Graham Cluley’s blog
From anti-flappertanknibbles to zombies. Get inside the head of a computer security expert. If you like.
Duck savages Ikee iPhone worm author

Sophos's Paul Ducklin has been voicing some strong opinions.
There's nothing new about that, of course, as you'll know if you're a regular follower of his blog.
This time, though, Duck is explaining why he can't excuse the author of the recent iPhone worm, Ikee, and why he feels the majority of people got the answer wrong when they voted in a poll earlier this week on whether it was justified to release the worm into the wild.
The below interview, with Patrick Gray of Risky Business, is excerpted from this week's Risky Business podcast. You can download the whole podcast (which also features an interview with Ashley Towns himself, the Aussie youngster who has admitted to setting the virus loose) here.
You'll enjoy this, because Duck doesn't mince his words, so give it a listen:
Posted on November 11th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, Mobile, Podcast
Extremely critical Mac OS X patch plugs 58 security holes
Yesterday Apple issued a fix for 58 vulnerabilities in its Mac OS X operating system, many of which could lead to hackers running malicious code and hijacking your Apple Mac.

The update to version 10.6.2 of Mac OS X Snow Leopard also includes a number of "stability and compatibility" updates, including a fix for a bug that permanently deleted user data when guest accounts were used.
More information about the products affected by the Apple security vulnerabilities can be found on Apple's website.
Security Update 2009-006 has also been released for users of Mac OS X 10.5.8 who have not yet upgraded to Snow Leopard.
The importance of keeping your computer patched cannot be emphasised strongly enough. Even though there are many more attacks against Windows users than Mac OS X users, that does not mean that Apple fans are completely ignored by the hacking and cybercriminal community. It is extremely critical that all computer users take their computer security seriously, or risk having their systems and data breached.
Of course, before rolling out patches like this to a large number of computers, you would be wise to test them on a select few first - just in case there are any incompatibility issues.
Mac users can update their computers via the regular Software Update process, or download a patch directly from Apple Downloads.
It must be a busy time for system administrators in charge of multiple operating systems throughout their companies - later today Microsoft is due to release a number of important security patches for its Windows and Office products as part of its regular "Patch Tuesday" schedule.
Posted on November 10th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware
Looking for source code for the ikee iPhone worm? Sorry
Are you trying to find the source code for the ikee iPhone worm?
It seems a fair few people are, at least judging by the statistics I've seen for my blog today.
The raw statistics are apparently a closely guarded commercial secret (probably to be filed in a locked cabinet stuck in a disused lavatory with a sign on the door saying "Beware of The Leopard"), but I am allowed to share with you the top keywords that folks around the world have used when stumbling upon my blog today:

You'll notice it's not "Rick Astley" or "Rickrolling" that people are searching for. Instead a hot search term which is bringing people to my website is "ikee source code".
And that worries me. After all, who has an interest in the ikee worm's source code? None other than hackers who might want to create more variants of the worm, perhaps with more malicious intentions than displaying a picture of a pop star from the 1980s.
Posted on November 9th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Clu-blog, Malware, Mobile
75% believe worm author "did iPhone users a favour", poll reveals
I find this shocking.
A poll we ran earlier today suggests that three quarters of you think it's okay to spread a virus if it raises awareness of security issues.
We asked what you felt about the behaviour of the author of the first iPhone worm, which has spread in Australia changing wallpapers to an image of 1980s pop star Rick Astley.
Here's what you answered:
(By the way, I know it says 76% above. According to my maths it actually works out as 75.8%, so we'll be generous and say 75%)
Has the world gone completely bonkers? It's a depressing notion that most people think that doing harm and breaking computer crime laws is a good thing. The 21-year-old Australian student who wrote the iPhone worm has acted utterly irresponsibly - even if he now regretted releasing a worm into the wild (which he doesn't), there is nothing he can do to stop it continuing to try to infect jailbroken iPhones.
Can you imagine a world in which everyone takes it upon themselves to release worms and viruses into the wild in the hope that it might "raise awareness"?
Every victim of the iPhone worm has to take steps to repair the damage caused by the worm, and return their phone to normal use. Furthermore, every infected phone will have been eating up the user's data allowance as it hunted for more victims, potentially generating a large bill at the end of the month.
But what's worst of all is that the code for the worm is now available for anyone to download. The genie is let out of the bottle - and anyone could write a more dangerous version of the worm which could have a much more dangerous payload.
When I first entered this industry umpteen years ago I learnt an essential truth that is still as true as it was then: There's no such thing as a good virus. (See this excellent paper by Vesselin Bontchev if you want to read more about that. Or if you don't have the time or will-power to wade through Vesselin's paper, here's a succinct, perfectly formed and much more amusing piece by my colleague Paul Ducklin)
Disclaimer: Please bear in mind that this poll is not scientific and is provided for information purposes only. Sophos makes no guarantees about the accuracy of the results other than that they reflect the choices of the users who participated.
Posted on November 9th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, Mobile
Microsoft's COFEE forensic tool leaks onto the web
According to media reports, a tool developed by Microsoft to assist in computer crime investigations has leaked onto the web.
COFEE (Computer Online Forensic Evidence Extractor) is a system designed to collect digital evidence from suspects' computers while they are running, without the investigating officer having to do much more than insert a USB stick.

COFEE allows computer crime investigators to grab a dump of processes running on an active computer at the scene of an investigation. The ability to grab a perfect copy of data from a PC without interfering with the computer is attractive to the computer crime authorities - and it's especially handy when more and more drives are using encryption and strong passwords to prevent unauthorised access.
But at the same time, you can probably understand why Microsoft might wish to control who can get their paws on the software.
Yes, it's understandable that some will be concerned that disreputable parties may now have access to a tool which may assist them in their own criminal activities. But more than that, what's to say that the bad guys couldn't analyse COFEE, and write their own code which neutralises it (or wipes sensitive data from their computer) if they determine it is being run on their own computer?
That, after all, might make life difficult for the computer cops when they try and dash-and-grab data from a suspicious PC.
Posted on November 9th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, Law and Order, P2P
Worm author tells media he initially infected 100 iPhones

The author of the world's first iPhone worm appears to be feeling pretty cocky about the whole incident.
Without a hint of apology, or the slightest acknowledgement that he may have done something wrong, Ashley Towns has been speaking to the media who have contacted him via his Twitter account.
Towns, who goes by the online handle of "ikex", spread the ikee worm which broke into jailbroken iPhones and installed a picture of Rick Astley before hunting for other vulnerable devices. In an interview with ABC News, the 21-year-old student was asked if he knew how many iPhones had been affected:
"Due to the nature of it, it's kind of hard to tell, I know my phone hit about 100 alone but from there I have no idea," he said.
So, it appears that Ashley Towns is admitting that he personally infected 100 iPhones from his own iPhone. Those iPhones would then have tried to infect other jailbroken iPhones, and so on, and so on.
Each of these affected users would need to take action to repair their iPhones from the unauthorised modifications. Yes, they should have been better secured in the first place - but surely that's not an acceptable justification for virus infection?
And don't forget, Ashley Towns will have cost each infected iPhone user all the bandwidth used by his malware - remembering that even just trying to initiate TCP connections to computers which won't accept them wastes some data - and his worm has some huge IP address ranges through which it tries to open connections.
The bandwidth used by the worm will come out of users' monthly data quotas or - depending on their payment plan - out of excess data charges. Lord forbid you should be unknowingly roaming overseas whilst infected!
Towns has said on his Twitter page that he is receiving requests from people for the source code to his worm. Sophos has contacted him requesting that he does not share it with any further people - as it could lead to more malicious iPhone malware being written in the future.
It remains to be seen whether the author of the first iPhone worm will recognise the seriousness of what he has done, and take appropriate steps to minimise the damage.
Posted on November 9th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, Mobile
First iPhone worm discovered - ikee changes wallpaper to Rick Astley photo

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.
The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again.
On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message:
ikee is never going to give you up
What's clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.
The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.
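From the network side, the behaviour described above (a phone opening SSH connections to address after address while hunting for other vulnerable devices) is something a defender can spot. The following is an added example, not code from the post or from SophosLabs: it flags hosts that contact an unusually large number of distinct addresses on TCP/22 within a short window, run over constructed connection-log lines; the log format, addresses and threshold are assumptions.

```python
"""Flag hosts that behave like an SSH-scanning worm.

Added example, not from the original blog post. Works over constructed
connection-log lines of the form "<ISO timestamp> <src> -> <dst>:<port>"
and flags any source that reaches many distinct destination IPs on TCP/22
inside a short sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port)."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_ssh_scanners(log_text, threshold=10, window=timedelta(seconds=60), port=22):
    """Return {src: peak_distinct_dsts} for sources that hit at least
    `threshold` distinct destination IPs on `port` within any `window`.
    The threshold is an assumed tuning value, not one from the post."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, p = parse_line(raw)
        if p == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # dst -> occurrences inside the window
        lo, peak = 0, 0
        for ts, dst in evs:
            counts[dst] += 1
            # drop events that fell out of the sliding window
            while ts - evs[lo][0] > window:
                old_dst = evs[lo][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                lo += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed traffic: one worm-like host, one admin doing ordinary
    SSH, one host browsing the web. All addresses are made up."""
    t0 = datetime(2009, 11, 8, 10, 0, 0)
    lines = []
    # worm-like host: 40 distinct destinations on TCP/22 within 40 seconds
    for i in range(40):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 -> 10.0.3.{i + 1}:22")
    # admin: three SSH sessions spread over an hour, never many at once
    for i, host in enumerate(("10.0.3.1", "10.0.3.2", "10.0.3.3")):
        lines.append(f"{(t0 + timedelta(minutes=20 * i)).isoformat()} 10.0.0.9 -> {host}:22")
    # web browsing: many destinations, but on port 80, so not SSH scanning
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.0.7 -> 203.0.113.{i + 1}:80")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in find_ssh_scanners(build_sample_log()).items():
        print(f"possible SSH scanner: {src} reached {n} distinct hosts on TCP/22")
```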

SophosLabs is analysing the worm's code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the "D" version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.
The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

Presently it appears that the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. However, that doesn't mean that attacks like this can be considered harmless.
Accessing someone else's computing device and changing their data without permission is an offence in many countries - and just as with graffiti there is a cost involved in cleaning-up affected iPhones.
Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.
iPhone users may rush into jailbreaking their iPhones in order to add functionality that Apple may have denied to them, but if they do so carelessly they may also risk their iPhone becoming the target of a hacker.
My prediction is that we may see more attacks like this in the future. Indeed, only last week we saw hacked iPhones in the Netherlands being held hostage for 5 Euros.
Who wrote the ikee iPhone worm?
The source code of the worm says at its start:
/ "ikee virus" by ikex
/ Revision: 10 (Variant D)
A quick trawl of the Whirlpool forum where users are reporting that their iPhones are unexpectedly displaying an image of Rick Astley, reveals a user calling themselves "ike_x".
According to ike_x's user profile on the Whirlpool forum his nearest city is Sydney, Australia. Further searching on the internet reveals other pages seemingly related to ike_x of Wollongong, New South Wales, using the name "Ash" or "Ashley Towns". For instance, here is a MySpace page and this appears to be Ash/ikex on Twitter.
The worm's author appears to have realised that people might be interested to learn why he wrote the worm, and posted this explanation inside the code:
Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn't anyone RTFM anymore?
There is a certain irony in the notion that a hacker who says he was trying to expose sloppy security by the owners of jailbroken iPhones has done such a bad job of covering his own tracks.
Source of image of affected iPhone: Batman from the Whirlpool forums.
Posted on November 8th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, Mobile
Think you've won a MacBook Air? Beware email malware attack

Apple's super-skinny MacBook Air is one of the most desirable laptops on the planet - which means it's not too surprising if criminals try and take advantage of its allure to infect unsuspecting computer users.
And that's exactly what hackers are doing today in a malicious email campaign that has been spammed widely out across the internet.
Unsuspecting computer users may find an email with the subject line "Congratulations" in their inbox this morning, telling them that they "have won todays Macbook Air" and that they should open the attached file (called winner.zip) for more information.
Here's the full text of the email:
Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.

Of course, in reality you haven't won a competition, and there is no MacBook Air up for grabs. Instead, the hackers who spammed out the messages are hoping that the thought of winning a sexy laptop will be enough to make you open the attached file and infect your computer.
Sophos is detecting the attached Trojan horse as Mal/EncPk-LE.
The MacBook Air was launched in January 2008, catching the imagination of the media with its thin frame and adverts claiming it was the "world's thinnest laptop" as it was shown being slipped inside a Manila envelope. The lesson to learn today is that receiving news of a complimentary MacBook Air in your electronic mail might not be the safest thing in the world.
At least Apple users can feel smug about one thing - this particular Trojan horse doesn't work on Mac OS X, only Windows.
Posted on November 6th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, Spam
Mossad hacked Syrian laptop before bombing nuclear facility

According to reports in Der Spiegel, agents working for Israel's Mossad intelligence service planted a Trojan horse on a computer belonging to a senior official in the Syrian government, gathering information which led to an air raid on a nuclear project in Syria's eastern desert.
The attack on the partly-constructed Syrian nuclear facility occurred in September 2007, a year after a top Syrian official is said to have left his laptop in his room in a swanky hotel in Kensington, London.
According to Der Spiegel:
[The Syrian official] was under Mossad surveillance and turned out to be incredibly careless, leaving his computer in his hotel room when he went out. Israeli agents took the opportunity to install a so-called "Trojan horse" program, which can be used to secretly steal data, onto the Syrian's laptop.
The hard drive contained construction plans, letters and hundreds of photos. The photos, which were particularly revealing, showed the Al Kibar complex at various stages in its development. At the beginning -- probably in 2002, although the material was undated -- the construction site looked like a treehouse on stilts, complete with suspicious-looking pipes leading to a pumping station at the Euphrates. Later photos show concrete piers and roofs, which apparently had only one function: to modify the building so that it would look unsuspicious from above. In the end, the whole thing looked as if a shoebox had been placed over something in an attempt to conceal it. But photos from the interior revealed that what was going on at the site was in fact probably work on fissile material.
One of the photos showed an Asian in blue tracksuit trousers, standing next to an Arab. The Mossad quickly identified the two men as Chon Chibu and Ibrahim Othman. Chon is one of the leading members of the North Korean nuclear program, and experts believe that he is the chief engineer behind the Yongbyon plutonium reactor. Othman is the director of the Syrian Atomic Energy Commission.
The information gathered by the spyware Trojan horse appears to have led to Israel knocking out Syria's nearly-completed nuclear reactor the following year.
Should we be surprised by these news reports? Probably not. In fact, I think it's likely that many countries around the world are using malware - and more specifically spyware Trojan horses - to spy upon each other.
Earlier this year, Seoul accused North Korea of having a specialist cyberwarfare brigade, stealing information from enemy countries and disrupting rival South Korean and American military networks with computer technology.
Back in September 2007, the Financial Times reported that the Chinese army were being blamed for an attack against a Pentagon computer in the office of US defense secretary Robert Gates. The FT reported that the People's Liberation Army (PLA) had been named as the likely perpetrators of the hacking attempt.
And last year I explained how the conflict between Russia and Georgia spilled into cyberwarfare, described how the German foreign intelligence service had been accused of spying on a ministry in Afghanistan, and described how the Belgian and Indian governments had pointed the finger at China for attacks against their systems.
Countries will use every dirty trick in the book to spy upon each other and grasp an advantage. We shouldn't be surprised if intelligence agencies like Mossad are also engaged in this kind of behaviour, and we shouldn't fool ourselves into thinking that our own countries aren't also using spyware for their own ends too.
And what's the lesson for those of us who aren't spies or Government agents? Well, if you have sensitive information on your laptop - make sure it is properly protected with security software and that any confidential information is encrypted.
Furthermore, maybe it wouldn't be a good idea to leave it unattended in your hotel room if the data contained upon it could be considered extremely sensitive.
Posted on November 6th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, Malware
Just how much does Google know about you?

Google has announced a new product: Google Dashboard.
The search engine giant - who today changed its logo to celebrate the 40th birthday of "Sesame Street" - is attempting to respond to the concerns of some internet users that Google is gathering too much data about individuals through its various cloud services.
The thing is that you may have shared information with a Google service in the past, only to have forgotten about it in the mists of time. Dashboard makes it easy to recall all those Google services you may have signed up for in the past (for instance, if you chose not to upload all your holiday snaps to Picasa, or realised that you didn't want your friends to be able to see where you were 24 hours a day via Latitude after all) and may now wish to consign properly to the dustbin.
Hang on, let me rephrase that. Dashboard makes it easy to recall nearly all those Google services. Some, such as Google Wave, Google Groups, and Google Checkout, aren't currently incorporated fully into the Dashboard yet, but at least they are linked to from the bottom of the Dashboard page. Google says it plans in the future to integrate all Google services into the Dashboard.
There's nothing new about what you can do with Google Dashboard - you always were able to manage your various Google assets by logging in to the individual product pages - but it does provide an easy one-stop-shop with a handy list of links to your different account management pages.

So, congratulations to Google on being more transparent and making it easier for individuals to manage the personal data that the company stores about them.
But it's worth remembering that this openness could come at some cost. For instance, putting this info all in one place could make it easier for a cybercriminal to learn more about you more quickly, should they manage to discover your Google password.
On similar lines, journalist Ian Paul has written about how he could tell his browser to remember his account password for future visits to Google Dashboard, leaving a worrying door open should his computer be hacked or stolen.
Posted on November 6th, 2009 by Graham Cluley, Sophos. Filed under: Data loss, WWW