jeffo

By Adrian Kingsley-Hughes @ ZDNN

It’s clear that Apple really doesn’t want users to think about security that much. So much so that the Cupertino giant is resorting to stealthy security updates.

This from security firm Sophos:

Although there is no mention of it that we could find in Apple’s release notes for Mac OS X 10.6.4, or the accompanying security bulletin, Apple has updated XProtect.plist - the rudimentary file that contains elementary signatures of a handful of Mac threats - to detect what they call HellRTS.

Did you know that Mac OS already has a very basic built-in virus scanner? I’m pretty sure that most Mac users don’t know this.

HellRTS is your standard malware fayre - it can be used to send spam, access your files, take screenshots of what you are doing and copy your clipboard. But Apple don’t want users to know this:

Unfortunately, many Mac users seem oblivious to security threats which can run on their computers. And that isn’t helped when Apple issues an anti-malware security update like this by stealth, rather than informing the public what it has done. You have to wonder whether their keeping quiet about an anti-malware security update like this was for marketing reasons. “Shh! Don’t tell folks that we have to protect against malware on Mac OS X!”

Apple doesn’t want users to think about security, but in this day and age that’s hardly a realistic approach. Given that threats can evolve on a minute to minute basis, ad hoc updates like this aren’t going to cut it for long.

Facebook: When ego gets in the way of privacy and security
- by By Jennifer Leggio c/o ZDNN

Today was a day in which you couldn’t turn a corner without running into the news of the privacy issue with Facebook chat. According to a report from TechCrunch Europe, a major security flaw allowed people to view the live chats of their friends. Indeed, Facebook chat was offline much of the morning, as the company allegedly was addressing the issue.

Due to instilled security paranoia anyway, I’ve never been one to use Facebook chat. However, I have and continue to be a huge proponent of leveraging Facebook for networking and business. But how far does that go? And should these networking and business benefits come at the expense of sacrificing one’s own privacy?

My ZDNet colleague Jason Perlow wrote a thorough piece the other day called “Contemplating Facebook Hara-Kiri.” The article cataloged his challenges with Facebook, from locking down his profile to dealing with a compromised account. Perlow described in detail how he has blocked most applications, has slowly shaved friends off of his page and is going to redirect new friend requests from folks he doesn’t know well to his fan page. He’s even put all of this in a handy dandy advanced privacy guide.

This is something I’m struggling with as well. For someone who works in security, I was one of the worst offenders. For a long time I would add almost anyone on Facebook. Oh, you like my blog? Awesome! Wow, you follow me on Twitter? Join the fun! Seriously, you have a large sum of money you need transmitted to a bank in another country? We’re golden. OK, maybe not the last one, but who knows what kind of scam I might’ve gotten myself into by doing this. Thankfully, this stopped over the last couple of years, but the folks I’d already added in the Facebook fold were still there.

I created a privacy group that wouldn’t allow people to see certain things — photo albums, my wall, etc. I’d already had it set to where no one could see my email addresses or phone number, so that wasn’t a concern. I went through my friends list and added all of these “strangers” into this list. I gave the appearance that we were connected, but we weren’t really that connected.

For some reason, I couldn’t just cut the cord. I struggled with these people. I created a dedicated “Favorite Friends” feed so I didn’t miss content from the folks I really knew. I worked around these issues. Even though many of them would invite me to events that weren’t even in my area or send me the most annoying applications that I would have to then block, I didn’t want to “unfriend” them.

I had to think about the “why.” The main reason: I was afraid to come across as mean. I respect Perlow’s approach as it works for him, but at the same time I’ve seen others handle it not so graciously. I’ve seen status messages with things like “I am going to unfriend you soon so become a fan of me.” How pompous is that? I can’t even bear the idea of creating a “Jennifer Leggio” or “Mediaphyter” page and would likely only do one if I reached 5,000 friends and hit overflow. I’m not a big enough personality to require my own page, let alone that kind of recruitment tactic. Yet, I sat there looking at all of these strangers — many of them “friend collectors” as my friend Cathy Brooks rightly calls them — and pictures of their babies and expressions of their religious affiliations, and I just felt out of control. Held hostage. By what? My own ego.

