Monthly Archives: October 2007

Mac users are being targeted in a porn trojan social engineering attack


Miscreants have released a sophisticated Trojan into the wild that targets Mac users, according to Intego, a company that markets security software that runs on OS X.

The malicious Trojan, dubbed OSX.RSPlug.A, is making the rounds on several porn websites. When Mac users try to view some videos, the site feeds them a page that says QuickTime is unable to play the file unless a special codec is installed first. If the user proceeds, a form of DNSChanger is installed that hijacks some web requests sent to eBay, PayPal and some banking websites, according to this write-up from Intego.

“The noteworthy part is that someone is targeting the [Mac] OS,” said Randy Abrams, a security researcher at antivirus software provider Eset. “This may mean that the OS is beginning to gain enough users to be attractive to attackers.”

The Trojan installs a root crontab that makes minute-by-minute queries to check that the doctored DNS server is still active. The websites offer different versions of the malware, most likely to tailor web spoofing to the victim’s particular country. There is no way for victims running 10.4 to see the changed DNS server in the OS X GUI. In 10.5, the DNS server is visible in the Advanced Network preferences, but the added servers are dimmed and can’t be removed manually.
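Because the GUI hides or dims the added resolver, the two symptoms described above are easier to spot from the command line. The following POSIX shell script is an added example, not code from the article or from Intego: it flags any nameserver not on an expected list and any root cron job scheduled every minute. The resolv.conf and crontab contents are constructed samples, and the 203.0.113.45 address and the /tmp path are placeholders.

```shell
#!/bin/sh
# Added example: flag the two symptoms described above, a resolver that is
# not on the expected list and a root cron job that runs every minute.
# Both inputs are constructed samples, not data from a real infection.
SAMPLE_RESOLV='# Generated by scutil (constructed sample)
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 203.0.113.45'

SAMPLE_CRONTAB='# root crontab (constructed sample)
0 3 * * * /usr/sbin/periodic daily
* * * * * /tmp/constructed-dns-check.sh'

# Read resolv.conf-style text on stdin and print every nameserver that is
# not in the space-separated allow-list given as $1. Returns 1 if any found.
unexpected_resolvers() {
    allow=" $1 "
    found=0
    while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        case "$allow" in
            *" $value "*) ;;                      # expected resolver
            *) echo "unexpected resolver: $value"; found=1 ;;
        esac
    done
    return $found
}

# Read crontab text on stdin and print the command of every entry whose
# schedule is "* * * * *" (every minute). Returns 1 if any found.
every_minute_jobs() {
    found=0
    while read -r min hour dom mon dow cmd; do
        case "$min" in "#"*|"") continue ;; esac   # skip comments, blanks
        if [ "$min $hour $dom $mon $dow" = "* * * * *" ]; then
            echo "every-minute job: $cmd"
            found=1
        fi
    done
    return $found
}

# Stand-alone demo over the constructed samples.
if printf '%s\n' "$SAMPLE_RESOLV" | unexpected_resolvers "192.168.1.1 192.168.1.2"; then
    echo "resolvers: all expected"
fi
if printf '%s\n' "$SAMPLE_CRONTAB" | every_minute_jobs; then
    echo "crontab: no every-minute jobs"
fi
```

On a live machine, feed the functions /etc/resolv.conf and the output of `sudo crontab -u root -l` instead of the constructed samples.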

Apple PR representatives didn’t respond to an email seeking comment for this story.

A barrage of spam posted to Mac forums invites readers to visit the malicious websites. The Trojan requires victims to enter the administrative password for their machine, a factor that is likely to mitigate the risk somewhat. Then again, Windows users have for years been tricked into installing malware that can wreak havoc on their PCs. We see no evidence that Mac users are any less resilient to social-engineering attacks.



Fraudware: IE Defender

I see on one of my mailing lists that there has been an upsurge in reported infections by a fraudware known as IE Defender.

A description of the fraudware (including screenshots) and cleanup instructions can be found here - thankfully it’s easy enough to remove. 

Note the various tricks the product uses to fool victims into purchasing the product – the pop-ups warning of a non-existent infection on computers, the fake info-bar and web browser error page, and the hijacked Google and Yahoo searches with fake results.

While you’re at bleepingcomputer, you should check out the other information that is available there – it’s an excellent resource of descriptions and screenshots of various malware and fraudware, as well as clean-up tools.

Thanks to Lawrence for putting the article together…


IE7 phishing filter success…

Hi all,

According to the latest mail-out by the Windows Team at Microsoft Australia (“Exploring Windows”), the IE7 phishing filter is now preventing nearly one million visits per week to known dangerous websites – that’s one million potential malware infections, one million potential financial thefts, one million potential identity thefts.

The October 2007 mail-out also features my article “Better Browsing“, which is cool.

If you have not upgraded to IE7 yet, why not?  It’s been more than a year, now, since IE7 was first released and I would hope that most sites and add-ons would have been updated by now to work with IE7.

If you have a business application that is preventing you from upgrading, then I encourage you to talk to your vendor about when an upgrade will be made available – IE7’s safety improvements are simply too important in the current Internet threat environment. Granted, IE7 is not a panacea (look at the recent Adobe / IE7 / Windows XP vulnerability), but in the current environment of iframe exploits, browser-hijacking Flash based advertisements, drive-by downloads and phishing, your users need all the help they can get.

If you would like to subscribe to the Microsoft Australia “Exploring Windows” newsletter you can do so here (you’ll need a passport ID).


Google: another sign of the next Evil Empire?

Check this out:

“During the first hour or so, I needed to search for something. Live Search was the only provider, as would be expected. Sometime later, I decided to add Google as a search option. But when I clicked on the Microsoft link to “find more providers,” IE 7 went to a Google search page. I also found Google to have been added as a second search option, but not by me. The redirection meant that I couldn’t directly add other search providers. I had two choices: Google and Windows Live Search.

Does this strike anyone else as strange coincidence? Google becomes a second search provider, and redirection to a Google search page prevents the addition of more providers?

Google has loudly squawked about IE 7 search—that Microsoft leveraged its monopoly in an anti-competitive way. I don’t agree. Windows XP users upgrading to IE 7 keep their IE 6 search defaults. For Vista, the OEM decides the search defaults. On Dell PCs, Google is the default. In addition, IE 7’s feature for adding more search providers is strikingly similar to Firefox. If it’s good enough for Firefox, surely IE 7 is good enough, too.

I long have believed that Google accused Microsoft of what it is guilty [of]: cutting deals where it is the exclusive search provider. Microsoft won’t do that because of its monopoly. Microsoft got into legal trouble for exclusive deals during the browser wars with Netscape. Those days are gone. Microsoft goes for choice in search (at least so far), contrary to Google allegations.”

The redirection of “add more search providers” to block out all competitors and allow only Google is not something I have heard of before, and it worries me. Don’t get me wrong – I haven’t got a lot of respect for Joe – some of the stuff he has said over the years has been utter bullshit.. but if he is saying that he has been hijacked by Google, whether it be by his own mistake or Google doing the wrong thing… well, if Joe, a supposed professional, is confused.. where the hell does this leave the vast majority of users who are naïve?

Joe is not the only person to experience problems where Google seems to be a player. Read here.

I click on the expander icon to the right of the search box.
I click “Change Search Defaults.”
I only saw Google in the list, so I clicked “Remove” – this doesn’t work as I need to find another search provider first, Microsoft tells me.
I click on “Find more providers…” at the bottom of the dialog.
The dialog closes… and nothing happens.

And here, by Pierre on May 23, 2007 at 12:45 AM:

everything was fine until I clicked find more providers. I get sent to a Google search page.{searchTerms}&{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7. I do not want anything related to google, but google won’t let me change it. How do I force another search provider around the evil google? :)

I know that Gateway has ties with Google.. cite this link.

It has been a long time since I have believed that Google truly intend to abide by their “do no evil” mantra (my apologies if I have not got the mantra quite right).

Oh, and did you hear about the latest scandal about Google’s oops MySpace’s Tom Anderson lying about his age for all these years? I have this rule, you see, for when I interact with people… and that rule is “if I can’t trust you with the little things, I can’t trust you with the big things”. Ok, so for me, *age* is a little thing, although for Tom it seems to have been a big thing… but, if the guy is willing to build an entire personality based on a 3 year time difference, and seemingly doesn’t have a problem with that… then how can I trust him to walk the hard road when faced with something *really* important.

Admin announcement

The signal to noise ratio with regard to trackbacks and pings has gotten so bad that I have (reluctantly) disabled Trackbacks. So much crap was coming through, so often, that I had no choice. The spammers have finally worked out that, at least for CS, even if comments are all set to ‘must be approved’, trackbacks and pings are still automatically published.

It sucks, but such is life. Until such time as Telligent wake up to themselves, drag their sorry asses into the real world, and give us the ability to manage trackbacks like we can manage comments, then the status quo will have to remain.



On Leopard, Part 4

OK, the first of the Leopard How-To’s is now posted: Connecting a Macintosh running Mac OS 10.5 to an SBS 2003 Server is now online. There are some key differences between this version of the Mac OS and previous versions, but nothing really earth-shattering. In fact, it’s quite a bit easier to get the Mac connected. If it weren’t for SMB signing, it would really be a piece of cake. Oh well.

I’ve run into a couple of other interesting hiccups related to Leopard installation, and I’ll be posting about those as well when I get more concrete information about the issues.

In the meantime, as I did when Vista came out, I’m recommending that people hold off from installing Leopard on their existing systems, especially on a business-critical machine. Give the bleeding edge folks a little time to ferret out some of the issues that didn’t come up in beta testing and get fixes or workarounds before trying to install. I’m probably going to stick with my recommendation that a clean install is a good install for Leopard as well. More on that as information becomes available.

Panda Labs: a new way of social engineering

I recommend that you read the following article on the Panda Labs site, published last Friday. It is a great example of how the low-lifes are thinking outside the box and coming up with very clever ways to get around our various online protections (in this case, CAPTCHA).

FSDeveloper live again

After a day of hard work we have finished the move of the FSDeveloper website to the new server. Take a look at this post by Nick for a little more background info.

Once the DNS change has taken effect, you should see the new site. There are some minor things that still need fixing; for example, not all downloads have been added back yet. We will continue working on that tomorrow. If you find any other problems, just let us know, of course.

Facelift

As you may or may not be aware, Arno, Alex and I have been preparing the face-lifted site for a while now.

The move is not only a face-lift and new logo, but a launch of new features and improved bandwidth capability. This is to allow for the fact that the ACES development team will be working more with the community on our site, and that means the ability to cater for more users was needed. The good news is gave us a great deal on the hosting and we are essentially unlimited now with growth capacity!

So, come visit… and you too can work with like-minded developers and the Microsoft ACES development team when they pop in! ACES members have the ACES logo next to their name on the forum, and MVPs have the MVP logo – just in case you need to pick us out ;)

Come visit and tell your friends!

(Note that you will have to wait for the DNS to update to see the new site!)
