2007 October | MalwareTeks Blog


Archive for October, 2007

Mac Trojan In The Wild

Wednesday, October 31st, 2007

Well, it was only a matter of time, Fake Video Codecs for Mac OS X. Proof that Mac users aren’t any more immune to socially engineered attacks than Windows users.

INTEGO SECURITY ALERT - October 31, 2007
OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers

Exploit: OSX.RSPlug.A Trojan Horse

Discovered: October 30, 2007

Risk: Critical

Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)

The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.
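
A triage check for the two artefacts the alert describes (DNS servers added to the resolver list, and a root cron job that runs every minute), as an added example that is not Intego’s or MalwareTeks’ code. It parses the text output of scutil --dns and crontab -l. The sample output is constructed: the resolver addresses are RFC 5737 documentation addresses, not the trojan’s real servers; the placeholder cron command stands in for whatever the trojan installs, which the alert does not quote; and the allow list of resolvers is an assumption you replace with the resolvers you configured yourself. check_live runs the same parsing against a real Mac and is not called in the sample run.

```python
"""Triage check for the DNSChanger behaviour described in the Intego alert.

Added example (not Intego's or MalwareTeks' code). Parses resolver entries from
`scutil --dns` output and every-minute jobs from a crontab listing. Sample text
below is constructed; addresses are RFC 5737 documentation addresses and the cron
command is a placeholder, not the trojan's real command.
"""
import re
import subprocess

# "  nameserver[0] : 192.0.2.1" lines in `scutil --dns` output.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)
# A cron line whose five time fields are all "*" runs every minute.
EVERY_MINUTE_RE = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+(.+)$")


def parse_resolvers(scutil_dns_output):
    """Set of resolver addresses found in `scutil --dns` output."""
    return set(NAMESERVER_RE.findall(scutil_dns_output))


def unexpected_resolvers(scutil_dns_output, allowed):
    """Resolvers that are not in the allow list: the alert's symptom of added DNS servers."""
    return parse_resolvers(scutil_dns_output) - set(allowed)


def every_minute_jobs(crontab_output):
    """Commands scheduled every minute; the trojan's DNS watchdog runs on that schedule."""
    jobs = []
    for line in crontab_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVERY_MINUTE_RE.match(line)
        if m:
            jobs.append(m.group(1))
    return jobs


def check_live(allowed):
    """Same checks against the running system (macOS only; sudo is needed for root's crontab)."""
    dns = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    cron = subprocess.run(["sudo", "crontab", "-l"], capture_output=True, text=True).stdout
    return {"unexpected_resolvers": unexpected_resolvers(dns, allowed),
            "every_minute_jobs": every_minute_jobs(cron)}


# Constructed sample: a Mac whose resolver list has gained an extra server.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.1
  nameserver[1] : 203.0.113.45
  if_index : 4 (en0)
"""

# Constructed sample root crontab; the watchdog path is a placeholder.
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
* * * * * /private/tmp/placeholder_dns_watchdog >/dev/null 2>&1
0 3 * * * /usr/sbin/periodic daily
"""

if __name__ == "__main__":
    allowed = {"192.0.2.1"}  # assumption: the resolver you configured yourself
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_SCUTIL_DNS, allowed))
    print("every-minute cron jobs:", every_minute_jobs(SAMPLE_ROOT_CRONTAB))
```

A per-minute root cron job is rare on a desktop Mac, so every hit from every_minute_jobs deserves a look even if the command path is not the one the trojan uses; the resolver check only tells you something if the allow list really is the set you configured.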

This Trojan horse also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. Repeated downloads of the disk image show that there are several different versions.

Means of protection: The best way to protect against this exploit is to run Intego VirusBarrier X4 with its virus definitions dated October 31, 2007. Intego VirusBarrier X4 eradicates the malicious code and prevents the Trojan horse from being installed. Intego recommends that users never download and install software from untrusted sources or questionable web sites.

About Intego
Intego develops and sells desktop Internet security and privacy software for Macintosh.

Intego provides the widest range of software to protect users and their Macs from the dangers of the Internet. Intego’s multilingual software and support repeatedly receives awards from Mac magazines, and protects more than one million users in over 60 countries. Intego has headquarters in the USA, France and Japan.

As the dangers of the Internet grow, Intego is hard at work, developing new software to protect users and their Macs from the latest security and privacy threats.

We protect your world.

Additional Stories:
http://isc.sans.org/diary.html?storyid=3595
http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
http://msmvps.com/blogs/spywaresucks/archive/2007/11/01/1276092.aspx
http://www.theregister.co.uk/2007/10/31/in_the_wild_osx_trojan/

Remove IE Defender Pop-Ups

Wednesday, October 31st, 2007

IE Defender is a rogue security program that uses a flawed, inadequate detection scheme; its false positives serve as a goad to purchase. It is possibly an Ultimate Defender clone.

You read about some starlet on CNN.com and decided to Google her name. While checking out the pages returned from your search, you encounter a page with a supposed video of her in a compromising situation. You are greeted with something that looks like this:

Player with Fake Codec Screenshot

Shortly afterwards, within mere seconds, you are presented with a download prompt to download and install a file you believe to be a codec needed to view the video on the site.

As soon as you install the “Fake Codec” you immediately start receiving pop-ups.

IE Defender Pop-Up Screenshot

Clicking OK results in IE Defender being installed.

IE Defender Main Screen

Other signs you have been infected:

HijackThis entries to look for:

O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {5DE176A4-B5FF-4D50-B084-E047526B8E97} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {9A1EF21C-B0D4-4EB0-894F-CBAE2F4D0A82} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video DivX 3.12 - {7A23A1E8-B2AB-4C50-AD12-9E19B747E17C} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video DivX 3.12 - {F02B8C83-C817-4EA2-A499-29257DA0373A} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video On-line - {032706C0-EB72-4DF0-ABF6-B89958D2A6CC} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {323301C5-CB6B-490C-B59F-E7FAD4D69C93} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {66D69CC1-5373-4730-AB8E-24D2AB7FF95F} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {BD907325-42B2-4077-BA63-F636B627C998} - C:\Windows\System32\PowerVideo.dll
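
A script that matches a HijackThis log against the O2 entries above, as an added example that is not MalwareTeks’ FixIEDef script. The CLSIDs and DLL names are copied from the list; the log excerpt is constructed for the example and contains an all-zero CLSID standing in for a variant not yet on the list plus a made-up benign entry. It matches on CLSID and on the DLL file name rather than on the display name, because names like “IntelVideoCodec” and “RealMedia” are chosen to look like real codecs.

```python
"""Match HijackThis O2 (BHO) lines against the IE Defender indicators listed above.

Added example, not MalwareTeks' removal script. CLSIDs and DLL names come from the
O2 entries on the page; the log excerpt is constructed (the all-zero and all-one
CLSIDs are placeholders, not real indicators).
"""
import re

# "O2 - BHO: <name> - {<CLSID>} - <path>" as HijackThis prints it.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)

# CLSIDs from the HijackThis entries above, upper-cased for comparison.
IEDEFENDER_CLSIDS = {
    "5D67E2E7-0C2B-4491-87C4-37F2AC6033D2", "3B236BEE-8200-421D-919D-CA17D5739D8F",
    "48BF2BC0-2945-11D8-8CAC-00080FC65465", "D99BACC6-6289-4D4F-8BAF-4192016AF547",
    "04F7FAC5-F506-4F29-9094-9CB9144B192C", "33A12BEB-3219-4CA8-99B4-733192704C62",
    "AF36E90A-44CA-4EE3-B578-C07383623217", "2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99",
    "5DE176A4-B5FF-4D50-B084-E047526B8E97", "6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F",
    "D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF", "9A1EF21C-B0D4-4EB0-894F-CBAE2F4D0A82",
    "0EEDB911-C5FA-486F-8334-57288578C627", "87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95",
    "09D72564-27E2-4F12-8AB6-03F83E4567DE", "7A23A1E8-B2AB-4C50-AD12-9E19B747E17C",
    "F02B8C83-C817-4EA2-A499-29257DA0373A", "032706C0-EB72-4DF0-ABF6-B89958D2A6CC",
    "323301C5-CB6B-490C-B59F-E7FAD4D69C93", "66D69CC1-5373-4730-AB8E-24D2AB7FF95F",
    "741403DD-46A4-4D58-8FA7-427335C3BBF6", "BD907325-42B2-4077-BA63-F636B627C998",
}

# DLL file names from the same entries, lower-cased (Windows paths are case-insensitive).
IEDEFENDER_DLLS = {
    "a3gpcodec.dll", "adivx.dll", "ir9v0_qcx.dll", "bdivx.dll", "intelvideo.dll",
    "intelvideodivx.dll", "video32.dll", "videomp3.dll", "mp3avi.dll",
    "xunleibho_now.dll", "dx50codec.dll", "sysdivx.dll", "powervideo.dll",
}


def parse_o2(line):
    """Parse one O2 line into (name, CLSID upper-cased, path); None for any other line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("clsid").upper(), m.group("path")


def flag_bhos(hjt_log):
    """Return (clsid, path, reason) for every O2 entry that matches an indicator."""
    hits = []
    for line in hjt_log.splitlines():
        parsed = parse_o2(line)
        if parsed is None:
            continue
        _name, clsid, path = parsed
        dll = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if clsid in IEDEFENDER_CLSIDS:
            hits.append((clsid, path, "known CLSID"))
        elif dll in IEDEFENDER_DLLS:
            # Same DLL under a CLSID the list does not have yet: likely a new variant.
            hits.append((clsid, path, "known DLL name, new CLSID"))
    return hits


# Constructed log excerpt, not a real HijackThis log.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: Video On-line - {00000000-0000-0000-0000-000000000000} - c:\windows\system32\powervideo.dll
O2 - BHO: Example Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\helper.dll
"""

if __name__ == "__main__":
    for clsid, path, reason in flag_bhos(SAMPLE_HJT_LOG):
        print(f"{reason}: {{{clsid}}} {path}")
```

An entry flagged only by DLL name means the same file has been registered under a CLSID the list does not yet carry; that is the entry worth posting to a removal forum so the list can be extended.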

On the Desktop:

IE Defender Desktop Shortcut

In the System Tray:

IE Defender System Tray Icon

Screenshot of the IE Defender website:

IE Defender Website Screenshot

IE Defender WHOIS information: http://whois.domaintools.com/iedefender.com

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: IEDEFENDER.COM

Registrant:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 05-Oct-2007
Expiration Date: 05-Oct-2008

Domain servers in listed order:
ns2.iedefender.com
ns1.iedefender.com

Administrative Contact, Technical Contact and Billing Contact: identical to the Registrant record above (PrivacyProtect.org, Domain Admin, P.O. Box 97, Moergestel, 5066 ZH, NL, Tel. +45.36946676).

Status:ACTIVE

There is now an automated removal script for this infection. You can download the fix at http://www.malwareteks.com/FixIEDef.php

Hounded by spyware charges, Direct Revenue shuts down

Wednesday, October 24th, 2007

IDG News Service 10/24/07
Robert McMillan, IDG News Service, San Francisco Bureau

Notorious adware maker DirectRevenue LLC has closed shop.

The company, which was recently doing business as Best Offers, gave no reason for its sudden closure, which was announced on its Web site.

[Read the full Article at  ITworld]

Bad day for Alternative Browsers

Friday, October 19th, 2007

Bad day for Firefox, Opera, and SeaMonkey users. All three browsers received updates today to patch multiple vulnerabilities.

Some vulnerabilities have been reported in Opera, where one vulnerability has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a user’s system.

Opera may launch external email or newsgroup clients incorrectly. This can be exploited to execute arbitrary commands by e.g. visiting a malicious website.

Successful exploitation requires that the user has configured an external email or newsgroup client.

An error when processing frames from different websites can be exploited to bypass the same-origin policy. This allows an attacker to overwrite functions of those frames and to execute arbitrary HTML and script code in a user’s browser session in the context of other sites.

An unspecified error exists in Opera in combination with Adobe Flash Player 9.0.47.0 and earlier on Mac OS X. No further information is currently available.

The vulnerabilities are reported in all versions of Opera for Desktop prior to version 9.24.

Opera users are urged to update to version 9.24 http://www.opera.com/download/

Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user’s system.

Various errors in the browser engine can be exploited to cause a memory corruption.

Various errors in the Javascript engine can be exploited to cause a memory corruption.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

An error in the handling of onUnload events can be exploited to read and manipulate the document’s location of new pages.

Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitised before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user’s request when a proxy is used.
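
The mechanics of that header injection, as an added example that is not Mozilla’s code and does not reproduce the Firefox bug itself: it builds a Digest Authorization header (RFC 2617, no qop) from a user ID, first verbatim and then through a check that rejects CR/LF and other control characters and escapes the quoted-string specials. The realm, nonce, password and host are constructed sample values, and header_names parses the result the way a proxy or server would.

```python
"""Header injection via the Digest Authentication user ID, and the hardened builder.

Added example (not Mozilla's code). Shows how an unsanitised user ID containing
CR/LF splits the Authorization header into extra request headers, and a builder
that refuses control characters. All credential values are constructed samples.
"""
import hashlib


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_request_unsafe(username, password, realm, nonce, uri, host):
    """Vulnerable form: the user ID is copied into the header verbatim."""
    resp = digest_response(username, realm, password, "GET", uri, nonce)
    return (f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n"
            f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n\r\n')


def safe_quoted_string(value):
    """Reject control characters (including CR and LF); escape quoted-string specials."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in header value")
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_request_safe(username, password, realm, nonce, uri, host):
    """Hardened form: the user ID passes through safe_quoted_string first."""
    resp = digest_response(username, realm, password, "GET", uri, nonce)
    user = safe_quoted_string(username)
    return (f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n"
            f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n\r\n')


def header_names(request):
    """Header field names as a proxy or server would parse them from the request."""
    head = request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


def rejects(username):
    """True if the hardened builder refuses this user ID."""
    try:
        build_request_safe(username, "pw", "example", "abc123", "/", "www.example.com")
    except ValueError:
        return True
    return False


# Constructed attacker-controlled user ID: closes the quoted-string, then adds headers.
INJECTED_USER = 'alice", realm="x"\r\nX-Injected: 1\r\nCookie: session=attacker'

if __name__ == "__main__":
    req = build_request_unsafe(INJECTED_USER, "pw", "example", "abc123", "/", "www.example.com")
    print("unsafe builder emits headers:", header_names(req))
    print("safe builder rejects it:", rejects(INJECTED_USER))
```

The proxy case the advisory mentions is what makes this worse than a malformed header: a forward proxy parses the request line by line and forwards the injected Cookie or X-Injected field exactly as if the browser had sent it.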

An error when displaying web pages written in the XUL markup language can be exploited to hide the window’s title bar and facilitate phishing attacks.

An error exists in the handling of “smb:” and “sftp:” URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server.

Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page.

An unspecified error in the handling of “XPCNativeWrappers” can lead to execution of arbitrary Javascript code with the user’s privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu).

Firefox users are urged to update to version 2.0.0.8.

SeaMonkey users are urged to update to version 1.1.5

NOTE: Additional fixes have been added to prevent the exploitation of a URI handling vulnerability in Microsoft Windows.

Thunderbird users are urged to update to version 2.0.0.8. Thunderbird shares the Gecko engine with Firefox and is susceptible to the same exploits.

Note: (Saturday, 20 October, 2007) Thunderbird 2.0.0.8 has not yet been released.

Update: (Wednesday, 24 October, 2007) The Thunderbird 2.0.0.8 release is on hold. Firefox 2.0.0.9 may be released to fix bugs introduced in FF 2.0.0.8.

Protect Yourself from Spyware - by Faithe Thomas

Monday, October 8th, 2007

One of the biggest threats to you and your identity is spyware that can easily be added onto your computer without your knowledge. A key logger is a type of spyware that can be added to your computer and without knowing what to look for, you could never know it was there. A key logger records your keystrokes, all numbers, letters and symbols, and transmits them or saves them for the hacker.

If you make an online purchase from a website, your account information and your credit card number could be recorded by a key logger. Even though you are at a reputable website, you could still be having your identity stolen. You’ve provided the hacker with everything they need to rack charges up on your credit card and you are left unsuspecting. Your computer could be infected with spyware and/or a key logger right now and you probably don’t even know it.

Some spyware is pretty harmless but some of it leaves you and your information completely exposed and ripe for the picking. Some programs can collect all of your activity on the Internet, including messaging conversations, strokes on your keyboard, travel plans, information about you and your family, even photos and files.

To stop yourself from being a victim of identity theft due to spyware and key logger programs, there are a few things you can do.

First of all, ensure that you have anti-spyware installed on your computer and that you keep it updated regularly. Anti-spyware software can detect spyware on your computer and delete it. You should run an anti-spyware scan on your computer at least every other day, if not once a day. It’s not foolproof because hackers and spammers are always updating their programs to avoid detection; keeping your anti-spyware up to date, and even having more than one, can be very beneficial and help keep you bug free.

Install an anti-virus on your computer as well as anti-spyware, and keep your anti-virus updated and on constantly. You should run an anti-virus on your computer at least every other day, if not once a day.

Practice safe browsing: be wary when you are on the Internet and only download programs from web sites that you trust. Never allow anything to be installed on your computer via the Internet without first finding out exactly what it is. Keep your everyday programs, such as your Internet browser, up to date with the newest versions as well.

There are many ways to have your identity stolen online and spyware and key loggers are just a drop in the bucket. You have to be vigilant with your information that you provide on the Internet, even on trusted websites. Taking care of your computer and the software that is installed on it will help to increase your protection, but nothing is for certain. You must keep an accurate track of your finances and notice immediately if anything looks suspicious. Keep a watchful eye on your credit card and bank statements and if anything seems out of place, report it immediately. You should also check your credit report at least once a year from each of the credit bureaus to ensure that all the information recorded on there is correct. Identity theft is serious and it can completely financially destroy you, so be aware, vigilant and wary.

About the Author
Faithe Thomas is concerned about identity theft and online fraud. She designed a website to help victims and pre-victims: http://www.identity-fraud.info

Instructions from the I.T. Department

Monday, October 8th, 2007

Just a little something I found while surfing.

1. When you call us to have your computer moved, be sure to leave it buried under half a ton of postcards, baby pictures, stuffed animals, dried flowers, bowling trophies and children’s art.

2. Don’t ever write anything down, especially the error message that was on your screen.

3. If we ask what the last thing you did was, always respond with, “I didn’t do anything.”

4. When we say we’ll be right over, immediately find a reason to leave so you won’t have to answer silly questions from us, like “what’s your screen saver password?”

5. When describing your problem, just tell us what you were ultimately trying to do. For example, just say, “I can’t get my email”. We don’t need to know that the computer won’t even turn on.

6. Feel free to ignore any email sent from us, especially those marked with high importance. You don’t really need to know about the latest virus that wiped out your neighbor’s hard drive.

7. Always send important and urgent emails in all uppercase.

8. When the copier, or anything else remotely electronic, doesn’t work, call us. Heck, if we can fix computers, we must know all about copiers too.

9. If the document you sent to the printer didn’t print, send it at least 20 more times. One of them is bound to work.

10. Don’t ever learn the proper name for anything technical. We know exactly what you mean by “my thingy blew up”.

11. Don’t waste your time using the built in help files. We already had to learn the hard way, why should you?

12. If any of the computer cables are in your way or keep moving, be sure to route them across the top of your portable heater or set something big and heavy on them to hold them in place.

13. Never bother reading any message that pops up on your screen. Just click the X to close it or the first button your mouse gets to.

14. Don’t ever try rebooting the computer yourself. Call us immediately. Only experienced, highly-trained professionals should attempt that.

15. Feel perfectly free to say things like “I don’t know anything about this computer crap”. We love hearing our area of professional expertise referred to as crap.

16. When you receive a huge movie file that’s really funny, be sure to forward it to all your friends. We have plenty of disk space and bandwidth.

17. Don’t bother bringing a radio to work, just listen to music over the internet. Like I said, we have plenty of bandwidth.

18. Don’t even think of breaking large print jobs down into smaller chunks. Somebody else might squeeze their one-page document into the queue.

19. When an I.T. person is carrying heavy equipment, worth thousands of dollars, that’s the best time to ask why your screen saver quit working.

20. Don’t bother to tell us when you move computer equipment around on your own. We certainly don’t need to keep track of those things.

21. Your computer case makes a great flat surface for sitting drinks or potted plants on.

22. Do whatever you can to cover up those ugly open air slots in the computer and monitor.

Spyware Remover Software – How To Choose The Right One

Monday, October 8th, 2007

Nowadays, spyware remover software is a must-have product designed to protect your PC from online attacks. If your PC is used for work or any other important activities, then you cannot afford not to have one. But how do you choose the right software product? There are many of them out there, and you need to make sure you have a high-quality application that will do the job.

First of all, spyware and adware are simple programs running on your PC that can send data about your online activities or personal information to a third-party server. As the internet has grown over the past 7 years, more people have started shopping online and exchanging very important information. This has also attracted so-called hackers who try to intercept the data being sent from your computer for their own material benefit.

There are a few software applications out there that allow you to scan your PC free of charge, but they don’t always provide updated definitions of all the spyware and internet viruses out there.

Here are just a few tips you should consider before buying a spyware remover software:

- Does the merchant have a proven track record in the industry?
- Do they offer a free trial?
- How does the cost of the software compare with prices in the industry?
- What features does the software have?
- Does it have a user-friendly interface?
- Are their spyware and anti-virus definition databases updated frequently?
- Search online for customer reviews of the particular product.
- Does the merchant offer a “Money-Back Guarantee”?

Keep in mind that you want the best software on the market if you are using the internet on daily basis, and making lots of purchases online.

To check if the merchant you are buying from has a proven track record, you could perform a search using Google for their business name to verify they are a legit company.

Make sure the company offers a free trial so you can test the software on your computer before you make the purchase. This way you can estimate how effective and user friendly the software will be.

Always compare prices with other similar products. The most expensive one is not always the best choice.

Compare the features of 3 or more software products to pick out the ones that matter most to you.

Any good spyware remover software has a frequently updated database of spyware and adware definitions.

I hope the above tips will help you with your purchase of a good spyware remover or anti-virus software. In today’s online world it’s a must-have product that can save you a lot of headaches and money.

Author: Pawel Reszk

Lawmaker shows nudie pic to high school seniors

Saturday, October 6th, 2007

Mammary stick malfunction

By Dan Goodin in San Francisco
Published Friday 5th October 2007 22:39 GMT

Ohio state legislator Matthew Barrett was supposed to give a group of high school seniors a civics presentation using PowerPoint slides he had prepared on how a bill becomes a law. What they got was an anatomy lesson when the computer he was using displayed the image of a topless woman.

The busty photo appeared shortly after Barrett inserted a memory stick into a school computer. He said there were several snickers from the 20 or so students in the senior government class at Norwalk High School.

[Full Article at The Register]

MS drops nagware validation for IE7 installs

Friday, October 5th, 2007

Free for all

By John Leyden
Published Friday 5th October 2007 12:25 GMT

Microsoft has dropped the requirement for Windows XP users to go through Windows Genuine Advantage validation in order to get Internet Explorer 7.

The move, delivered via a software update on Thursday, means even users of pirated copies of Windows can take advantage of Microsoft’s latest browser software. For the rest of us it means avoiding the chore of WGA validation, a test that has been known to go wrong from time to time and is a chore even at the best of times.

IE7 comes bundled with Vista and as an optional update to XP. Dropping WGA checks for IE7 only affects Windows XP users.

[Full Article]

Portrait of an (alleged) cyber bully as a young man

Thursday, October 4th, 2007

Accused CastleCops nemesis didn’t get mad. He got bots.
By Dan Goodin in San Francisco
Published Thursday 4th October 2007 17:26 GMT

Late in the evening of February 13, Paul and Robin Laudanski were planning the following day’s Valentine’s celebration when they received word that CastleCops, the volunteer security website they run, was under assault.

At its peak, the five-day attack flooded CastleCops with close to 1 gigabyte of data every second. The distributed-denial-of-service deluge was so severe that the husband-and-wife team were forced to take their site offline 15 minutes after it started. It also knocked CastleCops’ webhost offline for two days, causing more than $160,000 worth of damage to the company and its customers.

[Read the Entire Article]


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

Creative Commons License
All works are licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
