5/3/10

Macs Hit by Backdoor Attack

Apple antivirus company Intego has discovered a backdoor malware attack targeting Mac users.

Able to infect both PowerPC and newer Intel-based Macs because it is written as a universal binary, OSX.HellRTS.D sets out to take complete control of an infected machine, setting itself up as a server capable of doing pretty much whatever it wants. This includes downloading software, spewing email, setting up screen sharing, accessing files on the Mac, and copying anything it finds on the clipboard.

The company describes infection levels as currently being very low, but warns that the code is circulating on hacker forums, which will give criminals access to it. No threat vectors such as spam attachments are mentioned because none have so far been used, but an infected file seems the most likely attack method.

As with so many of the small number of Mac-specific malware attacks that come up from time to time, this one is a variant of an attack from 2004, the company said, which will sound quaint to Windows users hit by thousands of variants on most days.

Mac malware is still rare enough to be worthy of an individual press release from a security company, something that hasn't been true of Windows malware for two decades. Examples are few and far between to the extent it is almost possible to name them all in a short blog, as Techworld did this week.

According to pcworld.com

Norton Internet Security 2011 Beta Handles New Threats

Computerworld - As protections against garden-variety viruses and malware have become more effective, malware writers have turned to new ways to infect computers in the pursuit of profit. Two increasing threats are malware spread via bad Facebook links and so-called scareware -- malware that masquerades as virus-scanning software.

The main screen of Norton Internet Security 2011.

The beta of Norton Internet Security 2011 adds several tools designed to protect against those threats, along with other useful tools and tweaks. The result is a useful all-around security application aimed at keeping up with a fast-changing landscape where new threats are constantly emerging.

Scanning Facebook links

The new Facebook Scan checks links on your Facebook Wall and News Feed to see whether they link to malware or to sites known to harbor malware. When you start it up, the feature takes you to a browser page, where it reports on the progress and results of the scan.

In order to use the tool (which is actually a Facebook app), you'll have to give Norton Internet Security 2011 access to your Facebook stream. The tool also asks for permission to post the results to your Facebook page. The scanner doesn't require posting permission in order to work, though, so if you feel uncomfortable granting that permission, don't.

The labeling of the tool is somewhat confusing. You access it from the Norton Internet Security 2011 main interface, but on the Web page where the results are reported, it is labeled Norton Safe Web, which is the suite's browser toolbar. But there is no way to scan Facebook directly from the Norton Safe Web toolbar, and the toolbar itself makes no mention of a Facebook scanning tool (at least in this beta version).

Norton Internet Security 2011 reporting on the results of checking a Facebook page for bad links.

I had trouble getting the Facebook Scan to work properly. It stalled at a "Generating results" notice that said it was scanning my feed for viruses. Clicking the "View results" button only started the scan again, and it once again stalled. When I closed the page and started the process again from Norton Internet Security, however, I did get results -- it reported that 27 of the 29 links it checked were safe. Results were pending on the remaining two links.

Each time I used the tool, similar problems occurred. It will clearly be a useful tool, assuming that it's fixed before the program ships.

Battling scareware

One problem with combating scareware is that individual pieces are typically so new that antivirus signatures have yet to be devised to identify them.

The previous version of Norton introduced a "Download Insight" feature that checks files as they are downloaded, as well as files already on your system, to see whether they are "trusted" -- that is, whether other people have downloaded and used them safely. If a piece of software is not trusted, that means it may not be safe. In that way, you are steered away from installing scareware.

The newest version of Norton extends that feature, adding support for more browsers -- while the previous version supported only Internet Explorer and Firefox, the new one includes Chrome, Opera, AOL and Safari. It also supports many instant messaging, peer-to-peer and e-mail applications, including AIM, Outlook, Yahoo Messenger and Windows Live Messenger.

Norton also has introduced a free stand-alone application, Norton Power Eraser, that discovers and kills hard-to-find scareware that cannot be detected by traditional antivirus software. Once you download it, the application scans your system and sends the information to Norton's servers, which analyze and report on the results. Power Eraser will then kill the scareware if you tell it to.

Norton Power Eraser is a free tool that can find and kill hard-to-detect scareware.

Be aware, though, that Norton Power Eraser is a more aggressive system scanner than the normal Norton malware scanner and is likely to return more false positives. So it's a good idea, before taking its advice to kill a program, to do a search on what it finds to get a better sense of whether it's really malware. For example, on my Windows 7 system, Power Eraser reported "shellfolderfix" as being malware, when in fact it is add-on software that helps Windows better remember the size and position of Windows Explorer windows.

