Archive for April, 2009

Mac iWork Virus/Trojan FUD

Posted in Uncategorized on April 24, 2009 by future man

A curious falsehood has surrounded Mac computers over the last decade, as they have resurged onto the market.  People believe that Macs are immune to the malware, viruses, and worms that have wrought havoc on PCs.  (Correction: there are far fewer viruses for Mac than PC [1].)

In reality, OS X is not much more or less secure than Windows Vista; rather, it is Apple’s small market share that has protected it.  (Correction: Linux has a smaller market share than Apple yet has far more viruses [2].) Since Mac attacks would have to be custom-made, there just hasn’t been much interest among Black Hats in attacking them.  Kevin Haley, a director of security response at Symantec, states, “The bad guys generally go toward the biggest target, what will get them the biggest bang for their buck.” (Never trust Symantec on anything virus related, as they often feed the FUD; it is how they sell software.)

However, with surging market share and pop icon status, Macs are suddenly finding themselves under attack.  On the heels of Apple’s announcement that customers should get an antivirus program, Apple has been attacked by what some are calling OS X’s first official trojan virus. (This is not a Trojan virus, it is a Trojan; it requires the user to enter their user name and password [3].) The trojan, dubbed “iBotnet”, has snuck its way into several thousand Macs.  The virus is written specifically for Mac computers and does not affect Windows machines.

The new virus infects users’ computers via pirated copies of the Mac software iWork, which have been floating around P2P networks.  It was first reported in January and, unlike other viruses such as the Conficker worm, is relatively harmless due to the small number of infected machines (precluding effective denial of service attacks) and the user’s role in infection.

States Paul Henry, a forensics and security analyst at Lumension Security in Arizona, “We all knew it was going to happen.  It was just a matter of time, and, personally, I think we’re going to see a lot more of it.”

While the new virus is the first to only target Macs, it’s not the first botnet to consist of some Mac machines.  Jose Nazario, a senior security researcher with Arbor Networks, states, “This isn’t the first botnet that’s been built using Mac computers.  This is an interesting one in that it’s a little more flexible and includes some new features. … It’s getting a lot of press mostly because it’s Mac and people are talking about how Macs are immune to malware — and, sure enough, they’re not.”

In a statement, Apple responds, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.” (Mac is actually pretty slow to patch [4].)

Macs today account for approximately 7.4 percent of consumer computers in the U.S., according to Gartner, a leading market research firm.  While, according to Gartner, these users on average are more affluent than PC owners, the unproven nature of Mac virus software (owing to their low market share in the 90s) has left Mac viruses still unexplored territory.  However, that looks to be changing, and given Apple’s slow rate of patching, it could be in trouble in the near future, particularly with the prospect of Apple-specific worms.



1: http://www.macuser.co.uk/news/44258/mac-virus-is-number-78-in-most-common-chart.html

2: It’s not the market-share that determines the number of viruses, because there’s more OSX out there than Linux or BSD. The Ramen worm is one widespread Linux virus.

It definitely does have something to do with it, due to the fact that Windows has surpassed 1 MILLION** viruses, worms and other malware (of course the horrific state of security on the Win9x line helped here, which was also why MacOS 9 had a fair number of viruses for it).

However, where this theory falls apart is that there are far more worms, viruses, and malware in existence for Linux/BSD than for OSX. In fact, there has been more malware specifically for RedHat Linux than for OSX.

Either way, US market-share isn’t the deciding factor. It could be that it’s the market-share of Macs in Russia, China, and other nations where virus development is prevalent that is a deciding factor.

A good guess would be that the fact that there are no cheap Macs has far more to do with it. When you pay that much for a machine, you’re probably not writing viruses on it.

3: The Trojan in question does not replicate. It is not a virus. It is also not a worm, which is a virus that replicates across a network (generally IP based). Worms use a network to send copies of themselves to other nodes (computers on the network), and may do so without any user intervention. Unlike a virus, a worm does not need to attach itself to an existing program.

4: Several security research firms have criticized Apple for leaving critical and serious vulnerabilities unpatched for long periods of time. If you search DailyTech you should find some articles about patching, which include info on research which indicates that OS X is being patched far slower than Windows Vista.

The most rare special character entities for HTML 4

Posted in Uncategorized on April 23, 2009 by future man

Character entity names and their entity reference decimals. To type these, hold Alt and press the numbers on your keypad. These do not work on a PDA.

About the character entity html reference list

The Character Entity Reference HTML 4 has been formatted with accessibility and usability considerations. The Entity Reference List is presented using the definition list format. This allows usable small screen rendering on numerous Internet devices including Internet capable cell phones and PDAs. Lists presented using tables may lose their logical relational order to the contained elements when displayed on small screen rendering devices.

HTML 4.01 supports the ISO 8859-1 (Latin-1) character set. The lower part of ISO-8859-1 (codes 0-127) is the original 7-bit ASCII standard. Most of these characters can be used without a character reference. The higher part of ISO-8859-1 (codes 160-255) can all be written using character entity names.

Character Entity Reference Browser & Font Support

Note: character entity names are case sensitive.
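Added example (not from the original post): encoding text the way the list below describes, using an HTML 4.01 named entity where Python’s html.entities table (the HTML 4.01 set) has one and a decimal reference otherwise; the sample string is constructed.

```python
import html
from html.entities import codepoint2name

# Characters that must always be escaped even though they are plain ASCII,
# because they are markup delimiters (the HTML-injection-safe minimum).
ALWAYS_ESCAPE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def to_html4_entity(ch: str) -> str:
    """Return the HTML 4.01 representation of a single character."""
    if ch in ALWAYS_ESCAPE:
        return ALWAYS_ESCAPE[ch]
    cp = ord(ch)
    if cp < 128:
        # 7-bit ASCII: usable literally, as the post says.
        return ch
    name = codepoint2name.get(cp)
    if name is not None:
        # A named entity exists: every code in 160-255 (e.g. 233 -> &eacute;)
        # and a few symbols such as 9824 -> &spades;.
        return f"&{name};"
    # No HTML 4 name (e.g. U+2620 skull & crossbones): decimal reference.
    return f"&#{cp};"


def encode_html4(text: str) -> str:
    """Encode a whole string character by character."""
    return "".join(to_html4_entity(ch) for ch in text)


def decimal_reference(ch: str) -> int:
    """The 'number' the entity list refers to: the code point in decimal."""
    return ord(ch)


def round_trips(text: str) -> bool:
    """Decoding the encoded form must give the original text back."""
    return html.unescape(encode_html4(text)) == text


if __name__ == "__main__":
    sample = "Caf\u00e9 \u2620 \u2660 <b>"  # constructed input
    print(encode_html4(sample))  # Caf&eacute; &#9760; &spades; &lt;b&gt;
```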

[ ☠ ] skull & crossbones
[number: ]
[ ☡ ] caution sign
[ number: ☡]
[ ☢ ] radioactive sign
[number: ]
[ ☣ ] biohazard sign
[number: ]
[ ☤ ] Caduceus or "Kerykeion"
[number: ]
[ ☥ ] Ankh
[number: ]
[ ☦ ] Eastern Christian Cross
[number: ]
[ ☧ ] Chi Rho Cross
[number: ]
[ ☨ ] Patriarchal Cross
[number: ]
[ ☩ ] Greek Cross
[number: ]
[ ☪ ] Crescent Moon & Star
[ number: ☪]
[ ☫ ] Farsi symbol
[ number: ☫]
[ ☬ ] Adi Shakti
[ number: ☬]
[ ☭ ] hammer & sickle
[ number: ☭]
[ ☮ ] peace sign
[ number: ☮]
[ ☯ ] yin & yang
[ number: ☯]
[ ☰ ] trigram Heaven
[ number: ☰]
[ ☱ ] trigram Lake
[ number: ☱]
[ ☲ ] trigram Fire
[ number: ☲]
[ ☳ ] trigram Thunder
[ number: ☳]
[ ☴ ] trigram Wind
[ number: ☴]
[ ☵ ] trigram Water
[ number: ☵]
[ ☶ ] trigram Mountain
[ number: ☶]
[ ☷ ] trigram Heaven
[ number: ☷]
[ ☸ ] Dharma Wheel
[number: ]
[ ☹ ] frowning face
[number: ]
[ ☺ ] smiley face
[number: ]
[ ☻ ] black smiley face
[number: ☻]
[ ☽ ] waxing crescent moon
[number: ☽]
[ ☾ ] waning crescent moon
[number: ☾]
[ ☿ ] Mercury
[number: ]
[ ♀ ] Venus - Female symbol
[number: ]
[ ♁ ] Earth symbol
[number: ]
[ ♂ ] Mars - Male symbol
[number: ]
[ ♃ ] Jupiter
[number: ]
[ ♄ ] Saturn
[number: ]
[ ♅ ] Uranus
[number: ]
[ ♆ ] Neptune
[number: ]
[ ♇ ] Pluto
[number: ]
[ ♈ ] Aries
[number: ]
[ ♉ ] Taurus
[number: ]
[ ♊ ] Gemini
[number: ]
[ ♋ ] Cancer
[number: ]
[ ♌ ] Leo
[number: ]
[ ♍ ] Virgo
[number: ]
[ ♎ ] Libra
[number: ]
[ ♏ ] Scorpio
[number: ]
[ ♐ ] Sagittarius
[number: ]
[ ♑ ] Capricorn
[number: ]
[ ♒ ] Aquarius
[number: ]
[ ♓ ] Pisces
[number: ]
[ ♔ ] White King
[number: ]
[ ♕ ] White Queen
[number: ]
[ ♖ ] White Rook
[number: ]
[ ♗ ] White Bishop
[number: ]
[ ♘ ] White Knight
[number: ]
[ ♙ ] White Pawn
[number: ]
[ ♚ ] Black King
[number: ]
[ ♛ ] Black Queen
[number: ]
[ ♜ ] Black Rook
[number: ]
[ ♝ ] Black Bishop
[number: ]
[ ♞ ] Black Knight
[number: ]
[ ♟ ] Black Pawn
[number: ]
[ ♠ ] black spade suit
[name: ♠] [number: ]
[ ♡ ] red heart suit
[number: ]
[ ♢ ] red diamond suit
[number: ]
[ ♣ ] black club suit = shamrock
[name: ♣] [number: ]
[ ♤ ] red spade suit
[number: ]
[ ♥ ] black heart suit = valentine
[name: ♥] [number: ]
[ ♦ ] black diamond suit
[name: ♦] [number: ]
[ ♧ ] red club suit
[number: ]
[ ♨ ] hot springs
[number: ]
[ ♩ ] musical quarter note
[number: ]
[ ♪ ] musical eighth note
[number: ]
[ ♫ ] musical single bar note
[number: ]
[ ♬ ] musical double bar note
[number: ]
[ ♭ ] flat note
[number: ]
[ ♮ ] natural note
[number: ]
[ ♯ ] sharp note
[number: ]
[ ✁ ] cut above
[number: ]
[ ✂ ] cut here
[number: ]
[ ✃ ] cut below
[number: ]
[ ✄ ] scissors
[number: ]
[ ✆ ] public pay phone
[number: ]
[ ✇ ] film reel - tape spool
[number: ]
[ ✈ ] airport jet airplane
[number: ]
[ ✉ ] envelope mail email
[number: ]
[ ✌ ] victory sign
[number: ]
[ ✍ ] signature - sign here
[number: ]
[ ✎ ] pencil diagonal down
[number: ]
[ ℞ ] Prescription / Take pharmaceutical symbol
[number: ]
[ Ω ] Ohm
[number: ]
[ ℧ ] Inverted Ohm
[number: ]
[ ☀ ] sunshine - sun
[ number: ☀]
[ ☁ ] cloudy - cloud
[ number: ☁]
[ ☂ ] raining - rain
[ number: ☂]
[ ☃ ] snow - snowman
[ number: ☃]
[ ☄ ] comet
[ number: ☄]
[ ★ ] star solid
[ number: ★]
[ ☆ ] star outline
[ number: ☆]
[ ☇ ] lightning
[ number: ☇]
[ ☈ ] thunderstorm
[ number: ☈]
[ ☉ ] sun
[ number: ☉]
[ ☊ ] ascending node
[ number: ☊]

Top 5 free programs to enhance performance (Better than Finally Fast ☺)

Posted in Uncategorized on April 9, 2009 by future man

7-Zip/Winrar

7-Zip is open source software. It is legitimately free with no nag message, unlike WinRAR.  Most of the source code is under the GNU LGPL license. The unRAR code is under a mixed license: GNU LGPL + unRAR restrictions. Check license information here: 7-Zip license.

WinRAR is another alternative to the misconception that is WinZip: somehow people came to think that WinZip is free and is the default Windows unpacking program. WinZip is NOT part of Windows and NOT free. WinRAR can extract/decompress .rar files, .zip files and a host of other formats as well. FYI: the RAR format provides more convenient multipart (multivolume) archives, tight compression including special solid, multimedia and text modes, strong AES-128 encryption, recovery records helping to repair an archive even in case of physical data damage, Unicode support to process non-English file names, etc.

Compression comparison (Mozilla Firefox: 161 files, 15,684,168 bytes; Google Earth: 115 files, 23,530,652 bytes):

Archiver                             | Firefox compressed size | Ratio | Google Earth compressed size | Ratio
-------------------------------------|-------------------------|-------|------------------------------|------
7-Zip 4.23 (7z format)               | 4621135                 | 100%  | 6109183                      | 100%
WinRAR 3.50                          | 5021556                 | 109%  | 6824892                      | 112%
CABARC 5.1                           | 5131393                 | 111%  | 7434325                      | 122%
WinZip 10.0 beta (maximum-PPMd)      | 5277118                 | 114%  | 8200708                      | 134%
7-Zip 4.23 (zip format)              | 6222627                 | 135%  | 8909446                      | 146%
WinZip 10.0 beta (maximum-portable)  | 6448666                 | 140%  | 9153898                      | 150%

Unlocker

Ever get one of these?

Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.

Unlocker is a godsend when you are trying to delete a file that cannot be deleted because a running process has it open.  This can be very annoying and is often the sign of a virus. A virus/trojan could be masquerading as any process (alg.exe, lsass.exe, svchost.exe, etc.), and you may not know which one to end so that you can delete or modify the file. Unlocker gives you the option to delete the file at startup, rename the file, or delete the file immediately.

If the folder or file is locked, a window listing the lockers will appear.

CCleaner

CCleaner is a tool to clean your system of temporary and unnecessary files that accumulate over time. This also includes a rather thorough cleaning of Internet tracks and logs such as tmp files, cache, recently used files, history, cookies and more. You can select the items that you want cleaned and also specify what you do not want to delete.  A good trick: if you do not want it to delete your Mozilla cache and saved info, have Firefox running while you run CCleaner.   In addition, CCleaner comes with a registry scanner that scans for invalid references and other registry errors. There are options to start cleaning automatically or from the command line.

WinDirStat

(TreePie is a more lightweight, simpler program for getting a visual view of your hard drive and seeing what is taking up space.)

The more we use the computer, the more our hard disk gets filled with useless stuff like junk files, temp files, old song files, etc. WinDirStat is a free program that gives you a visual representation of your hard disk usage. It indexes the hard drive, creates a visual map of each file, and also helps you delete the files that you don’t need.

It uses tree maps to represent each file as a rectangle so you can visualize file distribution across the drive. All the files are coded with a specific color, and you can click on them to reveal the file name and even open it in Explorer, copy the path, or delete the file. You can also view the folder organization in a drill-down interface and get an indication of how large each folder is. The most noticeable feature is the visual representation of the hard drive, with lots of colored rectangles representing the different types of files.

It is nice software that lets you see what is occupying how much space on the hard drive. It is freeware and works with Windows 2000/XP/2003/Vista.

Process Explorer

Similar to Unlocker but more complex. Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. This program demystifies which process is linked to which application and is also great for tracking down viruses which hide as certain processes such as svchost.

VLC media player

This media player plays any file you can throw at it; no more issues with video codecs or anything else you got off BitTorrent.

Best Free AntiVirus (go to Download.com)

The best thing to do is only run these if you have a problem; run AntiVir all the time.

Lavasoft Ad-Aware
Spybot – Search & Destroy (lets you know every time there is a change to the registry and asks for approval)
SuperAntiSpyware
AntiVir (catches all sorts of stuff); learn to remove the AntiVir nag message here: http://www.byteforums.com/thread-2702.html
Malwarebytes (effective against the Antivirus 2009 trojan)

AVG is NOT recommended, as it is too heavy and slows your computer, AND it is the biggest target for virus authors to write malware FOR because so many people have it.

Core Temp

What it does: As the name suggests, Core Temp is a quick and easy way to check out the temperature of your CPU as determined by the processor’s internal probes. If you’re a familiar face at Maximum PC, you’ve surely heard the gang wax about the wonders of the SpeedFan utility. Temperature-wise, the two programs conduct similar readings. The reason I lean to Core Temp, however, is that SpeedFan will sometimes offset the actual temperature of your CPU (depending on the processor) by a hearty 15 degrees. Core Temp gets the reading right the first time, every time: a perfect tool for novice users who don’t know about SpeedFan’s important little quirk.

Download it here!

NetStress

What it does: Although you can use innumerable online tools to give you a decent gauge of your current bandwidth, NetStress is an offline tool that will help you isolate network peculiarities within your internal setup. To gain the most use out of the program, set up your network and run the throughput benchmarking features at a time when you feel your setup is at peak efficiency. Record the numbers. Later, if you start to detect slowdowns or other strange goings-on, re-run the benchmarking application and see how your numbers stack up. Just like Sherlock Holmes, you can begin to isolate the problem to an errant network cable, problematic PC, or router based on the results of your tests!

Download it here!

Nero DiscSpeed

What it does: Curious to know if you’re getting maximum performance out of your optical drive? That’s where Nero DiscSpeed comes into the picture. Although this program is no longer being updated in favor of a new paid-for application (grr), it’s still a great way to analyze your drive’s read and write speeds. For example, it’s one of the best ways to figure out if your 52X burner is actually performing at 40X for some unknown reason; measurements like that aren’t really the kind of thing that an average user can estimate by how the reading or writing process “feels.” Get the real seek times, transfer rates, and other measurements with this helpful application.

Download it here!

HDDScan

What it does: This free application gives you a host of options for checking on the health of your hard drives. Pull up the drive’s S.M.A.R.T. diagnostic information if you’re just interested in a quick scan. If any statistic looks out-of-place or otherwise dangerous, the program will alert you via colored icons on the side of each piece of information. From there, you can conduct more thorough evaluations by using the application to run offline S.M.A.R.T. testing of any drive in your system, even those connected to your PC via USB or FireWire. If you’re concerned about your system’s airflow, the program will even display real-time temperature readings from your drives as icons on the lower-right hand side of Windows’ taskbar.

Download it here!

Memtest86

What it does: It’s an oldie, but a goodie. I have yet to find a more thorough or easier-to-use method for evaluating the health of your system’s memory. Even Maximum PC itself agrees with me on this one. In fact, it’s well worth your time to click that link and read about how you can use Memtest86 to your greatest advantage. If you’re experiencing blue screens that have seemingly come out of nowhere and they match the qualifications of a typical memory issue (either the PFN_LIST_CORRUPT or PAGE_FAULT_IN_NONPAGED_AREA error messages), run Memtest86 as soon as you can to help you pinpoint the problem.

SQL injection: Not only AND 1=1

Posted in Uncategorized on April 3, 2009 by future man

Conficker C. Virus AKA Anti-Virus 2009: April 1st update

Posted in Uncategorized on April 1, 2009 by future man

Read my original article on Conficker B and its mutations.

Let’s begin with this quote from the NY Times…

A McAfee spokesperson told us that “McAfee researchers are monitoring for any signs of a Conficker outbreak” while warning that users should not assume a false sense of security: “Security is not a joke. In 2008, McAfee saw the largest number of malware – over 2 million malicious programs which equals nearly 5,500 pieces of malware per day.”

Journalists should stop quoting sources like McAfee, who invariably use the opportunity to spread fear and uncertainty to increase sales of their ineffective products.

If they were going to quote someone from an anti-malware company for an article like this, they should select personnel more knowledgeable than a spokesperson.

There was excessive Y2K-like media hype around an April Fools activation of the botnets controlled through Conficker, but what would be the monetary gain of activating the virus on April 1st with the world closely watching? Botnets are made up of infected computers, created and controlled by viruses like Conficker, and in these modern times they are used for one purpose: money. For example, they can be used against a gambling website as a threat to run a denial of service attack (DoS) against its server on the date of the Indy 500, in exchange for a large sum of money.  The old protection racket.

Now that the Conficker authors have the world listening, they could theoretically pull some sort of massive global threat in exchange for, say, one….million….dollars.  This is very unlikely because every security expert and their mom’s infected hard drive are wanting to catch these guys.  Most likely the authors of Conficker will continue to lay low and collect their checks from the various versions of the virus and their “affiliates”, whose business it is to stuff the virus inside torrents, emails and website pop-ups to infect as many computers as possible for a cut of the profit.  The BBC stated that there are no reports of “unusual PC behavior” emerging from Asia, where a great many of the 15 million Conficker-infected machines are located, confirming the April 1st hype is hot air.

The organization attempting to track the many changes to the virus, the Internet Corporation for Assigned Names and Numbers, refers to the loosely pyramidal criminal organization behind Conficker as the Conficker Cabal.   It is easy to constantly change a virus to make it undetectable, often having to change only a 1 to a 0 or make other slight alterations. This changes the blueprint or pattern, so that most anti-virus programs will no longer have that specific pattern in their database and be able to match and flag it as a virus.
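Added example (not from the original post, and not Conficker code): why a one-byte change defeats an exact-hash "blueprint" signature but not a pattern signature that ignores the changed byte. The two byte strings are constructed placeholders, and the signature names are hypothetical.

```python
import hashlib
import re
from typing import Optional

# Constructed placeholder "sample": a fake header plus a distinctive string.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 12 + b"cfg:beacon=http://srv.example.invalid/ping;mode=1"
# The "variant" differs from ORIGINAL in exactly one byte (final '1' -> '0').
VARIANT = ORIGINAL[:-1] + b"0"


def sha256_hex(data: bytes) -> str:
    """Exact file hash, the whole-file 'pattern' the post describes."""
    return hashlib.sha256(data).hexdigest()


# Signature database 1: exact hashes of known samples (hypothetical name).
HASH_SIGNATURES = {sha256_hex(ORIGINAL): "Demo.Placeholder.A"}

# Signature database 2: byte patterns with wildcards, in the spirit of YARA
# rules. The pattern tolerates the byte the variant changed ([01]).
PATTERN_SIGNATURES = {
    "Demo.Placeholder.A": re.compile(rb"beacon=http://[a-z0-9.]+/ping;mode=[01]"),
}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact-hash lookup: any single changed byte defeats it."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Pattern lookup: matches as long as the distinctive bytes survive."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def differing_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions at which two blobs differ."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    print("bytes changed:", differing_bytes(ORIGINAL, VARIANT))
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT)):
        print(label, "hash:", scan_by_hash(blob), "pattern:", scan_by_pattern(blob))
```

The defensive lesson is that exact-hash signatures are cheap but brittle, which is why scanners layer content patterns and behavioral checks on top of them.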

The Conficker worm already had been through several versions when the alliance of computer security experts seized control of 250 Internet domain names the system was planning to use to forward instructions to millions of infected computers.

Shortly thereafter, in the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet.

The latest major variation of the virus, Conficker C, constitutes a major rewrite of the software. Not only does it make the virus far more difficult to disable via antivirus software or registry edits, but the authors have also taken Microsoft’s security update features into account as well.

The Conficker authors were using the most advanced computer security techniques: the original version of the program contained a recent security feature developed by an M.I.T. computer scientist, Ron Rivest, that had been made public only weeks before. And when a revision was issued by Dr. Rivest’s group to correct a flaw, the Conficker authors revised their program to add the correction.

One of the largest botnets tracked last year consisted of 1.5 million infected computers that were being used to automate the breaking of “captchas.” Many different individuals control their own botnets, with the Conficker Cabal only loosely centralized; other activities of the virus include identity theft, extortion, and using the computers to send spam.

On a semi-related note, here’s a conversation I overheard in my Management of Info and Network Security class today:

Student 1: Oh, professor…did you hear ’bout that uh, that virus-trojan thing?

Professor: Oh, you mean the compt..uh, er, corn…compfiker thing?

Student 1: Yeah, cuz I heard it like, crashed Microsoft or somethin’!?!

Professor: Oh, no. That part was probably just an April fools joke. Windows comes with a firewall to prevent stuff like that from happening.

Student 2: (In a thick accent) Do you know where I am to be getting download patch, to fix the crack of that?

Professor: Oh, just watch The CNNs. They put out one of them hyper texts this morning.

All things considered, it was a semi-good discussion when compared to some other gems that I’ve heard in this class.

Professor: “I think it’s a good idea to give up freedoms for security. After all those…things, I’d rather just sleep in the airport over night so I can get checked in line early, the next day to get that TSA stuff out of the way. I feel safer knowin’ that it stops the wrong kinds of people from gettin’ in the air.” (I’ve assumed that this is his position because he’s a retired cop, but some of the things he says just seem blatantly ignorant. I won’t go into a lot of them, as they require too much context to be fully understood.)

“You don’t have to really know anything about how hardware [and software] works to know how to make policies and regulations on how the ‘geeks’ should be using it.”

“People don’t really use flow charts anymore.”

“You don’t have to worry about viruses gettin’ into your system, as long as you have some anti-virus software.” (Doesn’t seem too bad, except for the fact that he would only exclusively refer to Norton and Macefe.)

I’ve mentioned Linux, Open source and TrueCrypt to only have them met with blank stares.

Needless to say, I get a lot of other work done in that class.

No, I am not fucking with you, and yes, this is (supposed to be) a college level class I’m referring to.