This might sound pathetic. OK, it should sound pathetic. It is pathetic. Even still, I know beyond a shadow of a doubt that I am not the only one who struggles with these types of issues. I’ve had this discussion with many friends, both inside and outside of social media circles. There are even blog posts about the importance of integrating one’s world. Yet, those posts never tell you what to do in the struggle between ego and safety. In an age where invisibility is tantamount to a career death sentence, a large network is an important claim. But at what cost?

Then the Facebook chat privacy issue exploded. Then Perlow, who I pay a lot of attention to, went on a rampage about locking down his profile. Even more so, I knew that I needed to practice what I preach. I’ve written countless articles about social networking and security and the importance of not engaging with people you don’t trust, yet I wasn’t fully doing it. Using the walled garden approach is not enough.

So, I went full throttle early this morning and cut a significant amount of “friends.” As I was doing it, I started to get panicky. “What if I need to reach out to these people someday? What if they stop reading my blog?” How weird and selfish. Visibility is important, but weren’t we taught as children that it’s better to be a genuine friend than a fake one?

In retrospect, I’m embarrassed that I let my drive for visibility get in the way of my good common sense. It’s not as if I don’t know better. I could’ve just deleted friends and gone quietly on my way. But again, I know that this is a common struggle with people trying to build their blog presence or their careers. It’s just not worth it, folks. Not with such ambiguous privacy policies, not with so many aggressive scammers and cyber criminals just waiting to fool you into friending them, and not with the future of online privacy being such an unknown entity.

At least I was smart enough to leave most of the applications alone a long time ago.

@ arstechnica.com, By Jacqui Cheng

Identity theft prevention service LifeLock is not as pristine as its reputation claims after all. The company agreed to pay out $12 million to settle charges with the Federal Trade Commission and 35 states, which had said that LifeLock's identity-theft-prevention claims were false and that the company actually made its own customer data available and unsecured from theft. As it turns out, there is no way to fully guarantee that identity theft won't happen, no matter what someone puts on the side of a truck.

LifeLock has made a name for itself as the go-to service if you never want to have any part of your identity stolen, ever. The company claims to proactively protect your information against fraud, alert you to any kind of shady activity, and reduce credit card offers for $10-15 per month. Those who have seen LifeLock's trucks driving around their cities know that the company used to slap its CEO Todd Davis' social security number on the side of the vehicle along with a number of claims guaranteeing that its customers won't fall victim. (As an aside, Davis' identity allegedly ended up getting stolen in 2007.)

According to the FTC, LifeLock has long claimed that it's the first company to prevent identity theft from ever occurring, that it will never happen to you if you become a paying customer, and that it can stop fraudulent activity before it happens. "Guaranteed." However, the company only employed limited protections on behalf of its users—LifeLock apparently only went so far as to place a credit alert on its customers' credit reports, says the FTC, and barely did anything else.

As we here at Ars know, there are many more elements to identity theft than preventing someone from opening new accounts in your name. Medical identity theft is quickly becoming big as more and more people go without health insurance, and the FTC says LifeLock offered no protection against this. "If you end up in the hospital with a split appendix and doctors look at your medical charts, they might think it's not an appendix problem because you've already had yours removed," TrustedID CEO Scott Mitic told Ars last September.

LifeLock also provides no protection against ID theft for job-hunting purposes and did nothing to protect its customers from being defrauded with their existing accounts. "[E]ven for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection," noted the FTC. (By the way, you can save yourself $10/month by setting up those fraud alerts yourself. Just contact the three major credit bureaus: Equifax, TransUnion, and Experian and they'll do it for you for free.)

On top of it all, LifeLock supposedly made claims about data security at its own company that the FTC says were false. After collecting sensitive data on customers, LifeLock did not encrypt its data and supposedly made the information easily accessible to anyone who wanted it. Thirty-five states joined the FTC in its complaint against LifeLock for deceptive claims.

The suit didn't last long, though—it was filed on March 8, and on March 9, LifeLock agreed to shell out $11 million to the FTC and $1 million to the attorneys general of the 35 states involved. The company has also agreed to stop misrepresenting its services as offering absolute prevention against identity theft, must establish a "comprehensive data security program," and is required to get independent third-party assessments of the program for 20 years.

