MAAS History
Disclaimer

All information is provided as is.

Entries by Sean OConnell Public (117)

Wednesday, Mar 30 2011

Condition Remains GREEN

Intego is reporting that its security researchers have discovered a new variant of the remote administration tool BlackHole RAT (MAAS February 26 2011, Squawk Box 3/15/2010) and has categorized it as OSX/BlackHoleRAT.B. OSX/BlackHoleRAT.B includes a script called Safari.app and a script called isightcapture. The Safari.app file is named that way to trick the user into granting the application access to the network. The isightcapture script takes a photo using the iSight camera.

Users should do the following:

  • Do not download and install illegal or pirated versions of software, especially those related to the Adobe suite of products. (Attack method: Squawk Box post 1/28/2009)
  • Install a firewall from a security vendor, such as Intego's Virus Barrier 6.
  • Always confirm the exact application that is asking for access to network services.
  • Consider covering the iSight camera when in sensitive areas.
  • For more restrictive environments, the iSight camera hardware shall be removed.

The threat is currently still low, but several of the tactics will be unfamiliar to Mac users, including the use of social engineering to prompt the user into taking action. We continue to monitor and share all information as it becomes available.


Tuesday, Mar 29 2011

Condition Remains GREEN

We are currently aware of a mass SQL-injection attack being reported by Websense. At this time only the catalog pages for two podcasts show evidence of the attack. iTunes uses RSS/XML feeds to get the list of podcasts, so the injected content has no effect via iTunes. At this time the attack does not affect the most recent version of iTunes, nor does it compromise iTunes accounts in any way. The attack acts as an intermediary to serve up malware that is Windows-centric.

Consider the following actions:

  • Block the domain lizamoon(dot)com (91_213_29_182).
  • If you do not do business there, consider blocking traffic from Lithuania and Russia.
  • Block the domain scansystonline(dot)uni(dot)cc.
  • Block the country vanity ccTLD for the Turkish Republic of Northern Cyprus (.cc) and the Cocos (Keeling) Islands (.cc), Australia. (Consider blocking all vanity ccTLDs.)
  • Consider changing your iTunes/Apple ID password.
  • Do not store your password, and log out if you are not making purchases.
  • De-authorize a device or computer and remove your iTunes credentials, along with other critical credentials, before sending it for service.
  • Only use Apple Authorized Service Providers.

At this time this mass SQL-injection attack does not compromise the latest version of iTunes in any way. We will provide updates as we monitor the situation.