Sophos has a blog called NakedSecurity, and posted a history of Mac malware last October. Considering the recent Flash trojan variants, and all the recent news about security issues, I found it instructive to see how attacks on the Mac (and the Apple II before it) happened and what was done to prevent problems for Mac users.

Please have a look at the post for details… here’s a list by year of the malware mentioned.

Mac malware timeline

• 1982 – Prehistory: Elk Cloner
• 1987 – nVIR
• 1988 – HyperCard
• 1990 – MDEF
• 1991 – German folk tunes
• 1995 – Word macro viruses
• 1996 – Laroux – viruses for Excel
• 1996 – AutoStart 9805 and Sevendust
• 2004 – Renepo and Amphimix
• 2006 – Leap, the first virus for Mac OS X
• 2007 – OpenOffice BadBunny and RSPlug financial malware
• 2008 – Scareware, backdoors and Jahlav

2

• 009 – Malware in pirated software torrents, sex videos and a rudimentary virus protection from Apple
• 2010 – Backdoors, cross-platform attacks and free anti-virus
• 2011 – MacDefender scareware and SEO poisoning

Related posts:

1. Flashback malware removal tool roundup Originally posted by Topher Kessler, on MacFixIt 4.13.12 In the...

Related posts brought to you by Yet Another Related Posts Plugin.

Adobe Flash Player Install Manager (the application) checks for updates automatically, and will present you with a window asking if you want to continue with the install. That’s a legitimate application from Adobe. If you see something that looks like a Flash Player install window, and the app name is not exactly Adobe Flash Player Install Manager, quit the app immediately.

If you’re ever in doubt — or if it just makes you more comfortable — you can quit Adobe Flash Player Install Manager, go direct to Adobe.com and click on the Flash Player link (at the lower right when I just checked). The next page will allow you to download the Flash Player installer dmg. Open that, run the app inside, and you’ll get the same window as if Adobe Flash Player Install Manager started itself. It’s incredibly unlikely that Adobe’s site could be hacked, so this is a very safe way to keep Flash Player up to date. And, unless you never have Flash turned on, you need to keep Flash Player up to date.

Adobe Flash Player Install Manager can also be used to uninstall Flash Player.

Thanks to Stephen Hart

Additionally, depending on your OS (this works in Lion, at least) there is a Flash pane in System Preferences, where an option can be set to check for updates. If you click on it you’re taken to Adobe’s page where your Flash version is checked and the current version is noted, and if you don’t have the current version you’re directed to Adobe’s download page.

This is a sure way to keep Flash updated safely.

Related posts:

1. How do you know if a Flash Update notification is legit? MacFixIt’s Topher Kessler has a great post addressing this. I...
2. Gmail users may be at risk from a Flash bug  Yesterday (06/06/11) Adobe told the world that the Flash Player...
3. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...

Related posts brought to you by Yet Another Related Posts Plugin.

OSXDaily posted today a list of 24 multi-touch gestures used by Mac OS X and compatible hardware… newer Mac laptops and touch pads, and commonly used Mac apps.

Finder, Mission Control, and Desk

top

• Push Windows Aside to Show Desktop – Four Finger Spread
• Activate Mission Control – Four Finger Swipe up
• Switch Desktops & Full Screen Apps – Three finger swipe left or right
• Mission Control All Windows for Current Application – Four Finger swipe down
• Zoom Into Window in Mission Control – Two finger swipe up over window
• Open Launchpad – Four finger pinch
• Drag Windows – Three finger hold and drag over window bar
• Tap to Click – Tap with a single finger
• Right-Click – Two finger click
• Scroll – Two finger swipe in direction to scroll

Safari, Chrome, Firefox

• Zoom In & Increase Font Size – Spread
• Zoom Out & Decrease Font Size – Pinch
• Go Back – Two Finger swipe right
• Go Forward – Two Finger swipe left
• Look Up Word in Dictionary – Three fingered double tap over word (Safari only)
• Smart Zoom – Two finger double tap (Safari only)

Quick Look & QuickTime Player

• Enter Full Screen – Spread
• Exit Full Screen – Pinch
• Scrub Video – Two finger swipe right or left (QuickTime only)

Preview

• Rotate Image – Two finger rotate gesture
• Zoom Into Image – Spread
• Zoom Out Image – Pinch

Misc

• Flip Calendar Pages – Two finger swipe left or right (iCal)
• Refresh Tweet Stream – Two finger pull down (Twitter)

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

One question I’ve heard a lot recently is “how can I securely send or share files, so only the person intended can read them?”

