A search run by the iWorm malware against Reddit yielded lists of compromised servers making up the botnet's command and control network.

The Russian antivirus vendor Dr. Web has reported the spread of a new botnet that exclusively targets Apple computers running Mac OS X. According to a survey of traffic conducted by researchers at Dr. Web, over 17,000 Macs worldwide are part of the Mac.BackDoor.iWorm botnet—and almost a quarter of them are in the US. One of the most curious aspects of the botnet is that it uses a search of Reddit posts to a Minecraft server list subreddit to retrieve IP addresses for its command and control (CnC) network. That subreddit now appears to have been expunged of CnC data, and the account that posted the data appears to be shut down.

The Dr. Web report doesn’t say how Mac.BackDoor.iWorm is being distributed to victims of the malware. But its “dropper” program installs the malware into the Library directory within the affected user’s account home folder, disguised as an Application Support directory for “JavaW.” The dropper then generates an OS X .plist file to automatically launch the bot whenever the system is started.

The bot malware itself looks for somewhere in the user’s Library folder to store a configuration file, then connects to Reddit’s search page. It computes the MD5 hash of the current date and uses the first 8 bytes of that hash as the search term in Reddit’s “minecraftserverlist” subreddit, where most of the legitimate posts are over a year old.
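The date-keyed lookup described above, reconstructed as an added example (this is not code from the Dr. Web report or from the iWorm sample), together with the detection check a proxy-log analyst would pair with it. The page does not give the date string format that is hashed, the search URL layout, or the format of the posts, so "YYYY-MM-DD", a plain `/r/<subreddit>/search?q=` URL and "IP:port" pairs are assumed here; the log lines and post body are constructed.

```python
# Added example (not code from the Dr. Web report or from the iWorm sample):
# reconstructs the date-keyed Reddit lookup the text describes and shows the
# matching detection check. Assumed, because the page does not give them:
# the date string format hashed ("YYYY-MM-DD"), the search URL layout, and
# the "IP:port" post format. The proxy log below is constructed.
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import parse_qs, urlsplit

SUBREDDIT = "minecraftserverlist"


def rendezvous_token(day_text: str) -> str:
    """Hex of the first 8 bytes of MD5(day_text): the 16-character search term."""
    return hashlib.md5(day_text.encode()).digest()[:8].hex()


def tokens_for_window(day_text: str, skew_days: int = 1) -> set:
    """Terms for day +/- skew_days, so a detector tolerates clock and timezone drift."""
    center = date.fromisoformat(day_text)
    return {rendezvous_token((center + timedelta(days=d)).isoformat())
            for d in range(-skew_days, skew_days + 1)}


IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def extract_cnc(post_body: str) -> list:
    """Pull plausible IP:port pairs out of a post body (assumed post format)."""
    found = []
    for ip, port in IP_PORT.findall(post_body):
        if all(int(o) <= 255 for o in ip.split(".")) and 0 < int(port) < 65536:
            found.append((ip, int(port)))
    return found


def flag_rendezvous_queries(url_log: list, day_text: str) -> list:
    """Detection side: flag reddit search URLs whose q= equals a token for
    day_text +/- 1 day and that target the subreddit named on the page."""
    wanted = tokens_for_window(day_text)
    hits = []
    for url in url_log:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not (host == "reddit.com" or host.endswith(".reddit.com")):
            continue
        query = parse_qs(parts.query).get("q", [""])[0]
        if query in wanted and f"/r/{SUBREDDIT}/" in parts.path:
            hits.append(url)
    return hits


# Constructed sample data for 2014-10-03 (assumed date format).
DAY = "2014-10-03"
TOKEN = rendezvous_token(DAY)
SAMPLE_LOG = [
    f"https://www.reddit.com/r/{SUBREDDIT}/search?q={TOKEN}&restrict_sr=on",
    f"https://www.reddit.com/r/{SUBREDDIT}/search?q=survival+server&restrict_sr=on",
    f"https://example.com/search?q={TOKEN}",
]
SAMPLE_POST = "servers up today: 203.0.113.5:4430 and 198.51.100.77:8080 (thanks!)"


def demo() -> dict:
    """Run the lookup and the detector over the constructed data."""
    return {
        "token": TOKEN,
        "flagged": flag_rendezvous_queries(SAMPLE_LOG, DAY),
        "cnc": extract_cnc(SAMPLE_POST),
    }


if __name__ == "__main__":
    print(demo())
```

The detector matches on the derived search term rather than on a fixed string because the term rotates daily; the one-day window on either side covers hosts whose clock or timezone disagrees with the analyst's, which is the usual reason a date-seeded rendezvous scheme is missed by a single-day rule.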


[security bulletin] HPSBHF03124 rev.1 - HP Thin Clients running Bash, Remote Execution of Code
PayPal Inc Bug Bounty Issue #70 France - Persistent (Escape Shopping) Mail Vulnerability
HTTP Commander AJS v3.1.9 - Client Side Exception Vulnerability
BulletProof Security Wordpress v50.8 - POST Inject Vulnerability

We all know that anti-virus, the necessary evil of basic computer security, is no stranger to false positives. So no big surprise here when John writes that he ran into one during an incident response:

I was scanning a forensic drive image with clamav and scored a positive hit on a file.

Great. ClamAV, a free anti-virus product. Of course, we don't trust it. So John did what most of us would have done, and submitted the suspect binary to VirusTotal:

VirusTotal showed 14 out of the other 50 AV vendors' products thought it was malware as well.

Ouch! 14 out of 50? Many actual malware samples I submit get a lower rate than that. Turns out the binary in question was desktop management software, "lunchwrapper.exe", and the AV tools picked up on its file download component (the famous "generic downloader" signatures).

You think this is bad? Listen to what happened next, according to John:

The scary part was that after I submitted the sample, other major AV vendors decided that the submitted sample was malicious and our endpoint software started quarantining the program after the AV dats had updated.

After all, as my fellow developers can attest, too: the reason we allow people to use our applications is so that we don't have to do any testing ourselves.

(BTW: Virustotal/Google are doing great work, and I think it is a good thing that they are distributing samples. The problem is how AV vendors use this information.)
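The triage step that avoids John's outcome, as an added example (this is not code from the diary): look the hash up against your own inventory before uploading anything, since a hash query discloses nothing while an upload hands the file to every engine behind the service, and when a scan result does come back, separate generic or heuristic labels from named families before deciding what it means. The engine names, labels, file bytes and allowlist below are constructed; the label format is illustrative and not any vendor's real output, and the generic-label markers are an assumption to tune per engine.

```python
# Added example, not code from the ISC diary: a triage step to run before
# (and after) uploading a file to a multi-engine scanner. The engine names,
# labels, file bytes and allowlist are constructed; the label format is
# illustrative and not any vendor's real output.
import hashlib
import re

# Assumed markers for heuristic/generic signatures as opposed to named
# families; tune to the engines in use.
GENERIC = re.compile(r"generic|heur|suspicious|downloader|pua|unsafe|cloud", re.I)

KNOWN_GOOD = "known-good: in software inventory; report a false positive, do not resubmit"
PROBABLE_FP = ("probable false positive: detections are mostly generic/heuristic; "
               "confirm signer and origin before uploading")
LIKELY_MALICIOUS = "likely malicious: named-family detections present; isolate and analyse"
UNDETECTED = "undetected: absence of detections is not evidence of benignity"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(digest: str, verdicts: dict, allowlist: dict,
           fp_generic_share: float = 0.75) -> dict:
    """Summarise engine verdicts (engine -> label or None) and pick the next step.

    The allowlist lookup comes first: a hash query discloses nothing, whereas
    uploading the file hands it to every engine behind the service."""
    flagged = {e: v for e, v in verdicts.items() if v}
    generic = sum(1 for v in flagged.values() if GENERIC.search(v))
    generic_share = generic / len(flagged) if flagged else 0.0
    if digest in allowlist:
        assessment = KNOWN_GOOD
    elif not flagged:
        assessment = UNDETECTED
    elif generic_share >= fp_generic_share:
        assessment = PROBABLE_FP
    else:
        assessment = LIKELY_MALICIOUS
    return {
        "detections": len(flagged),
        "engines": len(verdicts),
        "generic_share": round(generic_share, 2),
        "named_families": sorted(v for v in flagged.values() if not GENERIC.search(v)),
        "assessment": assessment,
    }


# Constructed stand-in for lunchwrapper.exe and an inventory-derived allowlist.
SAMPLE_BYTES = b"MZ\x90\x00 constructed stand-in for lunchwrapper.exe"
ALLOWLIST = {sha256_of(SAMPLE_BYTES): "desktop management agent"}

# Constructed verdicts shaped like the 14-of-50 split in the diary:
# 12 generic downloader-style labels, 2 named families, 36 clean.
LABELS = (["Generic.Downloader.%d" % i for i in range(6)]
          + ["HEUR:Trojan-Downloader.Win32"] * 3
          + ["Suspicious.Cloud.2", "PUA.Downloader", "Unsafe.AI_Score_71"]
          + ["Trojan.Agent.XYZ", "Win32.Backdoor.Example"])
VERDICTS = {f"engine{i:02d}": (LABELS[i] if i < len(LABELS) else None) for i in range(50)}


def demo(known: bool = True) -> dict:
    """known=True: the hash is in inventory. known=False: unknown hash, same verdicts."""
    digest = sha256_of(SAMPLE_BYTES) if known else "0" * 64
    return triage(digest, VERDICTS, ALLOWLIST)


if __name__ == "__main__":
    print(demo())
    print(demo(known=False))
```

The 0.75 threshold is deliberately conservative: a 14/50 result that is almost entirely "generic downloader" labels on a binary with a legitimate download component is exactly the pattern in the diary, while a couple of named-family hits among the generic ones should still send the file to analysis rather than to the allowlist.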

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
LinuxSecurity.com: OpenVPN could be made to expose sensitive information over the network.
LinuxSecurity.com: OpenSSL TLSv1.2 support has been improved.
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in libvirt: An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk [More...]
LinuxSecurity.com: A vulnerability has been discovered and corrected in phpmyadmin: With a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages (CVE-2014-7217). [More...]
LinuxSecurity.com: file could be made to crash or run programs as your login if it opened a specially crafted file.
[security bulletin] HPSBMU02895 SSRT101253 rev.3 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code
[security bulletin] HPSBMU03118 rev.1 - HP Systems Insight Manager (SIM) on Linux and Windows, Multiple Remote Vulnerabilities
Linux Kernel 'net_get_random_once' Local Information Disclosure Vulnerability
[ MDVSA-2014:195 ] libvirt
[ MDVSA-2014:194 ] phpmyadmin
Elasticsearch vulnerability CVE-2014-6439
Ultra Electronics / AEP Networks - SSL VPN (Netilla / Series A / Ultra Protect) Vulnerabilities
[security bulletin] HPSBHF03119 rev.2 - HP DreamColor Professional Display running Bash Shell, Remote Code Execution
FreePBX 'index.php' Remote Command Execution Vulnerability

Naked Security

Security incidents are up - and pricier! - but infosec budgets are dwindling
The number of security incidents is rising, as are associated costs to clean them up. Global corporate security budgets, meanwhile, seem to be hiding in the closet, just hoping it all goes away. The news of this depressing state of affairs comes ...


Posted by InfoSec News on Oct 03


By Antone Gonsalves
Oct 2, 2014

A security researcher has found another flaw in the Android browser that a
cybercriminal could use to steal sensitive data.

The latest same-origin policy (SOP) bypass vulnerability is the second
discovered by researcher Rafay Baloch, who discovered the first,
CVE-2014-6041, last month.


Posted by InfoSec News on Oct 03


By Russell Brandom
The Verge
October 2, 2014

In July, researchers Karsten Nohl and Jakob Lell announced that they'd
found a critical security flaw they called BadUSB, allowing attackers to
smuggle malware on the devices effectively undetected. Even worse, there
didn't seem to be a clear fix for the attack. Anyone who plugged in a...

Posted by InfoSec News on Oct 03


By Senior Airman Jette Carr
Air Force News Service
October 02, 2014

NELLIS Air Force Base, Nev. (AFNS) -- The internet is a battleground, and
information is the prize. News reports of a shopping retailer losing
control of customers’ digital data and an internet browser being
compromised are some of the recent evidence of the constant...

Posted by InfoSec News on Oct 03


By Kelly Jackson Higgins
Dark Reading

Insurance policies customized for cyberattack protection are on the rise
as businesses worry they could be the next Target. The string of data
breaches at Target, Home Depot, JPMorgan Chase, and so many other major
brands has reinvigorated the cyberinsurance industry.

Cyberinsurance, which...

Posted by InfoSec News on Oct 03


By Patrick Tucker
October 2, 2014

The United States should be conducting more disruptive cyber attacks
against nations like Russia, according to Rep. Mike Rogers, R-Mich.,
chairman of the House Intelligence Committee.

“I don’t think we are using all of our cyber-capability to disrupt” actors
in Russia...