Category Archives: Mac Virus blog

iOS support scams – added to resources page

Added to the PC ‘Tech Support’ Cold-Call Scam Resources page today….

Here’s an extract from another Mac Virus article – iOS Support Scams – on tech support scams, this time targeting iOS users:

A new blog by Graham Cluley for Intego actually has some points in common with my most recent blog here (which also involved pop-ups misused by support scammers, particularly in the context of Safari). However, Graham’s article is about iOS, whereas mine related to questions asked regarding OS X and Safari (citing advice from Thomas Reed that also addressed other browsers).

David Harley

New Mac Malware Resource

Well, actually, it’s an old one. It’s at the Mac Virus site I kicked back into life a few months ago, primarily as a blog site.

However, I’ve been under some pressure to restore some of the features of the old Mac Virus site. While I’ll be restoring some (more) of the pre-OSX stuff for its historical interest, I don’t see that as a big priority right now. But as I’ve been talking quite a lot about Mac threats in the past month or two (see http://macviruscom.wordpress.com/2010/05/13/apple-security-snapshots-from-1997-and-2010/ for example), there’s been curiosity about what we’ve been seeing in the way of OS X malware.

Enter (stage left, with a fanfare of trumpets) the Mac Virus “Apple Malware Descriptions” Page at http://macviruscom.wordpress.com/apple-malware-descriptions/. Right now it consists of two descriptions of Mac scareware from 2008, so it’s at a very early stage of development. (It just happens to be those two descriptions because someone asked me about them yesterday.)

Isn’t this stuff available elsewhere, I hear you ask? Of course it is. The point about these descriptions is that unlike most vendor descriptions, they point to various other sources of (reasonably dependable) information, as well as including a little personal commentary. It’s a first cut at attempting to answer the question “if there’s so much Mac malware around, where is it?”

More later…

David Harley CITP FBCS CISSP
AVIEN Chief Operations Officer
Mac Virus Administrator
ESET Research Fellow and Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com
http://amtso.wordpress.com/

NTEOTWAWKI

Given all the hype generated by the ridiculously titled Gawker Article about the so called ‘iPad’ hack, I’m somewhat reluctant to add to any more of the noise over what is really a pretty run of the mill story, but because I’m procrastinating on other jobs, I’ll write something. Warning: this story does involve the shocking exposure of people’s email addresses, said addresses getting revealed when they shouldn’t have been, and yes….er…well, no, that’s about it actually.

Indeed, Paul Ducklin of Sophos wrote a very nice article stating the rather important fact that, every time you send an email, that passes your email out on to the open internet. Of course, that’s not an excuse to have a poorly written web app that will spit out the email addresses of your partner company’s clientele at will. Partner company, I hear you cry, wasn’t this an Apple problem? Yes, indeed, this is absolutely nothing to do with Apple, it’s not an Apple problem, and it’s not a breach of Apple’s security, nor is it a breach of the iPad. In fact, it was solely down to a web application on AT&T’s website. It doesn’t even involve touching an iPad. But, but, you may splutter, isn’t this is an iPad disaster? No. Not even slightly; not once did the ‘attackers’ go near any one’s iPad. The ‘attack’ was purely a script  that sent ICCID numbers (this links a SIM card to an email address) to the AT&T application, in sequence, to see if their database had that number with an email attached – and if so, that came back. That’s right, it’s a SIM card identifier. The only ‘iPad’ part is that the ‘attackers’ spoofed the browser in the requests, to make the app think the request was coming from an iPad.

The upshot is that, as this page rightly points out (thanks to @securityninja for the link)

“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

So, the correct title of that original Gawker article might have been “Badly designed AT&T web application leaks email addresses when given SIM card ID”, but that wouldn’t be “The End Of The World As We Know It”.

In a week where one ‘journalist’ writing here (thanks to @paperghost for the link) claimed that some security people confessing to being ‘hackers’ (whatever that means) “confirms our suspicions that the whole IT insecurity industry is a self-perpetuating cesspool populated by charlatans”, it might be time for the world of the media to turn that oh so critical eye on itself and ask who is really generating the hype in the information security world?

If you’re interested in keeping up with genuine Mac/Apple related security issues, a good resource is maintained here by my good friend David Harley

UPDATE: The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying

“There was no breach, intrusion, or penetration, by any means of the word.”

Andrew Lee
CEO AVIEN/CTO K7 Computing

About those alligators….

I don’t know what Peter Norton  is up to these days. In the anti-virus industry, he’s probably best remembered for (a) the security products marketed by Symantec that still bear his name (though not the famous pink shirt photograph), though he sold his company to Big Yellow about 20 years ago. In researcher circles, he’s also remembered for telling Insight magazine in 1988 or thereabouts that “We’re dealing with an urban myth. It’s like the story of alligators in the sewers of New York. Everyone knows about them, but no one’s ever seen them. Typically, these stories come up every three to five years.” Well, quite a few people put computer viruses in the same category as flying saucers around that time. Commodore, for instance, reacted to questions about Amiga malware by saying that it sounded like a hoax, and moved on (1) to ignoring it altogether.

Not long after that, he lent his name to Symantec’s antivirus product, which I suppose makes it the world’s first anti-hoax software.

I’ve no idea whether there really are or ever were alligators in the sewers of New York, but according to the BBC, Scotland ‘s sewage system has quite a few equally bizarre inhabitants. Notably:

  • A Mexican Kingsnake
  • A goldfish called Pooh
  • An anonymous frog
  • An equally anonymous badger (no, it wasn’t in the company of the frog: what a story that could be…)

 The above were all alive and well, if not as sanitary as one might hope. However, a sheep found in a manhole chamber and a cow found in a storm tank did not survive the experience. Other inanimate objects found included credit cards, a working iron, false teeth, jewelry, and some of the hundreds of thousands of mobile phones that Brits are alleged to flush down the loo. 

It’s not known whether the very smelly aggregation of money mules that is apparently operating out of Scotland and associated with the “London scam” described here is operating out of the same network

(1) Yes, I’m paraphrasing myself. “Viruses Revealed”, Chapter 2, published by Osborne in 2001.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
https://avien.net/blog
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com