One solution is Dropkey, currently available on the Mac App Store for $19.99.

Check here to see the web site and download a trial, and let me know how you like it.

One thing I’m not yet sure of but have inquired about is if I send files to Windows users, will this work? Also, if Mac users don’t use Address Book, but Outlook or another app for contacts, will it work?

I’ll post the answers to these questions when I receive them.

Related posts:

1. Trojan masquerades as image files Intego reported that a new version of the Imuler trojan...

Related posts brought to you by Yet Another Related Posts Plugin.

MacFixIt’s Topher Kessler has a great post addressing this. I highly suggest you read it carefully.

In part:

if you are browsing the Web and see a notice pop up about the need to update Reader, there are several things you can do.

1. Do not trust it
Immediately be skeptical of any automatic software update, especially those for Flash or Reader. Instead of accepting it and downloading the update, check the interface for any apparent typos or grammar errors, and if found, then close it down. Additionally, check online by simply doing a Google search (or more accurately visiting Adobe’s support site) to see if any updates have been recently issued.

Right-click the Flash installer package in the Dock, and reveal it in the Finder to see if it is in your user account or in a location that would first require authentication before the program could be placed there.

2. Standalone application
Adobe’s updates are automatically distributed via utilities such as Update Adobe Flash Player, which are run from the Adobe Flash Player Install Manager program that is installed when you install Flash or Reader. To see if this program is what is running, right-click the installer icon in the Dock and select the option to show it in the Finder.

If the program is in your downloads folder, or somewhere in your user account, then do not trust it and throw it out. However, if it is in the /Applications or /Applications/Utilities/ folder, then it suggests the program is legitimate, since installing to these locations would first require a username and password (as is needed when installing Flash for the first time).

3. Quit your browser
Often malware will be presented as a download from within a specially crafted browser window that displays a Web page which is intended to look like a program running on your system. If you see a notice to install Flash, and then quit your Web browser and the notice goes away, then this is a good indication that it is not legitimate and is likely an attempt to lure you into downloading malicious software.

If you observe these three steps when dealing with an automatic update window that suddenly appears, you should be able to better avoid malware attempts on your system.

As a final note, the easiest method by far for avoiding malware attempts when updating your programs (any software, and not just Adobe’s) is to avoid the automatic update solutions altogether. Instead, enable them to notify you when an update is available, and then only download the update directly from the developer. By doing this you will be sure the software you download is legitimate and up-to-date. In the case of Adobe’s products, you can easily get them from the following Web pages:

• Adobe Flash Player
• Adobe Reader

Related posts:

1. Gmail users may be at risk from a Flash bug  Yesterday (06/06/11) Adobe told the world that the Flash Player...
2. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...
3. Adobe to release Reader and Acrobat security patches tomorrow A “pre-notification” from Adobe announced patches for “critical” security flaws...

Related posts brought to you by Yet Another Related Posts Plugin.

Exerpted from MacFixIt

This new minimum-threat malware development for OS X copies Flashback and suggests criminals jump on opportunistic bubbles.

Recently the Flashback malware attacks on OS X gained headlines, not because of the presence of the Trojan, which had been around for some months prior to the increase in attention, but rather because it gained the possibility of installation in a drive-by-download attack that did not require any interaction from the user in order to install.
This development was made possible because of a vulnerability in Java that allowed for a maliciously crafted applet to break the Java sandbox and write files to the disk. Apple has since patched this issue and it, along with other companies, have released Flashback Trojan removal tools to combat the malware; however, in its prime, the malware did reach more than 600,000 Mac users.
While this vulnerability has been linked in the media to Flashback, it appears the same vulnerability is being attempted by other criminal malware developers as well.
When exploits to vulnerabilities are found by criminals, many times they are packaged in underground software development kits that are then distributed, making malware development around these vulnerabilities far easier to do. According to computer security expert Brian Krebs, the CVE-2012-0507 vulnerability in Java that was used by Flashback was included in one of these kits (called Blackhole), and therefore has been available to criminal software developers for some time.

