy. If it doesn’t feel good, don’t do it.

]]> http://technologizer.com/2008/09/30/die-scareware-die-microsoft-takes-on-windows-scammers/feed/ 0 Harry McCracken registrycleanerxp