Trojan-Downloader:OSX/Flashback.C
Source: F-Secure.com
| Detection Name: | Trojan-Downloader:OSX/Flashback.C |
| Category: | Malware |
| Type: | Trojan-Downloader |
| Platform: | OS X |
Summary
Disinfection
Manual Removal Instructions
- Scan the whole system and take note of the detected files
- Remove the entry
  <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
  <string>%path_of_detected_file_from_step_1%</string></dict>
  from:
  - /Applications/Safari.app/Contents/Info.plist
  - /Applications/Firefox.app/Contents/Info.plist
- Delete all detected files
Additional Details
Trojan-Downloader:OSX/Flashback.C poses as a Flash Player installer and connects to a remote host to obtain further installation files and configurations.
Screenshot of the Trojan-Downloader:OSX/Flashback.C installer.
To complete its installation/infection, Flashback.C requires the user to key in the administrator password.
On installation, the installer first checks if the following file is found in the system:
- /Library/Little Snitch/lsd
Little Snitch is a firewall program for Mac OS X. If the program is found, the installer will skip the rest of its routine and proceed to delete itself.
If the trojan is cleared to proceed, it connects to a remote host, identified as http://[…]93.114.43.31/counter/%encoded_strings%, with the decoded string following this format:
- %Hardware_UUID% | %machine_architecture% | %kernel_version% | %encoded_md5%
The %encoded_md5% is the hash of the following string:
- %hardware_UUID%Jiangxi
As of this writing, the remote host is up but it does not push anything.
Payload
The installation files and configuration returned by the host are encrypted using RC4, with the MD5 hash of the infected system's Hardware UUID used as the key. The decrypted content follows this format:
- %encoded_payload_filename% | %encoded_payload_content%
The installer drops copies of the payload to the following locations:
- /Applications/Safari.app/Contents/Resources/%payload_filename%
- /Applications/Firefox.app/Contents/Resources/%payload_filename%
A DYLD_INSERT_LIBRARIES environment variable is also added to the targeted browsers as a launch point, so that the browser loads the payload library every time it starts. This is done by inserting an LSEnvironment entry into the corresponding Info.plist of each browser.
Example:
- The following line is inserted into "/Applications/Safari.app/Contents/Info.plist":
  <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
  <string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>
- The following line is inserted into "/Applications/Firefox.app/Contents/Info.plist":
  <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
  <string>/Applications/Firefox.app/Contents/Resources/%payload_filename%</string></dict>
The installer then restarts any running instances of Safari and Firefox so that the payload takes effect.
The installer also disables the built-in anti-malware feature in Mac OS X. It unloads the XProtectUpdater daemon, and then wipes out the following files:
- /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
- /usr/libexec/XProtectUpdater
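The LSEnvironment launch point described above is also what the manual removal steps tell you to strip out. The following script, added here as an example and not part of the F-Secure write-up, shows how a responder can check a browser's Info.plist for a DYLD_INSERT_LIBRARIES entry and produce a cleaned copy; the embedded plist and the PAYLOAD_PLACEHOLDER filename are constructed sample data, and check_bundle_plist is a hypothetical helper for running the same check against a real file.

```python
import plistlib

# Constructed sample Info.plist shaped like the entry the report describes;
# the payload filename is a placeholder, not a real indicator.
SAMPLE_INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/Safari.app/Contents/Resources/PAYLOAD_PLACEHOLDER.dylib</string>
    </dict>
</dict>
</plist>
"""

def find_injected_libraries(plist_bytes):
    """Return the library paths named in LSEnvironment/DYLD_INSERT_LIBRARIES,
    or an empty list if the plist has no such launch point. The variable may
    hold several colon-separated paths, so each one is reported separately."""
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    return [p for p in value.split(":") if p]

def remove_launch_point(plist_bytes):
    """Return the plist with DYLD_INSERT_LIBRARIES removed (and LSEnvironment
    dropped entirely if nothing else remains in it), serialised back to XML.
    All other keys are left untouched."""
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if isinstance(env, dict):
        env.pop("DYLD_INSERT_LIBRARIES", None)
        if not env:
            del info["LSEnvironment"]
    return plistlib.dumps(info, fmt=plistlib.FMT_XML)

def check_bundle_plist(path):
    """Hypothetical helper: read a real Info.plist from disk and report any
    injected libraries, e.g. check_bundle_plist('/Applications/Safari.app/Contents/Info.plist')."""
    with open(path, "rb") as f:
        return find_injected_libraries(f.read())

if __name__ == "__main__":
    for lib in find_injected_libraries(SAMPLE_INFECTED_PLIST):
        print("DYLD_INSERT_LIBRARIES launch point found:", lib)
    print("after cleaning:", find_injected_libraries(remove_launch_point(SAMPLE_INFECTED_PLIST)))
```

Any path reported by find_injected_libraries is the file to submit for scanning and delete in the final removal step; write the cleaned bytes back only after the referenced library has been confirmed as malicious.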
iPhone hack lets you eavesdrop on PC typing
A research team has developed a hack where iPhones can be used to detect what is being typed on nearby keyboards
Researchers at the Georgia Institute of Technology have turned an iPhone into a spy tool with a hack that allows the phone to determine what is being typed on keyboards nearby.
The typing detection works by “using a smartphone accelerometer – the internal device that detects when and how the phone is tilted – to sense keyboard vibrations as you type to decipher complete sentences with up to 80% accuracy,” according to the Institute.
Source: MyBroadBand.co.za
Seminar Invite: NSA’s View of Wireless Security Risks – Nov. 9th
DATE: Nov. 9, 2011 | LOCATION: Tysons Corner, VA
Wireless technology is exploding in popularity. Businesses are not only migrating to wireless networking, they are steadily integrating wireless technology into their wired infrastructure. This explosion has given momentum to a new generation of hackers who specialize in inventing and deploying innovative methods of hijacking wireless communications.
Hackers armed with tools such as file2net, MDK3, Aircrack-ng, Karma, Karmetasploit, Jasager, JasagerPwn, Satanic AP, Scapy, sslstrip, Sidejacking, Firesheep, Interceptor are launching attacks on networks that a year ago were said to be unbreakable. Adding to the confusion is the increase in rogue wireless devices including stealth rogues, soft APs, wireless-enabled laptops and smart-phones, and neighboring wireless networks that bleed over combining hostile rogues with friendly or unconnected networks.
Attend this complimentary live seminar hosted by Motorola AirDefense Solutions featuring experts from the National Security Agency (NSA) where they demonstrate today’s current wireless hacking tools and techniques and best practices that organizations can adopt to secure wireless networks.
SEMINAR AGENDA
NSA’s View of Wireless Security Risks – Michael Stone, Chief – Applied Mitigations, Information Assurance Directorate (IAD), National Security Agency (NSA)
- Overview of secure WLAN initiatives
- Vulnerabilities/risks addressed by various security components
Next-Generation Wireless LAN Risks & Defenses – Kent Woodruff, Chief Security Analyst, Motorola AirDefense
- Evolving wireless LAN threats & attack sophistication
- Common WLAN attacks demonstrated – PSK cracking, Stealthy Rogues, JasagerPwn (with Metasploit, fakeupdate and sslstrip), Sidejacking, FakeAP with Airbase-ng and mdk3, Scapy
- Best practices for wireless LAN security & compliance
Live Q&A
Security Configuration Management – The Keys to the Digital Kingdom
IT security configurations serve as the keys to the digital kingdom of your organization’s IT infrastructure and its valuable data. Yet if you examined almost any enterprise organization, you’d find poor configuration settings. What’s more, you’d find little or no integration between configuration solutions and other IT security controls, when they can so clearly be leveraged to increase defensive posture.
Why is managing security configurations so difficult, and what can IT security do about it?
Join IANS faculty member, Diana Kelley on Wednesday, October 26th at 10AM Pacific (1PM Eastern) and learn:
- How hardened configuration files protect your organization’s valuable data by denying hackers the keys to get in
- Examples of poor configuration, including complex configuration errors, and their consequences
- Which capabilities define security configuration management (SCM), and a practical approach to implementation
Register for this webcast, then listen and learn how you can use SCM to protect your digital kingdom.
WEBCAST: SCM – The Keys to the Digital Kingdom
DATE: Wednesday, October 26th, 2011
TIME: 10 AM Pacific / 1 PM Eastern
Thomas Ryan Outed As Occupy Wall Street Snitch
Gawker introduces Thomas Ryan, a man who worked as a snitch for the NYPD and FBI to keep authorities abreast of Occupy Wall Street’s activities and plans.
Ryan got emails sent to members of one of Occupy Wall Street’s mailing lists and sent them to law enforcement members and others interested in what organizers were up to, according to Gawker.
Cyber Security DC Live Oct 14 2011
In case you missed it, check out last week’s Facebook Live cybersecurity panel discussion featuring Facebook Chief Security Officer Joe Sullivan, National Cyber Security Alliance Executive Director Michael Kaiser and Facebook Security Guide co-author Linda McCarthy:
www.livestream.com