Check these two folders for files called “com.apple.PubSabAgent.plist” and “com.apple.PubSabAgent.pfile,” and remove them from the system if they are present.
(Credit: Screenshot by Topher Kessler/CNET)

Over the weekend, another Trojan called PubSab has been identified for OS X that uses the same Java vulnerability in an attempt to infect Mac systems. There is a little uncertainty over exactly how this malware attacks the system, but Sophos suggests it uses the same CVE-2012-0507 vulnerability found in Java, and SecureList’s analysis shows it uses CVE-2009-0563, which was a vulnerability in Microsoft Office that was patched years ago.
When installed, as with other Trojans and malware of its kind, it creates a launcher file and the malware executable within user accounts that it tries to disguise as a legitimate Apple-supplied file, and then uses the launcher to keep the malware running on affected systems. The malware then tries to upload personal information such as screenshots to remote servers, and can accept commands from remote servers.
Because both the Java and Office vulnerabilities that this malware uses have been patched, moving forward this is not considered a serious threat as long as you have kept your system and software up-to-date. Additionally, it being distributed in part through rogue Word documents makes avoiding it a bit easier by simply deleting attachments and e-mails of unknown origin. As with the Flashback malware, OS X systems that ship with Lion are safe from attack, and anyone who has updated Microsoft Office within the past couple of years is also safe from this exploit.
Despite this, to ensure your system is clear, you can check for the malware by going to the Library folder within your user account (hold the Option button and select Library from the Finder’s “Go” menu in OS X Lion), and then open the LaunchAgents folder and the Preferences folder within the user library. In the LaunchAgents folder, locate and remove the file called “com.apple.PubSabAgent.plist.” Then go to the Preferences folder and remove the file called “com.apple.PubSabAgent.pfile” (note the extension “pfile” instead of “plist”). The first document here is the launcher that keeps the process running, and the second is the process itself.
Alternatively to using the Finder to locate and remove these files, you can run the following two commands in the Terminal application (in the /Applications/Utilities/ folder):
rm ~/Library/LaunchAgents/com.apple.PubSabAgent.plist
rm ~/Library/Preferences/com.apple.PubSabAgent.pfile
After you have removed these files, log out and log back in to your system to clear them from the system’s memory and from the launch manager for your user account.
Note that if you use a full system backup option like Time Machine, then these files may have been backed up, and therefore might be restored if you need to restore your system from backup. Therefore, when in these folders invoke Time Machine and then locate the files in the Time Machine backup. Then right-click the files (or control-click) and choose the option to delete all backups of the files. Additionally, after removing the files be sure to have Time Machine or your other backup solutions make a full, fresh backup instance of your system to ensure you have a new starting point that is malware-free.

Not to be confused with this malware, the “PubSub” folder within user accounts is used by the system for syncing RSS feeds.
(Credit: Screenshot by Topher Kessler/CNET)

The name of this malware suggests the criminals behind it are attempting to confuse users with legitimate technologies in OS X. One of the services Apple includes with OS X is called “PubSub,” and is used by OS X for syncing RSS feeds among devices. Therefore, you may periodically see a process called PubSub or PubSubAgent running in Activity Monitor; however, you should not see a process with “PubSab” in its name.

The use of these known vulnerabilities in these and other malware attacks suggest that when a vulnerability in OS X or common applications and technologies used on OS X is found, then it is likely that more than one malware developer may be attempting to use it. A while ago we discussed this as a possibility, and this latest development supports this notion where criminals might jump on opportunities presented to them by the distribution of exploits in kits like Blackhole and others.

