MacOS KenDensed: Apple’s Malware & Patent Headache-fest


Apple just can’t shake the malware news, just like it can’t shake the patent lawsuit headache it calls Samsung. Speaking of headaches, Greenpeace is on Apple’s back again, too. We prescribe a healthy dose of Mac OS Ken’s Ken Ray for this week’s headaches.

Going Viral. Or Trojan.
The headlines are scary; the stories less so.

The Computerworld headline: Two More Mac Trojans Discovered

Oh. This is scary.

The first paragraph of the Computerworld piece: “Following the outbreak of the Flashback Mac Trojan, security researchers have spotted two more cases of Mac OS X malware. The good news is most users have little reason to worry about them.”

Oh. So this is not scary.

Headlines, am I right?

The piece has Kaspersky Labs commenting on the two bits of malware, both of which are based on the same Trojan, called SabPub.

The first one may only have been used in highly targeted attacks, and is likely spread through Java exploits on websites, so if you’ve been keeping up with your Mac updates over the past week on Snow Leopard and Lion machines you should be cool on that one.

The second SabPub variant spreads itself through infected Microsoft Word documents and is distributed by e-mail. Quoting Computerworld again, “Like the other SabPub variant, this one was used only in targeted attacks, possibly against Tibetan activists.”

So unless you’re working with a pro-Tibet organization, and you have a habit of opening suspicious Word documents, there’s little reason for alarm. “At most,” wraps the piece, “SabPub is more evidence that Macs aren’t immune to attacks—a point that Flashback already made perfectly clear.”

So I guess maybe there’s one more out there, as well. To be honest, I’m not sure. I’m really not that used to doing security issue news.

A few reports popped up this week about a bit of malware called LuckyCat. The Mac Observer has Kaspersky saying that this one, too, uses Microsoft Word files as the payload vehicle, though reader responses at both TMO and MacRumors say not only does it only attach to Office for Mac 2004 and 2008 docs and not Office for Mac 2011, but Microsoft actually patched the vulnerability LuckyCat exploits in 2009.

I understand not updating for a week or two, but if you’re using stuff for which patches have been available for three years and you haven’t applied those patches, please go ahead and do that now.

Where I get confused is whether this was one of the ones mentioned in the Computerworld piece. I don’t see any mention of the name LuckyCat in that story, though TMO does quote the same guy from Kaspersky as the first piece. And, it says, LuckyCat “targets a security flaw in Microsoft Word to spread its malware payload via Java exploits.”

So it seems to me, even if you haven’t patched your Office for Mac since the Bush administration but have updated your Snow Leopard or later machine with the latest Java updates, you should be good to go. Or really still be good to keep going.

I think.

Either way, the message from security firms is clear: you are not safe.

If you updated Java with the security releases Apple issued last week, you’ll be cool. Well, you may be cool, but you’re not safe.

Macworld UK has security expert Graham Cluley writing on his blog that, “Unlike the earlier sightings of SabPub, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet … Rather than relying upon a Java vulnerability — it appears to be exploiting malformed Word documents instead.”

According to Cluley,

Any Mac users who believe that they have protected themselves because they don’t use Java probably need to realize that that’s not an effective defense.

I have to say I am so glad that I’m not the only one that gets stymied by all of this.

The rest of the new malware news seems to have survived accuracy testing, meaning that the variants rely on an exploit discovered back in 2009 and were patched sometime since then. So, again, keep up with your Office for Mac updates, please.

How many Macs are still infected with the Flashback malware? I’m gonna go with “no one knows for sure,” but a few organizations are willing to tell you how many they think.

On Tuesday, security firm Symantec said infections were down to 140,000, which sounded good compared to the 600,000 a couple of weeks earlier, but was still worse than the 99,000 to which they thought we should be down.

Maybe people have become more vigilant in the past few days. Or maybe we should just ask someone else. Say, Kaspersky Labs.

AppleInsider says that security firm held a press conference Thursday morning to announce that Flashback infections were down to 30,000. At that rate, if we find one more firm to ask we could be down to negative 110,000 infections by Monday.

Apple & Samsung: Patent Smackdown
Apple and Samsung are meeting soon to discuss settling their multitudinous court cases… out of court.

If it had been their idea I’d be optimistic. Sadly it wasn’t, so I will instead be mildly hopeful.

FOSS Patents’ Florian Mueller says Judge Lucy Koh, the bench-warmer overseeing the two Apple v Samsung cases in California, ordered the two companies to say when they could be available for an Alternative Dispute Resolution (or ADR) effort.

“In this situation,” writes Mueller, “they both had to be cooperative: if only one of them had made the CEO available, the other one would have appeared to be less than constructive.”

And so they’re meeting in the next three months.

Apple and Samsung have informed the court that they’re “both willing to participate in a Magistrate Judge Settlement Conference … At Apple, the chief executive officer and general counsel are the appropriate decision-makers, and they will represent Apple during the upcoming settlement discussions. At Samsung, the chief executive officer and general counsel are also the appropriate decision-makers, and they will represent Samsung during these settlement discussions.”

Could we actually see something get done here? What fools we mortals be.

With the meet and greet on the horizon, CNET says Samsung has filed a counterclaim to an earlier Apple patent suit, claiming that Apple is — in fact — infringing on eight Samsung patents.

Well, that’ll just give the CEOs more to talk about, won’t it?

I believe it was Albert Einstein who said, “You cannot simultaneously prevent and prepare for war.” But let’s face it: He was an idiot who couldn’t possibly understand something as complex as intellectual property.

Cleaning Up, the Greenpeace Way
Greenpeace seems to be back on its Apple-bashing bandwagon. Electronista has the environmental organization naming Apple, Amazon, and Microsoft as three of the worst companies when it comes to clean power and data centers.

The activist organization has rated a little over a dozen Internet-based companies on factors like their “consideration of clean power when picking a location, their advocacy for the idea, and how transparent their clean power strategy is.”

Greenpeace gave both Apple and Amazon “Fs” for choosing to place data centers in North Carolina and Northern Virginia, respectively. Greenpeace frowns on both of those for their dependence on mixes of coal and nuclear power, and never mind the solar array and fuel cell facility Apple is dropping among the Fightin’ Maidens.

Thing is, the numbers supplied by Greenpeace may be a bit off, according to both AllThingsD and Apple. Apple says — at full capacity — its Maiden, North Carolina, data center requires 20 megawatts of power. Greenpeace says it requires 100.

While AllThingsD can’t prove that Apple’s 20-megawatt claim is correct, they do find it odd that Apple’s data center would require 100 megawatts, as Greenpeace contends, while a data center of the exact same size run by Microsoft is only said to require 27 megawatts of power. And a bigger one run by Microsoft only requires 60 megawatts.

And the AllThingsD piece wonders, “how is it that Apple’s Maiden data center is running on 55.1 percent coal,” when the power supplied to it by Duke Energy is only 46 percent from coal?

Apple spokesperson Kristen Huguet said,

Our data center in North Carolina will draw about 20 megawatts at full capacity, and we are on track to supply more than 60 percent of that power on-site from renewable sources, including a solar farm and fuel cell installation which will each be the largest of their kind in the country … We believe this industry-leading project will make Maiden the greenest data center ever built, and it will be joined next year by our new facility in Oregon running on 100 percent renewable energy.

To that Greenpeace says Apple’s information doesn’t fit with the factors it used in making its estimates.

That sounds like a convoluted way of saying they guessed wrong. But you can’t say that simply because then you’d have to acknowledge that you were just guessing in an attempt to get attention. And then you’re just half a step up from a Daisey.

The Tim Cook Influence
And finally this week, Time Magazine has put Apple CEO Tim Cook on its list of the 100 most influential people in the world. Given the task of writing up the Apple CEO’s blurb was Apple Board member and former U.S. Vice President Al Gore.

“It is difficult to imagine a harder challenge than following the legendary Steve Jobs as CEO of Apple,” begins Gore’s passage. “Yet Tim Cook, a soft-spoken, genuinely humble and quietly intense son of an Alabama shipyard worker and a homemaker, hasn’t missed a single beat.”

Calling Cook “protective of Jobs’ legacy and deeply immersed in Apple’s culture,” Gore points out that the new CEO has already led the company on a stock-market tear “while implementing major policy changes smoothly and brilliantly.”

The long and the short of it: Gore’s a fan.

Also on Time’s 100 most influential people list: Steve Jobs biographer Walter Isaacson, President Barack Obama, Stephen Colbert, Chelsea Handler, and 95 other people.

Collect ‘em all!


Comments

Joe

Unfortunately, when you’re at the top, everyone wants to punch you in your junk.

Lee Dronick

it appears to be exploiting malformed Word documents instead

I get a lot of malformed Word documents. Overuse of bolding, two spaces after a sentence stop, body copy in Arial, ugly color combinations, that sort of stuff.

BurmaYank

“How many Macs are still infected with the Flashback malware? I’m gonna go with ‘no one knows for sure,’ but a few organizations are willing to tell you how many they think.
  On Tuesday, security firm Symantec said infections were down to 140,000, which sounded good compared to the 600,000 a couple of weeks earlier, but was still worse than the 99,000 to which they thought we should be down.
  Maybe people have become more vigilant in the past few days. Or maybe we should just ask someone else. Say, Kaspersky Labs.
  AppleInsider says that security firm held a press conference Thursday morning to announce that Flashback infections were down to 30,000. At that rate, if we find one more firm to ask we could be down to negative 110,000 infections by Monday.”

Well, maybe not, according to today’s AppleInsider article: “Flashback discoverer bucks claims of malware’s decline”:

  “In a status report released on Friday, the Russian security firm that first discovered the Flashback trojan disagrees with recent findings from Symantec and Kaspersky Labs, warning that the number of machines affected by the malware is not declining.
  Citing data from its own analysis of the largest Mac botnet to date, Dr. Web notes that around 650,000 computers are still affected, which is in stark contradiction to the 30,000 number provided by well-known security companies Symantec and Kaspersky.
  Analysts from the Russian firm researched the discrepancy and found that the raw data coming in from the larger companies’ servers were likely inaccurate due to Flashback’s use of complex domain name creation techniques and a unique TCP connection operation that effectively masks bots from command and control servers.
  “BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain names is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its pre-defined priorities.”
  When the malware was first discovered in early April, Dr. Web registered for the main domains used as Flashback command servers while other security firms most likely use “hijacked servers” that are in this case less reliable. The report explains that Flashback’s mode of operation allows its network of bots to go largely unnoticed by the hijacked servers which could be the reason for the precipitous drop reported this week that saw the number of affected machines fall from 140,000 to 30,000.
  ‘On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network, which is indicated on the graph.’
  Dr. Web notes that the trojan sends requests to a server run by an unidentified third party, which in turn communicates with the bots but fails to close the TCP connection. This action is critical to researchers as it puts the bots in standby mode, which means they do not communicate with other command servers monitored by information security specialists.”
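A constructed toy model, added here (it is not Dr. Web’s or AppleInsider’s code, and not Flashback’s real name-generation routine, which the quoted report does not give), of the two effects the report describes: control names that depend on a per-variant seed versus names derived from the date, and a third-party responder that never closes the TCP connection. It counts the unique bots each sinkhole operator would see, so the gap between the Symantec/Kaspersky and Dr. Web figures can be reproduced in miniature; the variant seeds, bot population and observer names are assumptions.

```python
import hashlib
from datetime import date

# Constructed toy model, NOT Flashback's real routine (the article does not give it).
# Kept properties: some names depend on a per-variant seed, some on the date only;
# bots try names in priority order and stop if a responder never closes TCP.

def static_domains(variant_seed: str, n: int = 2) -> list[str]:
    """Names derived from parameters embedded in one variant's resources (toy)."""
    return [hashlib.sha256(f"{variant_seed}:{i}".encode()).hexdigest()[:10] + ".example"
            for i in range(n)]

def dated_domains(day: date, n: int = 1) -> list[str]:
    """Names derived from the current date only, hence shared by every variant (toy)."""
    return [hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()[:10] + ".example"
            for i in range(n)]

def candidates(variant_seed: str, day: date) -> list[str]:
    """Priority order: the variant's own names first, then the shared dated names."""
    return static_domains(variant_seed) + dated_domains(day)

def simulate(bots: list[tuple[str, str]], day: date,
             responders: dict[str, tuple[str, bool]]) -> dict[str, int]:
    """bots: (bot_id, variant_seed); responders: domain -> (observer, closes_tcp).
    Every responding name records the bot; a responder that leaves the TCP
    connection open parks the bot, so it contacts no later name."""
    seen: dict[str, set[str]] = {obs: set() for obs, _ in responders.values()}
    for bot_id, variant in bots:
        for domain in candidates(variant, day):
            if domain not in responders:
                continue  # unregistered name: no answer, try the next one
            observer, closes_tcp = responders[domain]
            seen[observer].add(bot_id)
            if not closes_tcp:
                break  # half-open connection: the bot goes quiet
    return {obs: len(ids) for obs, ids in seen.items()}  # unique bots per observer

def scenario(with_third_party: bool) -> dict[str, int]:
    """Constructed population: 1000 bots of variant A plus 500 of variant B."""
    day = date(2012, 4, 16)  # the date the report says dated names were registered
    bots = [(f"a{i}", "variantA") for i in range(1000)]
    bots += [(f"b{i}", "variantB") for i in range(500)]
    a_static = static_domains("variantA")
    responders = {
        a_static[0]: ("sinkhole_a_only", True),           # holds one variant's name
        dated_domains(day)[0]: ("dated_sinkhole", True),  # holds the shared dated name
    }
    if with_third_party:
        responders[a_static[1]] = ("third_party", False)  # answers but never closes TCP
    return simulate(bots, day, responders)
```

Without the third party the dated sinkhole sees all 1,500 bots while the variant-only sinkhole sees 1,000; with it, variant A is parked on the half-open connection and the dated sinkhole drops to 500, which is the kind of undercount the report attributes to the hijacked servers.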

Neil Anderson

punch you in your junk

Ouch. Right in the solar panels.
