According to Russian antivirus company Dr. Web, there are about 600,000 Macs around the world that are infected by different variations of the Flashback trojan and are now part of a fast-growing Mac botnet. Of the 600,000 infected Macs the majority are located in North America – 57% from the US and 20% in Canada.

If you own a Mac and would like to check whether its infected or not, you can follow these step-by-step instruction provided by the folks from F-Secure.

NOTE: This procedure is risky and could be a bit tricky so it is recommended only for advanced users. If you think you’re not capable of doing it yourself, you can request a friend or a professional technician to assist you.

1. Open up Terminal (Finder > Applications > Utilities > Terminal).
2. Key in and run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

3. Take note of the value, DYLD_INSERT_LIBRARIES
4. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

5. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obta</blockquote>ined_in_step2%

6. Take note of the value after “__ldpath__”
7. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment 

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

8. Delete the files obtained in steps 2 and 5
9. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

10. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

11. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

12. Take note of the value after “__ldpath__”
13. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 

launchctl unsetenv DYLD_INSERT_LIBRARIES

14. Finally, delete the files obtained in steps 9 and 11.

If you get both “does not exist” errors on Step 4 and 10, it basically means that your Mac is not infected by the latest Flashback trojan variation. However, other Flashback trojan variations include additional components which require additional removal steps. Please refer to this link for further information and removal instructions.

I performed the procedure on my Mac and fortunately for me, it isn’t one of the 600,000 infected machines. I strongly recommend that you do the same thing and check to make sure whether your Mac is infected or not. It won’t hurt if you do and its always better to be safe than sorry.

Anyone here who got infected by the latest Flashback trojan or a different variant? What did you do to fix/disinfect your machine?

I checked the suspicious email and at first glance, it looked legit. The email address used was store[at]itunes[dot]com and the message looked like a real iTunes receipt.

I compared it with a real iTunes receipt I previously received and found a few discrepancies:

Fake iTunes Receipt
Sender: iTunes
Email Address: store[at]itunes[dot]com
Billed To: email address
Billed To: “Credit card”

Real iTunes Receipt
Sender: iTunes Store
Email Address: do_not_reply[at]itunes[dot]com
Billed To: email address, full name, billing address (street, state, zip code)
Billed To: Credit card type – MasterCard, VISA, etc. with last 4 digits.

I also checked the email headers of both the real and fake iTunes receipts and saw that the data (Return Path, Received, Received-SPF, Authentication-Results, DKIM-Signature, etc.) didn’t match up. I also noticed that the fake email had these strange characters “•” at the bottom of the email.

The last thing I checked were the links embedded on the email. Btw, I did it by hovering the mouse over the links, not clicking on the links. Below are links and URLs they’re pointing to:

Cancel Order, Report a Problem links – slavodelic[dot]com/pod/check[dot]php

View\Download link – http://cpslex[dot]com/images/download[dot]jpg[dot]exe

Purchase History link – http://cpslex[dot]com/images/history[dot]pdf[dot]exe

As you can see, the URLs were pointing to a PHP page and a couple executable files. With that, it’s safe to say that the fake iTunes receipt email was not just an ordinary spam or phishing email but a malicious email that intended to trick users into installing a trojan horse virus on their computers.

People who send these type of emails use scare tactics to trick users to provide their account names/passwords, click on links, install attachments, etc. If an unsuspecting person got duped into thinking that this was a real iTunes receipt and that person clicked on any of the embedded links, their computer would’ve been compromised. Their personal information could be stolen, credit cards & bank accounts breached and their computer could be used as a “bot” for a botnet.

If you ever come across the same type of email, make sure that you DON’T click on any of the links and/or DON’T download/install any of the attachments. DELETE the email and warn your family and friends about it.

Anybody else got these fake iTunes receipt emails?

If you receive a password reset email from Facebook on your inbox, be careful! Facebook users are being warned of a malicious email password reset scam that is making its rounds and quickly spreading across the social network the past couple of days. This massive spam run is the latest version of malicious emails targetting Facebook’s 400 million global users.

The email messages that are believed to be sent from the Cutwail and Rustock botnets, use a spoofed return email address like “help@facebook.com“, making it look real and appear that its really from Facebook. The message indicates that the user’s Facebook password has been reset and that the user should download the email attachment containing the new password. Unbeknownst to most users, that attachment is a Trojan horse program designed to infect a computer. This massive spam run also contains different varieties of malware programs, password stealers, rogue antivirus programs and botnet code.

Unlike most spam and phishing emails, this Facebook password reset scam’s English-language messages contain correct grammar but has a weird sign-off: “Thanks, Your Facebook.”

Here’s a screenshot provided by McAfee from one of those Facebook password reset scam emails.

Users should always keep in mind that companies or social networks like Facebook won’t send unsolicited passwords. The only time a user will get a new password is if that user requested for it. Aside from keeping your AV (antivirus) up-to-date, users should also make it a habit not to click on embedded links on emails and NEVER download attachments. If you have to download an attachment from someone you know, make sure you scan it first with your antivirus software before opening/running it.

Social networking sites will always be a favorite target of scammers, spammers, phishers and other types of cybercriminals because of the huge number of users and the large percentage of “ignorant” users. So its important that users should always be protected (up-to-date antivirus) and be educated about these types of email scams.

Next time you open your inbox and find an email that asks you to reset a password or change login details, be careful. It could “pretend” to come from Facebook, Twitter, Bank of America, PayPal or any other website – don’t click on the embedded links and NEVER download any attachments!