Given the number of inquiries about LifeLock on our own forums, it's clear that the service managed to pique the curiosity of even some of the most savvy consumers. With the FTC's suit settled, the company seems set on moving forward with more transparency about what it can and can't do to protect users. As an ID-theft-obsessed consumer myself, I'd rather take measures to watch my info on my own than place my trust in a company that already has a somewhat shady past.

- by Sam Diaz of ZDNN

For the second time in less than a week, Research in Motion is scrambling to deal with a widespread outage - this time affecting North America and South America, according to reports.

That company confirmed Tuesday night that messaging services, including e-mail, were experiencing “delays” in the Americas. A CNN report cites an e-mail that says that, at one point, 100 percent of its North American customers were impacted. Telephone service reportedly was not affected. The cause of the outage was unknow and reports that the service was coming back up came in early Wednesday.

Last week, an outage that affected users across the U.S. was reportedly caused by a Blackberry server that was preventing mail from being sent. That outage fell on Dec. 17, hours before RIM would report better-than-expected earnings and instantly became the darling of Wall Street.

LOS ANGELES (Reuters) - Twitter, the fast-growing microblogging site now seeking ways to make money, expanded its terms for users on Thursday to allow advertisers to reach the Internet site's more than 45 million monthly visitors.

Twitter, the two-year-old venture capital-backed company that lets people send an unlimited number of 140-character messages, is just now beginning to ramp up efforts to monetize, or gain revenue from, its popular site.

On Thursday, it revised its "terms of service" to specify that it may run ads.

"We leave the door open for advertising. We'd like to keep our options open, as we've said before," founder Biz Stone wrote on Twitter's official blog. blog.twitter.com/

Advertising revenue is the time-honored way for Web sites to generate revenue while remaining free for consumers.

Explosive growth in social networking is attracting interest: worldwide unique visitors to Twitter's site reached 44.5 million in June, up 15-fold year-over-year, according to comScore.

Some analysts are skeptical that advertising will catch on in a meaningful way on social networks, arguing that companies are reluctant to juxtapose their brands with unpredictable, and potentially offensive, user-generated content.

Stone himself has said the company was wary of annoying its growing base of users by pummeling them with ads.

But other analysts point out that users of social networking websites tend to spend a lot of time on those sites, providing an attractive platform for advertisers to promote their brands -- especially if preferences are tracked.

Twitter kept its new clause on advertising open-ended, and stressed it was subject to change.

"The services may include advertisements, which may be targeted to the content or information on the services, queries made through the services, or other information," the terms read. "The types and extent of advertising by Twitter on the services are subject to change."

"In consideration for Twitter granting you access to and use of the services, you agree that Twitter and its third-party providers and partners may place such advertising on the services...."

by Ryan Naraine via ZDNN

Security researchers have intercepted a fake Flash Player update creating a Firefox add-on that spies on a target user’s Google search results.

The malicious Firefox extension, called “Adobe Flash Player 0.2,” injects ads into the user’s Google search results pages and even has the capability to monitor the user’s browsing activities, particularly Google search queries using the Firefox browser.

It then sends the information it gathers to a hacker-controlled server.

Trend Micro has a detailed description of this piece of malware and some insight into why this could become a bigger problem for people migrating towards Firefox in search of better browser security:

We have seen a lot of malware target Internet Explorer in the past. This is probably one of the reasons why a huge number of users are opting to use alternative browsers such as Firefox, Chrome, Safari, and Opera instead. Though this used to be considered a safe computing practice before, it seems it no longer is with the proliferation of malware targeting the most popular alternative Internet browser — Firefox.

Users should be wary, as always, of downloading updates from unknown sources. They should also note that no browser is safe from malicious attacks as cybercriminals will do just about anything to infect users with their malicious code.

by Adrian Kingsley via ZDNN

Following a two-hour outage yesterday, Google has now managed to get its Gmail service up and running. This outage follows two other well-publicized outages in February and May of this year. What do these outages say about Google, and email in general?

