magmatic.com - Squawk Box

MAAS History

Entries by drStrangeP0rk (171)

Thursday

Jul022009

RSPlug.M Variant of Old Mac Trojan

Thursday, July 2, 2009 at 02:56PM

Currently it has been reported that this Trojan is making it way across the Web hiding on music sites offering music from such artist as 2Pac. Common names of links include "Fast Mp3 Music Downloader" and "MacCinema" and a host of others listed in earlier post which offer to install codecs but instead will install RSPlug.M. Users should not install any kind of video codec or software for that matter which the source is not certified as trusted either by the organization or independent verification.

Update on Monday, July 13, 2009 at 09:04PM by

drStrangeP0rk

Link to a removal tool...

http://www.dnschanger.com/

drStrangeP0rk |

Post a Comment |

1 Reference |

Wednesday

Jul012009

Firefox 3.5 Speed Up and New Privacy Browser Mode

Wednesday, July 1, 2009 at 08:43AM

Firefox 3.5 has significant improvements in speed especially when it comes to handling JavaScript heavy pages. This now puts it on par with Safari 4.0, in my case it performs better. The major security improvements includes a safe browser mode which does not store history, cookies, temp files and other information related to your browser session. There is also the addition of the Origin header for their Content Security Policy (CSP). This is an attempt to prevent drive-by-downloads and limit the threat of Cross Site Scripting (XSS). For more information connect to the reference on the Mozilla Security Blog.

Update on Monday, July 13, 2009 at 08:47PM by

drStrangeP0rk

There have been reports that the patch of SVGLength in Firefox versions below 3.5 were not effective. The bug may even be present in version 3.5, the current work around for all versions of Firefox is to set your cahce to zero. This will prevent a DoS through an unclamped loop in SVG (public Interface SVGLength).

http://www.w3.org/TR/2002/PR-SVG11-20021115/idl.html

Update on Tuesday, July 14, 2009 at 07:17PM by

drStrangeP0rk

This issue does affect version 3.5. US Cert is recommending disabling JavaScript, currently using NoScript is an excellent way to do responsible web surfing and setting cache to zero. If users cannot conduct a determination on a case by site basis then disabling JavaScript may be the best alternative.

http://www.us-cert.gov/current/index.html#mozilla_firefox_3_5_vulnerability

drStrangeP0rk |

Post a Comment |

2 References |

Firefox Updates

Tuesday

Jun232009

Trojan Jahkav-C, more to come?

Tuesday, June 23, 2009 at 06:18PM

Similar to the way in which users are enticedto install helper applications on the PC, Mac users who visit sites that deliver porn, such as PornTube(which should be on your black list), may get more then they bargain for. The downloaded Trojan hasnames such as HDTVPlayer3.5.dmg, VideoCodec.dmg, macTubePlayer.dmg. This is not self replicating, the user is the defense and it contacts the attacker. When installing applications from the Web users should make sure they trust the source, especially if they need to provide their admin(root) password. Checking the hash (MD5 and SHA) can go a long way as well in ensuring that the file recieved is the intended file.

The Trojan works by using a Perl script that communicates over http allowing the infected computer to exchange data with the attacker. Users may also find a malicious shell scriptsAdobeFlash in the /Library/Internet Plug-Ins. This is a variant of OSX.RSPlug, OSX/Puper and OSX/Jahlav.

Update on Thursday, June 25, 2009 at 08:06AM by

drStrangeP0rk

Wow, that took less time then I though. Venture capitalist Guy Kawasaki got a surprise from an auto feed from Twitter. His followers saw post promoting a sexy video of Leighton Meester. When hitting the link OSX/Jahlav-C would be downloaded and then install. The original feed called NowPublic but lower profile accounts are spreading the Trojan via Twitter. Do not open links or install any software from un-trusted sites. You do not need any codec or ActiveX controller to watch videos. (Unless your living in 1996) If you like nude photos stick to legitimate sites and never follow links from email or social sites, most likely you will encounter malicious code.

Link to orignal article on attack

http://news.cnet.com/8301-1009_3-10272457-83.html?part=rss&subj=news&tag=2547-1_3-0-5

Update on Wednesday, August 12, 2009 at 05:02PM by

drStrangeP0rk

Dark Reading is reporting that Trend Micro has discovered a new variant called OSX_JAHLAV.D infecting computers, it still posesas as a media player. The current version is changing DNS entries and sending unsuspecting users to redirected domains. Currently various anti-virus and firewall products do detect it. Users can do a search, find it and remove it, reset their DNS in System>Preferences and flush the cache with the following command:

dscacheutil -flushcache

There are other handy options, the man page is a must read.

It is suspected that it may have been tested for creating a Mac BotNet but in its current form it represents a manageable threat. However Mac users must make sure that they have taken steps to secure their systems. Many years ago some friends and I loved making simple client servers and aliasing commands to have fun with one another. The point is all Unix/Linux boxes have security available but it must be used and managed. The Mac as a Unix (BSD) box is no different.

http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml;jsessionid=C4L1DU5LN33RVQE1GHOSKHWATMY32JVN?articleID=219200192

Update on Wednesday, August 12, 2009 at 06:32PM by

drStrangeP0rk

One more time since the article is fresh.

http://www.dnschanger.com/

http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/

drStrangeP0rk |

Post a Comment |

1 Reference |

Mac OSX Trojan,

Trojan

Tuesday

Jun232009

Thunderbird 2.0.0.22

Tuesday, June 23, 2009 at 06:01PM

Issues have been fixed in Thinderbird including arbitrary code execution, SSL tampering, memory corruption and same-origin violations when Flash loads. Some of these issues also affected Firefox and were fixed in version 3.0.11. If you or your organization is using Thunderbird as your mail application install update 2.0.0.22.

http://www.mozillamessaging.com/en-US/thunderbird/2.0.0.22/releasenotes/

drStrangeP0rk |

Post a Comment |

7 References |

Firefox Exploits,

Firefox Updates,

Updates

Thursday

Jun182009

IPhone OS 3.0

Thursday, June 18, 2009 at 09:36AM

Apple has released the latest iPhone OS to address many vulnerabilities which can allow an attacker to cause a DoS, compromise integrity, compromise confidentiality, conduct cross site scripting attacks and execute arbitrary code. iPhone users should apply the patch immediately.

drStrangeP0rk |

Post a Comment |

1 Reference |

Exploits,

Updates,

iPhone