Category Archives: Security

600,000 Infected Macs, 247 in Cupertino

It is generally assumed that only Windows computers get infected with backdoor trojans, but that picture has changed over time. Recently a large number of Macs (more than 600,000, including 247 from Cupertino, Apple's HQ) were found infected with the Flashback backdoor trojan (Trojan-Downloader.OSX.Flashfake.ab). Note that the trojan works through a vulnerability in Java (Java 6 update 31) and not in the core Mac OS. The fault I do see on Apple's side is that it had not patched the CVE-2012-0507 vulnerability even after 6 weeks.

If you are reading this on your shiny new MacBook Pro or another Mac, you are probably wondering by now how to remove it. Here is a guide to finding out whether you are infected with the Flashback trojan.

Manually removing the Flashback Trojan.

Manual Removal Instructions

  1. Run the following command in Terminal:
       defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. Take note of the value of DYLD_INSERT_LIBRARIES.
  3. Proceed to step 8 if you got the following error message:
       "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
  4. Otherwise, run the following command in Terminal:
       grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
  5. Take note of the value after "__ldpath__".
  6. Run the following commands in Terminal (first make sure there is only one entry from step 2):
       sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
       sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  7. Delete the files obtained in steps 2 and 5.
  8. Run the following command in Terminal:
       defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
       "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
  10. Otherwise, run the following command in Terminal:
       grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
  11. Take note of the value after "__ldpath__".
  12. Run the following commands in Terminal:
       defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
       launchctl unsetenv DYLD_INSERT_LIBRARIES
  13. Finally, delete the files obtained in steps 9 and 11.
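The checks from steps 1 to 11 as a read-only scan script, added here as an example and not part of the original post's instructions: the plist paths, the keys and the __ldpath__ marker are taken from the steps above, while the helper names and the sample paths in the comments are my own. It only reports; the deletions in steps 6, 7, 12 and 13 stay manual.

```shell
#!/bin/sh
# Added example: read-only version of the Flashback checks in steps 1-11 above.
# It reports what it finds and deletes nothing; the plist paths, keys and the
# __ldpath__ marker come from the removal steps, the helper names are my own.

# Steps 4/10: pull the path that follows the __ldpath__ marker out of the
# injected library. LC_ALL=C keeps the [ -~] (printable ASCII) range exact.
ldpath_from_file() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# Step 2: `defaults read ... LSEnvironment` prints a dictionary such as
#   { DYLD_INSERT_LIBRARIES = "/path/to/lib.dylib"; }   (constructed sample)
# Print only the library path, or nothing if the key is absent.
dyld_from_lsenv_output() {
    printf '%s\n' "$1" | sed -n 's/.*DYLD_INSERT_LIBRARIES *= *"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' | head -n 1
}

# Verdict from the two values the steps tell you to note down:
# $1 = DYLD_INSERT_LIBRARIES value (empty if absent), $2 = path after __ldpath__.
flashback_verdict() {
    if [ -z "$1" ]; then
        echo clean          # key missing: the "does not exist" case of steps 3 and 9
    elif [ -n "$2" ]; then
        echo infected       # injected library present and it names its payload
    else
        echo suspicious     # key set but no __ldpath__ marker found: inspect by hand
    fi
}

# macOS only: run the read-only checks against one plist (steps 1-5 or 8-11).
check_one() {  # $1 = plist path without the .plist suffix, $2 = key to read
    out=$(defaults read "$1" "$2" 2>/dev/null) || { echo "clean: $2 absent from $1"; return 0; }
    if [ "$2" = LSEnvironment ]; then lib=$(dyld_from_lsenv_output "$out"); else lib=$out; fi
    payload=""
    if [ -n "$lib" ] && [ -f "$lib" ]; then payload=$(ldpath_from_file "$lib"); fi
    echo "$(flashback_verdict "$lib" "$payload"): $1 -> ${lib:-<none>}${payload:+ -> $payload}"
}

scan_macos() {
    check_one /Applications/Safari.app/Contents/Info LSEnvironment
    check_one "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
}

# Only scan when asked to, so the helpers can be sourced on any system.
if [ "${1:-}" = "--scan" ]; then scan_macos; fi
```

Run it as `sh flashback_check.sh --scan` on the Mac; a "suspicious" line means the environment key is set but the library did not carry the marker, which still warrants a manual look at the file it points to.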

Please note that I cannot guarantee that following these steps will remove ALL traces of the Flashback trojan; it is highly recommended that you install an antivirus for Mac, update it, and run a thorough scan.

Steps to help protect your Mac from future attacks.

1 Create a non-admin account on your Mac and use it for daily tasks such as checking email and browsing the web (the account created by default, which you are probably using, has admin rights).

2 Download and use a secure browser. I recommend Google Chrome, as it has sandboxing and also ships with its own sandboxed Flash Player.

3 After you have downloaded and installed the new browser, don't forget to make it your default browser.

4 Uninstall or update the default Flash Player (Apple does not update Flash Player regularly). Note: with Google Chrome as your default browser you no longer need the system Flash Player, since Chrome comes with an up-to-date Flash Player of its own.

5 Uninstall or disable Java. Apple does not update Java regularly; it generally does so months after a release, and it is not possible to update it manually on a Mac. So if you don't want to uninstall it because you use some Java web applets, it is recommended that you at least disable it in the Safari browser.

6 Update your Mac software on a regular basis; it won't cost you a dime but will protect you from known vulnerabilities.

7 Install a good antivirus for Mac, and update and run it from time to time.

8 Install Little Snitch, a firewall program that shows you which application is trying to use the network and lets you allow or block that application's connections.

Apple has yet to come up with a tool to remove the Flashback trojan, but the folks at Kaspersky have come up with a tool, which can be downloaded from here.

Ethical Hacker of Facebook Gets Jailed.

Glenn Mangham

A 26-year-old British student, Glenn Mangham, landed behind bars (for 8 months) for bypassing Facebook's security. He breached the Facebook web server that hosted the puzzles set for software engineers who want to work for the company. Glenn gained access to the account of Facebook employee Stefan Parker and later used it to reach the Mailman server that runs the company's internal and external mailing lists, and the Facebook Phabricator server used by internal developers.

Facebook had to spend US $200,000 (£126,400) as a result of the hack on a "concerted, time-consuming and costly investigation" by the FBI and British law enforcement.

Glenn's response to the hack was:

“It was to identify vulnerabilities in the system so I could compile a report for lack of a better word that I could then bundle off to Facebook and show them what was wrong with their systems.”

To which Judge Alistair McCreath said the following:

“This was not just a bit of harmless experimentation – you accessed the very heart of the system of an international business of massive size.”

“This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled… Potentially what you did could have been utterly disastrous to Facebook.”

It is to be noted that Glenn had previously been rewarded by Yahoo for finding security loopholes in that company's systems.

According to a Daily Mail report, Glenn is believed to have Asperger's Syndrome, which is very common among the famous hackers who have fallen foul of law enforcement.

Carrier IQ – Your mobile operator secretly collects your personal data.

Recently it has been found that mobile operators (mostly US operators) are installing an app called Carrier IQ that collects user data without any sort of approval, and there is no way to force-quit the application. It has been found mainly on the Android platform, although it is reported that BlackBerry and iPhones also have this app pre-installed. The app installed on Android was discovered by a security researcher, who demonstrated it in this YouTube video. It clearly shows what the app collects: key presses, SMS messages, and the URLs you visit from the phone's browser (even when you are using it in Wi-Fi-only mode).