iPhone OS – Safe again?

August 30, 2010

Three weeks ago a ‘mysterious’ new jailbreak technique was posted to jailbreakme.com. Research to date indicates that this technique leverages two distinct vulnerabilities to gain access to devices. The first issue exploited is a FreeType CFF font handling issue, exploitable via MobileSafari. The second issue exploited is an IOSurface framework issue that allows for privilege escalation to root, and eventual complete compromise of devices.

Fortunately for many, Apple has released an update that addresses both issues (HT4291, HT4292). For devices with the update installed, it should prevent malicious attackers from exploiting these vulnerabilities and should also stop the jailbreak technique from working.

Great news on the vulnerability front, no doubt. But are 25+ million iPhones truly safe again? Maybe.


McAfee Quarterly Threats Report Released

August 10, 2010

Malware has reached its highest levels, making the first six months of 2010 the most active half-year ever for total malware production. At the same time, spam leveled out, with only 2.5 percent growth from last quarter.

Malware continued to soar in the second quarter, with 10 million new pieces cataloged in the first half of this year. Consistent with last quarter, threats on portable storage devices were the most popular malware, followed by fake anti-virus software and social-media malware. With approximately 55,000 new pieces of malware appearing every day, AutoRun malware and password-stealing Trojans were the top two malware threats globally.

“Our latest threat report depicts that malware has been on a steady incline in the first half of 2010,” said Mike Gallagher, senior vice president and chief technology officer of Global Threat Intelligence for McAfee. “It’s also obvious that cybercriminals are becoming more in tune with what the general public is passionate about from a technology perspective and using it to lure unsuspecting victims. These findings indicate that not only should cybercrime education be more widespread, but that security organizations should move from a reactive to a predictive security strategy.”

After reaching its highest point in the third quarter last year, with nearly 175 billion messages per day, spam rates have hit a plateau. Cybercriminals took advantage of the hype surrounding the FIFA World Cup in South Africa, and used various methods to promote scams and search-engine “poisoning.” Globally, the most popular types of spam varied from country to country, with some interesting findings. For instance, delivery status notifications, or nondelivery-receipt spam, were the most popular in the United States, Italy, Spain, China, Great Britain, Brazil, Germany, and Australia. Malware spam, or anything that comes with a virus or Trojan attachment urging you to visit an infected website, was the most popular in Colombia, India, South Korea, Russia, and Vietnam. Argentina had the most variety in spam, with 16 topic areas, ranging from drugs to “lonely women” to diplomas. Italy came in with the least variety, with just six types of widely popular spam.

Attackers leveraged major events such as the World Cup and Middle East conflicts to poison Internet searches, although the BP oil spill in the Gulf of Mexico was surprisingly absent from the Top 20 toxic search terms. McAfee Labs also saw a resurrection of two “dead” botnets: Storm Worm and Kraken, once considered to be among the biggest botnets on the planet, are again on the rise.

For a full copy of the McAfee Threats Report, Second Quarter in nine languages, please visit: http://www.mcafee.com/us/threat_center/white_paper.html


Remote iPhone Jailbreak Using PDF Exploit Should Serve as Wake-Up Call

August 3, 2010

Like many iPhone users, I “jailbreak” my iPhone. I do this for many reasons, but mainly for console-level access and the darn cool infosec tools that are available through Cydia. Like many iPhone users, I was quite happy when the Electronic Frontier Foundation (EFF) was able to get jailbreaking included under “fair use” within the Digital Millennium Copyright Act. Like many iPhone users, I was also very happy to learn that Dev-Team would soon make remote jailbreaking possible by simply visiting their jailbreakme website. Alas, my happiness was not to last.

While still at Defcon, I saw through Twitter that one exploit or another was being used to remotely jailbreak the iPhone. (I believe the first tweets I saw were from Brian Krebs.) I then saw posts from VUPEN that several flaws were being exploited. From their advisory:

Technical Description

Two vulnerabilities have been identified in Apple iOS for iPhone, iPad and iPod, which could be exploited by remote attackers to take complete control of a vulnerable device.

The first issue is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.

Note: These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices.

Affected Products

Apple iPhone OS (iOS) versions 4.x
Apple iPhone OS (iOS) versions 3.x
Apple iPod OS (iOS) versions 4.x
Apple iPod OS (iOS) versions 3.x
Apple iPad OS (iOS) versions 3.x

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2010/1992

Did you notice the line “VUPEN is not aware of any vendor-supplied patch”? In the security business we call those zero-day vulnerabilities. We call code that takes advantage of zero-day vulnerabilities zero-day exploits. (I have not seen confirmation from Apple that these are in fact zero-day vulnerabilities, so keep that in mind).

I hope I am not the only one who is bothered by this because it begs the question “What else can this be used for?” Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks/malware/uses. Just look at the .LNK vulnerability that Microsoft fixed yesterday via an out-of-band patch. It originally targeted power-plant control systems as the Stuxnet worm and then appeared in more mainstream malware because it was an unpatched vulnerability with working exploit code. Read this article in The Register for a real nice breakdown of it.

This should serve as a wake-up call for anyone with a mobile device: Remote exploitation is real and here to stay. For now these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world.


McAfee, Parental Controls, and Apple Devices = Safer Kids Online

June 22, 2010

Today we announced our McAfee® Family Protection iPhone®, iPod touch® and iPad™ Edition. McAfee now provides strong parental controls to keep young people safe when they are browsing the Internet on an Apple mobile device. McAfee released McAfee Family Protection for the PC in June 2009.

According to data released by Admob in 2010, 65 percent of iPod touch users and 13 percent of iPhone users are below the age of 17. According to The Internet Safety Technical Taskforce in a December 2008 survey, twice as many kids own an Internet-enabled mobile device versus a computer.

McAfee® Family Protection iPhone, iPod touch and iPad Edition offers website and search filtering. The program will automatically block age-inappropriate sites, such as known pornography web sites, as well as filter Google search results. It also includes location tracking for Apple devices that are equipped with GPS technology.

Parents can also view usage statistics, including visited websites and access times, as well as add and remove custom websites while having the option to remotely disable all Web browsing.

From McAfee Chief CyberSecurity Mom, and my pal, Tracy Mooney:

“Many parents don’t consider online dangers when providing their kids with an iPod touch or passing on their old iPhones to them. Even if they are trying to monitor on a regular basis, it’s nearly impossible to know what they’re searching for,” said Mooney. “I’ve tried to be vigilant about checking in from time to time to see what my kids are doing online, but I know that my kids have more access now than ever with their mobile device. This product will help parents be at ease when they are equipping their kids with the latest technology.”

McAfee Family Protection iPhone, iPod touch, and iPad Edition is available for download now at the iTunes App Store and McAfee.com. For more information about McAfee mobile please visit the McAfee Mobile site.


Message to Google: Aurora NOT a Technology or OS Issue

June 1, 2010

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see if this “decision” has any basis in reality. (I caution readers to remember this is not confirmed, even if it is true.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability. And, certainly, they used lots of evasion techniques in delivering the payload. But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trumps technology every time. It always has and always will.

