
malware and security

Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
While I doubt I will have the ultimate solution, as a matter of troubleshooting, I ask this: have you tried (temporarily, of course) changing the affected browsers to some other setting that is neither Google nor Bing (important!), like DuckDuckGo? When that is done, do they then respect that setting, or do the redirects persist?
 


I recently bought a new Mac with Mojave as the OS. One of the “features” that may have come with it is that my Safari topic searches, e.g., “baking powder”, are being redirected from Google to Bing. I’ve checked my Safari preferences and Google is the specified search engine. I tried Firefox (redirected to Bing), Chrome (Google), and Opera (Google). There are three other Macs in my household, all running High Sierra. They don’t have this problem. Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
Delete or move ~/Library/Preferences/com.apple.safari.plist (the file may likely be in ~/Library/Containers... but I don’t have the full path handy). I just went through some truly bizarre Safari behavior. Was really embarrassed I took so long to remember that.
 


Thanks to Will M and Will Blume for your suggestions.

I did a Google search and got to an Apple message board which had the same question. One of the replies suggested downloading "Malwarebytes" and running it under a 14-day free trial. I ran it, got a list of about 29 suspicious files, and had Malwarebytes delete them. Empty Trash. Restart Mac, and the problem is gone.
 


You may be a victim of ISP deep packet inspection and/or NXDOMAIN hijacking. If you have access to a VPN, try it and see if that changes the result. If it does, then your ISP is messing with you.

If that's the case, Chrome may be unaffected due to the way it does non-standard HTTP. Opera has a built-in VPN.
 



What, specifically, is non-standard with Chrome's HTTP method? And who is the arbiter of this standard?
What I was thinking of is SPDY and QUIC. SPDY became HTTP/2 and QUIC became HTTP/3, so now it is a real standard.

This is why network monitors, such as Little Snitch, show Chrome making a lot of UDP connections.
 


Discovery of what sounds like potentially nasty remote control [Linux] malware, HiddenWasp, was just announced yesterday. It's unclear what threat this might be to macOS's Unix underpinnings.
Dan Goodin said:
Advanced Linux backdoor found in the wild escaped AV detection
Researchers say they’ve discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.

HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer’s post went live, the VirusTotal malware service indicated Hidden Wasp wasn’t detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.
 


Getting on for a week of misery with my (bought as refurb) trashcan Mac Pro. We had an impressive thunderstorm last Wednesday with a couple of very close lightning strikes. The whole house is surge-protected, and the computers (and hifi, which is basically a bunch of computers these days, albeit it in prettier boxes) are further protected by UPSes.

However, next day, email was almost non-working on the Mac Pro, and internet was flaky. But all worked well on the MacBook 13". And on a resurrected-for-the-purpose-of-checking G4 PowerBook Ti (!).

After doing all the reasonable things (try WiFi instead, swap ethernet ports, faff with the ethernet switches, reset cable modem, create new account... over several days), still unresolved.

Quick chat with Apple said oopsy - take it in to the Apple Store for repair. Not a good idea (I'd become mostly convinced the I/O board needed replacing, which would be expensive and not something I'd want to do myself), so I determined to buy a new Mac Mini (2018), and settled on the bottom-end Core i5 model. Bought it, dragged it home, set it up. Phew, all works!

Attached the external disks from the Mac Pro (my home folder is on an external RAID), and the problems started anew.

Long story short, there was a SOCKS proxy set in Network System Preferences (Advanced). And that was set by turning on Content Caching in the Sharing System Preference.

Turned off Content Caching and removed the SOCKS proxy, and all is well now.

Content caching is a Very Good Idea (especially for those with limited internet feeds and speeds), so I'd turned it on, despite our internet connection being north of 300 Mbits, to get the experience that would let me rely on it at our place in Normandy this summer (LTE wireless internet only, and only 50GB per month).

But I shall not be using it until it's fixed. Grrr.

(I'll take the Mac Pro for use there - it'll take over from a pair of 2011 Mac Mini Servers, one being a spare just in case...)...
 



So, be warned; Content Caching can be harmful.
But wait - there's more.

(i) Further investigations showed that the SOCKS proxy settings were re-established every power-on. This suggests that it wasn't the Content Caching which did the dirty deed. And indeed, after a hunt through the web, someone suggested malware. So I downloaded Malwarebytes, and scanned. It found something which called itself "VirtualBoardScan" (which I'd noticed in Activity Monitor, but could find out nothing on the web about it). Malwarebytes extinguished said software, and after a reboot the SOCKS re-activation is definitely not recurring.
(ii) So time to give Content Caching a second try.
(iii) Apologies to all for leaping to conclusions and publishing.
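Both episodes above (the Safari/Firefox search redirect earlier in the thread, and the SOCKS proxy that came back on every power-on) come down to two questions: is something on the Mac re-applying the setting at boot, and is the answer coming from the network rather than the machine? The script below is an added example, not code from any of the posts or from Malwarebytes. It scans the launchd directories for jobs that call networksetup with a proxy- or DNS-changing verb, and probes the resolver with random labels to detect NXDOMAIN hijacking. The LaunchAgent plist embedded at the bottom is constructed for the example; com.example.netfix and 203.0.113.5 are made-up values.

```python
import plistlib
import secrets
import socket
from pathlib import Path
from typing import Callable, Iterable, List, Optional, Tuple

# networksetup(8) verbs that rewrite proxy or DNS settings. A launchd job that
# runs one of these at load is how a SOCKS proxy "comes back" after every reboot.
SUSPICIOUS_VERBS = (
    "-setsocksfirewallproxy", "-setwebproxy", "-setsecurewebproxy",
    "-setautoproxyurl", "-setproxyautodiscovery", "-setdnsservers",
)


def launchd_dirs() -> List[Path]:
    """Per-user and system-wide locations launchd loads jobs from on macOS."""
    return [Path.home() / "Library/LaunchAgents",
            Path("/Library/LaunchAgents"),
            Path("/Library/LaunchDaemons")]


def read_launchd_plists() -> Iterable[Tuple[str, bytes]]:
    """Yield (path, raw bytes) for every .plist in the launchd directories."""
    for d in launchd_dirs():
        if d.is_dir():
            for p in sorted(d.glob("*.plist")):
                yield str(p), p.read_bytes()


def suspicious_jobs(plists: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str, list]]:
    """Return (source, Label, argv) for each job whose command line includes a
    proxy- or DNS-changing networksetup verb. Works on real files or on the
    constructed samples below, since it only needs (name, bytes) pairs."""
    hits = []
    for name, blob in plists:
        try:
            job = plistlib.loads(blob)
        except Exception:
            continue  # not a readable plist: skip it rather than abort the scan
        argv = list(job.get("ProgramArguments") or [])
        if isinstance(job.get("Program"), str):
            argv.insert(0, job["Program"])
        lowered = [str(a).lower() for a in argv]
        if any(verb in lowered for verb in SUSPICIOUS_VERBS):
            hits.append((name, job.get("Label", "?"), argv))
    return hits


Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS stub resolver; None stands for NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def nxdomain_hijacked(resolve: Resolver = system_resolver, probes: int = 3) -> bool:
    """Query random labels that cannot exist. An honest resolver returns no
    address for any of them; a resolver that hijacks NXDOMAIN answers all of
    them with the address of its search or ad page."""
    names = [f"{secrets.token_hex(8)}.com" for _ in range(probes)]
    return all(resolve(n) is not None for n in names)


# Constructed sample: a LaunchAgent that re-applies a SOCKS proxy at login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.netfix</string>
  <key>ProgramArguments</key><array>
    <string>/usr/sbin/networksetup</string>
    <string>-setsocksfirewallproxy</string>
    <string>Ethernet</string><string>127.0.0.1</string><string>1080</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign job, for contrast.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/bin/rsync</string></array>
</dict></plist>"""

if __name__ == "__main__":
    jobs = list(read_launchd_plists()) + [("constructed-sample", SAMPLE_PLIST)]
    for src, label, argv in suspicious_jobs(jobs):
        print(f"{src}: {label} -> {' '.join(map(str, argv))}")
    print("NXDOMAIN hijack suspected:", nxdomain_hijacked())
```

A hit names the plist to unload with launchctl and remove; the Label is what to search for in Activity Monitor. The resolver probe takes any callable, so the same check can be pointed at a VPN-side resolver to compare answers, which is the test suggested earlier in the thread.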
 


Ric Ford

MacInTouch
None of us should be stupid enough to download a "cracked installer" trojan, but this new Mac malware uses novel techniques worth noting.
Thomas Reed said:
New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux
A new Mac cryptocurrency miner Malwarebytes detects as Bird Miner has been found in a cracked installer for the high-end music production software Ableton Live. The software is used as an instrument for live performances by DJs, as well as a tool for composing, recording, mixing, and mastering. And while cryptomining is not new on Mac, this one has a unique twist: It runs via Linux emulation.

... Qemu is an open-source emulator, somewhat like a command-line-only VirtualBox, that is capable of running Linux executables on non-Linux systems. These copies of Qemu are being used to run the contents of image files, named Poaceae in the above example, using Apple’s Hypervisor framework for better performance.

The final piece of the puzzle lies inside the Poaceae file. This file is a QEMU QCOW image file. This is a file format somewhat similar to Apple’s disk image (.dmg) format, but specific to Qemu, and not as easy to open. With some work, however, it is possible to peek inside the Poaceae file. In this case, the image contains a bootable Linux system. The specific variant of Linux that it uses is Tiny Core.
Bleeping Computer said:
Linux Cryptominer Uses Virtual Machines to Attack Windows, macOS
A new cryptocurrency mining malware dubbed LoudMiner uses virtualization software to deploy a Linux XMRig coinminer variant on Windows and macOS systems via a Tiny Core Linux virtual machine.

The malware comes bundled within cracked copies of Windows and macOS VST software such as Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor, and AutoTune.

LoudMiner is distributed via an attacker-controlled website which currently links to 137 VST-related apps, 42 of them for Windows and 95 for the macOS platform, all of them frequently updated and hosted on 29 servers, as discovered by ESET Research's detection engineer Michal Malik.
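Because the miner's Linux system lives inside a QCOW image with an innocuous name (Poaceae in the Malwarebytes write-up), a search by filename or extension will not find it, but the header will. The following is an added example, not code from Malwarebytes or ESET: it parses the fixed leading fields of the QCOW2 header (magic, version, cluster size, virtual disk size) and walks a directory looking for files that carry that header, reading only the first 32 bytes of each. The sample image at the bottom is constructed.

```python
import struct
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

QCOW_MAGIC = b"QFI\xfb"  # 0x514649FB, the first four bytes of every QCOW/QCOW2 image

# Fixed leading fields of a QCOW2 (version 2/3) header, all big-endian:
# magic, version, backing_file_offset, backing_file_size, cluster_bits, size.
QCOW2_HEAD = struct.Struct(">4sIQIIQ")


def parse_qcow_header(blob: bytes) -> Optional[Dict[str, object]]:
    """Return header facts if blob starts with a QCOW image, else None.
    Content, not filename, is what identifies a disguised image."""
    if len(blob) < QCOW2_HEAD.size or not blob.startswith(QCOW_MAGIC):
        return None
    _, version, bf_off, bf_len, cluster_bits, size = QCOW2_HEAD.unpack_from(blob)
    if version not in (2, 3):
        # QCOW version 1 lays its later fields out differently; report only the version.
        return {"version": version}
    return {
        "version": version,
        "virtual_size": size,              # size of the emulated disk, in bytes
        "cluster_size": 1 << cluster_bits,
        "has_backing_file": bf_off != 0 and bf_len != 0,
    }


def find_qcow_images(root: Path) -> Iterable[Tuple[Path, Dict[str, object]]]:
    """Walk root and yield (path, header) for every file that is a QCOW image."""
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            with p.open("rb") as f:
                head = f.read(QCOW2_HEAD.size)
        except OSError:
            continue  # unreadable (permissions, vanished mid-walk): skip it
        info = parse_qcow_header(head)
        if info is not None:
            yield p, info


def build_qcow2_header(virtual_size: int, cluster_bits: int = 16,
                       version: int = 3) -> bytes:
    """Pack a minimal QCOW2 header; used here only to construct sample input."""
    return QCOW2_HEAD.pack(QCOW_MAGIC, version, 0, 0, cluster_bits, virtual_size)


# Constructed sample standing in for a disguised image such as "Poaceae":
# a version-3 header describing a 512 MiB disk, followed by zero padding.
SAMPLE_IMAGE = build_qcow2_header(512 << 20) + b"\x00" * 64

if __name__ == "__main__":
    import sys
    start = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for path, info in find_qcow_images(start):
        print(f"{path}: QCOW v{info['version']}, "
              f"{info.get('virtual_size', '?')} bytes virtual")
```

Pointing it at the home directory or at a suspect application bundle is enough; a bootable Tiny Core image will be tens of megabytes with a large virtual size, which stands out next to the few QCOW files a developer machine might hold legitimately.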
 


Ric Ford

MacInTouch
Here's a good overview of a huge security problem:
Cisco Talos said:
Malvertising: Online advertising's darker side
One of the trickiest challenges enterprises face is managing the balance between aggressively blocking malicious advertisements (aka malvertising) and allowing content to remain online, accessible for the average user. The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient.

As this blog will cover in detail, malvertising is a problem not strictly associated with basic web browsing. It can also come with other software programs including adware or potentially unwanted applications (PUA). These latter examples require the most attention. In today's enterprise, an aggressive approach to advertising is required to be protected against malicious threats. That may include securing your DNS or adding additional layers of inspection through a firewall, intrusion prevention system, or a web security platform. Regardless of the approach, it needs to be thorough and take into account not just the security impacts, but the potential of cascading impact on your users.

Advertising is a key part of the internet as a whole and, whether you realize it or not, is one of the most foundational aspects of it. It is one of the reasons that a large chunk of the content available on the internet is free. It allows people to support their passion projects, their small businesses, and the food blogs of people around the world. However, it is a highly complex and convoluted system that is ripe for abuse. This is an issue that should not be ignored by the public, as these malicious ads can deliver malware out of nowhere and trick traditional internet users who may not be aware of the threats that exist on some pages.

This blog is going to walk through how online advertising works, what malvertising is and why it's dangerous including real life examples, and finally the options that exist for organizations and private citizens to try and protect themselves from these threats.
 


uBlock Origin does a much better job than basic ad blockers.
maketecheasier said:
The Ultimate Superuser’s Guide to uBlock Origin
uBlock Origin is the most powerful and versatile ad blocker available. Unfortunately, the design is also a little obscure. This guide will explain the ins and outs of uBlock Origin’s advanced features...
There's also network blocking, e.g., Pi-hole.

As an Android user, I have only the Firefox browser active on my phone and depend on uBlock Origin to offer some protection against malvertising, as rogue ad networks are a major source of Android malware.

Informative as the Cisco article is about the underlying problem, [doesn't it also highlight] Cisco's products and services?
Cisco said:
Malvertising: Online advertising's darker side

... There are many different ways to block ad networks at the domain or nameserver level, but it does require you to make use of some sort of DNS product like Cisco Umbrella to achieve that goal. Another advantage to a product like Umbrella is its ability to block the gate and TDS domains. This may allow the organization an extra layer of protection that will stop known bad domains from serving content to users, without blocking ads unilaterally. Below is a table illustrating how the controls need to balance between risk and user impact.

From a consumer perspective there are plenty of options, including open-source solutions that can help mitigate the issue at home, as well. Among them is the pi-hole project which leverages a raspberry pi to achieve ad protections. We at Cisco also offer some options for consumers to take advantage of the protections available in Umbrella.

Regardless, of how you approach it, digital advertising is one of the biggest battlegrounds on the threat landscape for drive-by attacks delivering malicious content around the globe. Both enterprises and consumers need to be prepared and make a decision on how aggressive they want to be on blocking it. However, it's a unique challenge since the risk is eliminating large chunks of free content on the internet as it becomes increasingly difficult to generate revenue from that content. These are just a couple of the major issues we will be forced to confront over the next several years and the quicker you realize you are going to need to address it, the better served you will be.
 


uBlock Origin does a much better job than basic ad blockers.
Any thoughts on AdGuard DNS?

I have a Roku device, and the only way I found to block ads for cable news channels and misc. freebie channels that also have ads was to install AdGuardDNS DNS settings on my router.

I changed the DNS settings on my Netgear router to the AdGuardDNS ones, which not only block ads on the Roku but also other devices, including phones and computers. I haven't tried turning off my adblockers in Firefox, but in theory, it should work fine without them now.
 



[I also recommend] Pi-hole. I have it deployed at a cabin, which has metered satellite-based internet access, and if we have a house full of folks, Pi-hole will block thousands of ads a day. That's a lot of bandwidth!

(For what it's worth, I also block off the Apple and Android store update sites and other automated update sites at the firewall.)
 




One option: sign up for a Google Voice account. You will get a phone number that accepts SMS messages that can be relayed to the Google Voice app, not to the mobile phone number associated with your carrier. Further, you can minimize privacy and data harvesting concerns by opening a Gmail account that you use only for Google Voice.
Another benefit is that using Google Voice for forced-SMS situations, such as on websites that do not support authenticator apps or physical tokens for 2-factor authentication, reduces the risk of somebody gaining control of your online accounts through SIM-swapping scams.
The reader comments to this article can help you decide if this is a good solution for you:

As someone who has considered using Google Voice in the past, are there not concerns here about the amount of information Google would be scraping from your transmissions and calls? I had been thinking about signing up for Google Voice and then setting all my online accounts to that phone number. After some time to contemplate, I abandoned the idea.
 


As someone who has considered using Google Voice in the past, are there not concerns here about the amount of information Google would be scraping from your transmissions and calls?
Yes. This is Google we're talking about, after all.

Consequently, I have isolated Google Voice as much as possible from all my other online activities:
* I opened a single-purpose Google account using a fresh email address from a provider not linked to any of my existing email providers. I never use this account for anything other than Google Voice.
* The Google account has all of its privacy settings on the most restrictive options possible.
* I only use Google Voice for receiving a small number of texts; I do not use it to make or receive voice calls nor to send texts.

Of course, Google can see that I receive texts with 2FA codes from certain senders periodically. But that's pretty much all it knows. All other account communications occur away from Google. And if I decide to obscure things even more, I'll sign up for a VPN service.

Why did I go to all this trouble? Because I feel letting Google see a very small slice of what I do is worth the great reduction in SIM-swapping risk (finally, a benefit from online-only, totally unresponsive customer service!). To my mind, it is far too easy to socially engineer a call center rep or, worse, bribe an underpaid and unappreciated retail store worker to transfer my real mobile phone number to a SIM card controlled by a criminal.
 


Ric Ford

MacInTouch
Here's some widespread, Apple-signed software you probably don't want on your Mac:
Talos Security said:
MOST PREVALENT MALWARE FILES August 8 - 15, 2019

SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
Typical Filename: helpermcp
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos
VirusTotal said:
helpermcp

File Version Information
Date signed May 15, 2019 at 2:17:02 PM
Identifier com.pcv.hlprmcp
Authority Apple Root CA
Date Signed May 15, 2019 at 2:17:02 PM

Team Identifier Q58HTDVM2R

Files opened
/Users/user1/Desktop
/Users/user1/Desktop/file
/etc/master.passwd
/var/db/timezone/zoneinfo/posixrules


Files written
/private/var/root/Library/Logs/(null).log

Processes created
/Users/user1/Desktop/file

Processes tree
600 - /Users/user1/Desktop/file
 


Ric Ford

MacInTouch
Beware!
ZDNet said:
macOS users targeted with new Tarmac malware
Named Tarmac (OSX/Tarmac), this new malware was distributed to macOS users via online malvertising (malicious ads) campaigns.

These malicious ads ran rogue code inside a Mac user's browser to redirect the would-be victim to sites showing popups peddling software updates -- usually for Adobe's Flash Player.

Victims who fell for this trick and downloaded the Flash Player update would end up installing a malware duo on their systems -- first the OSX/Shlayer malware, and then OSX/Tarmac, launched by the first....

... Since Tarmac payloads come signed by legitimate Apple developer certificates, features like Gatekeeper and XProtect won't stop its installation or show any errors.

Users and companies looking to see if they've had Mac systems infected by this malware can find indicators of compromise (IoCs) in Karim's Tarmac report.
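The helpermcp listing above and the Tarmac report make the same point from two directions: an Apple-issued Developer ID signature is not evidence of good intent, and Gatekeeper will admit a signed payload. What a responder can do is read the signature and decide for themselves. The code below is an added example, not part of either report or of Talos's tooling. It parses `codesign -dv --verbose=4` output, checks that the chain ends at Apple Root CA and starts with an expected leaf, compares the Team Identifier against a block list seeded with the team VirusTotal shows for helpermcp, and hashes files against the Talos SHA-256. The codesign report embedded for testing is constructed; "Example Developer" is a placeholder, since the certificate holder's name is not on this page.

```python
import hashlib
import subprocess
from pathlib import Path
from typing import Dict, List, Set

# SHA-256 from the Talos "most prevalent" list quoted above.
IOC_SHA256: Set[str] = {
    "b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a",
}
# Team ID VirusTotal shows for that sample. Blocking the team, not only the
# hash, also catches a rebuilt binary signed with the same Developer ID.
BLOCKED_TEAMS: Set[str] = {"Q58HTDVM2R"}

# Leaf certificate names Apple issues for code Gatekeeper will admit.
TRUSTED_LEAF_PREFIXES = ("Developer ID Application:",
                         "Apple Mac OS Application Signing",
                         "Software Signing")


def run_codesign(path: str) -> str:
    """codesign -dv writes its report to stderr; keep both streams."""
    r = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                       capture_output=True, text=True)
    return r.stdout + r.stderr


def parse_codesign(report: str) -> Dict[str, object]:
    """Pull the fields that matter out of a codesign -dv report."""
    info: Dict[str, object] = {"signed": True, "adhoc": False, "identifier": None,
                               "team": None, "authorities": []}
    if "not signed at all" in report:
        info["signed"] = False
        return info
    for line in report.splitlines():
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "Identifier":
            info["identifier"] = val
        elif key == "TeamIdentifier":
            info["team"] = None if val == "not set" else val
        elif key == "Authority":
            info["authorities"].append(val)
        elif key == "Signature" and val == "adhoc":
            info["adhoc"] = True
    return info


def triage(info: Dict[str, object], blocked_teams: Set[str] = BLOCKED_TEAMS) -> List[str]:
    """Return findings; an empty list means nothing stood out, which is not a
    clean bill of health: Tarmac and helpermcp carry perfectly valid signatures."""
    if not info["signed"]:
        return ["not signed"]
    findings: List[str] = []
    auth: List[str] = info["authorities"]
    if info["adhoc"]:
        findings.append("ad-hoc signature: no certificate, no identity behind it")
    elif not auth or auth[-1] != "Apple Root CA":
        findings.append("certificate chain does not end at Apple Root CA")
    elif not auth[0].startswith(TRUSTED_LEAF_PREFIXES):
        findings.append(f"unexpected leaf certificate: {auth[0]}")
    if info["team"] in blocked_teams:
        findings.append(f"team {info['team']} is on the block list")
    return findings


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_ioc(digest: str, iocs: Set[str] = IOC_SHA256) -> bool:
    return digest.lower() in iocs


# Constructed codesign report for a helpermcp-like binary. Identifier, team and
# timestamp are the values VirusTotal lists; the developer name is a placeholder.
SAMPLE_REPORT = """Executable=/Users/user1/Desktop/file
Identifier=com.pcv.hlprmcp
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+2 location=embedded
Signature size=8955
Authority=Developer ID Application: Example Developer (Q58HTDVM2R)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 15, 2019 at 2:17:02 PM
TeamIdentifier=Q58HTDVM2R
"""
UNSIGNED_REPORT = "/tmp/x: code object is not signed at all\n"

if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        digest = sha256_file(Path(arg))
        print(arg, "IOC MATCH" if matches_ioc(digest) else digest)
        for finding in triage(parse_codesign(run_codesign(arg))):
            print("  -", finding)
```

codesign -dv reports what the signature says and does not consult Apple's revocation data; after triage, `spctl --assess --type execute -vv <path>` gives Gatekeeper's current verdict, which changes once Apple revokes a certificate, as it usually does after a report like Tarmac's is published.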
 


I don't know the provenance of this strange event, but I suspect some form of malware: my wife was browsing the Mayo Clinic website and got a large pop-up window informing her that her computer was infected with three viruses which could be fixed by clicking the large red "Scan" button. Of course, she didn't. But... the page seemed to be fairly well crafted, with these exceptions:
1. The warning claimed to be from AppleCare Protection Plan and featured a large red Apple logo. As far as I know, AppleCare covers hardware, not malware, and (probably) uses a monochrome logo.
2. The warning stated that she only had 1 minute and 46 seconds to click the "Scan" button before the damage would be permanent. Panic-inducing tactics like that always raise red flags.
3. The text warned of "...system system damage, loss of Apps, Photos or other files." Sketchy grammar.
My wife tried to Quit Safari using the keyboard but was stopped by another pop-up claiming to be "From: your-mac-security-analysis.net.eczjbp.mrqhkumqr9qsihc.xyz": (including those quotation marks and colon) and offering options to Stay on Page or Leave Page. Rather than clicking either, she simply force-Quit Safari.

All in all, one of those nasty irritations that makes you run a couple of anti-malware programs "just to be sure."
 




Ric Ford

MacInTouch
Another one to beware:
PCMag said:
Scammer Uses Fake iPhone Jailbreak for Fraud Scheme
The jailbreaking community is currently working on a legit tool for older iPhones, dubbed Checkra1n. But in the meantime, a scammer is capitalizing on that name with a website that pretends to offer the tool but is really just a click-fraud scam.
Bleeping Computer said:
Scammers Use Fake Checkra1n iOS Jailbreak in Click Fraud Campaign
Scammers have already been spotted baiting Apple users using a recently developed iOS jailbreak dubbed checkra1n as the lure in a campaign designed to help the crooks earn money via click-fraud and boost App Store rankings for several apps.

checkra1n makes use of the Checkm8 jailbreak-enabling iOS bootrom exploit released on Twitter last month by security researcher axi0mX.

As Cisco Talos researchers found, a scam group has noticed the attention this new jailbreak tool has amassed lately and reacted by registering and hosting checkrain[.]com, a "fake website that claims to give iPhone users the ability to jailbreak their phones."

"However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud."
 


Ric Ford

MacInTouch
Not good news...
BleepingComputer said:
PureLocker Ransomware Can Lock Files on Windows, Linux, and macOS
Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers.

The new name is PureLocker. Malware researchers analyzed samples for Windows but a Linux variant is also being used in attacks.

The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback. ... For the past three weeks, PureLocker evaded the detection of antivirus engines on VirusTotal almost entirely.

The name of the ransomware derives from the programming language it's written in, PureBasic, an unusual choice that provides some benefits, the researchers say in a report.
 


Ric Ford

MacInTouch
Ugh...
Duo Security said:
Lazarus Group Deploying New macOS Backdoor
A newly discovered backdoor written specifically for macOS shares a number of similarities and functions with an older piece of malware attributed to the Lazarus APT group that has been associated with the North Korean government.
Patrick Wardle (Objective-See) said:
Pass the AppleJeus
... In Kaspersky’s original writeup, they detailed an interesting attack where the Lazarus APT group targeted various cryptocurrency exchanges “with a fake installer and macOS malware”. One of the more interesting aspects of this operation, is that the APT group actually fabricated an entire fake company (“Celas Trade Pro”) and website in order to increase the realism of the attack.
 


I have anti-ransomware protection installed on my computer (I'm pretty sure I found out about it here, on MacInTouch) called RansomWhere. I don't remember exactly when I installed it, but it's probably close to a year ago. It hasn't caused any problems on my 2017 iMac running High Sierra and Mojave.

Warnings occur infrequently, given my configuration and usage patterns, except with the Chromium browser. After a Chromium update, the Chrome Helper application associated with Chromium wants to encrypt files. Other than that, I forget RansomWhere is running most of the time.
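RansomWhere? works by watching for processes that rapidly create encrypted-looking files and asking before letting them continue; the Chrome Helper prompt above is that heuristic firing on output that is legitimately high-entropy. The code below is an added example, not Objective-See's implementation: it scores each file body by Shannon entropy, skips formats that are dense by design (images, archives, PDFs) to cut false positives of exactly that kind, and raises an alert only when one process produces a burst of suspect files inside a short window. The sample inputs are constructed; the "ciphertext" is a SHA-256 chain standing in for encrypted output.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, Optional

# Signatures of formats that sit near 8 bits/byte by design. Without this list
# every photo, zip and PDF a user saves would trip the detector.
KNOWN_HIGH_ENTROPY = {
    b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz", b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """'known:<format>' for recognised dense formats, else 'suspect' or 'plain'."""
    for magic, name in KNOWN_HIGH_ENTROPY.items():
        if data.startswith(magic):
            return f"known:{name}"
    return "suspect" if shannon_entropy(data) >= threshold else "plain"


class WriteMonitor:
    """Track suspect writes per process inside a sliding time window."""

    def __init__(self, burst: int = 5, window: float = 10.0):
        self.burst, self.window = burst, window
        self._hits: Dict[int, Deque[float]] = defaultdict(deque)

    def observe(self, pid: int, t: float, data: bytes) -> Optional[str]:
        """Record one completed write at time t (seconds). Returns an alert
        once pid has produced `burst` suspect files within `window` seconds;
        a single high-entropy file, such as one archive, never alerts."""
        if classify(data) != "suspect":
            return None
        q = self._hits[pid]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()  # forget writes that fell out of the window
        if len(q) >= self.burst:
            return f"pid {pid}: {len(q)} high-entropy files in {self.window:.0f}s"
        return None


def _pseudo_ciphertext(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain, not a cipher."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: ordinary text, "encrypted" output, and a PNG-like file.
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog, "
               b"then does it again because the first time was not logged. ") * 40
SAMPLE_CIPHERTEXT = _pseudo_ciphertext(4096)
SAMPLE_PNG_LIKE = b"\x89PNG\r\n\x1a\n" + _pseudo_ciphertext(4096)

if __name__ == "__main__":
    for label, blob in [("text", SAMPLE_TEXT), ("ciphertext", SAMPLE_CIPHERTEXT),
                        ("png-like", SAMPLE_PNG_LIKE)]:
        print(f"{label:10s} entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
    mon = WriteMonitor(burst=3, window=10.0)
    for t in (0.0, 1.0, 2.0):
        print(f"t={t}: {mon.observe(4242, t, SAMPLE_CIPHERTEXT)}")
```

The burst rule is what keeps a detector like this quiet on a normal day and is also why a browser's helper process can still trip it: a batch of freshly compressed cache entries written in a second looks, byte for byte, like a batch of freshly encrypted documents.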
 