Well, the most apparent conclusion that can be drawn in that Google is not infallible. The company is like every other and is prone to failures. And let’s remember that Gmail is primarily a free service, so we as users get what we pay for. This outage has, ironically, been put down to changes to the request routers that direct queries to the service’s web servers, changes that were meant to improve service. I doubt that if we all paid Google for the pleasure of using Gmail that you could eliminate downtime totally. Someone made a change, things went wrong, everything came crashing down. It happens.

But the fact that downtime is an inevitable side effect of relying on any technology doesn’t mean that every time Gmail suffers downtime, decision makers think twice about turning to Google for web services, especially services that they rely on like email. Email is a critical business service, and downtime not only frustrates, it costs money.

Is it realistic to expect 100% uptime? After all, email is something that’s been around for decades. Seriously, no, it isn’t, for the reasons I mentioned earlier, but it still doesn’t mean that people don’t demand it. As Gmail continues to grow, the seriousness of each outage period will grow. That said, even though expecting 100% reliability is unrealistic, it’s in Google’s interests to improve reliability and add measures to prevent the entire email system from collapsing.

Outages such as this also paint Google’s OS aspirations in a different light. Would a Chrome OS put increasing pressure on Google’s infrastructure and make outages more commonplace? Will users put up with this?

How did the Google Gmail outage affect you? Do you think that it’s time for a company to offer 100% uptime guarantee? Do Gmail outages make you suspicious of relying on Google?

By Randall Palmer - Reuters

OTTAWA (Reuters) - The popular social networking site Facebook is not doing enough to protect the personal information it gets from subscribers, and it gives users confusing and incomplete information about privacy matters, Canada's privacy commissioner said on Thursday.

"It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," Privacy Commissioner Jennifer Stoddart said in a report on an investigation into Facebook.

The report said Facebook violates Canada's privacy laws by keeping the personal information of people who have deactivated their accounts in its databases indefinitely.

It provides confusing information about privacy practices, for example showing users how to deactivate accounts but not how to delete them.

Facebook told the commissioner it needed to keep personal data for those who shut down accounts because about half of users reactivate accounts that they had deactivated.

The report said Facebook had strenuously objected to some of the commissioner's preliminary conclusions, and on Thursday Facebook said it would continue to work with her to address outstanding areas and to raise awareness of privacy controls.

Facebook has 200 million active users, including about 12 million in Canada -- more than one in three Canadians.

Stoddart also said Facebook lacked adequate safeguards to prevent unauthorized access to users' personal information by third-party developers. There are more than 950,000 developers in 180 countries.

She said Facebook had resolved some issues and she gave Facebook 30 days to comply with a series of "recommendations".

The investigation was launched in response to complaints by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa. Stoddart has the power to ask Canadian courts to have her recommendations enforced.

In a statement, Facebook said it was "pleased that the Canadian federal privacy commissioner has dismissed the most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised in the complaint."

It added: "As part of our continued leadership in developing privacy tools that advance user control over their information, Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the commission may have."

To implement the workaround that disables the Microsoft Video ActiveX Control automatically on a computer that is running Windows XP or Windows Server 2003, click the Fix this problem link under Enable workaround. To undo the workaround, click the Fix this problem link under Disable workaround. Then click Run in the File Download dialog box, and follow the steps in this wizard.

Click link below;
- scroll up to the second section from the top (Fix it for me),
- click on the "Fix It button",
- Run,
- Run,
- Agree,
Next

...or call us @ 636.519.7646

http://support.microsoft.com/kb/972890#LetMeFixItMyself

by Ryan Naraine - ZDNN

Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical.

The latest fixes, available in the new Safari 4.0, corrects a wide range of code execution and denial-of-service vulnerabilities and even comes with a fix for the vexing “clickjacking” issues plaguing modern Web browsers.

Several proof-of-concept examples of clickjacking, also known as URI redressing, show how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user. It is a problem that affects all the major Web browsers and it appears Apple is pushing out a fix for Mac and Windows users.

how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user.

WebKit (CVE-2009-1681): A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as “clickjacking”. A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard ‘X-Frame-Options’ extension header, that allows individual web pages to opt out of being displayed within subframe.

