Friday 30 March 2012

Malware attacks both PC and Mac

This month security companies discovered a threat that attacks both Windows PCs and Macs running OS X.

The threat, called JAVA_RHINO.AE by Trend Micro, arrives via infected websites, which means that potential victims won't notice anything amiss unless their security software detects it. It exploits a vulnerability in Java*.

Java is commonly found on both types of computer, which is interesting in itself. Its presence reduces the difference between a PC and a Mac by some way. There are, of course, other very significant similarities that I've mentioned before.

Here is the really interesting part, though. When it runs, the threat determines whether it is running on a Mac or a PC and behaves differently depending on what it finds.

In the words of Trend Micro:

"Once it successfully exploits the said vulnerability, it drops and executes the following file:
  • On Windows: %User Temp%\file.tmp - detected as TROJ_RHINO.AE
  • On Mac OS X: /tmp/file.tmp - detected as OSX_RHINO.AE"
-----
Related news: Security company AlienVault, which is investigating Mac malware at the moment, has found a new Trojan containing a relatively ancient Linux backdoor from 1999.
-----

* UPDATE: I have just noticed that this vulnerability has been included in the Metasploit Framework since November 2011.

Ranked as 'Excellent' (which means that it works very reliably), the exploit is described thus:
"This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc)"
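As an added example (not code from the post, Trend Micro or the Metasploit project), here is a small defender-side check that turns the two concrete facts above into something you can run: it parses `java -version` output and decides whether the installed runtime falls inside the range the Metasploit description names, and it looks for the dropped file path Trend Micro lists for the current platform. The boundary for "version 7" is an assumption (read as 7 update 0, so 7u1 and later count as fixed), and resolving `%User Temp%` with `tempfile.gettempdir()` on Windows is also an assumption.

```python
import os
import re
import subprocess
import sys
import tempfile

# Affected range as the Metasploit description on the page gives it:
# Java 6 update 27 and earlier, and Java 7. Assumption: "version 7" means
# 7 update 0, so 7u1 and later are treated as fixed.
AFFECTED_MAX_UPDATE = {6: 27, 7: 0}

# Dropped-file indicators quoted from Trend Micro on the page. %User Temp%
# is resolved with tempfile.gettempdir() on Windows (assumption).
DROPPED_FILE = {
    "win32": os.path.join(tempfile.gettempdir(), "file.tmp"),
    "darwin": "/tmp/file.tmp",
}

_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Turn `java -version` output into (major, update).

    Sun/Oracle strings of that era look like "1.6.0_27" or "1.7.0": the
    second number is the Java major version and the suffix after the
    underscore is the update number (0 when absent).
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found in %r" % output)
    first, second, _third, update = m.groups()
    # "1.x.y" is the legacy scheme; newer "9.0.1"-style strings put the
    # major version first.
    major = int(second) if first == "1" else int(first)
    return major, int(update or 0)


def is_affected(major, update):
    """True when the version falls inside the affected range above.
    Releases older than Java 6 are also treated as affected (assumption:
    they predate the fix)."""
    if major < 6:
        return True
    limit = AFFECTED_MAX_UPDATE.get(major)
    return limit is not None and update <= limit


def check_installed_java():
    """Run `java -version` (it prints to stderr) and classify the result.
    Returns None when no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    major, update = parse_java_version(proc.stderr + proc.stdout)
    return major, update, is_affected(major, update)


def dropped_file_present(platform=sys.platform):
    """Check for the dropped-file path Trend Micro lists for this platform."""
    path = DROPPED_FILE.get(platform)
    return path is not None and os.path.exists(path)


if __name__ == "__main__":
    result = check_installed_java()
    if result is None:
        print("no java on PATH")
    else:
        major, update, bad = result
        print("Java %d update %d: %s" % (
            major, update,
            "in affected range" if bad else "outside affected range"))
    print("dropped file present:", dropped_file_present())
```

The version check is the part worth keeping: the file-name indicator is trivial for an attacker to change, whereas an unpatched runtime is the condition the exploit actually needs.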

Thursday 29 March 2012

Why even experts need antivirus

[This article is written in response to Wired's recent article, Is Antivirus Software a Waste of Money? As is usually the case with a headline posed as a question, the answer is "no".]

"I don't run anti-virus, actually," he said, "and I've never had a virus."

"Really?" I asked. "How do you know?"

"I think I'd know," he scoffed.

I had that conversation with the UK head of marketing for an anti-virus company that, while not one of the top brands, is certainly quite well known in Europe. We probably spoke around 2008.

Scroll back to the eighties and possibly even early nineties and he'd probably be at least half right. Viruses might hide for a while but they usually gave away their presence at some stage, possibly by deleting or encrypting files, sending a cheeky message or producing a graphic effect that was hard to ignore.

In the later parts of the nineties things started to change. Malware began to commercialise, and it made sense for these malicious programs to be more subtle. Dialers were one of the first such threats. They resided silently on victims' systems and made phone calls to premium numbers.

Once malware started to hide, the game changed. Without appropriate tools even an expert would not know that a system was infected. Even then, sensible behaviour, such as avoiding pirated software, license key generators and pornography websites was sufficient to avoid most problems.

Halfway through the noughties (around 2005-6) a new approach rendered the classic advice of "be careful" fairly useless.

Criminals started compromising legitimate websites, loading malware from otherwise innocent sites onto visitors' computers. In many cases users would have no idea that this was happening. Even a paranoid expert would have a tough time using the internet in a useful way without exposing their computer to such threats.

Rootkits are also now prevalent. It is hard to detect these threats even with specialised software, let alone some sort of tuned-in, Jedi-like human virus-detector sense.

In Wired's article Is Antivirus Software a Waste of Money? a startup CEO called Dan Guido was quoted as saying, "If it weren’t for [compliance] nobody in the security industry would run [anti-virus]."

I contacted Dan to see if he was happy with the angle of the article. He was, by and large, and claimed that,
"The issue with AV is that their virus detection capabilities only become effective after tens of thousands of people have been compromised with the same virus and days or weeks after that virus was first observed."
Having seen how some anti-malware tackles new attacks, sometimes involving zero day exploits, I don't agree with his blanket statement. He went on to make other very general assumptions about how anti-virus software works. One notable point of view was,
"At the time of infection, every major attack group has procedures that allow it to avoid all the known checks that AV runs through."
In other words, criminals check their malicious software before releasing it, checking to see if anti-virus will catch it. This is certainly true.

Underground versions of VirusTotal-style services exist but I find it hard to believe even the most advanced attacker is capable of running a full end-to-end test to ensure success without alerting the anti-virus vendors.

For example, they must either allow or block cloud service queries. Block these queries and the test is not complete. Allow them and information is fed back about the new threat to the vendor.

I polled a few security professionals, in an admittedly unscientific study, and found that they all used anti-virus. No one believes that anti-virus is a panacea. It's just daft to run without it.

Despite this Lance Spitzner sent me a Twitter message, guessing that maybe experts don't use anti-virus "because most security professionals use a Mac :)" Having been to very many security conferences I have to admit that he has a point.

How the police crack smart phones

It is easy for law enforcement and security services to pull data from a PC, unless the owner has taken some fairly advanced privacy measures. The same is not the case for smart phones.

Smart phones, such as Android handsets and Apple's iPhone, run operating systems that work in a fairly secure way. The user is unable to gain low-level access to the system, which also makes it hard for hackers and malware to gain a foothold.

This in-built security poses a significant challenge to the police, who have legitimate reasons for cracking open phones belonging to criminals. So how do the instruments of law gain access to phones? By hacking them, of course.

Hacking a phone, by which I mean using one or more tools to exploit a security hole (vulnerability) in the operating system or other low-level software, can be tricky. To make life easier some businesses have made automatic tools available.

Both Micro Systemation and Elcomsoft offer tools to law enforcement that achieve the same goal. They work in essentially the same way, which is to exploit a security hole in order to gain full access to the system. They then dump information down to a computer for analysis.

Micro Systemation published a very clear video that demonstrated its slick system but today (29/03/2012) the video was no longer available. You could try the original link to see if it has been put up again.

Elcomsoft has published a video demonstration that shows its system to be more command-line based. This video is also available below.


[This week there were reports in the mainstream media that new rules proposed by the EU would outlaw hacking tools. Cue security experts complaining that this will prevent legitimate security work.

This argument emerges every time the law changes to catch up with modern crime and terror techniques. I remember unsuccessful predictions being made in 2006 when the Computer Misuse Act was revamped.

My prediction is that penetration testing will not be outlawed, security research will continue unabated and companies like Micro Systemation and Elcomsoft will continue to sell their services to the police.

And the criminals will also continue with their activities too.]

Wednesday 28 March 2012

The fake anti-virus business: in pictures

Ever wondered what the point of fake utilities like anti-virus was? Or how online crime really works?

Trend Micro has put together a handy illustration that shows how different criminals work together to steal money from victims.

It's worth noting how the different jobs are split, as is the personal risk of those involved. Plenty of individuals are contributing to the process but only a few are exposed to arrest. These will be the carders and the money mules. You can bet they will be the worst paid of the lot. 

Click on the image to see the larger, readable version.


Tuesday 27 March 2012

GPS to Google Maps (the easy way)

I wrote previously about how to extract GPS coordinates from an image and then re-format that data so that it works with Google Maps.

However, there is a much easier way to find the physical location in which a photo was taken if you are prepared to use a handy website instead of installing tools on your computer.

You can even use this technique to analyse a photo stored online, without downloading it!

1. Find an image that you want to assess. Either save it to your hard disk or determine its URL. We'll use a URL.

2. Visit Jeffrey's Exif Viewer using a web browser.

3. Either upload the photo from your disk or enter its URL into the appropriate field.

4. Click the View Image button and wait a few seconds.

5. You should now see a resized version of the photo and a table of data. Look closely at the Location box in the table and you should see a list of mapping services, including Google, Yahoo and Bing. Click on the one you want or...

6. For Google Maps simply scroll down a little further and you'll see the image's physical location presented in Google Maps.

The actual GPS coordinates and other metadata appear at the very end of the page, should you need them.

Pirate or puppet?

When you use pirated software or services, are you acting freely or are you being used as a pawn in a larger game?

When the now-failed TV business ITV Digital (aka ONdigital) went bust, pirates were freely accessing its services using widely-distributed codes. The service failed to make enough money and went under.

The pirates might, in an effort to justify their actions, argue that the services were over-priced. They might claim that information should be free.

They may simply feel that they are going to do what they want and do not care about the consequences.

I have a feeling that any user of 'stolen' services/content would care a great deal if they discovered that they were being manipulated by a large corporation. BBC's Panorama claims to have discovered that this happened in the case of ITV Digital.

The documentary alleges that a News Corporation company called NDS developed a 'hacker' website and encouraged its official owner to distribute set-top access codes for its rival's service.

When ITV Digital implemented counter-measures, the website (www.thoic.com - now closed) was used to distribute information on how to defeat those measures.

If the accusations are correct then those users of the THOIC forums were not only behaving illegally but they were puppets being manipulated by one of the large corporations that they most likely despise.

This same situation could easily apply to some of the media-savvy hacking groups currently making headlines. It is impossible to know who really pulls their strings. It is quite likely that large numbers of members don't even know the answer to that.

The irony is that those who believe they are behaving with more freedom than the rest of us, accessing whatever information and other systems they choose, are not exercising their full right to free choice. They don't have enough information to know whether or not they are working to fulfil someone else's agenda.

They could be unknowing agents of criminals, corporations or even geopolitical adversaries (spies).

It's worth thinking about, before downloading that new, illegal copy of a movie, album or ebook.

[This situation reminds me about a story once told to me by a fairly well-known anti-virus company. It had put a license code for a significant length of time (say nine months or more) on the cover disc of a magazine I once worked for.

Some individuals had leaked this code to an internet forum and the anti-virus vendor had seen a large jump in user numbers. This was in the tens of thousands - I think about 30k. Those who distributed the code obviously felt that they had got one over on "the man".

This attitude became more evident when the company decided to 'leak' more of its codes to the internet on purpose. The forum distributed these semi-legitimate codes for a while before realising that it was being influenced by the company it was trying to rip off. It then removed the codes from its site, unhappy that it was being tricked.

I suppose that the thrill of stealing disappears once you know that the apparent victim is glad that you are a potential customer merely sampling the goods.]

Monday 26 March 2012

Video: Microsoft raids hosting company

The first 45 seconds are the most interesting to my mind, mainly because you see the raid, albeit one without much physical resistance.


The rest of the footage is only interesting if the idea of internet crime is news to you.

How many dollars is a 'Like' worth?

Criminals are selling Facebook recommendations (by clicking the Like button) for $27 per 1,000 'Likes'.

Companies that wish to increase their visibility by promoting their profiles can pay individuals or groups to click the Like button using multiple accounts.

The particularly sinister part to this story is that the criminals don't set up lots of their own accounts. They have found it more efficient to take over victims' accounts and abuse those instead.

In a post on Kaspersky Labs' blog, which actually focusses on a security issue with Google Chrome extensions, Fabio Assolini notes that an extension called Trojan.JS.Agent.bxo is hosted on the official Google Chrome Web Store.

The malicious extension gains control of the victim's Facebook profile. Among other features, including the inevitable ability to spread itself, "the script also has commands to use the profile of the victim to 'Like' some pages."

The reason for this ability is to make money. Fabio includes a screenshot from a website that clearly offers a Likes-for-cash service.

Friday 23 March 2012

Howto: Use GPS coordinates with Google Maps

UPDATE: This article is for those who want to extract GPS coordinates from an image and plot the location in Google Maps. If you just want a quick and easy way to visualise an image's location, and you don't want to install any tools, I've now published a faster method (27/03/2012).

If you have a set of GPS coordinates that you want to convert into a real location here are some handy tips. The first one is not to use Windows Explorer in Windows 7 to obtain the coordinates!

Find the coordinates

Let's say that the coordinates have come from an iPhone, perhaps embedded in an image. You could use Windows 7 to find them, but you'll see incomplete data.

For example, an image's Properties dialog may reveal some metadata, including partial GPS coordinates.
This tells us that the image was taken at the following coordinates.
Latitude 19; 26; 13.19999999999...
Longitude 99; 8; 27.59999999997671
As we will see, this is actually so misleading as to be wrong.

Find the polarity

We need to know the polarity of the Longitude and Latitude. Unfortunately Windows 7 doesn't show you this crucial piece of information. As a result, in this example both values above are reported as being positive values - but actually they should not be.

You can discover this information using an image viewer capable of reading Exif data or using a tool like ExifTool.

Here is part of ExifTool's output, which is much more helpful than Windows 7's output:
GPS Latitude: 19 deg 26' 13.20" N
GPS Longitude: 99 deg 8' 27.60" W
If the Longitude value (99) were East (E) then the polarity would be positive (+), as reported by Windows Explorer. In this example it is West (W) so the polarity should be negative (-).

With Latitude you are looking at possible North (N) and South (S) values, which are positive and negative respectively. In this example the value is positive so Windows gets it right by accident.

To summarise:
Longitude (E): +
Longitude (W): -
Latitude (N): +
Latitude (S): -

Using Google Maps

Thus far we have some coordinates, as reported by Windows. We also have the polarity as reported by ExifTool:
Latitude 19; 26; 13.19999999999...
Longitude 99; 8; 27.59999999997671

Latitude: N
Longitude: W
You should be able to enter these figures into Google Maps and see where the photo was taken, but you need to make a few small changes first.

We'll shorten the last figures on each line to make things neat but the most important thing is to express the values in degrees, minutes and seconds. To do this replace each semicolon with a space like this:
Latitude 19 26 13.20
Longitude 99 8 27.60
Next, take the second figure from each set of values and add an apostrophe mark to show which figure is in minutes:
Latitude 19 26' 13.20
Longitude 99 8' 27.60
Suffix the final figure with a quote mark, to define the seconds and make the second set of values (Longitude) negative if its polarity is W:
Latitude 19 26' 13.20"
Longitude -99 8' 27.60"
Finally, express the coordinates in one line, without the Latitude and Longitude labels:
19 26' 13.20" -99 8' 27.60"
Alternatively you can state the coordinates using the North and West labels (but remove the minus sign) like this:
19 26' 13.20" N 99 8' 27.60" W
Paste either of the above sets of coordinates directly into the Google Maps search box and you will see the location on a map or satellite photo.

Google Maps can find a location using GPS coordinates
Note: To extract coordinates from Google Maps right-click on a location and choose 'What's here?' from the drop-down menu. The search box will now contain the coordinates of that location.
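The conversion walked through above (and the hemisphere problem behind the Exif-viewer shortcut in the 27 March post) is mechanical enough to script. The following is an added example, not code from the post or from ExifTool: it parses both the semicolon form Windows 7 shows (which needs the N/S/E/W reference supplied separately, because Windows drops it) and ExifTool's default `deg/'/"` form, then produces the two Google Maps strings from the post and signed decimal degrees. The sample values are the ones from the post.

```python
import re

# Windows 7 shows "19; 26; 13.19999999999..." and gives no hemisphere;
# ExifTool shows 19 deg 26' 13.20" N. Both forms are handled here.
_WINDOWS_RE = re.compile(r"(\d+)\s*;\s*(\d+)\s*;\s*(\d+(?:\.\d+)?)")
_EXIFTOOL_RE = re.compile(r"(\d+)\s*deg\s*(\d+)'\s*(\d+(?:\.\d+)?)\"\s*([NSEW])")


def parse_windows_dms(text, ref):
    """Parse the semicolon form shown in Windows Explorer's Properties box.
    Windows omits the hemisphere, so the caller passes the N/S/E/W reference
    obtained elsewhere (for example from ExifTool)."""
    m = _WINDOWS_RE.search(text)
    if not m:
        raise ValueError("not a Windows-style coordinate: %r" % text)
    d, mi, s = m.groups()
    # Trim the floating-point noise (13.19999999999 -> 13.20).
    return int(d), int(mi), round(float(s), 2), ref


def parse_exiftool_dms(text):
    """Parse ExifTool's default output, e.g. GPS Longitude: 99 deg 8' 27.60" W."""
    m = _EXIFTOOL_RE.search(text)
    if not m:
        raise ValueError("not an ExifTool coordinate: %r" % text)
    d, mi, s, ref = m.groups()
    return int(d), int(mi), float(s), ref


def to_decimal(dms):
    """Degrees/minutes/seconds to signed decimal degrees: S and W are negative."""
    d, mi, s, ref = dms
    value = d + mi / 60.0 + s / 3600.0
    return -value if ref in ("S", "W") else value


def _fmt(dms):
    d, mi, s, _ref = dms
    return "%d %d' %.2f\"" % (d, mi, s)


def google_maps_signed(lat, lon):
    """The 19 26' 13.20" -99 8' 27.60" form: a minus sign carries S or W."""
    parts = []
    for dms in (lat, lon):
        sign = "-" if dms[3] in ("S", "W") else ""
        parts.append(sign + _fmt(dms))
    return " ".join(parts)


def google_maps_labelled(lat, lon):
    """The 19 26' 13.20" N 99 8' 27.60" W form: letters, no minus sign."""
    return "%s %s %s %s" % (_fmt(lat), lat[3], _fmt(lon), lon[3])


if __name__ == "__main__":
    # Constructed inputs using the values quoted in the post.
    lat = parse_exiftool_dms("GPS Latitude: 19 deg 26' 13.20\" N")
    lon = parse_exiftool_dms("GPS Longitude: 99 deg 8' 27.60\" W")
    print(google_maps_signed(lat, lon))
    print(google_maps_labelled(lat, lon))
    print("%.6f, %.6f" % (to_decimal(lat), to_decimal(lon)))
    # The Windows form only works once the hemisphere is supplied by hand.
    w_lon = parse_windows_dms("Longitude 99; 8; 27.59999999997671", "W")
    print(google_maps_signed(lat, w_lon))
```

If you have ExifTool anyway, its `-n` switch prints the signed decimal values directly, which skips the whole reformatting exercise; the point of the script is to make the Windows pitfall explicit, since a coordinate with the wrong sign lands on the other side of the planet.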

0-day a criminal or media obsession?

[0-day (ō dā) n. 1. A generally undisclosed security hole in software.]

1. Do criminals, spies and cyber-warriors want to know about zero day (0-day) vulnerabilities?

- Undoubtedly.

2. Do they spend vast amount of time seeking them out and developing exploits?

- Doubtful.

Which of the two statements above is more exciting for a journalist to follow up on?

I'd say the first. The concept of shady organisations knowing something that no one else does, and then using that knowledge to perform movie-style techno-magic is intriguing.

The truth, depending on who you talk to and believe, is altogether more mundane.

Earlier this year, at the Kaspersky Threatpost Security Analyst Summit, I was talking to Greg Hoglund about targeted attacks. You might imagine that this type of attack would be at the cutting edge of malware. However, Greg said that, "a lot of what we see is not 0-day. The victims aren't patching."

(left to right) Greg Hoglund, Simon Edwards, Paul Judge, Karthik Raman and Terry McCorkle

This makes complete sense when you understand that criminals and others are having plenty of success using fairly well-known threats. Why run when you are not being chased?

Dancho Danchev has compiled a sound analysis of the situation in his article Seven myths about zero day vulnerabilities debunked.

[How many people have to know about an 0-day before it's not an 0-day any more?]

Blogger and Google+

This morning Blogger asked me if I wanted to combine the account with my Google+ account.

I've largely ignored Google+ since it became obvious that TweetDeck, the tool I use for monitoring the limited number of social media networks I sign up to, was probably never going to support posting to Google+. After all, Twitter owns TweetDeck now and why would it add support for the competition?

However, there is now the possibility of having blog posts sent automatically to Google+. That is actually more convenient than pasting a headline and short comment into Twitter.

[You know, three years ago I would have read the above and just gone, "what?!" I don't know if I was better off in those days...]

Thursday 22 March 2012

Art critic vs. security consultant

An artist has produced an oil painting "inspired by three viruses that were in the news at the time."

Bratsa Bonifacho’s Horty MyParty is Weird and CoolNow is a red and blue montage of letters and punctuation marks.

The characters are disfigured, disoriented and generally jumbled, although they retain their rigid position in a grid.

I suppose we might imagine an image of a computer program suffering some corruption.

Ann Rosenberg, a Vancouver-based critic and curator, wrote an article about the piece but was unable to discover information on the viruses that the work refers to:
"I have not found any evidence of them. But Googling up Horty and his putative party has been a visual treat and a mental roller-coaster."
However, Sophos' Graham Cluley has found the relevant details, stating that:
"it is apparently inspired by a number of viruses from yesteryear including VBS/Horty (which claimed to offer pornographic content of adult film star Jenna Jameson), 2002's MyParty email worm, and the CoolNow MSN Messenger worm."
Cluley acknowledges that he has less of a clue about art than viruses, though, and takes what I interpret to be a mocking tone when he says:
"Golly. What a chance I missed entering the field of computer security rather than art criticism. A layman like me wouldn't have understood that Bonifacho "communicates and expresses essentially non-verbal thoughts and emotions abstractly, within the discipline of formalism - through colour and shape, gesture and surface.." unless I had visited his website."

Wednesday 21 March 2012

Targeted adverts strip your privacy

Targeted advertising walks a fine line between being useful and being creepy. As I wrote a while back, one close experience of targeted advertising raised my hackles and I imagine the same goes for others too.

Now it seems that adverts served from Android apps could be even more intrusive than those found on some websites.

Bit9 has written an article about how this can compromise both your privacy and even your device. Summarising a paper by Xuxian Jiang, the piece notes that adverts sometimes track users' GPS coordinates, while one particularly insidious example could be controlled remotely.
"The most concerning factor was the unsafe fetching and loading of dynamic code without user permission or control. Out of these ad libraries, 48,319 tracked GPS location; 18,575 tracked the identity of the phone; and 4,190 let advertisers track users via GPS. Not only were these apps pulling information like GPS/location data, but they were also attributed with aggregating personal information, call logs, account information, and phone numbers. One actually downloaded suspicious payloads, which allowed the host app to be remotely controlled by the ad in question."
The paper itself summarises the functions available in a number of ad libraries, which app developers can embed into their programs. Some are able to initiate phone calls, send text messages and even load classes. The vast majority were capable of reading the device's location data (i.e. GPS coordinates).
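The capabilities the paper lists (location, phone identity, call logs, accounts, calls, text messages) each correspond to a permission an app has to declare in its manifest, and an ad library can only use what its host app has requested. As an added example (not code from Bit9, the paper or the post), here is a small audit over a decoded AndroidManifest.xml that lists the watched permissions and flags the ones a given app's stated purpose does not explain. The manifest below is constructed for a hypothetical torch app; obtaining a readable manifest from an APK with a decoder such as apktool is an assumption about the workflow. Dynamic class loading, the behaviour the quote is most worried about, does not show up in the manifest at all, which is the caveat: a clean permission list is necessary but not sufficient.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android permission names, grouped by the ad-library capabilities the
# post lists (location, phone identity, call logs, accounts, calls, SMS).
WATCHED = {
    "android.permission.ACCESS_FINE_LOCATION": "read precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "read approximate location",
    "android.permission.READ_PHONE_STATE": "read phone identity and number",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.GET_ACCOUNTS": "read account information",
    "android.permission.CALL_PHONE": "initiate phone calls",
    "android.permission.SEND_SMS": "send text messages",
}

# Constructed manifest for a hypothetical torch app. A real one would come
# from an APK decoded back to XML (assumption about the workflow).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Torch"/>
</manifest>
"""


def permissions(xml_text):
    """Every permission the manifest requests, in document order."""
    root = ET.fromstring(xml_text)
    return [e.get(NAME_ATTR) for e in root.iter("uses-permission")]


def audit_manifest(xml_text):
    """(permission, capability) pairs for the watched permissions only."""
    return [(p, WATCHED[p]) for p in permissions(xml_text) if p in WATCHED]


def looks_excessive(xml_text, expected):
    """Watched permissions the app's stated purpose does not account for.
    `expected` is the set of permissions the developer says the app needs."""
    return [p for p, _ in audit_manifest(xml_text) if p not in expected]


if __name__ == "__main__":
    for perm, capability in audit_manifest(SAMPLE_MANIFEST):
        print("%-45s %s" % (perm, capability))
    # A torch only needs the network for its adverts; everything else is odd.
    print("unexplained:", looks_excessive(
        SAMPLE_MANIFEST, {"android.permission.INTERNET"}))
```

The interesting output is the third list: a torch that wants GPS, the phone's identity and the ability to send SMS is either badly written or carrying a library whose interests are not the user's.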

I am sure that some companies will be able to work out how to provide a useful targeted advertising service. I'm just yet to see one.

Android "most attacked" mobile operating system

Tom's Guide reports that the Android operating system is now under heavy attack in comparison to other mobile platforms.

When the article mentions 'threats' it means individual Trojans in almost all cases. Viruses and worms don't really feature at all in recent years.
"The number of threats directed at Android in 2011 was a sharp increase from only 9 threats in 2010 -- only trumped by the number of threats for Symbian in 2006 (188) and 2005 (125). Since 2004, F-Secure listed a total of 710 security threats for mobile device. 525 of those affect Symbian, 125 Android, 40 PocketPC, 18 J2ME and 2 iOS. The vast majority of all mobile threats were trojans (519 overall, 136 in 2011). Viruses (56 total) have not been seen since 2007 and worms (38 total) appear to have been abandoned as well."
It will be interesting to see if/when the latest Windows mobile operating system appears on the chart.

Basic QR code safety

McAfee has issued some basic security advice regarding QR codes. It's a very short article with a minimal amount of marketing content.

It should no longer be a surprise that QR codes are potentially dangerous. They can be used to offend*, defraud or even compromise the security of your phone, PC or tablet.

I've published a few pieces on QR codes here.

McAfee makes the following sensible points:
  • Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.
  • If you arrive on a website via a QR code, never provide your personal or log in information since it could be a phishing attempt.
  • Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.
  • Use complete mobile device security software, like McAfee® Mobile Security, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.
* Could a QR code offend someone? How about if you encoded a QR code for a shock site and stuck it on a billboard advertising something more attractive? When someone scans it, they will (or should) be offended pretty fast!
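The third of McAfee's points, previewing the URL before acting on it, is the one a reader app can actually enforce. As an added example (not code from McAfee or the post), here is the classification a preview step would perform on a decoded QR payload: it separates plain text from web links and from schemes that make the phone do something (dial, message, join a network), and for web links it collects the warnings a user should see first. The payloads in the test are constructed; the checks are ordinary URL hygiene rather than anything specific to a product.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes a phone acts on (dial, message, install, join a network, open a
# map) rather than showing a page. A reader should present these as actions.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent", "wifi", "geo"}


def preview(payload):
    """Classify a decoded QR payload and collect warnings for the user.

    Returns (kind, warnings). kind is "text", "action:<scheme>" or
    "web:<host>", which is what a reader should display before doing anything.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return ("action:" + scheme,
                ["'%s:' performs an action on the phone instead of opening a page"
                 % scheme])
    if scheme not in ("http", "https"):
        return "text", []  # not a link at all; nothing to fetch

    host = parts.hostname or ""
    warnings = []
    if scheme == "http":
        warnings.append("plain http: the page can be altered on the way")
    if parts.username is not None:
        # Everything before '@' is a login name, not the site being visited.
        warnings.append("text before '@' is a login name; the real site is %s" % host)
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address rather than a named site")
    except ValueError:
        pass
    return "web:" + host, warnings


def is_safe_to_open_automatically(payload):
    """A reader that auto-opens links should only do so for a clean https link."""
    kind, warnings = preview(payload)
    return kind.startswith("web:") and not warnings


if __name__ == "__main__":
    # Constructed payloads of the kinds a reader might decode.
    for sample in ("https://www.example.com/promo",
                   "http://192.0.2.10/promo",
                   "https://bank.example@evil.example/login",
                   "tel:+441234567890",
                   "WIFI:S:cafe;T:WPA;P:secret;;",
                   "Just some printed text"):
        kind, warnings = preview(sample)
        print("%-45s %-20s %s" % (sample, kind, "; ".join(warnings) or "ok"))
```

Note that the "login name before @" case is exactly why the first point on the list matters: the part of the URL a person reads first is the part they are least entitled to trust.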

Thursday 15 March 2012

Renew anti-virus with massive discounts

I've noticed that it's very easy to save a lot of money when renewing anti-virus software.

Earlier today I renewed my home anti-virus product of choice. Instead of £30 it cost me less than £10. I didn't use any illegal cracking techniques or serial code generators. Here's how you can save money too...

If you follow the usual instructions or procedures provided by the vendor, such as clicking a 'Renew' button and entering credit card details into the official website, you'll end up spending the maximum amount of money. Don't do this.

You could simply re-buy the software from an online store like Amazon, and you'll usually get a reasonable discount, perhaps 20 per cent off. You can even find good deals in the remaining high street shops. If you see a good deal then this is a risk-free approach.

However, the really killer deals become available when you realise that most of the popular vendors allow you to upgrade from one version to another for free, as long as you have a valid license. This is what I do.

In many cases you can buy last year's version of the software and use the license key to renew the current version. You can find discounts of 60 per cent or more.

Let's say that your licence for Acme Internet Security 2012 is about to elapse. You could:

  1. Renew using the official route. This would cost £24.99.
  2. Buy a boxed version of Acme Internet Security 2012 from Amazon and type in the license code. This costs £19.99 (20% discount).
  3. Buy a boxed version of Acme Internet Security 2011 from Amazon and type in the license code. This costs £9.99 (60% discount).
Assuming that Acme allows users to upgrade from the 2011 version to the 2012 version (which is how many vendors operate), option three would save you two thirds of the standard price.

Wednesday 14 March 2012

The dangers of hidden data

Download this issue of Secureview for free
Whether it's nuclear war secrets or embarrassing photos you never thought would see the light of day, information has a way of finding its way into the wrong hands, time and time again.

In an article that covers weapons of mass destruction, nuclear submarines, formula one cars and personal photos, I examine why data is leaked and explore ways to avoid it.

The full feature is available in the latest edition of Kaspersky Labs' Secureview magazine, which is available for free to download.

There is also a bluffer's guide/Devil's Dictionary-style definition of mobile encryption in the Crib Notes page at the back of the magazine.

Secureview is usually distributed in PDF format but those fortunate enough to have attended the RSA Conference 2012 (USA) had the opportunity to pick up a printed copy from Kaspersky's stand.