Flashback trojan attacks more than half a million Macs 05/04/2012 11:57:21 (+0700) | #1 | 260830
conmale
Administrator
According to Ars Technica, about 600 thousand Macs have now been attacked and compromised by the Flashback trojan:

http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars

The paper says the figure was published by Sorokin Ivan, a malware analyst at Dr.Web, with the US accounting for 57% and Canada for 20% of the total. No specific analysis or proof of that number has appeared yet, but according to the averysawaba blog (http://averysawaba.blogspot.com/2012/04/over-half-million-macs-infected.html) there are a few interesting technical details:

Infection by the Trojan BackDoor.Flashback.39 is performed using infected Web sites and intermediate TDS (Traffic Direction Systems) redirecting Mac OS X users to a malicious site. The specialists of "Doctor Web" found quite a lot of these pages; they all contain JavaScript which loads a Java applet into the user's browser, and the applet in turn contains the exploit.


and:
It should be noted that the malware uses a very interesting mechanism for generating the addresses of its managing servers, allowing it, if necessary, to dynamically adjust the load between them by switching from one command center to another. After receiving a response from a management server, BackDoor.Flashback.39 checks that the RSA signature passed by the command center matches, and then, if the check proves successful, loads and runs the payload on the infected machine, which can be any executable file specified in the directive the Trojan received.


From a security-flaw standpoint: when a Mac user types a username + password to allow software (good or bad) to be installed, the install runs as "root" and the software gets installed. That is the user's decision to allow the install, but on the Mac side the OS should have a mechanism to check what software is being installed, in order to warn and block it.

As for the nature of this trojan, it is very interesting. The propagation mechanism is very similar to the batch of malware HVA analyzed recently, and it is indeed a very effective approach. The mechanism for controlling and coordinating the zombies (after infection) is even more unique. If these botnets can generate dynamic addresses for their management servers and balance load between servers, switching from one command center to another, then botnets really have reached an extremely sophisticated point.

Watch out for REAL cyberwar.

PS: F-Secure and many other AVs have published instructions for removing this malware. For example: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
What brings us together is stronger than what pulls us apart.
05/04/2012 17:59:56 (+0700) | #2 | 260861
LeVuHoang
HVA Friend

conmale wrote:
From a security-flaw standpoint: when a Mac user types a username + password to allow software (good or bad) to be installed, the install runs as "root" and the software gets installed. That is the user's decision to allow the install, but on the Mac side the OS should have a mechanism to check what software is being installed, in order to warn and block it.


So that's why the recommendation is that users should only download apps from the App Store, right?
About this trojan, as the blog notes that it is translated from a Russian version by the Dr. Web folks, it does not describe in detail how the dynamic managing-server generation works.
In my own opinion, if OS X followed the iOS model and sandboxed/chrooted applications, the chance of malware infection would be even lower, and it would also be easier to uninstall from the system than Windows malware.
05/04/2012 22:18:50 (+0700) | #3 | 260879
Ikut3
Elite Member
I've been reading this news for the past few days too, but searching online I still haven't seen a single clear attack vector :-D. I wonder whether that's because of Apple's "never show your hand" attitude.

Not long ago, I remember uncle conmale once said that no matter whether you use Mac or Linux or whatever, and no matter how much security it has, without clear awareness from the user you still get hit by malware, viruses and trojans as usual. This Flashback is one piece of evidence for that.
06/04/2012 22:58:27 (+0700) | #4 | 260959
m3onh0x84
Member

Ikut3 wrote:
Not long ago, I remember uncle conmale once said that no matter whether you use Mac or Linux or whatever, and no matter how much security it has, without clear awareness from the user you still get hit by malware, viruses and trojans as usual. This Flashback is one piece of evidence for that.


And you also have to be careful: I turned off my firewall and AV for quite a long time to make the machine lighter, and got hit right away.
1/ PLEASE "Read the instructions carefully before use".
2/ homepage: before asking, PLEASE search. Because to know more, everyone has to read "OPEN SESAME"
For FAQs, go ask on asking.vn
07/04/2012 07:14:41 (+0700) | #5 | 260970
conmale
Administrator

LeVuHoang wrote:

From a security-flaw standpoint: when a Mac user types a username + password to allow software (good or bad) to be installed, the install runs as "root" and the software gets installed. That is the user's decision to allow the install, but on the Mac side the OS should have a mechanism to check what software is being installed, in order to warn and block it.


So that's why the recommendation is that users should only download apps from the App Store, right?
About this trojan, as the blog notes that it is translated from a Russian version by the Dr. Web folks, it does not describe in detail how the dynamic managing-server generation works.
In my own opinion, if OS X followed the iOS model and sandboxed/chrooted applications, the chance of malware infection would be even lower, and it would also be easier to uninstall from the system than Windows malware.


Right, but the trouble is that not everyone installs apps from the App Store, and that is the problem.

If every app on Mac OS X were thoroughly verified before going onto the App Store and everyone installed from the App Store, the chance of malware spreading on the Mac would be extremely slim (unless the App Store itself were compromised).
07/04/2012 07:44:35 (+0700) | #6 | 260973
Ikut3
Elite Member
Users can currently use Apple's Software Update feature to install the patch for this bug:

Java for OS X 2012-002 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_31.
18/04/2012 15:08:29 (+0700) | #7 | 261637
Ikut3
Elite Member
Some more updates on this matter.

For the Flashback hole above, users can for now rest assured by using the Flashback removal tool on any infected machines. Download at

http://www.f-secure.com/weblog/archives/FlashbackRemoval.zip

However, just recently another malware family has appeared that also exploits the Java hole (CVE-2012-0507) to open service ports on the Mac, allowing the attacker to attack the system through them.

Reports of new Mac malware variants exploiting CVE-2012-0507 surfaced last week. The Java vulnerability is the same one used by Flashback to infect more than 600 thousand Macs.

The first new threat was analyzed by the folks at Trend Micro. The Java applet for Mac actually exploits CVE-2012-0507, and if successful, the payload is the same malware that AlienVault Labs discovered last month (being used in targeted attacks against human rights NGOs).

The second threat seems to be a completely new piece of malware at first. However, succeeding samples that have been collected reveal that the malware is also being dropped by the same word documents exploiting MS09-027/CVE-2009-0563, used to drop Backdoor:OSX/Olyx.C and Backdoor:OSX/MacKontrol.A. Which was also reported by AlienVault last month.

Both malware seem to be active at the moment and are controlled manually as observed by ESET and Kaspersky respectively. Both use the same malicious Java class dropper component. MD5: 5a7bafcf8f0f5289d079a9ce25459b4b

F-Secure antivirus detects these threats as Backdoor:OSX/Olyx.B and Backdoor:OSX/Sabpab.A.

MD5: 78f9bc441727544ebdc8374da4a48d3f – Backdoor:OSX/Olyx.B (also known as Lamadai.A)
MD5: 40c8786a4887a763d8f3e5243724d1c9 – Backdoor:OSX/Sabpab.A (also known as Lamadai.B)
MD5: 3aacd24db6804515b992147924ed3811 – Backdoor:OSX/Sabpab.A

These malware variants are being used in targeted attacks against Tibetan focused NGOs and are therefore very unlikely to be encountered "in-the-wild" by day to day Mac users. If you're a Mac using human rights lawyer however… your odds of exposure are another matter entirely. If you don't already, now is the time to install antivirus on your Mac.

Backdoor osx olyx
http://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml
19/04/2012 07:46:27 (+0700) | #8 | 261686
conmale
Administrator
I haven't seen a thorough technical analysis anywhere yet, but reading the general coverage there are quite a few illogical points, for example:

"It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute."

How can sites that pretend to be "Adobe Flash Player" intercept the machine to force the user to update bogus stuff?

To trigger the Java applet, the user has to access some URL, and which sites are those? So far there is still no specific, accurate information.
19/04/2012 14:14:39 (+0700) | #9 | 261700
bolzano_1989
Journalist

conmale wrote:
I haven't seen a thorough technical analysis anywhere yet, but reading the general coverage there are quite a few illogical points, for example:

"It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute."

How can sites that pretend to be "Adobe Flash Player" intercept the machine to force the user to update bogus stuff?

To trigger the Java applet, the user has to access some URL, and which sites are those? So far there is still no specific, accurate information.


The passage brother conmale quoted above was written incompletely, so it easily confuses readers. First they try to exploit Java JRE/JDK/SDK/JavaFX with working exploits (this is what let the Flashback malware spread so fast and in such large numbers); only if exploitation fails do they then use social engineering on the user, posing as software updates.

Brother conmale can look at the following three analyses:

Flashback Mac Trojan Horse Infections Increasing with New Variant - The Mac Security Blog
http://www.intego.com/mac-security-blog/flashback-mac-trojan-horse-infections-increasing-with-new-variant/

New Flashback Variant Changes Tack to Infect Macs - The Mac Security Blog
http://www.intego.com/mac-security-blog/new-flashback-variant-changes-tack-to-infect-macs/

Flashback Mac Malware Uses Twitter as Command and Control Center - The Mac Security Blog
http://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center/

How this malware infects Macs

This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.

It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.

The new version of the Flashback malware installs after Mac users visit infected web sites. In Intego’s tests, the installation procedure was somewhat odd, as web sites display a spinning gear for some time, before finally displaying a password request dialog pretending to be from Software Update, Apple’s tool for downloading and installing software.

Flashback forces Safari to quit, installs a file at /tmp/Software Update, then installs two invisible files in Safari’s resources, taking advantage of the root rights it obtained when the user entered his or her administrator’s password.

Next, Flashback injects code in Safari when the browser is launched.


And the most interesting part, the road that led to Flashback:
In addition, it is now clear that the Flashback malware has been created by the same people who were behind the Mac Defender fake antivirus which infected many Mac users beginning in May, 2011.

Websense Security Labs published a blog post pointing out that tens of thousands of WordPress blogs were infected by code that redirected them to web sites serving fake antiviruses, including Mac Defender. Sucuri Security narrowed this down to a plugin called ToolsPack, which installs a backdoor on servers where it is installed. But David Dede of Sucuri Security said, “Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks.”

Intego has examined some of the WordPress blogs infected with this code and found that they redirect Mac users to sites that serve the Flashback malware. It is important that people running WordPress sites ensure that their installation is up to date, that they have secure passwords, and that they especially don’t use this ToolsPack plugin.


The analysis results published on the McAfee blog by David Marcus:
Variant of Mac Flashback Malware Making the Rounds | Blog Central
http://blogs.mcafee.com/mcafee-labs/variant-of-mac-flashback-malware-making-the-rounds
As of this writing, this Trojan is targeted at vulnerable Java plug-ins related to the CVE-2012-0507 vulnerability. When a user visits a compromised page, it often uses an iframe tag that redirects the user to another malicious page, where the actual exploit is triggered by the malicious Java applet.
OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless whether the user inputs the password, the malware attempts to infect the system; entering the password only changes the method of infection.
The Trojan may arrive as the PKG file comadobefp.pkg and comes disguised as a Flash player installer:

It prompts the user for administrative rights:

Once the malware package is successfully installed, it tries to make contact with its remote sites to download any necessary configuration files:

Another characteristic of this malware is that it checks whether a firewall is installed on the target system. If one is found, it will remove the installation. (Other versions of Flashback are delivered via the sinkhole exploit.)


Regarding the CVE-2012-0507 security vulnerability, you can have a look at
Oracle Java Critical Patch Update - February 2012
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Note that the CVE-2012-0507 vulnerability is recorded by Oracle as "may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password".

In the following demo video you will see that the user only needs to browse a website containing the attack code, with no other user action required, for their computer to be taken over by the attacker:
CVE2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo - YouTube
http://www.youtube.com/watch?v=25CcRw-6hVQ

conmale wrote:

To trigger the Java applet, the user has to access some URL, and which sites are those? So far there is still no specific, accurate information.

Information about the websites infected with this malicious code is usually kept confidential; to find out, the only way is to ask around or investigate it yourself, brother.
Check files you suspect contain viruses:
http://goo.gl/m3Fb6C
http://goo.gl/EqaZt
http://goo.gl/gEF8e
Submit virus samples via FB: http://goo.gl/70Xo23
HVA Malware Response Team: kiemtravirus@gmail.com
Virus removal help: http://goo.gl/2bqxY
19/04/2012 14:44:25 (+0700) | #10 | 261701
bolzano_1989
Journalist
Users can visit the following page to check whether their computer is infected with Backdoor.Flashback.39, according to Dr.Web:
Dr.Web Anti-Flashback
https://www.drweb.com/flashback/?lng=en
19/04/2012 16:14:24 (+0700) | #11 | 261708
bolzano_1989
Journalist
Besides the infected WordPress blogs mentioned above as a source of malicious code, Doctor Web has found many other Flashback infection sources, most recently the following 10 websites, alongside dlink.com and more than 4 million other compromised web pages:
Code:
godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu


http://news.drweb.com/show/?i=2341&lng=en

Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web's virus analysts discovered a large number of web-sites containing the code. The recently discovered ones include:

godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu
According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com. 


Similarly to the older versions, the launched malware first searches the hard drive for the following components:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If the files are not found, the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to intruders' statistics server and sends consecutive queries at control server addresses.

It should be noted that the malware utilizes a very peculiar routine for generating such addresses. It can also switch between several servers for better load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and then, if successful, downloads and runs payload on the infected machine. It may get and run any executable specified in a directive received from a server.

Each bot includes a unique ID of the infected machine into the query string it sends to a control server. Doctor Web's analysts employed the sinkhole technology to redirect the botnet traffic to their own servers and thus were able to count infected hosts.

Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback modification. 


Flashback Cleanup Still Underway—Approximately 140,000 Infections | Symantec Connect Community
http://www.symantec.com/connect/blogs/flashback-cleanup-still-underway-approximately-140000-infections

Command-and-control (C&C) servers

The graphic below lists the upcoming C&C servers that are to be contacted by OSX.Flashback.K over the coming week.
[Image: http://www.symantec.com/connect/imagebrowser/view/image/2215131/article%20thumbnail]

Payload C&C server

The Flashback payload is considerably larger than the initial stage downloading component. Analysis is ongoing; however, one of the new features of the Trojan is that it can now retrieve updated C&C locations through Twitter posts by searching for specific hashtags generated by the OSX.Flashback.K hashtag algorithm.
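The domain list in the Doctor Web advisory above is exactly the kind of indicator a defender can sweep DNS or proxy logs for. The following Python script is an added example, not code from the thread or from Doctor Web: it matches queried names against those ten domains (exact name or a subdomain of it, with the DNS trailing dot stripped) and groups hits per client so the affected Macs can be pulled for a Flashback check. The log format, the client addresses and the query lines are constructed for the example; dlink.com is deliberately left out of the indicator list because the thread reports it only as a compromised legitimate site.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Indicator list: the ten Flashback redirector domains named in the Doctor Web
# advisory quoted in the thread. dlink.com is a legitimate site reported as
# compromised, so it is not treated as an indicator here.
FLASHBACK_DOMAINS = {
    "godofwar3.rr.nu",
    "ironmanvideo.rr.nu",
    "killaoftime.rr.nu",
    "gangstasparadise.rr.nu",
    "mystreamvideo.rr.nu",
    "bestustreamtv.rr.nu",
    "ustreambesttv.rr.nu",
    "ustreamtvonline.rr.nu",
    "ustream-tv.rr.nu",
    "ustream.rr.nu",
}

# Constructed DNS query-log lines (not real traffic). The line format
# "<timestamp> <client-ip> <qtype> <qname>" is an assumption of this example.
SAMPLE_DNS_LOG = """\
2012-04-05T10:14:02Z 10.0.0.12 A godofwar3.rr.nu
2012-04-05T10:14:05Z 10.0.0.12 A cdn.ustream-tv.rr.nu
2012-04-05T10:15:11Z 10.0.0.31 A www.example.com
2012-04-05T10:16:40Z 10.0.0.47 A notgodofwar3.rr.nu
2012-04-05T10:17:03Z 10.0.0.47 A ustream.rr.nu.
2012-04-05T10:18:30Z 10.0.0.31 A dlink.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def matches_indicator(qname: str) -> Optional[str]:
    """Return the indicator a queried name matches, or None.

    The name is normalised (trailing root dot removed, lower-cased) and must
    equal an indicator or be a subdomain of it. Requiring the "." separator
    keeps look-alikes such as "notgodofwar3.rr.nu" from matching.
    """
    host = qname.rstrip(".").lower()
    for ioc in FLASHBACK_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines) -> List[Dict[str, str]]:
    """Return one hit record per log line whose queried name matches an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that do not follow the assumed format are skipped
        ts, client, _qtype, qname = m.groups()
        ioc = matches_indicator(qname)
        if ioc:
            hits.append({"time": ts, "client": client, "qname": qname, "matched": ioc})
    return hits


def clients_to_triage(hits) -> Dict[str, int]:
    """Count hits per client IP: these are the hosts to check for Flashback."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(f"{h['time']} {h['client']} queried {h['qname']} (indicator {h['matched']})")
    print("clients to triage:", clients_to_triage(found))
```

Run against a real resolver or proxy export, the only part that needs changing is `LINE_RE`; the indicator match itself is format-independent. Note that a hit only shows the client resolved the redirector, not that the applet ran, so the hosts listed by `clients_to_triage` are candidates for the Dr.Web check page or the F-Secure removal tool, not confirmed infections.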
20/04/2012 07:31:35 (+0700) | #12 | 261744
conmale
Administrator
Thanks bolzano_1989 for providing such useful information.
20/04/2012 11:09:17 (+0700) | #13 | 261756
bolzano_1989
Journalist
http://blog.eset.com/2012/04/13/fighting-the-osxflashback-hydra
Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID.

The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&C address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and are working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter. 


ESET also points out that the way other vendors count Flashback-infected machines, based on the Mac hardware UUID, may give a number lower than reality, because many Mac OS X machines may share the same UUID.
When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.

When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.

Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size. 
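ESET's point above, that a UUID seen from many IP addresses is probably several machines sharing one identifier, is easy to turn into a counting rule. The script below is an added example, not ESET's or Doctor Web's code: it parses constructed sinkhole access-log lines, maps each bot UUID to the source IPs it was seen from, and produces three figures: the naive unique-UUID count (a lower bound), the unique-IP count (a rough upper bound, since NAT and DHCP distort it) and an adjusted estimate in which any UUID seen from at least a threshold number of distinct IPs is counted once per IP. The log format, the `uid` query parameter, the threshold of 3 and all addresses are assumptions of the example; the shared UUID is the masked value ESET quoted.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Set
from urllib.parse import parse_qs, urlsplit

# Constructed sinkhole access-log lines (not real bot traffic). The bot carries
# its machine UUID in the query string, as the Doctor Web write-up describes;
# the parameter name "uid" and the line format "<timestamp> <source-ip>
# <method> <path>" are assumptions of this example. The first UUID is the
# masked Hackintosh value ESET reported seeing from many addresses.
SAMPLE_SINKHOLE_LOG = """\
2012-04-04T12:00:01Z 203.0.113.1 GET /?uid=XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-04T12:00:09Z 203.0.113.2 GET /?uid=XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-04T12:00:14Z 203.0.113.3 GET /?uid=xxxxxxxx-c304-556b-a442-960ab835cb5d
2012-04-04T12:00:20Z 203.0.113.4 GET /?uid=XXXXXXXX-C304-556B-A442-960AB835CB5D
2012-04-04T12:01:02Z 192.0.2.10 GET /?uid=11111111-1111-1111-1111-111111111111
2012-04-04T12:31:02Z 192.0.2.10 GET /?uid=11111111-1111-1111-1111-111111111111
2012-04-04T12:02:45Z 192.0.2.20 GET /?uid=22222222-2222-2222-2222-222222222222
2012-04-04T13:02:45Z 192.0.2.21 GET /?uid=22222222-2222-2222-2222-222222222222
2012-04-04T12:03:10Z 198.51.100.5 GET /?uid=33333333-3333-3333-3333-333333333333
2012-04-04T12:03:11Z 198.51.100.9 GET /robots.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)$")

SHARED_UUID = "XXXXXXXX-C304-556B-A442-960AB835CB5D"


def parse_sinkhole_log(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each bot UUID to the set of source IPs it was seen from."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, src_ip, path = m.groups()
        uid = parse_qs(urlsplit(path).query).get("uid", [None])[0]
        if uid:
            seen[uid.upper()].add(src_ip)  # normalise case so one host is one key
    return dict(seen)


def estimate_bot_count(uuid_to_ips: Dict[str, Set[str]], duplicate_threshold: int = 3) -> dict:
    """Size the botnet from sinkhole data, correcting for shared UUIDs.

    A UUID seen from fewer than duplicate_threshold distinct IPs is counted as
    one host (a laptop moving between networks is normal). A UUID seen from at
    least that many IPs is treated as shared (VM image, Hackintosh build) and
    each distinct IP is counted as a separate host. The threshold is an
    assumption; tune it against known-single hosts in your own data.
    """
    suspicious = {u: sorted(ips) for u, ips in uuid_to_ips.items()
                  if len(ips) >= duplicate_threshold}
    all_ips: Set[str] = set()
    for ips in uuid_to_ips.values():
        all_ips |= ips
    adjusted = sum(len(ips) if u in suspicious else 1 for u, ips in uuid_to_ips.items())
    return {
        "unique_uuids": len(uuid_to_ips),   # naive lower bound
        "unique_ips": len(all_ips),         # rough upper bound (NAT/DHCP distort it)
        "suspicious_uuids": suspicious,
        "adjusted_estimate": adjusted,
    }


if __name__ == "__main__":
    report = estimate_bot_count(parse_sinkhole_log(SAMPLE_SINKHOLE_LOG.splitlines()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log the naive count is 4 UUIDs while the adjusted estimate is 7, which is the direction of error ESET describes: counting by UUID alone undercounts whenever an installation image ships a fixed hardware UUID.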
20/04/2012 13:31:50 (+0700) | #14 | 261760
bolzano_1989
Journalist
I think Apple behaves very poorly toward the whitehat hacker security community; it seems they don't want the world to know about the weak points in their security.
Earlier it was revoking the iOS Developer Program license of the expert and hacker Charlie Miller:

Apple Exiles A Security Researcher From Its Developer Program For Proof-of-Concept Exploit App - Forbes
http://www.forbes.com/sites/andygreenberg/2011/11/07/apple-exiles-a-security-researcher-from-its-developer-program-for-proof-of-concept-exploit-app/

Apple just sent a clear message to malicious hackers and security researchers alike: Keep your hands off the App Store.

Just hours after security researcher Charlie Miller told me about a new, potentially dangerous bug he’d found in Apple’s iOS operating system that allows unapproved code to be run on iPads and iPhones, he received an email from Apple, nixing his license as an Apple developer.

“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” the email read. “Effective immediately.”

Miller had, admittedly, created a proof-of-concept application to demonstrate his security exploit, and even gotten Apple to approve it for distribution in Apple’s App Store by hiding it inside a fake stock ticker program, a trick that Apple wrote violated the developer agreement that forbid him to “hide, misrepresent or obscure” any part of his app. But the researcher for the security consultancy Accuvant argues that he was only trying to demonstrate a serious security issue with a harmless demo, and that revoking his developer rights is “heavy-handed” and counterproductive. “I’m mad,” he says. “I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”
Apple didn’t immediately respond to my request for comment.

Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th. 


Now it is turning its back on the security community that helped it:

Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections - Forbes
http://www.forbes.com/sites/andygreenberg/2012/04/09/apple-snubs-firm-who-discovered-mac-botnet-tries-to-cut-off-its-server-monitoring-infections/

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork.

Boris Sharov, chief executive of the Moscow-based security firm Dr. Web says he learned Monday from the Russian Web registrar Reggi.ru that Apple had requested the registrar shut down one of its domains, which Apple said was being used as a “command and control” server for the hundreds of thousands of PCs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server–what researchers call a “sinkhole”–to monitor the collection of hijacked machines and try to understand their behavior, the technique which allowed the firm to first report the size of Apple’s botnet last week.

“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” says Sharov. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

Sharov believes that Apple’s attempt to shut down its monitoring server was an honest mistake. But it’s a symptom of the company’s typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.”

I’ve contacted Apple for comment, but haven’t yet heard back from the company either.

In Apple’s defense, it may not have recognized Dr. Web as a credible security firm when the company contacted Apple earlier this month–I hadn’t heard of the firm either until its discovery and analysis of the Flashback botnet. But the better-known security firm Kaspersky confirmed Dr. Web’s findings on Friday. A Kaspersky representative said it hadn’t contacted Apple with its findings and hadn’t had any direct communication with Apple, and Kaspersky researcher Kurt Baumgartner wrote in a statement that “from what we’ve seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this.” Kaspersky wouldn’t offer more details on how Apple is working with the security community.

Update: Apple now says it will release a Flashback removal tool and is “working with ISPs worldwide” to disable the botnet’s command and control servers.

Locating and shutting down command and control servers is typical practice for a company trying to behead and cripple a botnet targeting its computers. Sharov says that Dr. Web has worked with Microsoft several times in the past on those efforts. But Apple, which has never dealt with a botnet the size of the Flashback infection, has fewer ties to firms like Dr. Web, Sharov says. “For Microsoft, we have all the security response team’s addresses,” he says. “We don’t know the antivirus group inside Apple.”

Sharov, like others, criticizes Apple for its delay in issuing a patch for a security vulnerability in Java that the Flashback malware exploited to invisibly install itself on Macs when users visit infected web pages. The bug was patched by Oracle in February, but Apple didn’t fix the flaw until earlier this month. “Their response should have been much earlier when they should have updated their Java,” says Sharov. “Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”

Apple’s less-than-diplomatic handling of Dr. Web’s work wouldn’t be the first time it’s raised the hackles of the security research community. When well-known Apple researcher Charlie Miller created a proof-of-concept app demonstrating a flaw in Apple’s security restrictions, the company responded by revoking his developer’s license.

Sharov says he can understand Apple’s brusque response to his researchers’ work. “These are not pleasant days for them,” he says. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”