The latest Safari refresh also fixes five documented several code execution issues in CoreGraphics (all could lead to complete computer takeover attacks); an ImageIO issue that could be exploited via maliciously crafted PNG images; 5 flaws in libxml; and a variety of WebKit vulnerabilities that affect Safari on both Mac and Windows systems.

by Dancho Danchev -ZDNN

Which is the most dangerous keyword to search for using public search engines these days? It’s “screensavers” with a maximum risk of 59.1 percent, according to McAfee’s recently released report “The Web’s Most Dangerous Search Terms“.

Upon searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee’s research concludes that lyrics and anything that includes ‘free” has the highest risk percentage of exposing users to malware and fraudulent web sites. The research further states that the category with the safest risk profile are health-related search terms.

Here are more findings:

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky
The categories with the worst average risk profile were also lyrics sites (5.1%) and “free” sites (7.3%)
The categories with the safest risk profile were health-related search terms and searches concerning the recent economic crisis. The maximum risk on a single page of queries on the economy was 3.5% and only 0.5% risky across all results. Similarly, even the worst page for health queries had just 4.0% risky sites and just 0.4% risk overall.

This isn’t the first time McAfee is attempting to assess the risk percentage of particular search terms, as the company did similar studies in 2006 and 2007. And whereas the research attempts to raise awareness on malicious practices applied by cybercriminals, it also has the potential to leave a lot of people with a false feeling of security since it’s basically scratching the surface of a very dynamic problem.

Pages: 1 2 3

by Dancho Danchev - ZDNN

Spammers are no strangers to the ever-growing Twitter. From commercial Twitter spamming tools, to re-tweeting trending topics for delivering their message, a new crafty search technique can provide spammers with fresh and valid emails harvested from Twitter’s users in real-time.

Basically, the search query consists of common phrases such as “email me at” and “contact me at” in a combination with a domain of a spammer’s choice.

The result? A flood of valid and fresh email addresses of Twitter users unaware that their emails will not only get indexed by public search engines, but also, that the output can be syndicated for spamming purposes.

From theory into practice - a day after the tactic was discussed a proof of concept script was released, even though it should be logical to assume that the practice has been taking place for a while now.

Email harvesting has been around since the early days of the Internet, and has therefore greatly evolved throughout the years. From the JS.Yamanner@m worm spreading through a Yahoo Mail flaw in 2006, harvesting @yahoo.com emails from the infected indoxes in order to further propagate, the email harvesting scripts crawling the web and their modern versions, to the Web 2.0 spammer’s mentality of harvesting instant messaging and social networking user names - their database usually ends up as value-added service in a managed spam vendor’s proposition.

In Twitter’s case, their TOS states that:

You are solely responsible for your conduct and any data, text, information, screen names, graphics, photos, profiles, audio and video clips, links (”Content”) that you submit, post, and display on the Twitter.com service
And whereas that should be the case, what Twitter can do to at least slow down this efficient email harvesting approach, is to either allow its users to choose whether or not they would like to have their emails/phone numbers obfuscated (reCAPTCHA Mailhide), or enforce the policy to all users.

By Seb Janacek silicon.com via ZDNN

Just a few short weeks after the Mac trounced competitors in a customer satisfaction survey, the iPhone has repeated the same trick for Apple in the smartphone market.

The iPhone has taken first place in a consumer survey by J D Power published last week, dominating all but one of the categories: physical design, ease of operation, features, operating system, battery aspects and overall satisfaction.

Most iPhone owners won't be surprised to hear it came last in battery performance.

In contrast, RIM's BlackBerry - the competitor against which the iPhone is most often measured - scored highest in battery life but performed poorly in other categories.

According to a recent report by NPD, the BlackBerry has overtaken the iPhone in unit sales for the Q1 2009. RIM has been operating an aggressive buy-one-get-one US campaign and its sales have surged 15 per cent in the first quarter, though presumably at lower than normal hardware margins.

The news will no doubt prompt some doomsayers to predict the death of the iPhone or some other such nonsense and call for Apple to respond immediately with a host of new models.

