
Tag: Apple Mac

By Neil J. Rubenking

Vipre has been a name to conjure with in the antivirus business for quite some time.

The product has changed over the years, bouncing from company to company and, at one point, incorporating spyware protection from the well-regarded CounterSpy. Perhaps all that moving around wasn't the best for its health.

The current incarnation, ThreatTrack Vipre Antivirus 2016, isn't your best choice for comprehensive protection.
It did improve its antiphishing and malicious URL blocking scores significantly over the tests we ran on last year's edition, but it fared poorly in tests by independent antivirus labs. You have plenty of purchase options with Vipre. You can pick one, three, five, or 10 licenses and subscribe for one, two, three, or four years.

There's a discount for more licenses and longer subscriptions, of course. Protecting a single PC for one year costs $39.99, while a 10-license four-year subscription goes for $269.99, quite a bit less than what you'd pay for 40 single licenses (almost $1,600!). Installation is simple, if not precisely quick. You fire up the installer, copy and paste your license key, and click a button labeled Agree & Continue.

That's it.

The installer checks for program updates, performs the installation, downloads the latest virus definitions, and runs a scan for active malware. You don't have to do a thing, except perhaps get some coffee or a snack.
I found the full installation process took about 10 minutes. Vipre's main window retains the look introduced with the previous edition.

Buttons let you launch or schedule a scan.

A status panel reports on the latest scans and updates.

A couple of links let you manage your account or the program's settings.
It's very slick and simple.

So-So Malware Blocking

A full system scan with Vipre took 46 minutes, just a little longer than the current average.

Clearly the program performs some kind of optimization during that first scan, as a repeat scan completed in just five minutes.

AVG AntiVirus Free (2016) took 27 minutes for an initial scan on this system and two minutes for a repeat scan.

F-Secure Anti-Virus 2016 cut the time even more, with a 15-minute first scan and just over one minute to repeat the scan. Of course, speed means little unless it's coupled with accuracy. My hands-on malware blocking test starts when I open a folder that contains a few dozen known malware samples.
Vipre immediately leapt into the fray, eliminating 79 percent of the samples on sight. When I launched the surviving samples, it detected a few, but didn't completely prevent installation of executable files.
It managed 86 percent detection and an overall score of 8.1 points in this test. Two products share the top overall score.

Avast Pro Antivirus 2016 detected 100 percent of these same samples, and Bitdefender Antivirus Plus 2016 detected 93 percent.

Because Avast didn't completely prevent installation of malware traces, it earned 9.3 points, the same as Bitdefender.
Vipre's score puts it well below the median for this test. Of necessity, my samples in that hands-on test get used for many months. However, in my malicious URL blocking test the samples (provided by MRG-Effitas) are as new as I can manage, typically no more than a day or two old.

The test is simple enough.
I take the sample URLs and launch each in a browser protected by the product under testing.
I note whether it steers the browser away from the dangerous URL, eliminates the executable payload during download, or sits idly, doing nothing to prevent the download.
I continue until I have data for 100 malware-hosting URLs. When I tested Vipre's previous edition, it blocked just 38 percent, all of them during the download process.

This time around, Vipre's Search Guard and new Edge Protection components stepped up to raise the protection level impressively.

Between the two components, Vipre blocked access to 84 percent of the malware-hosting URLs.

Edge Protection did most of the work, though Search Guard (the one place you can still see Vipre's old snake icon) lent a hand. Vipre's 84 percent protection rate is pretty darn good; only five products have done better.

At the top of the heap are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each of which managed 91 percent protection.

See How We Test Malware Blocking

Improved Phishing Detection

Malware-hosting websites are definitely dangerous, but you can also get into serious trouble by voluntarily entering your login credentials on a fraudulent website.
Imagine if a phishing site snagged your Amazon password, or the credentials for your online banking! Last year Vipre tanked this test.

This year's results are much, much better. To start my antiphishing test, I visit a number of sites that track these frauds.
Specifically, I scrape URLs that have been reported as fraudulent but not yet classified and blacklisted.
I open each URL simultaneously in a browser protected by the product under test and by antiphishing veteran Norton.
I also try each URL against the native protection of Chrome, Firefox, and Internet Explorer.

There's a lot of variation in the types of phishing URLs, and in their cleverness, so I report the difference between the detection rate of the various products, rather than hard numbers. Vipre's detection rate was just 6 percentage points behind Norton's, the same score managed by BullGuard Antivirus (2016).
Vipre also handily beat all three browsers. Roughly two-thirds of current products failed to beat at least one of the browsers, and half of those performed worse than all three browsers.

See How We Test Antiphishing

Sad Lab Results

Vipre's scores in my own tests ranged from so-so malware blocking to excellent phishing protection.
It didn't fare as well with the independent testing labs.
ICSA Labs does certify Vipre for malware detection and cleaning, and West Coast Labs certifies it for detection.
It managed VB100 certification in eight of the last 10 tests by Virus Bulletin.

But the scores go downhill from there. In the latest three-part test by AV-Test Institute, Vipre earned 3 points for protection, 3 for performance, and 6 points for usability.

This last figure means that Vipre avoided screwing up by identifying valid apps and URLs as malicious.

But with 6 points possible in the important protection category, a score of 3 points is pretty bad.

Avira Antivirus 2015, Bitdefender, and Kaspersky Anti-Virus (2016) all managed a perfect 18 points in this same test. Vipre's one success with AV-Test involved avoiding false positives, but in tests by AV-Comparatives false positives proved problematic.

This lab tags products with Standard certification as long as they meet all essential capabilities.

Better products can earn Advanced or Advanced+ certification, while those that don't make the grade just rank as Tested.

And whatever the basic rating, enough false positives can drag it down. I follow five tests out of the many performed by this lab.
In the latest instances of those tests, Vipre earned Advanced once and Standard twice, but failed the other two tests, both times due to false positives.

That looks especially bad compared with Bitdefender and Kaspersky, which took Advanced+ ratings in all five.

See How We Interpret Antivirus Lab Tests

Bonus Features

The Email and Privacy settings pages demonstrate that Vipre offers a number of features above and beyond the basics of antivirus.
It checks your incoming and outgoing email for malware, quarantining any problems it finds.

And it quarantines phishing messages—but not spam; antispam is reserved for the Vipre suite.

The email protection works with desktop clients only, not Web-based email, and if your email client uses non-default ports you'll need some technical skills to make it work. Vipre's Social Watch component scans your Facebook page for malicious links. Naturally you have to log in to Facebook in order for it to work. You can stay logged in and set it to scan every so often, or log out for privacy.  When you enable the secure file eraser feature, it adds an item to the right-click menu for files and folders.

After you confirm that you want a particular file or folder gone forever, it overwrites the file's data before deletion, to prevent forensic recovery of sensitive data.
I'm just as happy that it doesn't let you configure this feature, since most users aren't remotely qualified to select between the available algorithms. As you browse the Web and use your computer, you leave behind a trail of clues that a nosy person could use to reconstruct your activities.
If that bothers you, the history cleaner component can help.
It will wipe out browsing traces for many popular browsers, recent file lists for popular applications, and a number of Windows-based traces.

There's a checkbox to show only programs that you actually have installed, but in my testing it did not seem to work.
I definitely don't have Safari, Opera, or ICQ in the test system, yet they remained visible even when I checked the box.

Some Ups, Some Downs

ThreatTrack Vipre Antivirus 2016 performed significantly better than the 2015 edition in some areas.
It scored quite a bit better in my antiphishing and malicious URL blocking tests, probably thanks to the new Edge Protection.
Its score in my hands-on malware-blocking test was so-so, much the same as last year, but if I see top scores from the labs, I give them more weight than my own test. Unfortunately, Vipre's lab scores aren't good at all. Antivirus is a big field, and I've identified a number of Editors' Choice products.

Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely take top honors from all of the independent labs. McAfee AntiVirus Plus does well in lab tests and my own tests, and one subscription protects all of your Windows, Mac OS, and mobile devices.

And Webroot SecureAnywhere Antivirus remains the tiniest antivirus around, with an especial focus on ransomware.

Any one of these will be a better choice for your system's antivirus protection.
NEWS ANALYSIS: The first known attempt to spread ransomware on Macs was quickly spotted and disabled by security researchers and by Apple, but it won’t be the last. The first try at creating ransomware for the Macintosh was a bust, according to a spokesperson at Apple who told eWEEK that the company acted to invalidate the developer certificate tied to the malware to protect users from installing it. The malware was initially found by researchers at Palo Alto Networks, who alerted Apple and Transmission, the software developer that made the Tor file transfer app that was infected to spread the malware. Macintosh users who downloaded the Transmission software can get rid of the malware, now called KeRanger, by downloading the updated version 2.9.2 of the Transmission installer, which among other things, contains code that will find and remove the malware. Meanwhile, Apple updated XProtect so that it would recognize the KeRanger malware, and prevent it from infecting more Macintosh computers. XProtect is Apple's built-in anti-malware software for the Macintosh. Of the approximately 6,500 Mac users that downloaded the infected Transmission software, most won't actually have their files encrypted by the malware nor have to pay the hackers a Bitcoin ransom to get the decryption key because the necessary file, called General.RTF, won't execute. Unfortunately, a few Mac users will have had their files encrypted before the malware was detected and thwarted.

These users will either need to pay to decrypt them, or if they're lucky, restore their files from a backup. The vast majority of Macintosh users dodged the bullet this time, but it's not safe for them to assume that the hackers won't have better luck and better malware, the next time. Then Mac users will find themselves in a situation similar to what Windows users have been dealing with for years.

The only safe approach is to assume that any software you don't personally know to be safe probably isn't. The reason that Mac users haven't had to worry about ransomware or other malware until recently isn't that the Macintosh is immune, because it's not.

The reason that Macs haven't had a problem is mainly that their market share has been so low that malware writers didn't have the economic incentive to write malware.

But that's all changed. As Apple's market share has grown, so has the temptation to create malware and Apple's XProtect is the first approach at fighting it.

But XProtect is only a basic, signature-based security package, so it's limited in what it can do against advanced threats.

Fortunately, all of the familiar antivirus packages are also available for your Mac, including software from Symantec, McAfee, Avast, Trend Micro and many others. But ransomware isn't always picked up by antivirus software or by corporate firewalls. What happens then is that you could still end up with your data encrypted and find yourself stuck with no means of getting your work done except to pay the ransom. Unfortunately, the problem is only going to get worse. "This is the first really functional ransomware on the Mac," said Dodi Glenn, vice president of cyber-security for PC Pitstop, a security vendor.
Quick detection by Palo Alto Networks, Apple and the affected open-source project means most users likely disabled the software before it started to run. A ransomware group targeted Mac users with the first fully functional malware program capable of encrypting data and demanding a ransom of 1 Bitcoin, about $412, for providing the key to unlock the data, Palo Alto Networks said on March 7. Users of the open-source Transmission Bittorrent client, who downloaded the latest version of that software on March 4, may have infected their system with the malware, dubbed KeRanger by Palo Alto.

Because the security firm identified the threat within six hours of its posting and warned Apple and the developers that the open-source software had been infected, the ransomware's impact will likely be blunted, Ryan Olson, director of threat intelligence for Unit 42, the research group at Palo Alto Networks, told eWEEK. "We will see now whether people report whether they had files encrypted, but we think the impact will be small because we were able to work quickly to find this and work with our peers in the industry to remove the threat before it had an impact," Olson said. KeRanger is designed to encrypt more than 300 different file types on Macs and to replace the files with encrypted versions.

After installation, however, KeRanger waits three days before starting its encryption cycle, a technique that can foil some defenders' attempts to detect potentially malicious files.
In this case, Palo Alto hoped the delay allowed users to uninstall the malicious program before it started its encryption routine, Olson said. While ransomware is a very successful attack on Windows systems, making criminals millions of dollars in payments, the Mac had not seen a significant ransomware attack. However, the advent of KeRanger shows that criminals are targeting the operating system. The ransomware attack took a lot of effort, Olson said. Not only did the criminals write the malware, but they also had to steal a legitimate software certificate to bypass Apple's Gatekeeper software for blocking non-legitimate apps. In addition, the criminals behind the malware had to somehow gain access to the site from which the Transmission Bittorrent client could be downloaded. On March 4, the criminals replaced the Transmission client with a copy infected with the KeRanger malware.

Any users who downloaded version 2.90 of the program are at risk of being infected by the malware, Palo Alto Networks warned on March 6. The Transmission project posted a warning on its Website for its users. "Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the company stated. "This new version will make sure that the 'OSX.KeRanger.A' ransomware … is correctly removed from your computer." KeRanger is not the first attempt to use ransomware against Mac OS X users.
In June 2014, antivirus firm Kaspersky Lab found an unfinished program on malware-classification site VirusTotal.

The ransomware, dubbed FileCoder, appeared to have been an early test version of a program that had not been completed. "At this point, it became totally clear that (FileCoder) is a relatively harmless program, which could be turned into a fully functioning Trojan encrypter demanding money from its victims, but for some reason this had not been done," Kaspersky Lab stated at the time.
The first known working ransomware aimed at Macs contained hints that the cybercriminals were working on a way to encrypt backups in an attempt to force payment, security researchers said today. Dubbed "KeRanger" by Palo Alto Networks, whose researcher...
A type of malware that locks computer files and demands a fee for their release has successfully targeted Apple computers. The security researchers from Palo Alto Networks believe it is the first time ransomware has appeared on Macs. The KeRangers m...
Weirdly, it also lets Eastern Europeans go free

Ransomware miscreants have developed a strain of malware that lets victims know verbally that their computer has been encrypted. The Cerber ransomware encrypts users' files using AES encryption before demanding an extortionate payment of 1.24 Bitcoins ($500) in order to supply a private key needed to decrypt files. The Windows-based malware first generates a series of fake system alerts in an attempt to persuade a victim into accepting a system shutdown. Once a machine reboots, the malware begins encrypting documents' filenames and adding a .CERBER extension to them. Currently dormant features in the code allow the malware to map and encrypt files on network drives linked to a compromised machine. Once the file encryption process is finished, the malware generates three ransom notes. One of these messages, through a VBScript, allows the computer to verbally read out the blackmail message to victims.

Twelve different languages are supported by the polyglot menace, which was first detected by two independent malware analysts nicknamed BiebsMalwareGuy and MeegulWorth. But the ransomware is deliberately programmed not to infect computers in eastern Europe. “The fact that Cerber has the ability to target network shares, not to mention its decryptor's compatibility with 12 different languages, attests to the increasing sophistication of today's ransomware campaigns,” commented veteran security expert Graham Cluley in a blog post. “It is therefore recommended that users maintain regular backups of their data, that they avoid clicking on suspicious links, and that they maintain an updated anti-virus solution on their machines.” Web security forum BleepingComputer has a fuller write-up of the threat here. A video of the ransomware in action has been uploaded to YouTube here. The appearance of Cerber comes shortly after the arrival of the first example of Mac OS X ransomware.

The Mac nasty came bundled into downloads of the popular Transmission BitTorrent client, as previously reported.
With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware. The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows. Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files. Security company Palo Alto Networks wrote on Sunday that it found the "KeRanger" ransomware wrapped into Transmission, which is a free Mac BitTorrent client.  Transmission warned on its website that people who downloaded the 2.90 version of the client "should immediately upgrade to 2.92." It was unclear how the attackers managed to upload a tampered version of Transmission to the application's website.

But compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto wrote on its blog. The tainted Transmission version was signed with a legitimate Apple developer's certificate.
If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's GateKeeper that the application could be dangerous. Apple revoked the certificate after being notified on Friday, Palo Alto wrote.

The company has also updated its XProtect antivirus engine. After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system.
It is coded to encrypt more than 300 types of files. The ransom is 1 bitcoin, or about $404. There are few defenses against ransomware.

Antivirus programs often do not catch it since the attackers frequently make modifications to fool security software. The best method is to ensure files are regularly backed up and that the backup system is isolated in a way to protect it from being infected as well. Disturbingly, KeRanger appears to also try to encrypt files on Apple's Time Machine, its consumer backup drive, Palo Alto wrote. Ransomware schemes have been around for more than a decade, but over the last few years have spiked. At first the attacks struck consumer computers, with the aim of extracting a few hundred dollars.

But it appears attackers are targeting companies and organizations that may pay a much larger ransom to avoid disruption. Last month, a Los Angeles hospital said it paid a $17,000 ransom after saying it was the quickest, most effective way to restore its systems.

The ransomware had affected its electronic medical records. Although Apple's share of the desktop computing market is much lower than Windows, cyberattackers have been showing increasing interest in it.

But so far, ransomware hasn't been a problem, although some researchers have created proof-of-concept file-encrypting malware for Macs. Last November, Brazilian security researcher Rafael Salema Marques published a video showing how he coded ransomware for Mac in a couple of days. He didn't release the source code. Also, OS X security expert Pedro Vilaca posted proof-of-concept code on GitHub for Mac ransomware he wrote, another experiment showing how simple it would be for attackers to target the platform.
If you downloaded 2.90, you've got a few hours to get rid of it

The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client. Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just before the weekend, you must upgrade to a clean version. Specifically, downloads of version 2.90 were infected with ransomware that will encrypt your files using AES and an open-source crypto library, and demand a payment to unscramble the documents. Transmission has millions of active users.
It is possible the app's website was compromised, and the downloads tampered with to include the KeRanger nasty. Those who have had files encrypted will be asked by the malware to cough up US$400 in Bitcoins, paid to a website hidden in the Tor network, to get their files back. "Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the Transmission authors posted on Sunday. Palo Alto Networks researchers Claud Xiao and Jin Chen found the KeRanger ransomware hidden in the BitTorrent software on Friday, and warned the Transmission team of the infection. The pair and a group of seven others from Palo Alto Networks detected the infiltration hours after miscreants somehow injected the malware into the downloads.

They noted that KeRanger is programmed to encrypt victims' files three days after the infected Transmission client is installed.

[Image: the website warning]

Mac fans who installed Transmission for OS X 2.90 from the official website between March 4 and March 5 are probably at risk.

Those who upgrade to the latest clean and ransomware-free version of Transmission – version 2.92 – by Monday, 11am PT (7pm UTC) should avoid having their files encrypted. The malicious code has a process name of kernel_service, which can be killed, and it stores its executable in ~/Library/kernel_service, which should be deleted.

The latest safe version of Transmission, v2.92, includes a tool to remove the KeRanger ransomware. "On March 4, we detected that the Transmission BitTorrent installer for OS X was infected with ransomware, just a few hours after installers were initially posted," Xiao and Chen wrote. "As FileCoder (earlier Mac ransomware) was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform. "It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred." Attackers could potentially alter the ransomware through its command-and-control server so that KeRanger immediately encrypts files rather than lying in wait for a few days. KeRanger was cryptographically signed using a now-revoked Apple-issued developer certificate, but will still be accepted by OS X's Gatekeeper protection system.

That means if an OS X system is configured to only run software from trusted developers, KeRanger will be allowed to start as it is signed by a developer cert.

Apple has added the ransomware's signature to OS X's XProtect mechanism, which screens downloads and blocks malicious code. KeRanger also contains other dormant features that could encrypt Mac TimeMachine backups preventing users from restoring their machines.

As an interesting aside, the malware's executable was smuggled in an .RTF README file within Transmission.
A security research firm announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically goes after OS X machines. "This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Ryan Olson, of Palo Alto Networks, told Reuters. The KeRanger malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin ($410 as of this writing), appears to have been first discovered via a rogue version of Transmission, a popular BitTorrent client. For some time now, ransomware has primarily targeted Windows machines—threatening total data destruction if the ransom isn't paid. Recently, even a Los Angeles hospital was infected, which resulted in the payment of a $17,000 ransom.
In June 2015, the FBI said it had been contacted by 992 victims of CryptoWall, a similar ransomware scheme, who have sustained combined losses totaling over $18 million. On Saturday evening, some Transmission users noticed the strange activity on a discussion board—users concluded that the 2.90 version of Transmission was infected with the ransomware.
It appears that somehow the Transmission website may have been compromised as it was served via HTTP rather than the primary HTTPS Transmission website. Soon after, Transmission posted this message on its website: "Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file." In a technical analysis, Palo Alto Network’s Claud Xiao and Jin Chen wrote: The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.
If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.

The malware then begins encrypting certain types of document and data files on the system.

After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data. Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4.

Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems. Apple did not immediately respond to Ars’ request for comment. Palo Alto Networks also added: Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger.
If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now. This story is developing. Please check back for updates.
According to security expert Pedro Vilaca, the malware suggests that Hacking Team might have resurfaced. A security researcher has identified new Mac malware that he says points to Hacking Team, a controversial Italian firm that sells surveillance tools to government and law enforcement agencies, legitimate and repressive alike. According to SentinelOne OS X security expert Pedro Vilaca, the malware suggests that Hacking Team might have resurfaced after it was hacked in July.

That resulted in 400GB of internal documents, including details about Hacking Team's clients, source code, and email communications being posted online. Vilaca pointed to a Trojan known as Morcut, which was uploaded to Google's VirusTotal scanning service last month and had stayed under the radar.
It pointed to Hacking Team's Remote Control System (RCS), however. "Hacking Team appears to have resumed their operations but they are still using their old source code for this," Vilaca wrote in a blog post.  It remains unclear, however, whether they are using old and new source code, the latter which was promised at the time of the July hack. "Or were they just lying about it and resumed operations with the old code since they are probably on a shortage of engineering 'talent?'" Vilaca wrote. Days after the summertime breach, Microsoft released an emergency patch for a security hole, which could allow an attacker to take full control of a remote system if the user opened a particular document or visited a booby-trapped website. Adobe also pushed out a fix for a bug in Flash Player uncovered in the leak. Based on internal documents, Hacking Team sold surveillance tools to government and law enforcement agencies in Australia, Azerbaijan, Bahrain, Chile, Colombia, Cyprus, Czech Republic, Ecuador, Egypt, Ethiopia, Germany, Honduras, Hungary, Italy, Kazakhstan, Luxembourg, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sudan, Switzerland, Thailand, the United Arab Emirates, the US, Uzbekistan, and Vietnam.
Researchers have uncovered what appears to be newly developed Mac malware from HackingTeam, a discovery that's prompting speculation that the disgraced malware-as-a-service provider has reemerged since last July's hack that spilled gigabytes worth of the group's private e-mail and source code. The sample was uploaded on February 4 to the Google-owned VirusTotal scanning service, which at the time showed it wasn't detected by any of the major antivirus programs. (Ahead of this report on Monday, it was detected by 10 of 56 AV services.) A technical analysis published Monday morning by SentinelOne security researcher Pedro Vilaça showed that the installer was last updated in October or November, and an embedded encryption key is dated October 16, three months after the HackingTeam compromise. The sample installs a copy of HackingTeam's signature Remote Code Systems compromise platform, leading Vilaça to conclude that the outfit's comeback mostly relies on old, largely unexceptional source code, despite the group vowing in July that it would return with new code. "HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us," Vilaça wrote. "If you are new to OS X malware reverse engineering, it's a nice sample to practice with.
I got my main questions answered so for me there's nothing else interesting about this.

After the leak I totally forgot about these guys :-)." Patrick Wardle, a Mac security expert at Synack, has also examined the sample and says that while it appears to install a new version of the old HackingTeam implant, it uses several advanced tricks to evade detection and analysis.

For one, it uses Apple's native encryption scheme to protect the contents of the binary file, making it the first malicious implant installer Wardle has ever seen to do so. Wardle was nonetheless able to break the encryption because Apple uses a static hard-coded key—"ourhardworkbythesewordsguardedpleasedontsteal(c)AppleC"—that has long been known to reverse engineering experts.

Even then, he found that the installer was "packed" in a digital wrapper that also limited the types of reverse engineering and analysis he wanted to perform.

The sample still leaves many questions unanswered. For example, it's not clear how the malware gets installed. One possibility is that targets are tricked into believing that the file installs a benign application. Another possibility is that it's bundled with an exploit that surreptitiously executes the installer.

People who want to know if a Mac is infected should check for a file named Bs-V7qIU.cYL, which is dropped into the ~/Library/Preferences/8pHbqThW/ directory.

Vilaça said he can't conclusively determine that the new sample is the work of HackingTeam. Since the 400 gigabytes of data that was obtained in the July breach included the Remote Code Systems source code, it's possible that a different person or group recompiled the code and distributed it in the new installer. Still, Vilaça said evidence from the Shodan search service and a scan of the IP address in VirusTotal show that a command and control server referenced in the sample was active as recently as January, suggesting that the new malware is more than a mere hoax.
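The file check described in the article, extended to every home directory under a users root instead of only the current user's, as an added example that is not code from the article or the researchers. The function name scan_homes, the finding labels and the --scan argument are this example's own; the directory and file names are the ones the article gives.

```shell
#!/bin/sh
# Added example: check every home directory under a users root for the
# file the article says the installer drops. Both names are from the article.
IOC_DIR='Library/Preferences/8pHbqThW'
IOC_FILE='Bs-V7qIU.cYL'

# scan_homes [USERS_ROOT]   (hypothetical helper name)
# Prints one finding per line; returns 0 if anything was found, 1 if not,
# 2 if USERS_ROOT is not a directory.
#   FILE <path>        the dropped file is present
#   DIR_ONLY <path>    the directory exists but the file does not
#   UNREADABLE <path>  ~/Library cannot be searched; rerun with privileges
scan_homes() {
    users_root=${1:-/Users}
    [ -d "$users_root" ] || { echo "not a directory: $users_root" >&2; return 2; }
    found=1
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        lib="$home/Library"
        # Without search permission every test below would silently say "clean".
        if [ -d "$lib" ] && [ ! -x "$lib" ]; then
            echo "UNREADABLE $lib"
            continue
        fi
        dir="$home/$IOC_DIR"
        if [ -e "$dir/$IOC_FILE" ] || [ -L "$dir/$IOC_FILE" ]; then
            echo "FILE $dir/$IOC_FILE"
            found=0
        elif [ -d "$dir" ]; then
            echo "DIR_ONLY $dir"
            found=0
        fi
    done
    return "$found"
}

# Scan the live system only when asked to: sh check.sh --scan [USERS_ROOT]
if [ "${1:-}" = "--scan" ]; then scan_homes "${2:-/Users}"; fi
```

Pointing USERS_ROOT at the Users folder of a mounted disk image runs the same check against an offline copy.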
Powerful Web User Interface, Intuitive Task Definition and Configuration Features with Detailed Access Control Deliver Improved Management and Security Across Devices for IT Teams and Authorised Users

London, 25th February, 2016 – Ipswitch Inc. today announced the release of MOVEit™ Central 9.0, the task and workflow automation product for the MOVEit Managed File Transfer product suite (MFT). MOVEit™ Central 9.0 features a new secure and visually advanced web user interface to enhance productivity and empower business users.

MOVEit Central enables secure and automatic routing of files to and from any FTP server or shared network drive based on a schedule or triggered by events. It provides the automation required to control access to trusted networks and reduce the manual repetition and risks associated with user-initiated manual file transfer. Uniquely, MOVEit Central improves business agility by enabling authorised business users to define and manage their own file transfer workflows and tasks. MOVEit Central 9.0 further extends business agility with an industry-leading intuitive user interface that enables business users to easily define, monitor, schedule and modify automated file transfer tasks.

Key features and updates in MOVEit Central 9.0 include:

- A new HTML5 user interface that provides access from any platform or device, including Windows, Mac and Linux based systems, facilitating seamless remote access and after hours monitoring scenarios
- An improved, intuitive navigation and configuration experience that enhances task execution and monitoring for business users
- Additional industry leading platform, database, and library support, including .NET 4.5, Windows Server 2012 R2, SQL Server 2014 and 64-bit API

“The new, simplified MOVEit Central user interface makes creating automated business workflows easier than ever,” said Michael Hack, Senior Vice President of EMEA Operations at Ipswitch. “It means IT leaders will be able to confidently delegate task management responsibilities to those closest to the business, requiring no programming skills, while ensuring security of critical data.”

Eliminating the need for IT intervention, business analysts can use the web user interface to easily adapt automated tasks to meet changing business requirements, and get visibility into task events that impact service level agreements.

“We've created and are managing over 4000 automated tasks that support bank operations including our same day electronic mortgage approval process,” commented Robert Skinner, Team Lead Distributed Services at State Employees’ Credit Union. “The new web UI cuts through the complexity and further streamlines how we create, reuse and group tasks aligned with business processes, enabling us to better manage the large volume of tasks and number of end-points – all of which reduces the workload burden on IT teams.”

“Enterprise-grade managed file transfer (MFT) solutions provide secure and reliable transfer of data-in-motion and can enable integration across business processes allowing enterprises to have end-to-end visibility and control of the file transfer process,” said Chandana Gopal, Research Manager at IDC. “Easy, intuitive user interfaces to complex MFT applications allow IT to empower business users to perform day-to-day MFT related tasks, while they retain critical control over the application itself thereby improving efficiencies and productivity.”

MOVEit Central 9.0 is available to new customers and it can be downloaded by subscription customers from the Ipswitch Customer Portal.

END

About Ipswitch

Ipswitch helps solve complex IT problems with simple solutions. The company’s software has been installed on more than 150,000 networks spanning 168 countries to monitor networks, applications and servers, and securely transfer files between systems, business partners and customers. Ipswitch was founded in 1991 and is based in Lexington, Massachusetts with offices throughout the U.S., Europe, Asia and Latin America. For more information, visit www.ipswitch.com.

Media Contact:
Touchdown PR
Richard Wolfe / Robert Fretwell
rwolfe@touchdownpr.com / rfretwell@touchdownpr.com
01252 717040