According to pcworld.com

Diary of a Mad McAfee Antivirus Victim

As if McAfee's bad antivirus update last week wasn't bad enough, some customers were none too happy with how the security vendor's tech support handled the situation either.

David Hellen, an independent contractor for the U.S. Navy who heads his own SAP configuration business, says that last Wednesday, when he noticed that his Dell Latitude running Windows XP wouldn't boot straight into Windows, he knew he had to try to figure out what was going on. He saw news stories about the McAfee antivirus update snafu, which involved the faulty DAT 5958 file, and called his McAfee Gold Service phone number for help.

"After waiting 20 minutes in the queue, they connected me to India and I got a service technician," says Hellen, whose business is called David J. Hellen & Associates. "The first thing they said is, 'You have a virus.' I said I think I have that DAT thing. They told me to run scans."

Hellen says he ended up calling Dell because he has a contract with that vendor for support, and the technician there helped adjust the machine to prevent automatic shutdown so it would boot into Windows. But he still lacked some services, such as support for his security card reader, which he needs, especially since he works as a Department of Defense contractor.

"I phoned the McAfee guy back and we ran the McAfee scan, and we came up with nothing," Hellen says. "We tried the SuperDAT tool and that didn't work, and the 5959 update. It still didn't solve it." The McAfee technician told him he needed to escalate to "Tier 2 support."

Due to his work schedule, Hellen had to postpone more attempts at remediation until the weekend, so when he called McAfee tech support back then, he was surprised to learn that Tier 2 support doesn't work on Sunday. "I said, you have to be kidding me," he notes.

On Monday, April 26, McAfee tech support did contact Hellen and a technician took full control of his computer and uninstalled the antivirus software using what Hellen viewed as a "special cleaner they have to uninstall." McAfee was completely uninstalled and then reinstalled, he says.

While he appreciated that, and McAfee's effort did seem to restore his computer to full service, "what ticked me off" was that he got an e-mail from McAfee about his case, which he believes doesn't accurately represent his interactions with the vendor. The McAfee e-mail stated: "Customer called in that computer is infected by virus" and that the "severity rating" was "Business not affected."

That simply is not what occurred, says Hellen, who wants the notation of his status changed in the McAfee file to reflect what he feels is a more accurate representation -- that his business was impacted, and especially that his computer uses special software provided by the Defense Department.

Hellen is also upset that McAfee CEO Dave DeWalt issued a formal apology for the faulty antivirus update, saying that thousands of McAfee employees were working around the clock. But from Hellen's experience Tier 2 tech support didn't seem to be working on Sunday, even in the wake of a situation that McAfee itself caused.

McAfee had no immediate response related to McAfee Tier 2 support, but a spokesman did say the company is "investigating" Hellen's case.

McAfee does not intend to release the number of customers impacted by the faulty DAT update. The vendor announced Tuesday it will offer a free one-year subscription to its automated security health-check platform, an assessment of the security in the organization, on a case-by-case basis, to eligible corporate customers.

According to pcworld.com

McAfee's Mea Culpa for Update Error

McAfee apologized late Thursday for crippling thousands of customers' computers with a flawed update the day before.

"I want to apologize on behalf of McAfee and say that we're extremely sorry for any impact the faulty signature update file may have caused you and your organizations," said Barry McPherson, executive vice president of support and customer service, in a post to the company's blog near midnight yesterday.

It was the first apology by a McAfee executive for the fiasco, which started early Wednesday when an antivirus signature update wrongly quarantined a critical Windows system file after identifying it as a low-threat virus.

Reports, confirmed and anecdotal, put the number of affected PCs in the thousands, the majority of them in businesses. Only systems running Windows XP Service Pack 3 (SP3), the newest version that Gartner analyst John Pescatore estimated had a 50% share of the enterprise market, were clobbered by the bad update.

Computers crippled by the update crashed and rebooted repeatedly, and lost their connection to the network, a symptom that forced support staff to visit each downed PC, thus dragging out the time required to resuscitate machines.

McPherson provided a bare-bones explanation of how the flawed update managed to get through McAfee's testing. "The problem arose during the testing process for this DAT file," he said. "We recently made a change to our QA [quality assurance] environment that resulted in a faulty DAT making its way out of our test environment and onto customer systems."

