"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. - Gene Spafford"

RSS

Security News Feeds
F-Secure Antivirus Research Weblog
Weblog of F-Secure Antivirus Research Team

F-Secure Antivirus Research Weblog
  • Mac Spyware Bait: Lebenslauf für Praktitkum
    As a follow up to yesterday's Kumar in the Mac post… have you received e-mail attachments such as this?

    Lebenslauf für Praktitkum

    Attachments:

      •  Christmas_Card.app.zip
      •  Content_for_Article.app.zip
      •  Content_of_article_for_[NAME REMOVED].app.zip
      •  Interview_Venue_and_Questions.zip
      •  Lebenslauf_für_Praktitkum.zip

    If so, you may be the target of a spear phishing campaign designed to install a spyware on your Mac.

    Here's a list of binaries signed by Apple Developer "Rajinder Kumar".

    Detected as Trojan-Spy:OSX/HackBack.B:

      •  1eedde872cc14492b2e6570229c0f9bc54b3f258
      •  6737d668487000207ce6522ea2b32c7e0bd0b7cb
      •  a2b8e636eb4930e4bdd3a6c05348da3205b5e8e0
      •  505e2e25909710a96739ba16b99201cc60521af9
      •  45a4b01ef316fa79c638cb8c28d288996fd9b95a
      •  290898b23a85bcd7747589d6f072a844e11eec65 — mentioned in yesterday's post.

    Detected as Backdoor:OSX/KitM.A (includes screenshot feature):

      •  4395a2da164e09721700815ea3f816cddb9d676e

    Though the spear phishing payloads are not particularly "sophisticated", the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework.

    Be vigilant.

    More information:
    Mac Spyware Found at Oslo Freedom Forum
    Big Hangover

    On 23/05/13 At 10:12 AM



  • Mac Spyware: OSX/KitM (Kumar in the Mac)
    There's another case of Backdoor:OSX/KitM.A in the wild.

    A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for "Kumar in the Mac", which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.

    This latest version of OSX/KitM used a Romanian C&C server called liveapple.eu during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called Christmas_Card.app.zip. (Remember, the attack started in December.)

    So, that brings us to this bit of advice for those of you who might be targets.

    This is the default "Gatekeeper" security setting:

    Mac, Security & Privacy
    Mac App Store and identified developers

    This is the setting that you want, unless you're actively installing software:

    Mac, Security & Privacy
    Mac App Store

    This is the prompt that results when OSX/KitM attempts to install with the stricter setting:

    Kumar's Christmas Card

    If you're running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.

    SHA1: 290898b23a85bcd7747589d6f072a844e11eec65

    On 22/05/13 At 12:45 PM



  • Big Hangover
    The Mac spyware discovered at the Oslo Freedom Forum last week is apparently connected to larger espionage efforts — and those efforts look to be connected to India.

    Yesterday, the folks from Norman released their Hangover Report.




    Snorre Fagerland has confirmed a connection to the C&Cs used by Backdoor:OSX/KitM.A.

    Also related, from the folks at ESET: Targeted information stealing attacks in South Asia use email, signed binaries

    Apple has reportedly revoked the Developer ID used by KitM.A.

    On 21/05/13 At 01:35 PM



  • BBC News: LulzSec Hacker Interview
    BBC News has a 13 minute report that's worth a view.

    LulzSec hacker: Internet is a world devoid of empathy

    LulzSec hacker: 'Internet is a world devoid of empathy'

    On 17/05/13 At 12:54 PM



  • LulzSec Sentencing in UK
    LulzSec Twitter

    LulzSec – the rockband of hacker groups – had three of their six members sentenced today in London.

    LulzSec made headlines during their "50 days of Lulz" in May-June 2011, during which they attacked Fox, PBS, Sony, Nintendo, Sega, Minecraft, Infragard, NHS, US Senate, SOCA and CIA. They also recorded and published a conference call between US and European law enforcement officials, discussing police tactics against LulzSec.

    LulzSec was different from most other attackers, as they weren't doing their attacks to make money or to protest. They did it for Teh Lulz. Also, they had no sense of self-preservation, which led to taking them down.

    LulzSec had 6 core members:

    The first three were sentenced today.

    • Jake Davis got a 24 month sentence. He will serve 12 months in a young offenders institute
    • Mustafa Al-Bassam got a 20 month sentence, suspended for two years and 300 hours of community work.
    • Ryan Ackroyd got a 30 month sentence. He will serve 15 months.

    A botnet master associated with Lulzsec was sentenced at the same time: Ryan Cleary (aka Viral). He got a 32 month sentence. He will serve 16 months.

    Sabu was arrested in June 2011. He pleaded guilty and has been working with FBI since. He's yet to be sentenced.

    Darren Martyn was indicted in March 2012. He's yet to be sentenced.

    So, five of the LulzSec six has been caught. The remaining mystery is the 6th member: Avunit.

    Who was Avunit? How come none of the other members have given him up?

    We have no idea who Avunit is. We have no identity. We don't even know which continent he is from.

    P.S. Obligatory nyan.cat.





    On 16/05/13 At 01:32 PM

[ Back ]