Online Virus / Malware News

Three weeks ago a ‘mysterious’ new jailbreak technique was posted to jailbreakme.com. Research to date indicates that this technique leverages two distinct vulnerabilities to gain access to devices. The first issue exploited is a FreeType CFF font handling issue, exploitable via MobileSafari. The second issue exploited is an IOSurface framework issue that allows for privilege escalation to root, and eventual complete compromise of devices.

Fortunately for many, Apple has released an update that addresses both issues (HT4291, HT4292). This update should prevent both malicious attackers from exploiting these vulnerabilities, as well as prevent the jailbreak technique from continuing to work (for devices with the update installed).

Great news on the vulnerability front, no doubt. But are 25+ million iPhones truly safe again? Maybe.

Like many iPhone users, I “jailbreak” my iPhone. I do this for many reasons, but mainly for console-level access and the darn cool infosec tools that are available through Cydia. Like many iPhone users, I was quite happy when the Electronic Frontier Foundation (EFF) was able to get jailbreaking included under “fair use” within the Digital Millennium Copyright Act. Like many iPhone users, I was also very happy to learn that Dev-Team would soon make remote jailbreaking possible by simply visiting their jailbreakme website. Alas my happiness was not to last.

While still at Defcon, I saw through Twitter that one exploit or another was being used to remotely jailbreak the iPhone. (I believe the first tweets I saw were from Brian Krebs.) I then saw posts from VUPEN that several flaws were being exploited. From their advisory:

Technical Description

http://www.vupen.com/english/advisories/2010/1992

Did you notice the line “VUPEN is not aware of any vendor-supplied patch”? In the security business we call those zero-day vulnerabilities. We call code that takes advantage of zero-day vulnerabilities zero-day exploits. (I have not seen confirmation from Apple that these are in fact zero-day vulnerabilities, so keep that in mind).

I hope I am not the only one who is bothered by this because it begs the question “What else can this be used for?” Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks/malware/uses. Just look at the .LNK vulnerability that Microsoft fixed yesterday via an out-of-band patch. It originally targeted power-plant control systems as the Stuxnet worm and then appeared in more mainstream malware because it was an unpatched vulnerability with working exploit code. Read this article in The Register for a real nice breakdown of it.

This should serve as a wake-up call for anyone with a mobile device: Remote exploitation is real and here to stay. For now these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world.

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. The main goal is to explain how these organized groups have become established and what the extent of their activities are. In the first part of this report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics including cybercrime and hacktivism, economics, politics, culture, and others. Each topic is illustrated with examples found in the news. Through other examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.

I received an interesting IM from a friend via BlackBerry Messenger [BBM] this weekend. She was worried that it could do damage to her shiny new BlackBerry and, as she knew I work for McAfee, she forwarded it to me for my opinion.

As soon as I read it, I knew it was a hoax and told her just to delete it.

It didn’t really surprise me that these Hoaxes are now being spread via BBM as the devices are becoming increasingly popular. I’m sure all of you have received the usual one via E-mail about a Virus which burns the whole hard disc C of your computer , well now I believe you will be seeing them on your BlackBerry.

I don’t want to take the usual route of blaming Social Networks sites but I believe they are the cause for this new wave of Hoaxes. The problem with Social Networks is that it enables almost anyone to be able to add you on several different IM’s by just visiting your page if you do not set your privacy settings correctly.

The new BBM also enables you to add new users by taking a picture of a barcode which is uniquely created for your BlackBerry pin. This makes it incredibly easy for people who you don’t know to add you to their contact list, which leaves you open to receiving more Hoaxes or Spam messages.

I have personally seen lots of these barcodes on several Social networks and forums and warn those who read this blog not to do the same and only share their PIN with contacts they trust.

Users should be careful who they accept as contacts, as you may start to see a lot more of these Hoaxes or even Spam in your BBM inbox.