PC Repair on Wheels Blog

by Matthew Skelly

New email scam…and it’s a tricky one!

So here’s one that almost got by us. It’s a new take on the old “you have an invoice, package, parking ticket” scam, where a virus-loaded doc is attached to an email. The twist is that this one immediately puts you on the defensive by accusing YOU of being the scammer. Take a look.


You know what? That’s some scary stuff! And of course, my first instinct is to defend the company and look at that doc. But then I looked a little closer.


Neither Mike nor I has ever had that conversation on the phone. I also can’t help noticing a gap in the “WWW” in that link. Finally, if I hover over that doc link, it points to a VERY different address than the one displayed.

End of the day, it’s just another email scam. A little more inventive than most, but a scam nonetheless. Keep your eyes open!
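One defender-side check for the two tells described above (a display URL padded with a space and an href that points somewhere other than the text shown), as an added Python example that is not from the original post; the email HTML below is constructed, not the message from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not the real scam message).
SAMPLE_EMAIL_HTML = """
<p>Please review the attached document regarding your account.</p>
<p>Open it here: <a href="http://cdn.example-evil.test/view/doc.php?id=77">
w ww.example-bank.com/invoice.doc</a></p>
<p>Our site: <a href="https://www.example-bank.com/">https://www.example-bank.com/</a></p>
"""

# Visible text that reads like a URL, allowing spaces inside "www." as in the post.
DISPLAYED_URL = re.compile(r"^(?:https?://)?(?:w\s*w\s*w\s*\.)?[\w.-]+\.[a-z]{2,}", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_deceptive_links(html):
    """Flag anchors whose visible text looks like a URL but is padded with
    whitespace, or whose href host differs from the host the text shows."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not DISPLAYED_URL.match(text):
            continue  # plain words such as "click here" are not checked
        if re.search(r"\s", text):
            findings.append(("spaced-url-text", text, href))
        shown = host_of(re.sub(r"\s+", "", text))
        if shown and shown != host_of(href):
            findings.append(("href-mismatch", shown, host_of(href)))
    return findings
```

Running `find_deceptive_links(SAMPLE_EMAIL_HTML)` flags the first link twice and leaves the honest link alone.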

by Matthew Skelly

New Firefox!


As an IT professional, I’ve been recommending Firefox for over a decade. It’s generally been more secure than Internet Explorer and usually functions better. It’s more easily customizable than Google Chrome and has been my personal browser of choice since the demise of Netscape Navigator.

Truth is, I thought I was watching the whole death of Netscape play out again with Firefox: one or two bad releases of a once proud browser that sink the whole ship. The last few releases have been practically unusable, and I’ve been running Chrome instead for the last six months or so. It’s been a bummer, and I’ve constantly kept hope alive that Firefox may somehow course correct and come back better than ever.

Today’s announcement seems to indicate that they are giving it a try, though it’s too early to know if this is really the rebirth of the Firefox browser that I’ve been waiting for. Early reports suggest they’ve fixed the memory hog problem and made it even faster than Chrome (no great feat considering how many processes Chrome runs, even AFTER you’ve shut it down), though I’m not digging the more “minimalist interface” they’re announcing. Hopefully I’ll still have options to restore menu bars and such.

I’m downloading this sucker tomorrow morning, first thing when I get into the office. I’ll post my thoughts on it soon.

Stay Tuned.

by Matthew Skelly

Mac Fruitfly virus

Found a fascinating article on an insidious virus for Macs on the Malwarebytes site. The ZDNet article it draws on is reproduced below.

Six months after it was discovered, the first Mac malware of the year is still causing a stir.

The recently discovered Fruitfly malware is a stealthy but highly-invasive malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, and keyboard and mouse.

But despite its recent discovery, little is known about the malware.

Given how rare Mac malware is, especially one with all the hallmarks of what could be a nation state attacker, Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, got to work.

Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said. Nevertheless, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.

But what it does, and why, aren’t widely known.

“It’s not the most sophisticated Mac malware,” said Wardle in a Signal call last week, but he described it as “feature complete.” Like others, he wasn’t sure what the malware did exactly at first glance.

Instead of reverse-engineering the malware’s code to see what it did, he took a novel approach of creating his own command and control server to interact directly with a sample of the malware in his lab.

A selection of the computers, their username, and computer’s name infected by the Fruitfly malware. (Image: Patrick Wardle/Twitter)

“I had to figure out how to create a command and control server that could speak the ‘language’ of the malware,” he said. That let him fully deconstruct what the malware did simply by “asking” the malware the right questions, giving him an unprecedented view into its capabilities.

He found that he could take complete control of an infected Mac, including its keyboard and mouse, take screenshots of the display, remotely switch on the webcam, and modify files. The malware can also run commands in the background, and even kill the malware’s process altogether — likely in an effort to avoid detection.

“The most interesting feature is that the malware can send an alert when the user is active,” said Wardle, so that the attacker can then avoid interfering with the computer to remain stealthy. “I haven’t seen that before,” he said. He even found that some commands supported additional parameters. What he called the “second byte” to each command would offer more granular options. He explained that he could take screenshots of the display of varying quality — a useful feature for low-bandwidth connections or trying to evade network detection.

He noticed that the malware was communicating out to primary servers that were offline. But some of the backup servers were available.

Armed with his Python-based command and control scripts, he registered some domains, and fired up his servers. And that’s when his screen began to fill up with victims’ computers connecting to his servers, one after the other.

“I thought — ‘f**k!’ — I have to be responsible here,” he said. When the malware connects, you get the IP address, name of the user, and the computer name (which is typically the full name of the user). “I just logged the connections and parsed the computer names, then closed the connection,” he said.

The early analysis was that as many as 90 percent of the victims were in the US, with no obvious connection between the users, he said. “It was just a general smattering of users.”

But questions remain over where the malware came from, and what purpose it performs.

Wardle said that, based on the target victims, the malware is less likely to be run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.

He also wasn’t sure on the exact delivery method of the malware, but suggested it could infect a computer through a malicious email attachment.

Wardle has since informed and is now working with law enforcement on the matter, handing over the list of victims and command and control servers.

“You have to realize that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack,” he said. “This is just another illustration that Macs are just as vulnerable as any other computer.”

In part for that reason, Wardle spends his spare time developing free-to-download Mac tools to protect against this kind of attack, including Oversight, which notifies users when their microphone or webcam becomes active; essentially protecting against some of the features of this malware.

“It’s not surprising that this malware wasn’t detected for five or more years, because current Mac security software is often rather ineffective,” he said. “Most don’t even look for this kind of activity.”

Wardle is set to talk about the malware in more detail at the Black Hat conference in Las Vegas on Wednesday.

Apple did not respond to a request for comment.

Originally posted at
http://www.zdnet.com/article/new-analysis-fruitfly-mac-malwware-almost-undetectable-backdoor/
