Computer Security
How to check for and get rid of a Mac Flashback infection (from Ars Technica)
Article from:
http://arstechnica.com/apple/news/2012/04/how-to-check-forand-get-rid-ofa-mac-flashback-infection.ars?old=mobile
How to check for—and get rid of—a Mac Flashback infection
So you’re a Mac user who has heard that more than half a million Macs have been infected by the recent Flashback malware. When the news began to spread about how the malware took advantage of a Java vulnerability that Apple had not yet patched on the Mac, the horror stories began pouring in. “My dad heard about the Flashback malware and subsequently deleted his Java folder. Now his Mac won’t boot,” a friend told me.
Needless to say, this is not the way to properly nuke a possible Flashback infection or prevent yourself from catching one. Still, there is a reasonable level of concern out there. Maybe you haven’t been keeping up on your antivirus software (and let’s be honest, most Mac users don’t), or perhaps you simply have suspicions about your Mac acting funny. How do you check if you have Flashback, and if you do, how do you (properly) get rid of it?
Head to the Terminal to check for infection
These Terminal commands will give you an easy way to find out whether you have a possible Flashback infection.
First, launch Terminal from /Applications/Utilities on your Mac. Then individually type or paste these three lines into the Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If the Terminal returns back to you lines that look like this:
The domain/default pair of (/Users/jacqui/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
Then you’re home free and not (yet) infected by Flashback, and you can proceed to the “Run Software Update” section of this post. If any of the three commands returns a value instead, it is likely that you are infected. Note the library path it names, because that is the file the removal steps will have you delete. (DYLD_INSERT_LIBRARIES does have legitimate uses, for instance by some developer tools, so a value you deliberately set yourself is not proof of infection by itself; a hidden file, one whose name begins with a period, is the pattern to look for.) But worry not, as there are ways to get rid of the malware that will only hurt for a second.
How to get rid of Flashback
Here’s where things might get complicated. These removal instructions are from security research firm F-Secure’s removal page. Take us away, F-Secure! (Cue Keyboard Cat now.)
1. Run the following command in Terminal:
   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
4. Otherwise, run the following command in Terminal:
   grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after “__ldpath__”
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:
   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
10. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after “__ldpath__”
12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
14. Run the following command in Terminal:
    ls -lA ~/Library/LaunchAgents/
15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
16. Run the following command in Terminal:
    defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
17. Take note of the path. If the filename does not start with a “.”, then you might not be infected with this variant.
18. Delete the files obtained in steps 15 and 17.
In addition to these steps, F-Secure recommends checking for another variant of Flashback, Flashback.K. The instructions can be found on another page on F-Secure’s website.
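The three `defaults read` probes from the check section and the LaunchAgents check from F-Secure's steps, combined into one script. This is an added example, not code from the Ars Technica article or from F-Secure: it reads the same property lists with Python's standard plistlib, so the logic can be run and tested on any platform, and on a Mac it scans the real paths when run with no arguments. The fixture it builds for the demo uses invented `.example*` file names, which are not Flashback's actual file names.

```python
"""Flashback indicator check: the article's three `defaults read` probes plus
F-Secure's LaunchAgents check, as one script.  Added example, not code from
Ars Technica or F-Secure: it reads the same property lists with the standard
plistlib, so it runs anywhere; on a Mac it scans the real paths.  The
`.example*` names in the demo fixture are invented, not Flashback's files."""
import os
import plistlib
import sys
import tempfile

DYLD_KEY = "DYLD_INSERT_LIBRARIES"
APP_PLISTS = ["/Applications/%s.app/Contents/Info.plist" % a for a in ("Safari", "Firefox")]


def load_plist(path):
    """Parsed plist, or None when the file is absent (the 'does not exist' case)."""
    try:
        with open(path, "rb") as fp:
            return plistlib.load(fp)
    except FileNotFoundError:
        return None


def dyld_in_app_plist(info_plist_path):
    """DYLD_INSERT_LIBRARIES under an app's LSEnvironment dict, or None."""
    env = (load_plist(info_plist_path) or {}).get("LSEnvironment")
    return env.get(DYLD_KEY) if isinstance(env, dict) else None


def dyld_in_user_environment(home):
    """DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist, or None."""
    return (load_plist(os.path.join(home, ".MacOSX", "environment.plist")) or {}).get(DYLD_KEY)


def hidden_launch_agents(home):
    """LaunchAgents whose plist name, or the program they run, is a dotfile
    (F-Secure's step 17: no leading '.' means probably not this variant)."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    findings = []
    for name in (sorted(os.listdir(agents_dir)) if os.path.isdir(agents_dir) else []):
        if not name.endswith(".plist"):
            continue
        args = (load_plist(os.path.join(agents_dir, name)) or {}).get("ProgramArguments") or []
        program = args[0] if args else ""
        if name.startswith(".") or os.path.basename(program).startswith("."):
            findings.append((name, program))
    return findings


def scan(home, app_plists=APP_PLISTS):
    """Gather every indicator; 'infected' is True when any of them fired."""
    report = {
        "app_dyld": {p: dyld_in_app_plist(p) for p in app_plists},
        "user_dyld": dyld_in_user_environment(home),
        "launch_agents": hidden_launch_agents(home),
    }
    report["infected"] = bool(any(report["app_dyld"].values())
                              or report["user_dyld"] or report["launch_agents"])
    return report


def build_fixture(root, infected=True):
    """Constructed Mac-like tree (test data, not real malware).  With infected=True
    it plants all three indicators; the fake Firefox Info.plist stays clean."""
    home = os.path.join(root, "Users", "joe")
    safari = os.path.join(root, "Applications", "Safari.app", "Contents", "Info.plist")
    firefox = os.path.join(root, "Applications", "Firefox.app", "Contents", "Info.plist")
    agents = os.path.join(home, "Library", "LaunchAgents")
    for d in (os.path.dirname(safari), os.path.dirname(firefox), os.path.join(home, ".MacOSX"), agents):
        os.makedirs(d, exist_ok=True)
    safari_info = {"CFBundleIdentifier": "com.apple.Safari"}
    user_env = {"PATH": "/usr/bin:/bin"}
    if infected:
        safari_info["LSEnvironment"] = {DYLD_KEY: "/Applications/Safari.app/Contents/Resources/.example.so"}
        user_env[DYLD_KEY] = os.path.join(home, ".example_lib.so")
        with open(os.path.join(agents, ".example_agent.plist"), "wb") as fp:
            plistlib.dump({"Label": "example", "ProgramArguments": [os.path.join(home, ".example_agent")]}, fp)
    for path, obj in ((safari, safari_info), (firefox, {"CFBundleIdentifier": "org.mozilla.firefox"}),
                      (os.path.join(home, ".MacOSX", "environment.plist"), user_env)):
        with open(path, "wb") as fp:
            plistlib.dump(obj, fp)
    return home, [safari, firefox]


def run_demo(infected=True):
    """Scan a constructed fixture and return the report (what the test checks)."""
    with tempfile.TemporaryDirectory() as root:
        home, app_plists = build_fixture(root, infected)
        return scan(home, app_plists)


if __name__ == "__main__":
    # On a Mac, scan the real paths; elsewhere, show the result on the fixture.
    result = scan(os.path.expanduser("~")) if sys.platform == "darwin" else run_demo()
    print("INFECTED" if result["infected"] else "clean", result)
```

The script only reports; deletion stays the manual job described in the steps above. As with the `defaults` commands, a DYLD_INSERT_LIBRARIES value you set yourself (some developer tools use it) is not proof of infection on its own, so read the path it names before deleting anything.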
Run Software Update

Apple has now released Java updates that patch the vulnerability targeted by the current variant of Flashback. Apply the patch via Software Update whether you were clean or have just finished the removal steps; removing the malware does not close the hole it came in through. (It’s a mystery as to why Apple waited so long to patch Java for Mac OS X when Oracle released an update in February.) You can also manually download the update for Lion and Snow Leopard, respectively, from Apple’s support site.
Do you really need Java running in your browser anyway?
This raises an important question: do you even need Java running in Safari? Some people do—my parents, for example, play bridge on a website that requires a Java applet to run, and they will not switch to another service—but many of us don’t. If you don’t, turn it off: a browser that will not run applets cannot be infected by a drive-by applet like this one, whatever the next Java bug turns out to be. You can do this in Safari by going to the Safari menu and then Preferences. Then click over to the “Security” tab:

Uncheck “Enable Java.” (You can always turn it back on if you have to.) If you can live your life without it, this will be an extra step to help protect you against similar attacks in the future.
Conclusion
Once you’ve performed these steps and updated your installation of Java, you’re inoculated against the current version of the Flashback malware, but that doesn’t mean the variant won’t change again sometime in the future to exploit a different vulnerability on your Mac. Stay vigilant! Keep your software up to date, don’t ignore strange files that appear from strange places, and if you can, be aware of odd network behavior coming from your Mac. You can do this by installing software like Little Snitch to monitor your Mac’s network activity. (A side effect of having Little Snitch installed is that the latest variants of Flashback refuse to install themselves on a machine where they find it.)
The files don’t necessarily come from spammers, either—a Google Image Search might bring you to a malicious website, for example, that could try to execute the code once you visit the site for that cute cat picture. So it’s not just about avoiding file attachments in e-mail; malware can be found lurking in all corners of the Web.
As for whether the “half a million Macs” number is accurate, Dr. Web malware analyst Sorokin Ivan said on Twitter that “BackDoor.Flashback.39 uses Hardware UUID (IOPlatformUUID) to identify bots,” and Dr. Web’s statistics are based on that ID. Even if the numbers aren’t accurate, the latest scare is another wakeup call for Mac users who have been ignoring malware and virus threats up to this point. What steps are you taking to make sure your Mac is protected?
The ABCs of securing your wireless network (from arstechnica.com)
By Joel Hruska | Published: April 29, 2008 – 11:46PM CT http://arstechnica.com
Introduction
Ars Technica’s original Wireless Security Blackpaper was first published back in 2002, and in the intervening years, it has been a great reference for getting the technical lowdown on different wireless security protocols. As a sequel to the original blackpaper, we wanted to do something a little more basic and practical, because the number of devices with 802.11x support has greatly expanded since 2002. Wireless security is no longer the domain of geeks and system administrators, but is now an issue in the lives of everyday users, from the worker with a home office who wants to keep sensitive files secure to the homemaker who wants to avoid an RIAA lawsuit because the teen next door is a wireless-leeching P2P addict.
In this practical introduction to the basics of securing your home wireless network, we’ll cover the important, high-level points that ordinary users need to know in order to secure a network of game consoles, phones, and PCs. Along the way, we’ll also recap some of the relevant information from the original wireless blackpaper, which I recommend if you want to pursue the topic further. So look through the guide, and if you’re already technically savvy then send it along to your uncle or your sister-in-law, and you may get one less phone call when it comes time for them to set up their new WLAN.
Note: This short guide will focus on securing 802.11g/802.11 draft-n routers, since these are the two most common types on the market today. Most of the information we’ll present should be applicable to older 802.11b or even 802.11a routers as well, assuming that your device’s manufacturer provided appropriate firmware updates.
First things first
The first thing to understand about wireless security is that by default, you have none. The router you buy from Newegg or Best Buy is going to come preconfigured for open access, which means that all of your neighbors can hop on and begin snarfing up MP3s with your bandwidth. This makes the router easier to set up—on a modern OS, you shouldn’t have to do much more than plug in both adapter and router—but it leaves the wireless access point (WAP) completely open to attack. Most manufacturers also ship a default login/password combination for the router’s administration page, and those defaults are easily found online.
The first step to securing any wireless network, therefore, is to change the default router password. Most manufacturers set the default password to something along the lines of “admin,” “password,” or “changeme,” and the router IP address is almost always a simple variation on 192.168.x.1, where x = 0, 1, or 15. A nonstandard, strong password is no substitute for actual encryption, but it’s a step in the right direction. The next step should be to check for a firmware update for your router, particularly if it’s an older model. Many routers that didn’t support more advanced security settings (i.e., WPA, which I’ll describe later) had such support added via later firmware updates.

Setting a password for your router should be one of the first things you do
Debunking myths
You’re likely to get some bad wireless security advice from the guy at your local electronics superstore who sold you your router, because many of the commonly recommended wireless security tips floating around out there aren’t actually all that useful and may even do more harm than good by lulling the end-user into a false sense of security.
Hiding the SSID
The SSID (Service Set Identifier) is an identification code (typically a simple name) broadcast by a wireless router. If a wireless device detects multiple SSIDs from multiple access points (APs), it will typically ask the end-user which one it should connect to. Telling a router not to broadcast its SSID may prevent basic wireless access software from displaying the network in question as a connection option, but it does nothing to actually secure the network. Any time a client connects, the SSID is sent in the clear in the probe and association frames, regardless of whether or not encryption is enabled, so anyone listening passively will pick it up within moments. Hiding the SSID also has a cost: your own laptop then has to call out for the network by name wherever it goes.
Changing the SSID
This is sometimes touted as a security measure. It isn’t. Changing your access point’s SSID will change the identification code the router is broadcasting, but it won’t change anything else. It doesn’t prevent the router from being detected, snooped, or hacked in any way.
Disable DHCP
Switching DHCP off and using static IP addressing is no defense against hacking. Anyone snooping the network can usually figure out the pattern that has been used to assign the IP addresses in question and then make a specific request accordingly.
Filtering MAC addresses
In theory, this sounds great. Every NIC has its own unique MAC address, and wireless access points can be configured to block all but a handful of specified NICs. The problem with filtering by MAC address, however, is that these addresses are easily faked and readily detected by anyone using appropriate monitoring software. In addition, this approach requires a great deal of overhead in corporate environments, and even for a large home network with multiple machines and gadgets (consoles, phones, and consumer electronics) it quickly becomes untenable.
Of the above bogus “security” measures, filtering MAC addresses is the only one with even a minimal level of value. MAC address filtering can keep obnoxious and non-tech-savvy neighbors from easily freeloading on your wireless network, but it won’t do much else. To keep more determined intruders off of your network, you’ll have to use encryption.
Encryption methods
Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are the two encryption standards that are widely used in today’s wireless devices. Of the two, WPA is far superior in every respect, and should be used in any situation where it’s available, but the sheer number of people using WEP requires that we discuss it here as well. Each of these standards contains several specific implementations, which we’ll also discuss.
WEP: Old, busted, and better than nothing
Wired Equivalent Privacy (WEP) was the first wireless security protocol. Originally, WEP used a 40-bit encryption key, but this was later extended to 104 bits due to concerns over the security of the WEP standard. This change, however, was little more than a stop-gap measure, meant to make WEP less susceptible to brute-force attacks. The real problem lies elsewhere. WEP prepends a 24-bit initialization vector (IV) to the key, whether 40-bit or 104-bit, to form the per-frame RC4 key, and sends the IV in the clear with every frame. With only 16,777,216 possible IVs (for those of you keeping count), a busy network starts repeating them quickly, and two frames encrypted under the same IV share the same keystream; worse, the IV-plus-key construction lets statistical attacks on RC4 recover the key itself from enough captured frames. Just last year, researchers succeeded in recovering a 104-bit WEP key in about two minutes using an old Pentium-M machine.
Unfortunately, WEP’s flaws have yet to drive it from the market. As recently as last November, surveys showed that up to 25 percent of WAP hotspots were still using WEP, and the largest data theft in US history is thought to have been caused by the use of WEP encryption. Now that even a 104-bit WEP key can be recovered in minutes from captured traffic, this standard should no longer be considered secure by any measure.

Easily cracked, but still used about a quarter of the time
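The IV problem described above, shown concretely. This is an added example, not code from the article: RC4 is implemented in full so the block runs offline, and the shared key, IVs and frame contents are constructed for the demo. A real WEP frame also carries a key-id byte after the IV and a CRC-32 integrity value inside the encrypted part; both are left out because they do not change the property shown, which is that two frames under the same IV share a keystream, so their ciphertexts XOR to the XOR of their plaintexts without the key ever being recovered. The last two functions give the birthday-bound estimate of how many frames it takes before an IV repeats.

```python
"""Why WEP's 24-bit IV is fatal: keystream reuse and how soon it happens.

Added example, not code from the article.  WEP keys RC4 with IV || shared
key and sends the IV in the clear, so two frames with the same IV share a
keystream.  RC4 is implemented in full below; the key, IVs and frames are
constructed for the demo, and the CRC-32 ICV and key-id byte of a real WEP
frame are omitted because they do not affect the property shown.
"""
import math


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (key scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP data encryption: keystream under (IV || key), IV prepended in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes):
    """Same IV => same keystream => C1 xor C2 == P1 xor P2; the key is never needed.
    Returns None when the IVs differ (no reuse to exploit)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def recover_with_known_plaintext(frame_known, known_plain, frame_other):
    """With one plaintext known (an ARP or DHCP packet with predictable
    contents), the other frame under the same IV decrypts directly."""
    delta = xor_of_plaintexts(frame_known, frame_other)
    return None if delta is None else bytes(d ^ p for d, p in zip(delta, known_plain))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames`
    randomly chosen IVs.  Cards that count IVs up from zero repeat even
    sooner after every reset."""
    space = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * space))


def frames_for_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Smallest number of frames whose collision probability is at least p."""
    space = 2 ** iv_bits
    return math.ceil((1 + math.sqrt(1 + 8 * space * math.log(1 / (1 - p)))) / 2)


def demo() -> bytes:
    """Constructed capture: one IV used twice, one of the two plaintexts known."""
    key = bytes.fromhex("0102030405060708090a0b0c0d")  # 104-bit key, made up
    iv = bytes.fromhex("0a0b0c")
    known_plain = b"ARP who-has 192.168.1.1 tell 192.168.1.2"  # attacker can guess this
    secret_plain = b"GET /account?id=7 HTTP/1.0".ljust(len(known_plain))
    frame_known = wep_encrypt(key, iv, known_plain)
    frame_secret = wep_encrypt(key, iv, secret_plain)
    return recover_with_known_plaintext(frame_known, known_plain, frame_secret)


if __name__ == "__main__":
    print(demo())
    print(frames_for_collision(), iv_collision_probability(frames_for_collision()))
```

With random IVs the odds of a repeat pass one in two after fewer than five thousand frames, which is seconds of traffic on a busy network. The two-minute key recovery the article mentions goes further than reuse: it exploits the IV-plus-key structure to recover the shared key itself, after which every frame, past and future, decrypts.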
There is, however, a reason to mention it here. Despite its numerous flaws and weaknesses, running WEP is still better than running your wireless access point completely in the clear, and it’ll at least keep your neighbors (or random passers-by) from surfing on your network. WEP should also be compatible with virtually any router ever made, including orphaned models that haven’t seen firmware updates in years. Your best bet when dealing with this kind of situation is to replace the router, but if that’s not possible for whatever reason, WEP may be all you’ve got.
There have been a few other WEP-related encryption standards worth mentioning here. WEP2 was a short-lived attempt to improve on the original standard by incorporating both a 128-bit encryption key and a 128-bit initialization vector. WEP2 doesn’t improve on any of the inherent weaknesses of the WEP model, but it does make brute-force attacks substantially more difficult. In the absence of support for other standards, WEP2 is a better option than standard WEP.
Several other vendors have developed their own specific and proprietary technologies to address WEP’s flaws. These typically require a matched WAP and adapter combination, and their efficacy may vary widely. Again, such solutions should be considered only when they represent the best alternative to a standard WEP configuration or no security whatsoever.
WPA and WPA2
WPA was developed in response to the flaws in WEP, and it’s a much better security protocol than its predecessor. Unlike WEP, WPA uses a 48-bit initialization vector and a 128-bit encryption key. More importantly, however, WPA uses what’s called the Temporal Key Integrity Protocol (TKIP). Whereas WEP recycles the same key for encrypting all the packets flowing across the network, TKIP mixes the session key with the transmitter’s address and a per-packet sequence counter, so every packet is encrypted under a different key, and it adds a message integrity check so that tampered frames are rejected. This, combined with an IV long enough never to repeat within a session, prevents a hacker from compromising a router simply by passively observing a large enough set of packet transmissions.
The WPA2 standard is a 2004 update to the WPA specification that includes support for a US government-approved encryption protocol called Advanced Encryption Standard (AES), used in its CCMP mode. (AES can also now be used with WPA, though the presence of this option will probably depend on how recently your router received a firmware update.) Unlike WPA, WPA2 was not explicitly developed with backwards compatibility in mind; older routers that are capable of handling WPA encryption via TKIP may not be able to use WPA2, because WPA2 mandates AES support and WEP-era hardware was built around RC4. If possible, you should use WPA2 instead of WPA.

WPA2 is more secure, but lacks the backwards compatibility of WPA
There are two security levels built into WPA and WPA2: WPA Personal (or WPA-PSK) and WPA Enterprise. WPA-Personal uses a single pre-shared key, derived from the passphrase and the SSID, that every system on the network knows. Anyone who records the short handshake a device performs when it joins can then test passphrase guesses against it offline, at any speed and with nothing for the router to rate-limit, which means the network is vulnerable to dictionary-based attacks if a weak passphrase is used. Home networks don’t have much to worry about here, provided your passphrase is long and isn’t a dictionary word or a simple variation on one; “cat” will not do, and neither will “password1.”
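The derivation behind WPA-Personal and the offline attack on it, as an added example that is not code from the article. It goes a step beyond the paragraph above: rather than just computing the pre-shared key, it runs the first two messages of the 4-way handshake between a station and an access point, then plays the attacker who captured them and tests a wordlist against the station's message integrity code. The constructions are the public 802.11i ones (PBKDF2-HMAC-SHA1 with the SSID as salt, the PRF that expands the key with both MAC addresses and both nonces, and the HMAC-SHA1 key MIC used by WPA2/CCMP); the MAC addresses, nonces, wordlist and the shape of the EAPOL message body are constructed for the demo rather than captured from a real network.

```python
"""WPA/WPA2-Personal: passphrase -> PSK -> per-session keys, and the offline
dictionary attack that a captured handshake makes possible.

Added example, not code from the article.  The constructions are the public
802.11i ones: PBKDF2-HMAC-SHA1 with the SSID as salt (4096 rounds, 256-bit
PMK), the PRF that expands PMK + both MAC addresses + both nonces into the
PTK, and the HMAC-SHA1 key MIC (descriptor version 2, i.e. WPA2/CCMP) that
message 2 of the 4-way handshake carries.  The MAC addresses, nonces,
wordlist and the shape of the EAPOL message body are constructed for the
demo, not captured traffic.
"""
import hashlib
import hmac
import os


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """384-bit PTK for CCMP; its first 16 bytes (the KCK) authenticate the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, body_with_zero_mic: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, body_with_zero_mic, hashlib.sha1).digest()[:16]


def handshake(passphrase, ssid, aa, spa, anonce=None, snonce=None):
    """Messages 1 and 2 of the 4-way handshake, as a passive sniffer sees them.

    Returns what an attacker can capture: both MACs, both nonces, the body of
    message 2 with its MIC field zeroed, and the MIC the station sent.  The
    PMK itself never goes over the air."""
    anonce = anonce or os.urandom(32)  # message 1, AP -> station
    snonce = snonce or os.urandom(32)  # message 2, station -> AP
    kck = derive_ptk(wpa_psk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    # Stand-in for the EAPOL-Key body; a real frame has fixed-offset fields,
    # but it is hashed with the 16-byte MIC field zeroed exactly like this.
    msg2 = b"EAPOL-Key msg2 " + snonce + b"\x00" * 16
    return aa, spa, anonce, snonce, msg2, eapol_mic(kck, msg2)


def crack(capture, ssid: str, wordlist):
    """Offline attack: one PBKDF2 + PRF + HMAC per guess, nothing the AP can rate-limit.

    Returns (passphrase, guesses tried) or (None, wordlist length)."""
    aa, spa, anonce, snonce, msg2, mic = capture
    tries = 0
    for guess in wordlist:
        tries += 1
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a WPA passphrase; real crackers skip these too
        kck = derive_ptk(wpa_psk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), mic):
            return guess, tries
    return None, tries


# Constructed demo values: locally administered MACs and a small wordlist.
DEMO_SSID = "HomeNet"
DEMO_AP = bytes.fromhex("020000000001")
DEMO_STA = bytes.fromhex("020000000002")
DEMO_WORDLIST = ["cat", "password", "letmein1", "sunshine", "HomeNet2008", "Tr0ub4dor&3"]


def demo(passphrase: str = "sunshine"):
    """Capture a handshake for `passphrase`, then run the wordlist against it."""
    capture = handshake(passphrase, DEMO_SSID, DEMO_AP, DEMO_STA)
    return crack(capture, DEMO_SSID, DEMO_WORDLIST)


if __name__ == "__main__":
    print(demo("sunshine"))                       # ('sunshine', 4)
    print(demo("correct horse battery staple"))  # (None, 6)
```

Two things follow from the code. The attacker's cost per guess is one PBKDF2 run plus a couple of HMACs, which is cheap and fully parallel, so only the size of the guess space protects you: pick a long passphrase that is not in any wordlist. And because the SSID is the PBKDF2 salt, a non-default SSID at least defeats tables of precomputed keys for common names like “linksys”; it does nothing against a live dictionary run like the one above. TKIP networks differ only in detail (a 512-bit PTK and an HMAC-MD5 MIC); the attack is the same.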
Enterprise-level WPA implementations make use of a separate RADIUS (Remote Authentication Dial In User Service) server. In this case, the adapter attempts to connect to the wireless access point, which then demands a set of credentials. The access point forwards this request and any associated information to the RADIUS server. The RADIUS server then checks these credentials against its own stored data. At this point, the RADIUS server can authenticate the user’s login, deny it, or return a request for further information in the form of a second password or equivalent source.
RADIUS servers are typically reserved for enterprise-level deployment, where they provide both an additional level of security and an increased level of control over how network resources are allocated on a per-user level. As such, they fall outside the realm of what most home users are likely to encounter.
Once you understand the terminology, the basics of wireless security fall firmly into place. If you want a secure configuration, use the WPA protocol in combination with a strong passkey. Past that point, we’re mostly splitting hairs. AES-based WPA2 is more secure than TKIP-based WPA, but either solution is light-years beyond WEP.
Securing your media network
Wireless support is now a common feature in many different types of consumer devices. All current-generation game consoles support wireless connectivity, and it’s a built-in feature on any decent laptop, handheld device, or Internet tablet. Wireless networking is on its way to becoming a ubiquitous home technology, but there’s a difference between having a home full of network devices and having those same devices happily sharing a single wireless network. It can be difficult to find a single encryption standard that all the devices can agree on.
The table below should be some help the next time you have to synchronize security settings between a mishmash of hardware.
| Device | WEP | WPA-PSK | WPA2-PSK |
|---|---|---|---|
| PlayStation Portable | Yes | Yes | No |
| Nintendo DS | Yes | No | No |
| PlayStation 3 | Yes | Yes | Yes |
| Wii | Yes | Yes | Yes |
| Xbox 360 WiFi adapter | Yes | Yes | No |
| iPhone | Yes | Yes | Yes |
| Nokia N800/N810 | Yes | Yes | Yes |
| Asus Eee PC | Yes | Yes | Yes* |

*The Eee PC’s hardware supports WPA2, but the native ASUS Linux install may not expose this capability.
We’ve listed a number of the most popular Wi-Fi-capable devices above. The good news is that all of them support some kind of encryption. The bad news is that the choice between TKIP and AES complicates the picture a bit. For instance, the Nintendo Wii supports AES for both WPA and WPA2, but not TKIP for WPA2. So if you’re looking for maximum compatibility among all your networked devices, your first choice in router settings should be WPA2 (AES) and your second should be WPA (TKIP). Forget about permutations like WPA2 (TKIP) and WPA (AES) and stick with the two options just mentioned.
Unfortunately, the Nintendo DS is the odd man out here, and only includes support for WEP. If you plan on running a wireless network that includes a Nintendo DS, you’re stuck on an awful security protocol. This was downright shortsighted on Nintendo’s part. The DS itself may have no particular need for strong wireless security, since there’s virtually nothing a hacker could do with your DS, even if he broke into it—but as we’ve already observed, an increasing number of homes deploy a WAP as a general access point for multiple wireless devices. The DS might not need much security, but the same can’t be said for the desktop, laptop, and PS3 that might all be sharing the same connection.
Set the DS aside, and WPA is easily the way to go. All of the other devices listed above support it and you’d be hard-pressed to find a router on the market today that didn’t include WPA as well. WPA2, however, is still hit-and-miss. The newest encryption standard doesn’t share WPA’s near-universal backwards compatibility, and some routers on the market may not support it. In all honesty, this shouldn’t be much of an issue—WPA2 is more secure than WPA, but WPA is still considered a secure standard, and it’s still recommended as a general solution.
Enabling a wireless security standard
Actually enabling a security standard (assuming you don’t already run one) is simple. I’ll provide a few sample screenshots from a Linksys WRT150 router (802.11n Draft 2.0 compliant); the procedure should be similar on any other product. Open the “Wireless Security” tab of the WRT150’s configuration pages and open the selection menu, and this is what you see:

We’re going to ignore WEP, since you really shouldn’t be using it, and focus on the various WPA options. WPA Personal (aka WPA-PSK) and WPA2 Personal are configured more or less identically: select the option, choose your encryption method (TKIP or AES), and enter your chosen passphrase. There should be no need to change the default key renewal time (3,600 seconds), but you can if you need to. From this point, all you need to do is configure your various wireless adapters with the same information, and you should be up and running.
Linksys’ options for switching to RADIUS mode are a bit misleading. WPA Enterprise and WPA2 Enterprise are the options you’d choose for a RADIUS server using one of those two protocols. The actual RADIUS option refers to a RADIUS server combined with WEP, and probably isn’t used much at this point.
Configuring WPA/WPA2 Enterprise is also simple: Choose your encryption standard (TKIP or AES), and punch in the IP address and port number for the RADIUS server that handles authentication, as well as the shared secret the router and server use to authenticate each other (treat it like any other password: long, random, and not reused). Once you’ve finished these steps, the router itself should be ready—make the appropriate configuration changes for your wireless adapters, and you’re good to go.
Conclusion
It’s actually quite easy to secure a wireless network, once you have a handle on what works and what doesn’t. Don’t waste time manually configuring MAC addresses or disabling DHCP when enabling an appropriate encryption standard is both faster and more effective.
WPA2 (AES) is the best encryption method currently available, followed by WPA2 (TKIP), WPA (AES), WPA (TKIP), and WEP. The relative gap between WEP and WPA, however, is far greater than the gap between WPA (TKIP) and WPA2 (AES). Generally speaking, any router that supports WPA is “good enough” in terms of its overall security. WEP, as we’ve previously stated, is an “only if you must” protocol, but it’s still a better option than transmitting in the clear.
Follow these simple guidelines and you’ll soon be leeching off your neighbor’s wireless network in peace, confident in your assurance that he can’t do the same to you.