Still think Mac is secure?

Over the past week, researchers have been investigating a new botnet consisting of compromised computers, all running the Mac OS. From what I can tell, this is a rather simplistic attack, where malware has been added to popular pirated software which users then installed and ran.

The Flaw

The major flaw here is the overwhelming overconfidence of Mac users, in my humble opinion. Many Mac users do not consider their computers to be at risk for infection, because Macs are rarely attacked. They seem to believe that this is because Macs are inherently more secure, rather than a result of the lower market share of the Operating System.

As a result of this attitude, many Mac users have not bothered to install/configure/update the basic software necessary to protect a computer, especially when downloading as untrustworthy software as pirated applications. The consequence of this is of course, that their computers were compromised.

The consequences

Compromised computers that have been added to the botnet in question have been used in Distributed Denial of Service attacks against various web sites, as the attackers behind this botnet rent the network out to third parties. Additionally, as the software accesses the administrator-level credentials for the computer, it is possible that attackers may be able to access and/or retrieve sensitive data from compromised systems.

More Information

• Name: OSX.Trojan.iServices.A, OSX/iWorkS-A, OSX.iWorkServices.A


• Infection Vector: Trojan Horse contained in pirated Mac OS software


• Article on Techtree


• Intego alert on this virus


• Removal utility from Securemac.com

Protecting Your World of Warcraft Account

I am writing this because over the weekend I have had another friend have their World of Warcraft account compromised. In this case, the attack was done using a Trojan (Win-Trojan/GameHack). World of Warcraft accounts are one of the most profitable things for hackers to steal. As compromises continue to increase, I feel like this is a good time to remind everyone of the steps that should be taken to protect your account if you play World of Warcraft or any other MMORPG. Of course, most of these tips go for everyone else too...

Viruses and Trojans such as GameHack can come from anywhere. One recent source that caused large numbers of accounts to be compromised has been flash-based ads which could bypass the security of any browser and install the virus. Sites about World of Warcraft, especially if they display ads for gold-selling services, should not be trusted. Here are a few steps you should take to protect your World of Warcraft account:

1. The right antivirus software is essential. Kapersky (expensive but worth it) Avast (free) and AVG (free) are among the best. AVG and Kapersky both pre-screen web pages before they are displayed in your browser. I typically recommend users avoid McAfee and Norton - they have become so popular that most viruses are designed to avoid or even disable them.

2. The next priority is to establish a strong perimeter. Your computer should NEVER be connected directly to the Internet. Even if you only have a single computer on your network, invest in a router. Routers add an extra layer of protection through their built-in firewall that prevents external systems from contacting your computer.

3. Next, establish a strong software perimeter. This is done by installing a software firewall on every computer on your network. Unless you share files between computers, each computer should be completely locked down. Even if you do share files or use other network features such as sharing printers, a software firewall can still protect your network. And no, the built in firewall on a Windows or Linux system is not sufficient. You need a firewall that monitors all network activity from every application on your computer. This will often give you the first warning of a virus on your system, and in most cases can prevent a keylogger from sending data back to the attacker. ZoneAlarm is a free, easy to configure firewall that provides comprehensive monitoring. Comodo Firewall is a good, albeit complex free firewall application that is not as user friendly as Zone Alarm, but which provides even more high-level application monitoring.

4. Finally, update everything. It is absolutely essential that you use the update function included with your Operating System. Patch your OS and your web browser as soon as updates become available. Your browser also must be kept up to date along with your antivirus software and firewall. Most of these applications will automatically update themselves.

5. Try alternatives. Firefox is generally considered more secure than Internet Explorer and can provide additional protection against Trojans. Combined with plugins that block scripts and Flash, you can create a browser so secure malware simply can't find a way to attack your system.

6. Use different passwords. Never use the same username/e-mail and password combination for any web-based service as you do for your World of Warcraft account. Login credentials can be stolen from other sites or even read in plain text by attackers and used to compromise your account.

7. Get the Blizzard Authenticator. According to Blizzard, no account using the Blizzard Authenticator has ever been hacked. They have been stolen by friends or relatives, but none have been reported attacked through keylogger means. The Authenticator is relatively inexpensive, and provides a great level of additional security.

There is no magic bullet when it comes to protecting your World of Warcraft account. There is some work involved in securing your system, but once that work is done, you can greatly reduce the risk of compromise.

Confiker Worm Update

Hello everyone. I just wanted to post an update on the Conficker worm, recapping the virus' activity following it's April 1 activation date. As expected, the virus did not cause major havoc when it updated. However, the worm has gotten stronger, and analysts are now able to identify several intended revenue streams for the hackers behind this worm.

When the worm updated on April 1, the first major development is that the virus began attempting to spread once again, while becoming even harder to remove from infected systems. The worm at this time has increased protection against users downloading anti-virus software. This can be demonstrated at the Conficker Eye Chart page from the Conficker Working Group.

In addition to the virus spreading and becoming harder to remove, Conficker has shown two revenue streams. First, some variants attempt to install scareware, fake antivirus software that installs its own malware while attempting to coerce the user to pay for the fake software. Second, other variants have formed into a botnet that researchers believe may be rented to spammers by the worm's authors. This has become one of the major purposes behind widespread viruses, as it allows the virus controllers to sell the computing resources of infected systems to spammers.

Fortunately, infection by Conficker can be prevented. As I have noted before, prevention is key - a strong software and hardware firewall and up to date antivirus, as well as regular operating system patches, will leave your system secure against this virus.