Sep 20, 2017
John

How to tell if your Mac is infected

There are a lot of reasons Mac users don’t sweat getting infected. One: They’ve got a built-in anti-malware system called XProtect that does a decent job of catching known malware. Two: Macs are not plagued by a high number of attacks. (Most cybercriminals are focused on infecting PCs.) And three: There’s just not a lot of Mac malware out there.

But that’s changing, and fast: Mac malware has increased by 230 percent in the last year alone. Most Mac users don’t know this, and assume their Mac is fine. For those folks we have one word: adware.

Your Mac is infected…with adware

Adware is software that’s designed to display advertisements, usually within a web browser. Most people don’t willingly download programs whose sole purpose is to bombard you with ads, so adware has to sneak its way onto your Mac. It either disguises itself as legitimate or piggybacks on another program in order to be installed.

Once in your system, adware changes the way your browser behaves by injecting ads into web pages, causing pop-up windows or tabs to open, and changing your homepage or search engine—all in the name of funneling advertising dollars away from companies who pay for online ads and into their own accounts.

Your Mac is infected…and not protected

Sounds pretty shady, right? So why doesn't the Mac anti-malware program catch these guys? Typically, the makers of adware are hiding in plain sight, operating as actual corporations who claim to sell software on the level. They get away with it because the adware is disclosed only in the fine print of a long installation agreement that most people skip over. Is it technically legal? Yes. You accepted the terms of the installation, so they can spam you all they want. But is it right? If you ask us, the answer is an emphatic "no." So far, though, Apple hasn't stepped in to crack down on it.

In addition to adware, other potentially unwanted programs (PUPs), such as so-called "legitimate" keyloggers, scammy "cleaning" apps, and fake antivirus programs that don't actually detect anything, are skirting the Mac protections in place. That is because XProtect is signature-based: it doesn't detect and block adware or PUPs, only malware it has already seen. So if a new form of malware reaches your computer before Apple has had a chance to learn about it and write a signature for it, you're out of luck.

So if you ask us, it’s time to start taking a closer look at your Mac. Is it acting the way your sturdy, reliable Mac has always behaved? Or is it exhibiting classic signs of guilt? If something seems a little off, you just might have a problem. Let’s take a look at the telltale signs that your Mac is infected.

Signs of adware

Advertisements are displayed in places they shouldn’t be, literally popping up everywhere. Your web browser’s homepage has been mysteriously changed without your permission. Web pages that you typically visit are not displaying properly, and when you click on a website link, you get redirected to an entirely different site. In fact, even your search engine has been replaced with a different one. If your web browser, search engine, or websites are acting in funky, unpleasant ways, you’ve likely got yourself an adware infection.

Signs of PUPs

Maybe you downloaded a new program to monitor your family's behavior online. All of a sudden, new icons are appearing on your desktop for software you don't remember installing. New toolbars, extensions, or plugins are added to your browser. A pop-up appears telling you your Mac may be infected and that you need to install the latest antivirus immediately to get rid of it. Frightened, you do so, and now your computer, which was already installing apps on its own, has slowed to a crawl. What's going on? These are PUPs, and your Mac's built-in anti-malware system is not going to get rid of them.

Signs of malware

Mac malware making its way onto your system is, right now, relatively rare. But if it does, look out for the same behavior you'd see on an infected Windows system: your computer's processing power seems diminished, programs are sluggish, your browser redirects or is unresponsive, or your old reliable machine starts crashing regularly.

In some cases, you may not be aware of an infection at all. While your computer hums along, info stealers operate quietly in the background, stealing your data for an attack on your bank accounts or identity.

And in the worst case scenario, your Mac can even be infected with ransomware. In March 2016, the first Mac ransomware, KeRanger, was spotted; it had been slipped into a tampered installer for the Transmission BitTorrent client and was downloaded by thousands of users before Apple had a chance to shut it down. A ransomware attack would be quite obvious to Mac users: files would be encrypted and the cybercriminals would deliver a ransom demand (usually via pop-up) to return your data.

Do any of these scenarios sound familiar to you? If so, there are a few steps you can take to remedy the infection. First, back up your files. Next, download a (legitimate) anti-malware program such as Malwarebytes for Mac that’s designed to search and destroy adware, PUPs, and any new forms of malware lurking on the scene. Run a scan and, if there are any nasties hiding away in your pristine Mac OS, it’ll bag, tag, and dump them for you. Then you can finally get your Mac back.

The post How to tell if your Mac is infected appeared first on Malwarebytes Labs.

Powered by WPeMatico

Sep 20, 2017
John

A week in security (September 11 – September 17)

Last week, we dug into phishing campaigns run through LinkedIn accounts, remediation versus prevention, issues with smart syringe pumps, and advised you to patch against a Word 0day. We had some tips regarding identity theft protection, explored crowdsourced fraud, and explained YARA rules.

Elsewhere:

Consumer News

Stay safe!

Malwarebytes Labs Team

The post A week in security (September 11 – September 17) appeared first on Malwarebytes Labs.


Sep 20, 2017
John

[Updated] Infected CCleaner downloads from official servers

Update (9/19/2017):

Avast posted a clarification explaining what happened and giving a timeline of the events. One point we should take note of is that the breach preceded the takeover of Piriform by Avast.

Users who are unsure whether they were affected by this, and whether their data may have been sent to the C2 server, can check for the presence of the following values under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

The values in question are:

MUID, TCID and NID

These values are not created by any clean version of CCleaner, only by the infected ones.

Malwarebytes will detect the presence of those values and flag them as Trojan.Floxif.Trace.

The trojan itself reportedly only ran on 32-bit Windows systems, but the values above were created on 64-bit systems as well.

Original post:

In a supply chain attack that may be unprecedented in the number of downloads, the servers hosting CCleaner, a popular PC clean-up tool, have been delivering a version of the software bundled with malware.

What happened?

Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago.

The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public.

compromised version

Possible impact

It is difficult to say at this moment how many users might have been affected, but the numbers could be huge. According to statistics published by Piriform, CCleaner has been downloaded 2 billion times in total and 5 million times every week. The modified version, 5.33, was available from August 15 until September 12, when version 5.34 was released. In a press statement the company estimates that 2.27 million people used the affected software.

The malware

The malware collects the following information about the infected system:

  • Computer name
  • A list of installed software, including Windows updates
  • A list of the currently running processes
  • The MAC addresses of the first three network adapters
  • Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.

The malware uses a hardcoded C2 server, with a domain generation algorithm (DGA) as a backup, to send information about the affected system and fetch the final payload.

blocked IP

What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you suspect you may have downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.

Detection and Protection


CCleaner users who are running older versions, or who do not trust the one they are using now, are encouraged to update their CCleaner software to version 5.34 or higher. The latest version is available for download from Piriform.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191
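The two checks described above, the Agomo registry values from the update and the affected build number from the original post, can be combined into one script run on each Windows host. The script below is an added example and is not code from the Malwarebytes post. It takes the key path, the value names MUID/TCID/NID and the build 5.33.6162 from the post; the default install paths and the extra Wow6432Node lookup are assumptions, and CCleaner Cloud is not covered.

```powershell
# Added example (not from the Malwarebytes post): check one Windows host for the
# CCleaner 5.33.6162 indicators. Reading HKLM does not need an elevated prompt.

$IndicatorValues = @('MUID', 'TCID', 'NID')        # written only by the trojanized build
$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',               # key named in the update
    'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo'    # assumption: 32-bit redirected view on 64-bit Windows
)
$AffectedBuild = '5.33.6162'                       # affected CCleaner build from the post

function Get-AgomoIndicators {
    # Emits one object per indicator value found; emits nothing if the key is clean or absent.
    foreach ($key in $AgomoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($name in $IndicatorValues) {
            if ($props.PSObject.Properties.Name -contains $name) {
                [pscustomobject]@{ Key = $key; Value = $name }
            }
        }
    }
}

function Get-CCleanerInstall {
    # Assumption: default install locations; portable copies need their own path added here.
    $candidates = @(
        "$env:ProgramFiles\CCleaner\CCleaner.exe",
        "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path -Path $exe) {
            $info = (Get-Item -Path $exe).VersionInfo
            return [pscustomobject]@{
                Path           = $exe
                FileVersion    = $info.FileVersion
                ProductVersion = $info.ProductVersion
            }
        }
    }
    return $null
}

$indicators = @(Get-AgomoIndicators)
$install    = Get-CCleanerInstall
$versionHit = $false
$path       = 'not found'
$version    = 'n/a'
if ($install) {
    $path    = $install.Path
    $version = $install.FileVersion
    # Match the build number in either version string; the build number is the reliable part.
    $versionHit = ($install.FileVersion -match [regex]::Escape($AffectedBuild)) -or
                  ($install.ProductVersion -match [regex]::Escape($AffectedBuild))
}

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    CCleanerPath    = $path
    CCleanerVersion = $version
    AgomoIndicators = ($indicators | ForEach-Object { "$($_.Key)\$($_.Value)" }) -join '; '
    AffectedBuild   = $versionHit
    Affected        = ($versionHit -or $indicators.Count -gt 0)
}
```

A host is reported as Affected when either check fires: the registry values alone are enough, since they are left behind even after CCleaner has been updated to 5.34, and an untouched 5.33.6162 binary is a problem even if the trojan never ran (the update notes it only executed on 32-bit systems). Pipe the resulting object to Export-Csv to collect results across a fleet.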

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer.

Stay safe!


Pieter Arntz

The post [Updated] Infected CCleaner downloads from official servers appeared first on Malwarebytes Labs.


Aug 29, 2017
John

Mac and Android malware on the rise, reports show

New research suggests that malware for the two device families has spiked over the past year.

The post Mac and Android malware on the rise, reports show appeared first on Malwarebytes Press Center.


Aug 29, 2017
John

Mac, Android devices increasingly at risk for malware

Windows devices are no longer the sole victims of damaging malware attacks. Strategic attacks on both Mac and Android devices are rapidly on the rise, according to new data from Malwarebytes, which makes anti-malware software.

The post Mac, Android devices increasingly at risk for malware appeared first on Malwarebytes Press Center.


Aug 29, 2017
John

Mac malware continuing to escalate, warn security researchers

Malware targeting the Mac operating system has seen significant growth in the first half of this year, according to security firm Malwarebytes.

The post Mac malware continuing to escalate, warn security researchers appeared first on Malwarebytes Press Center.


Jan 25, 2017
John

VU#535111: McAfee VirusScan Enterprise for Windows scriptproxy COM object memory corruption vulnerability

Vulnerability Note VU#535111

McAfee VirusScan Enterprise for Windows scriptproxy COM object memory corruption vulnerability

Original Release date: 13 Dec 2016 | Last revised: 19 Dec 2016

Overview

McAfee VirusScan Enterprise for Windows scriptproxy COM object contains a memory corruption vulnerability.

Description

According to the reporter, McAfee VirusScan Enterprise for Windows version 8.7i through at least 8.8 patch 7 contains a scriptproxy COM object that is vulnerable to the following:

CWE-824: Access of Uninitialized Pointer

According to the reporter, when attempting to load the McAfee VirusScan Enterprise scriptproxy COM object DLL via CLSID in an HTML document through Internet Explorer, the DLL may crash in such a way as to cause an access violation on the instruction pointer, which may lead to denial of service.

The CERT/CC has not received a CVE ID assignment from McAfee for this issue at this time. Intel Security, which owns McAfee, has provided the following response:

Intel Security takes any claim of this kind very seriously. We have requested and are awaiting the information we require to conduct our assessment. We look forward to receiving this information.

The CERT/CC has independently confirmed this issue in McAfee VirusScan Enterprise 8.8 patch 7 on Internet Explorer 11 for Windows 7 and reported details to McAfee in June 2016. It is unclear if other versions of Internet Explorer are also affected. The CERT/CC will continue to work with Intel Security/McAfee to address this issue.

This issue was originally published as part of VU#245327, but was later moved to its own Vulnerability Note to prevent product confusion.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to cause a denial of service.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. However, affected users may consider the following workaround:
Disable the McAfee ActiveX control in Internet Explorer

The vulnerable McAfee ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
"Compatibility Flags"=dword:00000400
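After importing the .REG file, a practitioner will want to confirm the kill bit actually took effect in both registry views, since a 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node copy. The script below is an added example and is not part of the CERT/CC note; the CLSID and the 0x400 flag value come from the note, and the decision to skip the Wow6432Node view on 32-bit Windows is an assumption.

```powershell
# Added example (not from the CERT/CC vulnerability note): verify that the
# ActiveX kill bit (Compatibility Flags bit 0x400) is set for the McAfee
# scriptproxy CLSID in every registry view Internet Explorer can read.

$Clsid   = '{7DB2D5A0-7241-4E79-B68D-6309F01C5231}'   # CLSID from VU#535111
$KillBit = 0x400                                      # kill bit flag per Microsoft KB 240797
$Views   = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
# Assumption: the Wow6432Node view only exists on 64-bit Windows, so check it only there.
if (-not [Environment]::Is64BitOperatingSystem) { $Views = @($Views[0]) }

function Test-KillBit {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        # No key at all means no kill bit: the control is still loadable.
        return [pscustomobject]@{ Path = $Path; Flags = $null; KillBitSet = $false }
    }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Path       = $Path
        Flags      = $flags
        KillBitSet = (($null -ne $flags) -and (($flags -band $KillBit) -ne 0))
    }
}

$results = @($Views | ForEach-Object { Test-KillBit -Path $_ })
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.KillBitSet })
if ($missing.Count -gt 0) {
    Write-Warning "Kill bit is not set in $($missing.Count) view(s); import the .REG file above from an elevated prompt and re-run."
}
```

The bitwise test matters: other flags may already be present in Compatibility Flags, so comparing the value for equality with 0x400 would report a correctly mitigated control as unprotected.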

Vendor Information

Vendor   Status    Date Notified  Date Updated
McAfee   Affected  08 Jun 2016    19 Dec 2016


CVSS Metrics

Group          Score  Vector
Base           7.6    AV:N/AC:H/Au:N/C:C/I:C/A:C
Temporal       6.1    E:U/RL:U/RC:UR
Environmental  4.6    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Shelby Kaba for reporting this issue to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:
    Unknown
  • Date Public:
    12 Dec 2016
  • Date First Published:
    13 Dec 2016
  • Date Last Updated:
    19 Dec 2016
  • Document Revision:
    46



Feb 13, 2016
John

Microsoft Surface Pro Recall

FEBRUARY 02, 2016 Recall number: 16-089

Microsoft Recalls AC Power Cords for Surface Pro Devices Due to Fire, Shock Hazards
The power cords can overheat, posing fire or shock hazards.

Phone – E-mail
House Call – Remote Connection

Don’t wait, get help now!
401-366-2249 Ask for John
Contact Form

Feb 13, 2016
John

WakaWaka Shock, Explosion, Fire Hazard

NOVEMBER 12, 2015 Recall number: 16-708
WakaWaka Recalls Adapter Kits Due to Electrical Shock, Explosion, Fire Hazards (Recall Alert)
The Adapter Kit can overheat posing a risk of fire, and the plastic shell of the adapter can open exposing a risk of shock to consumers.


Feb 13, 2016
John

Eastwood Power Pack Recall

FEBRUARY 03, 2016 Recall number: 16-090
Eastwood Recalls Multi-Function Power Packs Due to Fire Hazard
The power packs’ lithium ion batteries can burst during charging, posing a fire hazard.



Location and hours

1-401-366-2249
Txt/Email or CALL NOW to discuss your recovery plan.