Friday, September 26, 2008
Closure!
Tuesday, September 23, 2008
3 Essential Mac OS X Security Software Programs for PC Converts (Part 2: Little Snitch)
In essence, Little Snitch complements the inbound firewall in the Mac OS X operating system. That firewall prevents hackers from getting in. Little Snitch, meanwhile, prevents applications from sending data outside your computer without being authorized. Certainly, there are many applications that will want to access the internet at any time for a variety of legitimate reasons. Many applications perform automatic updates, for example, and many others "phone home" to their developer to verify that you don't have a pirated product. But suppose, God forbid, you were infected with malware from a torrent site, for instance, or something else that occurred before you figured out you were required to turn on the OS X firewall (it's turned off by default -- come on Apple, I just don't get that). Or even something more mundane: suppose your jealous significant other has installed keyloggers and other spyware on your system (of course, he'll surely burn in hell, but that won't help you right now). Without an outbound firewall, malware could be sending just about your whole computer's contents to someone in Kazakhstan and you'd never know it. Enter Little Snitch.
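At its core an outbound firewall matches each new connection against a per-application rule set and stops to ask about anything unmatched. The following is an added example, not Little Snitch's code: it applies such an allowlist to constructed `lsof` output (process names, addresses and rules are all made up) and returns the connections a user would be prompted about.

```python
import re
from typing import List, NamedTuple


class Conn(NamedTuple):
    process: str
    pid: int
    remote_host: str
    remote_port: int


# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:ESTABLISHED`
# on Mac OS X; process names and addresses are made up for the example.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     2211 alice   25u  IPv4 0x1a2b      0t0  TCP 192.168.1.5:52341->93.184.216.34:443 (ESTABLISHED)
Quicken    2390 alice   12u  IPv4 0x3c4d      0t0  TCP 192.168.1.5:52400->198.51.100.20:443 (ESTABLISHED)
mysteryd   2991 alice    7u  IPv4 0x5e6f      0t0  TCP 192.168.1.5:52455->203.0.113.77:6667 (ESTABLISHED)
Safari     2211 alice   31u  IPv4 0x7a8b      0t0  TCP 192.168.1.5:52470->203.0.113.9:8080 (ESTABLISHED)
"""

# Allow rules (assumed): process name -> remote ports it may use. Anything not
# covered here is what an outbound firewall would block and ask about.
ALLOW_RULES = {
    "Safari": {80, 443},
    "Quicken": {443},
}

# COMMAND, PID, then the remote host:port after "->" on an established TCP line.
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+.*?\bTCP\s+\S+->([\d.]+):(\d+)\s+\(ESTABLISHED\)"
)


def parse_lsof(text: str) -> List[Conn]:
    """Turn lsof output into Conn records, skipping the header and non-TCP lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns


def unauthorized(conns: List[Conn], rules=ALLOW_RULES) -> List[Conn]:
    """Return connections with no matching allow rule (unknown process or unexpected port)."""
    return [c for c in conns
            if c.process not in rules or c.remote_port not in rules[c.process]]
```

Calling `unauthorized(parse_lsof(SAMPLE_LSOF))` flags the unknown `mysteryd` process and Safari's connection on a port outside its rule, while the two allowed connections pass silently.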
VirusTotal Report: Trojan.ByteVerify
File ms03011.jar-3847f8dc-50961bb6.zip received on 06.30.2008 14:04:16 (CET)
Antivirus | Version | Last Update | Result
AhnLab-V3 | - | - | -
AntiVir | - | - | EXP/Java.Bytver.5.B
Authentium | - | - | Java/Trojan!8746
Avast | - | - | JS:ClassLoader-7
AVG | - | - | Java/ByteVerify
BitDefender | - | - | Trojan.Exploit.Byteverify.V
CAT-QuickHeal | - | - | -
ClamAV | - | - | Java.Openconnection
DrWeb | - | - | VBS.Siggen.1989
eSafe | - | - | Trojan-Downloader.Ja
eTrust-Vet | - | - | Java/ByteVerify!exploit
Ewido | - | - | -
F-Prot | - | - | Java/Trojan!8746
F-Secure | - | - | Trojan-Downloader.Java.OpenConnection.ao
Fortinet | - | - | Java/ClassLoader.AU!tr
GData | - | - | Trojan-Downloader.Java.OpenConnection.ao
Ikarus | - | - | -
Kaspersky | - | - | Trojan-Downloader.Java.OpenConnection.ao
McAfee | - | - | Exploit-ByteVerify
Microsoft | - | - | Exploit:Java/ByteVerify.C
NOD32v2 | - | - | Java/TrojanDownloader.OpenConnection
Norman | - | - | -
Panda | - | - | Exploit/ByteVerify
Prevx1 | - | - | Cloaked Malware
Rising | - | - | Trojan.DL.Java.Jadoler.a
Sophos | - | - | Troj/ByteVeri-X
Sunbelt | - | - | -
Symantec | - | - | Trojan.ByteVerify
TheHacker | - | - | -
TrendMicro | - | - | JAVA_BYTEVER.BJ
VBA32 | - | - | Trojan-Downloader.Java.Agent.a
VirusBuster | - | - | Java.DL.OpenConn.C
Webwasher-Gateway | - | - | Exploit.Java.Bytver.5.B
Symantec says the virus infects only computers using Microsoft's operating system (no surprise there), but my philosophy is that viruses are like cockroaches: kill them just because.
3 Essential Mac OS X Security Software Programs for PC Converts (Part 1: Clam Xav 1.1)
When I first purchased my MacBook, as a PC convert, I asked the salesman what I've since learned to be the most common question PC users ask when switching over to Macs: What security products should I use? The only product name given to me by the helpful Mac store sales rep was MacScan, an anti-spyware program (currently $29.99 for a single license from http://macscan.securemac.com/buy/). No antivirus program was recommended at all, and my initial research indicated that, at the time, the commercial programs for Macs (specifically Norton) had bad ratings and were used by very few people.
Welcome to the Mac Paradigm! I was also a bit shocked that my favorite financial software, Quicken, was essentially useless (at the time at least) on the Mac platform. Reviews were dismal. In the Mac Universe, most of the quality software in any given area is produced by names you've never heard of. Finding what's worth the money is a little bit of a challenge. Of course, these programs for the Mac by smaller developers also tend to cost less, so there's an upside to this phenomenon. But I digress.
After spending a while with my Mac, I settled on the following three security programs that I find indispensable, especially if you're a worrywart (as most of us who had PCs tended to be): the aforementioned MacScan; a free antivirus application called ClamXav (you'll forgive the naming of this little gem; that's what you get when your marketing budget is $0); and Little Snitch ($29.95 for one license), an outbound firewall program whose closest analogous PC program is probably ZoneAlarm (also free for the PC). This posting focuses on ClamXav.
ClamXav 1.1 Review (Mac OS X)

The user interface of ClamXav is very utilitarian, and the initial warning when loading the program each time is a bit jarring. If I can paraphrase, it basically says "Back up all your data before using me. You got this for free, so don't expect tech support, or any kind of restitution if things go wrong." The program preferences deserve tweaking in order to get the program to actually do anything. The default settings at the very least will not harm your system.
ClamXav's icon displays in the OS X menu bar, so you can easily access the program to perform occasional real-time searches, or see the progress bar scanning files that have been added to or changed in your watch folders. This is pretty cool and definitely helpful.
ClamXav has some limitations. Chief among them, and mentioned on several popular websites, is the speed at which scans are performed compared to commercial programs in this field. But its virus definitions are updated daily, and the reports I've read say that its ability to find viruses rivals or betters those you'd spend $60 on [citation needed]. Unlike the antivirus solutions in the PC universe that I was used to, ClamXav does not have real-time scanning capabilities, except for the folders you select in what the program terms "Folder Sentry". I have my Downloads folder set to be scanned as items are put there, and that's about it. There is an option to delete or quarantine viruses upon detection, but that option is turned off by default, and is not recommended if you plan to scan e-mail (also turned off by default). Indeed, a quick Google search of ClamXav technical issues will turn up some quite disturbing problems people have had with the program deleting their entire inbox. So conservative settings of the program preferences have the end result that emails are not scanned upon arrival for infected messages. I have mine set to Not Scan Email, and to Quarantine (versus Delete) any found viruses. That is what I recommend, especially because false positives do happen.
Once a virus is found and moved to the quarantine folder, what does that mean exactly? Generally speaking, any or most found viruses will only be able to infect PC Users (or so I've been told by complacent Mac users), but does that mean I can just delete the file with impunity? Or, for that matter, leave them on my computer with impunity? I am still trying to figure that out. For my own edification, I'm going to submit the virus I recently found (the first in a year), a little ditty called "ms03011.jar-3847f8dc-50961bb6.zip" to a site I just discovered called Virus Total for analysis. Results of the analysis will be forthcoming.
You'll want to perform full system scans regularly (I scan the directory "/Users/[myusername]".) That's how I found the potentially harmful file above. Somehow it appeared in the Java system files without my knowledge. (Maybe it was that pirated version of Sim City 4 I downloaded. I guess I'll never learn my lesson.) Full scans do take quite a long time, but affect the performance of my MacBook only modestly.
For now I see no reason to spend a lot of money on commercial antivirus programs for my Mac when ClamXav does just about everything I need, for the right price.
Sunday, November 4, 2007
Kernel Panic and Zip Bomb

Error: File not scanned (appears to be a ‘zip bomb’)
Joss Whedon:System:Library:PrivateFrameworks:MediaKit.framework: Versions:A:Resources:MKDrivers.bundle:Contents:Resources:bootroot.loader
Info: Immediate job completed at 1:39:36 PM on Saturday, November 3, 2007
512774 items scanned, 0 viruses detected, 5 errors
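The "zip bomb" error above is the scanner declining to inflate an archive whose declared size or compression ratio is implausible, rather than risking the disk-filling, memory-exhausting expansion such archives are built for. The following added example (not ClamAV's or ClamXav's code; the thresholds are assumed values) performs that pre-check from the ZIP central directory alone, on two constructed archives.

```python
import io
import zipfile

# Limits a scanner might apply before inflating anything; values are illustrative.
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024   # 100 MiB declared across all members
MAX_RATIO = 100.0                            # declared uncompressed / compressed


def archive_stats(data: bytes):
    """Sum compressed and declared uncompressed sizes from the central directory.

    Nothing is decompressed, so a hostile archive costs only a directory read.
    Declared sizes can lie, which is why the ratio check is paired with an
    absolute cap and why real extraction must still enforce a byte budget.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    return compressed, declared


def looks_like_zip_bomb(data: bytes) -> bool:
    """True if the archive should be refused rather than scanned or extracted.

    This inspects one layer only; nested archives met during extraction
    must be run through the same check before they are opened.
    """
    compressed, declared = archive_stats(data)
    if declared > MAX_TOTAL_UNCOMPRESSED:
        return True
    ratio = declared / compressed if compressed else 0.0
    return ratio > MAX_RATIO


def make_zip(members) -> bytes:
    """Build a deflate-compressed archive in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary archive, and one whose 8 MiB of zeros
# deflates to a few KiB, giving a ratio around 1000:1.
NORMAL_ZIP = make_zip([("readme.txt", b"Some ordinary text, compressing only modestly.")])
BOMB_ZIP = make_zip([("zeros.bin", b"\x00" * (8 * 1024 * 1024))])
```

`looks_like_zip_bomb(BOMB_ZIP)` is true on the ratio check alone, while the ordinary archive passes; an empty archive is treated as harmless rather than dividing by zero.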
Sunday, October 21, 2007
SecurityFocus's "Attacking the Attackers"
Tuesday, October 16, 2007
Portion of an interview with Jamie Butler on Rootkits
Mr. Butler: Normally what has to be done is a complete reinstall of the operating system itself. And we've seen, um, over the last year, year to two years, the evolution of rootkits even into the hardware and BIOS spaces, where it's been demonstrated at Black Hat Federal and other conferences where a complete reinstall of the operating system may not be enough to get rid of the rootkit itself.

For months I could not understand why a complete wipe and reinstall of Windows Vista on my infected machine(s) resulted in the same damaged computer as before. At times I blamed an infected installation disk, or an infected hidden partition (from which many computer companies perform system reinstalls, eschewing disks altogether). Finally I was convinced the malware was coming straight from my cable Internet provider (paranoia, I realize, but I was basing this on the statement of a nemesis who worked for Comcast that "You would be amazed what we can do to your computer and what we can see"). Over time my infected computer's security had essentially been completely wiped out. Services I disabled automatically re-enabled themselves. At certain points my system was visibly under the control of an unseen entity/hacker. I described the problem to friends, and they told me what I was explaining to them was science fiction, and used the "P" word to describe me again. Now, thanks to Mr. Butler, I have some explanation that the events I was experiencing were and are real, but am now pessimistic that my one remaining Windows machine will ever be viable and may have to be trashed completely.
A relevant portion of the podcast can be seen below.
Securing Your Mac
- Change Your Keychain Password. Many people (myself included) don't realize that your keychain of passwords is entirely accessible once you log in to your Mac. Your Mac login unlocks the keychain, so if you step away from your computer, anyone can access without restriction your passwords for AirPort settings and even the web site passwords that Safari stores in the keychain. Solution: open Keychain Access, select Show Keychains, select your default keychain (usually called 'login'), then choose Edit | Change Password for Keychain, and choose a password different from your login password. Once the two differ, logging in no longer unlocks the keychain automatically, and you are prompted for the keychain password the first time an application needs it.
- Encrypt Sensitive Files. Acknowledging the instability inherent in Mac's FileVault, MacWorld describes a better way to encrypt your sensitive data: create an encrypted disk image. In Disk Utility, create a new disk image by selecting File | New | Blank Disk Image. Under Encryption, select 'AES-128'. Select 'Sparse Disk Image' from the Format pop-up, specify a name and location, and move all your sensitive files to this location once you mount the disk. Eject the disk when you're through editing/viewing these top-secret files; while it stays mounted, the image's contents are as readable to anyone at the keyboard as any other volume.
Saturday, October 13, 2007
My Mac, the Server?

Thursday, October 11, 2007
Red Herrings
Unfortunately, the paranoia such thoughts bring about is maddening. One sees "evidence" everywhere, signs pointing to one person or the other. Red herrings, as they call them in detective novels and movies. I've been led down several wrong paths, but have narrowed the list of suspects down to three serious ones. Each one has had opportunity (access to my machine), motive (let's just say I've made my share of enemies), and the amorality required to commit such an offense. I used to hang around with a group of people with, let us say, questionable scruples. What can I say, it's true: You lie down with dogs, you get fleas. But no one deserves to be put through what I've gone through. I plan in a later post to enumerate the direct and indirect costs -- such as time spent troubleshooting and reinstalling software -- this crap has cost me. I expect the figure to be astounding. I plan also on profiling (though not naming) each of these three Horsemen of the Apocalypse.
Norton Security Scan Clues (part 3)



Wednesday, October 10, 2007
Encryption in Vista and OS X: Not Worth It?
I bought a Toshiba laptop (a great machine, really) with Vista Ultimate, one of my many purchases (this one roughly $1,400) in an attempt to foil my already-hacked home network. No sooner had I plugged the machine into the ethernet cable to my modem than it seemed to be hacked again. I ran all the Microsoft security updates as soon as possible, but it was too late. Very quickly, my PC looked like it was running a copy of Virtual PC or something. Windows showed me being on a "network" which was composed of an intermediary computer between me and the internet. I wasn't on a network at all. When I tried to download and install BitLocker (although it's a Vista Ultimate feature, it still requires a download), a weird error prevented me from enabling the feature. Drive wipes and reinstalls didn't help. Was my mystery hacker to blame, or was Microsoft?
I ran into similar, though less paranoia-inducing, problems with OS X's FileVault (the Mac version of this strong disk encryption). My computer kept freezing, unable to recover from Sleep Mode, requiring constant restarts. Apparently this corrupted the FileVault, resulting in the below message.

Tuesday, October 9, 2007
"In the end there can only be one..."
The same day I brought my MacBook home, a friend-of-a-friend Mac "expert" took a look at it and said "This computer isn't behaving very Mac-like," a frown creasing his forehead. I didn't know what "Mac-like" behavior was of course -- I had nothing to compare it to. Of course the statement scared me, especially since this person supposedly knew nothing of my ridiculously unfixable PC security issues. But at the end of the session he seemed convinced my computer was okay. Then a few days later, my outbound firewall popped up the below message.


Thursday, October 4, 2007
Norton Security Scan Clues (part 2)
The first of two more incriminating screen captures from Norton Security Scan shows a file called dnsrxpob.exe, below, in the c:\windows\system32 folder. I knew from my limited knowledge that the system32 folder is where a lot of malware likes to hide out. Googling the file name, I found out that it's evidence of a mass-mailing worm that Symantec calls W32.Stration.DD@mm (how do they come up with these names?). Info about this worm can be found on Symantec's site.


Video Evidence?
And finally, this is part two. Again, the quality sucks, I realize.
Update [10/5/07]: It took some time since I am fairly new to video editing, but the first of two higher-def videos is posted online at a free hosting site called Files Upload. Direct link to part one: hacking_evidence_or_not_1.mov. Direct link to part two: hacking_evidence_or_not_2.mov.