Therefore, despite OS X having a fraction of the malware that is being developed daily for Windows systems, when an attack happens there may be others that follow in tow that attempt to use the same means of compromising a system, so be sure to patch any found vulnerabilities for the software you use on your system. OS X is a relatively new operating system, but its market share is on the rise in both the United States and worldwide, making it a more enticing target for attackers to use as we’ve seen with the increase in attacks (both opportunistically and otherwise) over the past few years.

NOTE: The name of this malware may cause a bit of confusion. Some have called it “SabPub,” and others have called it SubPab, PubSab, and other permutations of the name, resulting in a bit of a tongue-twister. For now it is known to write files to the hard drive that use the term “PubSab” in their names; however, popularity and security companies are referring to it primarily as SabPub.

Topher Kessler, 04.16.12

Related posts:

1. New Security Update provides more malware protection for Snow Leopard Security Update 2011-003 was released a couple of days ago...

Related posts brought to you by Yet Another Related Posts Plugin.

from tuaw.com 04.16.12

Just days after Apple released its official Flashback trojan patch, another Java trojan has been discovered that could possibly infect Macs. The trojan is known as “LuckyCat.” As Kaspersky Lab Expert Costin Raiu explains in a blog post (see my previous post), LuckyCat takes advantage of an exploit in Microsoft Word that allows malware to be spread via documents that take advantage of the CVE-2009-0563 vulnerability:

One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces. Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a. In total we have six relevant Word .docs with this verdict — with four dropping the MaControl bot. The remaining two drop SabPub.

The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named “8958.doc”. This suggests it was extracted from a Word document or was distributed as a Doc-file.

Currently there are no details on how the average user can detect if they are infected with the LuckyCat trojan, nor how to remove it. One can expect that the Microsoft Word vulnerability will be patched in an Office for Mac update.

Thanks to Michael Grothaus

Related posts:

1. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...
2. More good information about Flashback trojan and Java vulnerability AppStorm Mac has a very cogent article posted this morning...
3. Flashback trojan info, and a detection app Auto-installing Flashback trojan varient infecting Macs worldwide First, I’d like...

Related posts brought to you by Yet Another Related Posts Plugin.

Thanks to Costin Raiu, Kaspersky Lab Expert posting on SecureList

At the moment, there are more than 100 million Mac OS X users around the world. The number has grown switfly during the past years we expect this growth to continue. Until recently, Mac OS X malware was a somehow limited category and included trojans such as the Mac OS X version of DNSChanger and more recently, fake anti-virus/scareware attacks for Mac OS X which boomed in 2011. In September 2011, the first versions of the Mac OS X trojan Flashback have appeared, however, they didn’t really become widespread until March 2012. According to data collected by Kaspersky Lab, almost 700,000 infected users have been counted at the beginning of April and the number could be higher. Although Mac OS X can be a very secure operating systems, there are certain steps which you can take to avoid becoming a victim to this growing number of attacks.
Here’s our recommendation on 10 simple tips to boost the security of your Mac:

1. Create a non-admin account for everyday activities

Your default account on Mac OS X is an administrator user, and malware writers can take advantage of that to infect your computer.

For everyday activities, we recommend you create a non-admin user and you only log in as administrator when you need to perform administrative tasks. To do that, go to the “Accounts” pane of “System Preferences, then create a non-administrator user. Use the new account for everyday tasks like e-mail and web browsing. This greatly helps to limit the damage from zero-day threats and drive-by malware attacks.

2. Use a web browser that contains a sandbox and has a solid track record of fixing security issues in a prompt manner.

We recommend Google Chrome, for many reasons, one of them being that it’s updated a lot of more often than Apple’s built-in Safari browser. In addition to its own sandbox, Chrome ships with a sandboxed version of Flash Player that puts up a significant roadblock for malicious exploits. Google Chrome also has a silent, automatic update mechanism that removes the burden of patching security vulnerabilities. Make sure the new browser is also set as your default web browser.