Assuming it needs to, what could Apple do to drive up iPhone sales? The two obvious answers are to expand the iPhone product portfolio and to end their exclusive deals with carriers. Both ideas have had some coverage in recent weeks in the press and blogosphere.

While rumors of an iPhone 'nano' or 'lite' have been around for some time, the introduction of either looks unlikely in the short to medium term.

Apple is giving out a little at a time with the iPhone. Last year on the hardware front it got 3G connectivity and GPS. One would expect a couple of new features in the near future, possibly a better camera and improved video recording.

Of course the iPhone is really more about software than hardware and the 3.0 update will bring the long-demanded MMS update and, lest we forget, copy-and-paste. Hallelujah!

Battery life on the iPhone remains truly terrible, something I covered in an earlier article. It also appeared at the top of my wish list of 10 missing iPhone features.

It seems likely that Apple will announce new iPhone hardware early this summer. However, I don't think the company will diversify its iPhone product range just yet. Why? Because it doesn't need to. iPhone sales are very strong at the moment (3.8 million in the last quarter) and, according to the old aphorism, if it ain't broke don't fix it.

At the company's last earnings call, Apple's acting CEO Tim Cook said the company "chose from the beginning of the iPhone to focus on one phone for the whole of the world". That strategy is working just fine.

Another option for the company to consider, as a way to sell more iPhones, is to end its exclusive 'one carrier per territory' deals.

I'm not convinced Apple will change this model or if indeed it needs to. With its exclusive deals, Apple can sustain high margins on the iPhone. The company can play carriers off against each other to negotiate the best deal. Breaking from this model will mean losing some bargaining power - and possibly lowering its profit margins.

Lest we not forget that Apple is performing well in the smartphone market. Despite having been a player in less than 25 per cent of the mobile market for under two years, it's already a leading brand and an agenda setter.

iPhone sales remain buoyant despite both a depressed economic climate and the parameters it has set itself with its exclusive partnerships. It can continue to drip feed new products and features rather than rush them to market. New models will undoubtedly come, just not yet.

Personally, I tend to look forward to software releases more than new hardware. With that in mind, the keynote at the Worldwide Developers Conference in a month's time should prove exciting.

Predictions will follow later in the month.

- from ZDNN, Larry Seltzer

OPINION: The controversial firm spent 10 years abusing users, suing security companies, defending itself in the press and court, and breaking promises to everyone. Luckily, this chapter of the software industry is over.

Contrary to rumors that it had been sold, Zango is now out of business. Some assets have been purchased by video search engine firm Blinkx, but the company itself has closed its doors.

Formerly known as ePIPO, 180solutions and Hotbar, Zango pioneered many of the most intrusive advertising strategies on the Internet. Despite its insistence that they were legitimate advertisers and listened to their customers, the company never was able to escape its reputation for installing without permission, refusing to uninstall and never quite explaining what it was doing to the customer. It's not clear that, even in the end, it abandoned these abuses.

Ben Edelman, Harvard professor and spyware researcher, was one of those who brought Zango's practices to light: "Zango never offered anything sufficient to compensate users for Zango's substantial intrusion onto users' PCs." The price for such information should be high, but "the little trinkets and doodads Zango offered were not enough." Much of what the company offered in exchange was easily available elsewhere for free. It also had a habit of redistributing content to which it had no clear rights.

In other words, it was a shady company. Throughout its history it was caught at a variety of sleazy activities, from ripping off its affiliates to displaying pornographic ads with no warning. To protest its classification as malicious, it sued or sent threatening letters to several security companies, including Symantec, Kaspersky and Zone Labs.

Pages: 1 2

Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.

Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine.

The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.

They describe this as the “first real attempt to create a Mac botnet” and notes that the zombie Macs are already being used for nefarious purposes.

The researchers pointed to this blog entry that describes a a PHP script, running as root, launching attacks against an unknown Web site.

The article goes into detail on the botnet’s peer-to-peer engine, startup and encryption capabilities and configuration file structure and concludes that the person who wrote the malware is not the same as the person who actually ‘used’ it.

“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers added.

- from ZDNN by Ryan Naraine