McAfee is adding what McPherson called "additional QA protocols" to any updates that may impact critical Windows system files -- like the "svchost.exe" file that was erroneously quarantined Wednesday -- and will utilize its Artemis technology to provide customers a whitelist of hands-off system files.

Artemis is a McAfee technology that its desktop software uses to help identify suspicious files by matching their digital "fingerprints" with a database stored on the company's servers.

From the few comments added to McPherson's blog by 1:30 a.m. Eastern time today, McPherson's apology didn't sit well with users. "Let me say I am glad we have switched nearly 75% of our clients away from your product prior to this happening," said someone identified only as Charles H. "I can't imagine the chaos if we hadn't. It was chaos enough."

Users were much blunter the day before when they commented on a post McPherson wrote late Wednesday. That entry, titled "A Long Day at McAfee," raised the hackles of many who added their two cents.

"I'm not really interested in how hard your day was. Lots of folks had a rough day yesterday," said someone using the moniker "JustanIT Guy" in a comment Thursday. "What we should be hearing is how an update that smashed any PC running XP Service Pack 3 made it out the door."

Several comments asked why McAfee CEO David DeWalt had not issued an apology. DeWalt, who also occasionally posts to the McAfee blog, last did so on April 15, when he wrote about hosting the company's Public Sector Summit on security and current cyber threats.

"It is extremely telling that the CEO, David DeWalt, has not issued a statement about this matter on the McAfee web site," said a user identified only as Mark who commented on McPherson's blog.

Early Thursday, McAfee made available a semi-automated tool, dubbed "SuperDAT Remediation Tool," that restores a crippled computer. SuperDAT can be downloaded using a link on McAfee's support document.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Story copyright © 2010 Computerworld Inc. All rights reserved.

Symantec Warns of Cyber Attacks Worse Than Love Bug

A decade after the Love Bug virus attacked millions of computers worldwide and put the Philippines on the IT world map in a negative way, computer security experts have observed that today's computer attacks are more malicious than that original computer security threat.

In its April 2010 security report, Symantec said it has detected 36,208 unique strains of malware that were designed to carry out targeted attacks.

MessageLabs, later acquired by Symantec, was the first to raise the alert on the Love Bug virus, which was designed to overwrite and destroy data. The virus came in the form of a message attachment which, once opened, sent itself to the addresses in the recipient's email address book and spread on from there.

Ten years since Symantec Hosted Services, then MessageLabs, intercepted 13,000 copies of the virus in a single day on 4 May 2000, MessageLabs Intelligence said it now stops 1.5 million copies of malicious e-mails each day.

"Although mass mailing viruses like the Love Bug are rare today, cyber criminals' techniques have evolved to more malicious, highly targeted attacks and they are motivated less by achievement and credibility than by financial gain and identity theft," Symantec said in a statement. "On 4 May, 2000, 1 in 28 e-mails contained the Love Bug virus. By comparison, 1 in 287.2 e-mails contained a virus on 9 April 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware."

"The Love Bug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year," said MessageLabs Intelligence senior analyst Paul Wood. "Back then, users were less savvy, regarding the dangers posed by suspicious e-mail attachments and e-mails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks."

Bot Attacks

The April 2010 MessageLabs Intelligence Report also revealed that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control.

The report noted that Rustock has reduced the output of individual bots by 65 per cent but increased the number of active bots by 300 per cent, thus making up for the decreased output. Meanwhile, Cutwail has shrunk to 600,000 bots from two million bots in May 2009 and is now responsible for only four per cent of all spam. "Rustock remains the largest spam-sending botnet, responsible for 32.8 per cent of all spam," the report read.

"Affected by the closure of ISP Real Host in August 2009, Cutwail likely lost the ability to update some of its bots causing its numbers to diminish greatly without the ability to recover," said Wood. "As a result, Rustock has taken over significant volumes from spammers by undercutting the market with greater capacity and lower operational costs."

Spam

Worldwide, the spam rate this month was pegged at 89.9 per cent, a drop of 0.8 per cent from the previous month.

In the region, Malaysia and Singapore also saw a drop in the spam rate to 87.7 per cent, and 87.6 per cent respectively, the report added.

"Spam is more commonly sent from computers running Windows than from those running other operating systems," Wood said. "However, spam not identified as coming from botnets was seen in lower proportions coming from Windows machines than from known botnets."

According to pcworld.com