3. Uninstall the standalone Flash Player.

Unfortunately, Adobe’s Flash Player has been common target for hackers looking to take control complete over your computer. An old version of Flash Player will most certainly put you at risk when browsing the internet. To uninstall Flash, you can use the two utilities provided by Adobe, for versions 10.4-10.5 and 10.6 and later. See this link for details.

4. Solve the Java problem.

Like Flash Player, Java is a preferred target for exploit writers looking to plant malware on your machine.

We recommend you completely uninstall it from your machine. Unfortunately, Apple doesn’t allow Oracle to update Java for Mac directly. They do it themselves, usually several months later! This means the window of exposure for Mac users is much longer than PC users.

The Java Preferences utility is in /Applications/Utilities; uncheck the boxes next to the versions listed in the General tab.

If you must use Java for some specific applications, it’s very important that you at least disable Java in Safari and other Web browsers. In Safari, go to Preferences -> Security -> Web Content and uncheck “Enable Java”.

5. Run “Software Update” and patch the machine promptly when updates are available.

Many of the recent attacks against Mac OS X take advantage of old or outdated software. Commonly exploited sxploited suites include Microsoft Office, Adobe Reader/Acrobat, and Oracle’s Java, but there are other applications that can be abused as well. Office for Mac 2011 is much better from a security point of view than Office for Mac 2008. If you are still using 2008, we recommend you update to 2011 as soon as possible. Whenever you see the Apple’s “Software Update” prompt, be sure to apply the fixes and reboot the machine when necessary.

6. Use a password manager to help cope with phishing attacks.

The good news is that unlike Windows, Mac comes with a built-in password manager, the “Keychain”.

Whenever possible, try to generate unique, strong passphrases for your resources and keep them in the keychain instead of remembering easier passwords. Whenever the cyber-criminals manage to compromise one of your accounts, they will immediately try the same password everywhere – GMail, Facebook, eBay, PayPal and so on. Hence, having an unique strong password on each resources is a huge boost to your online security.

Another, though more complicated advice is to have a separate keychain, with a 3-5 minutes password cache timeout, for important passwords only. What are important passwords? Well, things such as resources which when compromised can cause direct financial loss: eBay, PayPal, online banking and so on. If somehow your “Keychain” gets compromised, you don’t loose all the passwords.

7. Disable IPv6, AirPort and Bluetooth when not needed.

Turn off connectivity services when not in use, or when not required. These include IPv6, AirPort and Bluetooth, three services that can be used as entry points for hacker attacks.

IPv6 is a relatively new communication protocol which your Mac can use. This is rarely used in practice , although in my years of travelling, I’ve seen only one hotel which supported IPv6 in parallel to IPv4. Hence, it’s probably safe and even a good advice to disable IPv6 proactively.

To disable IPv6 on your computer Choose Apple menu > System Preferences, and then click Network.

If the Network Preference is locked, click on the lock icon and enter your Admin password to make further changes. Choose the network service you want to use with IPv6, such as Ethernet or AirPort.

Click Advanced, and then click TCP/IP. Click on the Configure IPv6 pop-up menu (typically set to Automatically) and select Off.

(More details here.)

10. Install a good security solution.

“Mac’s do not get viruses” has been a common theme ever since the famous 2006 commercial with the sick PC and the healthy Mac. Six years have passed and the situation has changed dramatically. In 2011, cybercriminals began pushing DNSChangers and fake anti-virus lures to Mac users in a very aggressive way. The Flashback trojan which appeared in September 2011 caused a huge outbreak in March 2012, which amounted for over half a million infected users worldwide. (see this article on the methodology used to calculate the number)

Nowadays, a security solution is absolutely mandatory for any Mac user. You can download and install a trial of Kaspersky Anti-Virus for Mac. (I use Intego VirusBarrier X6 myself, and recommend it)

For Mac OS X power users, a utility like Little Snitch can be used to determine when a program attempts to establish an outgoing Internet connection and give you the option to allow or deny this connection.

In conclusion…
At the beginning of 2012, we predicted that an increase in the number of attacks on Mac OS X which take advantage of zero-day or unpatched vulnerabilities.

