Last week we spoke about the Boonana cross-platform malware, using a malicious Java applet to deliver a cross-platform attack that attempts to download further malware to computers running Windows, Unix and Mac OS X.
Since then some we have seen variants of the original Boonana attack. The samples we have seen have been functionally the same, with the hackers behind them seemingly having obfuscated their code to try and waltz around detection.
Their attempts haven’t been good enough to get past Sophos’s products so far (including our new free anti-virus for Mac home users), and we haven’t had to update our generic detection method.
In the samples we have analysed to date, the attack specifically targets Windows and Mac OS X systems, and just happens to infect other platforms that run Java. Depending upon the flavour of Unix, it doesn’t usually complete its ‘life cycle’ if you’re not running Windows or Mac OS X systems.
Of course, we will update our detection of Troj/Boonana should we see new variants that require it.
In the meantime, watch this video I made last week demonstrating the original version of this attack on Windows, Mac OS X and Ubuntu:
What is the Windows Shortcut Exploit?
The Windows Shortcut Exploit, also known as CPLINK, is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link, known as an .lnk file, to run a malicious DLL file. The dangerous shortcut links can also be embedded on a website or hidden within documents.
Since confirmed by Microsoft, there exists a vulnerability in versions of Windows which allows a maliciously-crafted Windows shortcut file (.lnk) run a malicious DLL file, simply by being viewed on a USB stick.
Furthermore, the attack can be initiated automatically by viewing an affected USB storage device via Windows Explorer, even with AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.
You can watch the following YouTube video where Chet shows the attack in action:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.
What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring has increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the internet.
In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.
There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.
So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.
How to detect virus files?
Virus files now a days are more improved and hard to find than earlier, now some files have nice icon so user cant imagine that file is virus or unwanted. Normal Properties of virus or infected files, that always tries to connect internet and get other unwanted softwares or files to the victims computer.
Some Trojan files like Sality.AA copies its file to windows\system32 with same file size, so it can identify easily, some may in hidden, and creates files in all folder with same name as folder. For Example, i have a folder in C:\myfolder, when this trojan infect the system, creates files in that folder with name myfolder.exe with size ~499 KB, if we open that file nothing opens but system will get busy. Like that so many files where created in those Drives and folders.
A British scientist says he is the first man in the world to become infected with a computer virus.
Dr Mark Gasson from the University of Reading contaminated a computer chip which was then inserted into his hand.
The device, which enables him to pass through security doors and activate his mobile phone, is a sophisticated version of ID chips used to tag pets.
In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems.
If other implanted chips had then connected to the system they too would have been corrupted, he said.
Dr Gasson admits that the test is a proof of principle but he thinks it has important implications for a future where medical devices such as pacemakers and cochlear implants become more sophisticated, and risk being contaminated by other human implants.
“With the benefits of this type of technology come risks. We may improve ourselves in some way but much like the improvements with other technologies, mobile phones for example, they become vulnerable to risks, such as security problems and computer viruses.”
However, Dr Gasson predicts that wider use will be made of implanted technology.
“This type of technology has been commercialised in the United States as a type of medical alert bracelet, so that if you’re found unconscious you can be scanned and your medical history brought up.”
Professor Rafael Capurro of the Steinbeis-Transfer-Institute of Information Ethics in Germany told BBC News that the research was “interesting”.
“If someone can get online access to your implant, it could be serious,” he said.
Professor Capurro contributed to a 2005 ethical study for the European Commission that looked at the development of digital implants and possible abuse of them.
“From an ethical point of view, the surveillance of implants can be both positive and negative,” he said.
“Surveillance can be part of medical care, but if someone wants to do harm to you, it could be a problem.”
In addition, he said, that there should be caution if implants with surveillance capabilities started to be used outside of a medical setting.
However, Dr Gasson believes that there will be a demand for these non-essential applications, much as people pay for cosmetic surgery.
“If we can find a way of enhancing someone’s memory or their IQ then there’s a real possibility that people will choose to have this kind of invasive procedure.”
Dr Gasson works at the University of Reading’s School of Systems Engineering and will present the results of his research at the International Symposium for Technology and Society in Australia next month. Professor Capurro will also talk at the event.
By Rory Cellan-Jones, http://news.bbc.co.uk
Video Source : Websense Security Labs
If you got some posts from your friends in your facebook wall that says “YOUR NAME, THIS IS WITHOUT DOUBT THE SEXIEST VIDEO EVER! …” with a link “Candid Camera Prank! [HQ]“, like this picture.
If you click on the link then “Allow” it will get your private information and posts at all your friends wall the same message, see this picture.
To protect your self when you receive the same message in your wall, don’t click on the link and click on Remove button on the right.
Take Care, Virus Experts Team.
This McAfee Antivirus Plus provided by EMC-IOMEGA,no need product key and download software client and run the installer only.
Go to this web page and click ‘Download’ icon,then enter in your name,email and password,click ‘I Agree’.
A print receipt set up for you and click ‘Download’.You need go to your email inbox and getting email sending by McAfee,click the activation link.
Click ‘Download’ icon after success activate the link,follow the instruction to process and you will getting McAfee Antivirus Plus for six months.
Source : techgravy.net
Pinhead or HellRTS? What’s in a name?
Mac malware is making the headlines again – this time in the form of a remote access trojan which has been given the name OSX/HellRTS.D by French security firm Intego.
The folks at Intego blogged about the new Mac threat they discovered, which when run on a Mac OS X computer can allow remote hackers to gain access.
Users of Sophos Anti-Virus for Mac are protected, as we detect the malware as OSX/Pinhead-B, but presently it looks like this is not considered a serious threat and we have received no reports of infections from customers.
It does, however, appear to have been distributed disguised as iPhoto, the photo application which ships on modern Mac computers. This is clearly an attempt to fool victims via a social engineering trick into installingt the malicious code on their computers.
As always, be careful about the origin of applications you run on your computer, and keep your protection up-to-date. As many Mac users do not presently run any anti-virus software at all, they could be considered a soft target for more attacks like this in the future.
There’s a lot less malicious software for Mac computers than Windows PCs, but the fact that so many Mac owners don’t take security seriously enough might encourage an increasing amount of crime on their platform going forward.
By Graham Cluley, Sophos