Apple updates definitions to prevent “iWorm” botnet malware on Macs

Among other items, the XProtect list now includes several iWorm variants.
Andrew Cunningham

In case you missed it over the weekend, MacRumors reports that Apple has updated OS X's built-in XProtect malware definitions list to include the Mac.BackDoor.iWorm malware we reported on late last week. The iWorm malware allegedly managed to infect more than 17,000 Macs worldwide, and it was apparently using a (now closed) Minecraftserverlists board on reddit to distribute the IP addresses of control servers to infected Macs.

XProtect was first introduced to OS X in Snow Leopard in response to the MacDefender malware that managed to infect some OS X systems back in 2011. While the complete list is only 40 items long as of this writing, OS X silently checks for XProtect updates daily, and Apple also uses the list to mandate the use of up-to-date versions of Java and Flash. While XProtect doesn't do anything to clean existing infections, it can prevent new ones by telling users explicitly that they're attempting to install known malware.

Dr. Web, the antivirus vendor that first reported the existence of both the malware and the botnet, recommends that you buy its products to scan for and delete malware that may already be on your computer—researchers at antivirus companies can get the word out about new vulnerabilities, but they don't do it out of the goodness of their hearts. Developer Jacob Salmela has some instructions that can help you delete the malware manually.


Bugzilla 0-day can reveal 0-day bugs in OSS giants like Mozilla, Red Hat


Security firm Check Point Software Technologies used a flaw it discovered in the Perl programming language to hack into the popular Bugzilla bug-tracking system and add four users to the administrator group, giving them power to see the details of undisclosed vulnerabilities.

The bold demonstration, detailed in a private bug report made public on Monday, took advantage of a new class of flaws discovered by Check Point in the Perl programming language, allowing the organization to craft specific strings of text that essentially fooled Bugzilla's user database. Check Point created administrator accounts for mozilla.com, mozilla.org, bugzilla.org, and bugzilla.bugs in the system.

"This is not an SQL injection attack, this is something rather new," Shahar Tal, security research team leader at Check Point, told Ars. "This is part of research that we have been working on for a couple of months on a specific Perl issue. Bugzilla is a good example and sample, but it is not the only project that we were able to find vulnerabilities in."


FDA: Medical device cybersecurity necessary, but optional

The US Food and Drug Administration released guidance last week in which it suggested that medical-device manufacturers consider the dangers of hacking in the design of their products, while not requiring countermeasures.

The nine-page document informs companies of the agency's "current thinking" on the topic of cybersecurity. In it, the FDA recommended that companies assess any dangers arising from the intentional or unintentional misuse of a device during their design stage. In addition, medical devices and systems should detect and log attacks and allow technicians to react to such attacks, whether by patching a vulnerability or through other action.

"The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," the agency stated, adding that "manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks."


White hat claims Yahoo and WinZip hacked by “shellshock” exploiters


A security researcher claims to have uncovered a botnet being built by Romanian hackers using the “Shellshock” exploit against servers on a number of high-profile domains, including servers at Yahoo and the utility software developer WinZip. Jonathan Hall, president and senior engineer of technology consulting firm Future South Technologies, published a lengthy explanation of the exploits and his communications with the exploited organizations on his company’s website this weekend, and said that Yahoo had acknowledged finding traces of the botnet on two of its servers.

Hall found the botnet, he said, by tracking down the source of requests that probed one of his servers for vulnerable CGI server scripts that could be exploited using the Shellshock bash vulnerability. That security flaw allows an attacker to use those vulnerable server scripts to pass commands on to the local operating system, potentially allowing the attacker to take remote control of the server. Hall traced the probes back to a server at WinZip.com. He then used his own exploit of the bash bug to check the processes running on the WinZip server and identified a Perl script running there named ha.pl.

After extracting the contents of the script, Hall discovered that it was an Internet Relay Chat (IRC) bot similar to ones used to perform distributed denial of service attacks on IRC servers. However, as he examined it more closely, he found that it “appeared to focus more on shell interaction than DDoS capabilities,” he wrote. According to Hall, it takes remote control of the server, while using its IRC code to report back to an IRC channel (called, creatively, #bash). The code was also heavily commented in Romanian.