Anyone here or anyone you know recently received a Facebook password reset scam email?

Just found out from Weblog Tools Collection about a certain website with the name WordPresz.org that pretended to be WordPress.org and tried to release a backdoored (trojanised) version of WordPress to unsuspecting users who are still using older versions of the popular blogging platform. Blogger Craig Murphy was the first to report about this issue and below is a summary of his report taken from Sophos.com.

“Craig talks about how when he logged in to his admin account in WordPress he received a “High Risk Vulnerability Warning” from a spoofed WordPress domain. (The last ’s’ in WordPress.org has been replaced by a ‘z’.) The Warning suggests upgrading to the ‘new’ version 2.6.4 of WordPress. Downloading this ‘new’ version of WordPress I found that of the 638 files in version 2.6.4, 637 were identical to the same files in the official 2.6.3. The only difference was in the file pluggable.php. The hacked version of the file pluggable appears to be stealing the content of cookies on larger installations of WordPress. Sophos are now detecting this file as Troj/WPHack-A.”

WordPresz.org, setup by malicious persons was designed to steal valuable information stored in cookies from users who install the compromised version of WordPress and could also potentially be used to hijack these WordPress installations for malicious purposes. WordPresz.org is no longer online but the site looks exactly the same as the real thing. Below is a screenshot of the fake site.

If you can’t see the difference, below is a screenshot made by Craig pointing out the differences between the real and the fake WordPress site.

1 – the download size is too round and is incorrect, it should be about 1.4mb in this case.

2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

3 – The real WordPress.org has a “Showcase” link included.

It’s really hard to know the difference between the two sites and any WordPress user could be lead to believe that they’re visiting the real one.

Here’s Peter Westwood’s (one of WordPress’s lead developers) response to this incident:

It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.

“We recommend that people upgrade as soon as possible when we release a security release so as to ensure they are not vulnerable to issues which will likely have exploits in the wild.

Also in the upcoming 2.7 release of WordPress we are including a built-in upgrade mechanism within WordPress which will allow people to upgrade automatically with ease. I would however stress the need with any piece of software to check that an upgrade is real by visiting the website of the software provider manually rather than relying on a link that you have been provided. Otherwise, as with bank phishing scams there is the potential for someone to trick you into doing something you didn’t want to do.

This is not the first time hackers and fraudsters tried to released compromised version of WordPress. Early last year, I published WordPress 2.1.1 – Dangerous Download, which is about how crackers were able to upload a backdoored version of WordPress 2.1.1 into one of the servers powering WordPress.org. Other instances include websites trying to distribute WordPress themes containing malicious codes.

These is another good reminder for all of us WordPress users to practice safe computing. For those of you who are still using an old version of WordPress, please take the time to upgrade to the newest version. Make sure you update your WordPress installation to the most recent version especially if the newer version contains a security fix. Also, make sure that you download your next WordPress install ONLY from WordPress.org and not from any other site. Users should also be careful what themes and plugins you download/install and where you get it from. As much as possible download only from WordPress Extend or from reputable plugin and theme authors.

To those of you who think that you’ve been victimized by WordPresz.org and believe that your WordPress installation has been compromised, download the newest version or WordPress from WordPress.org and do a reinstall/upgrade.

To know more about the details of this story you can visit the following links:

• Craig Murphy – WordPress 2.6.4 Fake?
• The Register – Fake site punts Trojanised WordPress
• ZDNet Blogs – Fake WordPress Site distributing backdoored release

Any of you guys were able to visit the actual fake WordPress site? Anyone had the same experience as Craig Murphy? What other security and safety measures can you suggest for other WordPress users to make sure they keep their blogs clean and safe? Please share your thoughts. Thanks for your time!

*images taken from The Social Programmer and ZDNet Blogs.

Be careful with what blogs you visit. Google’s Blogger.com is reportedly being hijacked by scammers to spread malware through fake blogs. Security experts are calling this the “fake blog scam”. Blog hopping or surfing hasn’t been this dangerous.

Scammers are creating what would seem as a normal-looking blogs with ordinary topics like “Star Wars, school, furniture, Christmas, cars and girlfriends” to host a variety of script-initiated malware. What’s scary is that it’s virtually impossible for visitors to spot the danger of these blogs and these malware infested blogs are said to be in the hundreds.

An example of these blogs is a one that is supposedly owned by a fan of the Honda CR450 motor car which attempts to infect it’s visitors with the Wonka Trojan. Other malicious tricks involve redirecting visitors to a phishing site.

“These are not legitimate blogs that were compromised. They appear to be deliberately set up to promote phishing, which is against our terms of service. We are investigating, and blogs found to include malicious code or promote phishing will be deleted,” Google said in a statement to CNET.

Previously, scammers have used social networking site MySpace for spreading adware, luring users into phishing sites and even YouTube by using fake porn videos. Now they’ve entered into the blogosphere, using the popularity of blogs in the hopes of having a huge payday.

Since it’s virtually impossible to detect if a blog is malware infested or not, we better take precautionary measures ourselves.

Here’s my advice:
» Avoid visiting blogs that you’re not familiar with.
» Close the window or tab if a blog redirects you to a different site.
» Close pop-up windows and NEVER click, however tempting it may be.
» Use a more secure browser like Mozilla Firefox or Flock.
» Keep your anti-virus programs up-to-date.

Hopefully no one else gets fooled or victimized by these fake blogs and Google should get rid of them A.S.A.P. Practice safe computing everyone! :)

Read the full story.