This is a normal development which happens on any other platform with enough market share to guarantee a return-on-investment for virus writers so Mac OS X fans shouldn’t be disappointed because of this. During the next few months, we are probably going to see more attacks of this kind which focus on exploiting two main things: outdated software and the user’s lack of awareness. If you follow the above steps, keep everything updated and be aware of these attacks, your chances of becoming yet another random victim will be greatly diminished.

Thanks to Ryan Naraine (@ryanaraine) for contributing to these tips.

Related posts:

1. Want Security? Get a Mac Keir Thomas at PCWorld wrote yesterday about former Google CEO...

Related posts brought to you by Yet Another Related Posts Plugin.

Originally posted by Topher Kessler, on MacFixIt 4.13.12

In the past week, a number of reputable companies have released tools to automatically remove the Flashback malware from OS X systems.

The Apple community is tackling the Flashback malware threat for OS X. Despite these efforts, the malware is still out there with the potential to infect unpatched
Mac systems or even those that are patched, but for which the user fell for the fake Flash updater traps used by earlier variants of the malware.

You can check for the presence of the malware using our instructions or others, or use automated online options such as Dr. Web’s checker to determine if your system may be compromised. So far, a number of tools have been released by some reputable security firms that will detect and remove this threat from OS X systems.

1. F-Secure Flashback Remover
   The first of these tools is F-Secure’s Flashback remover, which will extract known variants of the malware from its location within applications and user accounts, and save them in a benign zip file, which can then be destroyed or sent in for analysis.
2. Kaspersky Flashfake removal tool
   The second such tool is from Kaspersky labs and is called the Flashfake removal tool. This tool runs a number of Unix commands within an AppleScript that will remove any known malware and notify you of the results. Unlike F-Secure’s option, it will just remove the malware and not quarantine it.
3. Symantec Flashback Remover
   Symantec was the third to release its Flashback removal option, which it has supplied as a shell script and Ruby script combination. Unlike those from Kaspersky and F-Secure, Symantec’s solution runs within the OS X terminal but launches by double-clicking the script file located within the downloaded disk image.
4. Apple MRT tool
   Apple followed an announcement of its own Flashback removal tool (available via Software Update) with the release of one that accompanies yet another update to the Java runtime for both OS X 10.6 and 10.7. This tool is reminiscent of the tool Apple released to remove the MacDefender malware, and is a native Cocoa application instead of being a script-based tool as is the case with other options. The program will run when the Java update is applied, and will remove the malware and upload the results to Apple’s servers, followed by deleting itself from the system.

Note that these tools are not full antivirus scanners, and instead are simple run-once scripts programs that are intended to quickly clear the problem instead of providing ongoing protection.

While Apple’s malware tool is a good sign to see from the company, unfortunately it will only work on systems running OS X 10.6 or later, since Apple has stopped supporting prior versions of OS X. Therefore, if you are running an older version of the Mac operating system, then be sure to use one of the first three tools to check your system, or follow our instructions for manually running the commands necessary to check for and remove the malware.

Related posts:

1. Flashback Removal Tool Available F-Secure released a free tool to detect and remove the...
2. Apple Developing a Flashback Removal Tool Last night Apple announced that they are developing a tool...
3. Java update from Apple contains Flashback removal tool Apple promised, and they delivered. The latest updates to Java,...

Related posts brought to you by Yet Another Related Posts Plugin.

Apple promised, and they delivered. The latest updates to Java, Java for OS X Lion 2012-003 and Java for Mac OS X 10.6 Update 8, contains the removal tool, as well as disabling automatic execution of Java applets by default. You can choose to renable automatic applet execution if you choose… after a while (not sure how long) of not running any Java applets, your Mac will disable auto-execution again.

Software update or a download from Apples site will get you the tool for Lion users.

Snow Leopard users can use Software update or download from this Apple page.

Related posts:

1. Apple Developing a Flashback Removal Tool Last night Apple announced that they are developing a tool...
2. Flashback Removal Tool Available F-Secure released a free tool to detect and remove the...
3. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...

Related posts brought to you by Yet Another Related Posts Plugin.