Zeno's blog

"MacAccess" OSX DNSChanger New Variant

For those interested, I just uploaded the file. MD5: 56cb64220dc0248b57649ba1fc6956a1

Further Reading

iPhone Users Vulnerable to URL Spoofing Attack

As I was reading my RSS feeds, I noticed that Aviv Raff disclosed two vulnerabilities found in the iPhone on the Jewish new year (Oct 2). But, to my surprise, the phishing vulnerability isn't really new ... Further Reading

Prevalence of Exploited PDFs

While the threat landscape has changed dramatically over the past years, attackers have become increasingly aggressive in exploring ways into users' systems.

A spammed email with an EXE attachment no longer penetrates the wider network of users, now that most home users and enterprise networks have a certain level of information security awareness.

But how about spamming an exploited file such as a PDF?

Incidents involving exploited PDF files are not isolated. Instead, this threat has been consistently prevalent and keeps recurring. Further Reading

New DNSChanger Hacks Router In Mac?

As we all know, DNSChanger has two executables: an EXE for Windows and a DMG for Mac OS X. This threat has been around for quite some time, but nothing exceptional happened until last week, when a new variant caught our attention.

A new EXE variant of DNSChanger is capable of changing users' DNS settings by hacking the configuration page of the wireless router. Is this true? Yes: it targets a list of router models and performs a dictionary attack against the router's login.

Is there a similar variant affecting Mac? Let's check the latest downloadable DMG file, courtesy of several PornTube sites roaming around the net. Read iThreatsBlog

Apple Fixed Piggybacking Issue in Software Update

If you use Apple applications on Windows, I'm pretty sure you have encountered this.

A couple of weeks ago there was a series of reactions, specifically from those who understand information security, criticizing the piggybacking (stealth installation) of Safari 3.1 through Software Update. [full story here]

The interesting news is that Apple listened and fixed this issue in its latest Software Update tool for Windows, version 2.1.

Apple fixed the issue by creating two sections: (1) Updates and (2) New Software. Safari 3.1 is no longer piggybacking on software updates, since it now has its own category, New Software, which is good.

But why are the tick boxes still ticked by default? [full story here]

How To Download DNSChanger DMG In Windows?

There has been an increased prevalence of DNSChanger DMG threats. These capture more attention, but unfortunately some analysts cannot download the right installer (the DMG file) for Mac.

Why?

RBN's Trojan DNSChanger, also known as the fake codec for Mac, serves two executables: an EXE for Windows and a DMG for Mac. When a user visits the malicious site, the browser sends its User-Agent header. This contains information such as the OS and its version, the web browser, and the language preference. The malicious website then decides which executable to serve based on that header, so a browser on Windows is handed the EXE. To be served the DMG from a Windows analysis box, the request has to present a Mac User-Agent.
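The following is an added example, not code from this blog or from the malware site. It reconstructs the server-side User-Agent dispatch described above as a plain function, and shows how an analyst builds a request that presents a Mac User-Agent so the DMG is served. The User-Agent strings, the file names `codec.exe`/`codec.dmg` and the URL are constructed for illustration; the real site's logic is not known beyond what the post states.

```python
"""Added example: User-Agent-based payload dispatch and a spoofed request to get the DMG.

The dispatch logic is a reconstruction of the behaviour the post describes, not the
malware site's real code. User-Agent strings, file names and URL are constructed.
"""
import hashlib
import re
import urllib.request

# Constructed User-Agent strings in the shape browsers of the period sent.
UA_WINDOWS_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
UA_MAC_SAFARI3 = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) "
                  "AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13")
UA_LINUX_FIREFOX3 = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) "
                     "Gecko/2008061015 Firefox/3.0")


def choose_payload(user_agent):
    """Reconstructed server-side dispatch: Mac visitors get the DMG, Windows visitors
    the EXE, and any other platform gets no installer at all."""
    ua = user_agent or ""
    if re.search(r"Macintosh|Mac OS X", ua):
        return "codec.dmg"
    if re.search(r"Windows", ua):
        return "codec.exe"
    return None


def build_request(url, platform):
    """Build a request whose User-Agent claims the chosen platform ('mac' or 'windows').
    Sending the Mac string from Windows is what makes the site hand over the DMG."""
    ua = {"mac": UA_MAC_SAFARI3, "windows": UA_WINDOWS_IE7}[platform]
    return urllib.request.Request(url, headers={"User-Agent": ua})


def fetch_payload(url, platform="mac", opener=urllib.request.urlopen):
    """Download the variant served to the chosen platform; return (bytes, md5 hex).

    Compare the digest against the MD5 published for the sample to confirm that the
    spoofed request really produced the DMG rather than a decoy or the EXE.
    """
    with opener(build_request(url, platform)) as resp:
        data = resp.read()
    return data, hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    for ua in (UA_WINDOWS_IE7, UA_MAC_SAFARI3, UA_LINUX_FIREFOX3):
        print(f"{ua[:45]:45} -> {choose_payload(ua)}")
    # Live use, only from an isolated analysis machine that may be fed malware:
    #   data, digest = fetch_payload("http://<malicious-site>/codec", platform="mac")
```

Run the live fetch only from an isolated analysis host; the downloaded file is the trojan itself, so write it to disk under a neutral name and verify the MD5 before doing anything else with it.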

Pay-per-Install A Malware Retail Business

Organized cyber-criminals have introduced a new retail business: Pay-Per-Install. It primarily entices webmasters to join the gang, promising to pay $350 for every 1,000 installs.

The deal is that you have to register or sign up for an account. They then reply with your login credentials and a link to your installer.

Detailed info found at iantivirus

MacSweeper Rogue Application

The first rogue application that runs on Mac OS X.

MD5: bac67dcace732e3679ab536c0b3635f9

Analysis of OSX Trojan DNS Changer

::::::::::::
File Size
::::::::::::
DMG : ~ 17.1 KB (17,598 bytes)
Installer.pkg : ~132 KB (135,168 bytes)

:::::::::::::::::
Propagation
:::::::::::::::::
This malicious code does not spread or propagate by itself. It uses an ancient yet effective social engineering technique to entice users to install the program manually. The trojan disguises itself as a video codec and is bundled with shared, free video downloads. It was first seen linked from porn sites, but later it was also linked from funny videos and seen on splogs (spam blogs).

Is this in the wild? Yes.
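Since the trojan's whole purpose is to replace the system's DNS servers, the quickest triage check on a suspect Mac is to compare the configured resolvers against the ones you expect. The following is an added example, not part of the original analysis: it parses resolver addresses out of `scutil --dns` output (the Mac OS X tool) or out of `/etc/resolv.conf`, and flags any nameserver that is not on an allowlist. The sample outputs and the allowlist (`192.168.1.1`, i.e. "only my router") are constructed for illustration; the rogue address `203.0.113.53` is a documentation-range placeholder, not an address tied to this malware.

```python
"""Added example: flag resolver settings a DNSChanger-style trojan may have planted.

Reads `scutil --dns` (Mac OS X) or /etc/resolv.conf and reports nameservers that are
not in an allowlist. Sample outputs and the allowlist below are constructed.
"""
import ipaddress
import re
import subprocess

# Constructed allowlist: on a home Mac behind a router, only the router should resolve.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample of `scutil --dns` output with one planted resolver.
SAMPLE_SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  order   : 200000

resolver #2
  domain  : local
  options : mdns
  timeout : 5
"""

# Constructed sample of the same situation in resolv.conf syntax.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Matches both "nameserver[0] : 1.2.3.4" (scutil) and "nameserver 1.2.3.4" (resolv.conf).
NAMESERVER_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.MULTILINE)


def extract_nameservers(text):
    """Return the nameserver addresses found in scutil- or resolv.conf-style text,
    normalised through ipaddress so stray tokens that are not addresses are dropped."""
    servers = []
    for match in NAMESERVER_RE.finditer(text):
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue
    return servers


def find_rogue_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return every configured resolver that is not in the allowlist, in config order.
    Anything here on a machine that should only use its router is worth a closer look."""
    return [addr for addr in extract_nameservers(text) if addr not in expected]


def current_dns_text():
    """Collect the live resolver configuration: scutil on Mac OS X, resolv.conf elsewhere."""
    try:
        return subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        with open("/etc/resolv.conf") as fh:
            return fh.read()


if __name__ == "__main__":
    for name, sample in (("scutil sample", SAMPLE_SCUTIL_OUTPUT),
                         ("resolv.conf sample", SAMPLE_RESOLV_CONF)):
        print(f"{name}: rogue resolvers -> {find_rogue_resolvers(sample) or 'none'}")
    # On a real host: print(find_rogue_resolvers(current_dns_text()))
```

Remember the router variant described above: a clean resolver list on the Mac proves nothing if the router itself has been pointed at a rogue DNS server, so check the router's WAN DNS settings as well.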

Russian Business Network study


There are some places in the world where life is dangerous. The Internet has some dark zones too, and RBN is one of them. RBN stands for Russian Business Network, a nebulous organisation whose purpose is cyber crime.

This study aims to shed some light on RBN activities and tries to detail how they work. RBN has many constituents, and it is hard to get an exact idea of the goal of some of them and of the way they are linked with the others.
Some countermeasures are available, but they are out of reach for home users or even companies. Only ISPs, IXPs and Internet regulators can help mitigate the risks originating from RBN and other malicious groups.

You may download the PDF from these links:
+ http://research-labs.net/news/13-Russian+Business+Network+study.html
+ www.bizeul.org/files/RBN_study.pdf

just fyi..

Regards,
~ Zeno
