When we inform you about new security updates, we often specify the version numbers of the new applications. In some cases, you can run an application’s built-in updater to see if you’re up to date, but in others you may want to check an application and see what version it is. Here’s how you can check for version numbers in different types of applications.
To find which version of Mac OS X you are using, you only need to check a menu. Click on the Apple menu, then choose About this Mac. A small window displays, giving you information about your Mac, and which version of Mac OS X you’re using:

As you can see in the screenshot above, the version of Mac OS X is 10.6.7. If you click on that text, you will see the build number (a sort of sub-version number), and if you click again, you’ll see the serial number of your Mac.
Below this is a Software Update button. This opens the Software Update application, and checks for new versions of Mac OS X and other Apple software. We discussed using Software Update in an earlier Mac Security Tip.
As you can see, there is more information in this window: the type of processor, the amount of memory, and the name of the startup disk. If you click More Info, the System Profiler application opens, giving much more detailed information about your Mac, its hardware, peripherals, software and more.
There are several ways you can find out the version of a specific application. If the application is running, open the menu that bears the application’s name and choose About followed by the application name; an About box displays, giving you information. For example, in iTunes, you would choose iTunes > About iTunes and see this window:

You can also find version numbers from the Finder. Click on an application to select it, then press the spacebar; a QuickLook window displays, showing the version number, size and last modification date.

Finally, you can select an application and press Command-I, to see the following:

You see the kind, size and location, creation and modification dates, and the version number.
Plug-ins are software elements that are used by web browsers, often to display certain types of content, such as Flash, Java or others. Your web browser can tell you which plug-ins you have installed, and which versions. In Safari, choose Help > Installed Plug-Ins. A web page displays giving a list of the plug-ins, their versions, and the types of content they manage. In Firefox, choose Tools > Add-Ons to see not only plug-ins, but also extensions and other types of add-ons. (To view Safari extensions, choose Safari > Preferences, then click the Extensions icon.)
While there are several procedures above to view information for different elements, it’s pretty simple to find out which versions of software you are running. Whenever you have doubts about whether your software is up to date, use these techniques to find out whether you need to download new versions of your software.
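The same check can be scripted when there are many applications to compare against an advisory. The following is an added example, not part of the original tip: it reads the version each application bundle declares in its Contents/Info.plist and reports those older than a required minimum. The bundle names, versions and minimums are constructed for illustration.

```python
import plistlib
import re
import tempfile
from pathlib import Path


def bundle_version(app_path):
    """Read the version an .app bundle declares in Contents/Info.plist."""
    with open(Path(app_path) / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)  # accepts both XML and binary plists
    return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")


def version_key(version, width=4):
    """'10.6.7' -> (10, 6, 7, 0): numeric fields, padded so 10.6 == 10.6.0."""
    fields = []
    for piece in version.split(".")[:width]:
        match = re.match(r"\d+", piece)
        fields.append(int(match.group()) if match else 0)
    return tuple(fields + [0] * (width - len(fields)))


def audit(apps_dir, minimums):
    """Return {app: (installed, minimum)} for apps older than the advisory."""
    outdated = {}
    for name, minimum in minimums.items():
        bundle = Path(apps_dir) / (name + ".app")
        if not (bundle / "Contents" / "Info.plist").is_file():
            continue  # not installed, nothing to update
        installed = bundle_version(bundle)
        if installed is None or version_key(installed) < version_key(minimum):
            outdated[name] = (installed, minimum)
    return outdated


def make_sample_bundle(apps_dir, name, version):
    """Build a constructed bundle so the example runs without a Mac."""
    contents = Path(apps_dir) / (name + ".app") / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as apps:
        make_sample_bundle(apps, "SampleBrowser", "5.0.9")   # constructed
        make_sample_bundle(apps, "SamplePlayer", "10.2.1")   # constructed
        # Hypothetical minimum versions, as an advisory might list them.
        print(audit(apps, {"SampleBrowser": "5.0.10", "SamplePlayer": "10.2"}))
```

Comparing the fields as numbers matters: compared as plain text, 5.0.9 would sort after 5.0.10 and the outdated application would be missed.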
Malware: OSX/HellRTS.D
Discovered: April 14, 2010
Risk: Low
Description: Intego has discovered a new variant of a malware for Mac, called HellRTS, which, when installed on computers running Mac OS X, opens a backdoor that allows remote users to take control of infected Macs and perform actions on them. Intego identifies this backdoor as OSX/HellRTS.D, a variant of an early Mac OS X malware first spotted in 2004.

HellRTS, built in RealBasic as a Universal Binary able to run on both PowerPC- and Intel-based Macs, is able to perform a number of operations if installed on a Mac. It sets up its own server and configures a server port and password. It duplicates itself, using the names of different applications, adding the new version to a user’s login items, to ensure that it starts up at login. (These different names can make it hard to detect, not only in login items, but also in Activity Monitor.) It can send e-mail with its own mail server, contact a remote server, and provide direct access to an infected Mac. It can also perform a number of operations such as providing remote screen-sharing access, shutting down or restarting a Mac, accessing an infected Mac’s clipboard, and much more.
This backdoor requires installation on a Mac, which could be carried out via a Trojan horse, or by exploiting a vulnerability in a program that accesses the Internet (such as a web browser). While Intego has not found any instances of Macs being infected by this in the wild, the fact that this malware is being distributed on a number of forums shows that it will be accessible to a large number of malicious users who may attempt to use it to attack Macs.
Means of protection: Intego VirusBarrier X5 and X6 detect and eradicate this malware, which they identify as OSX/HellRTS.D, with their threat filters dated April 15, 2010 or later.
Malware: iPhone/iBotnet.A
Discovered: November 21, 2009
Risk: Medium
Description: For the third time this month, malware targeting the iPhone has surfaced. The first such malware changed wallpaper on iPhones, and the second harvested personal data from iPhones. This new malware, which Intego calls iBotnet.A, is by far the most sophisticated iPhone malware yet: it is not only a worm, capable of spreading across a network, but also hijacks iPhones or iPod touches for use in a botnet.

It is important to note that standard, non-jailbroken iPhones or iPod touches are not at risk; it is extremely dangerous to jailbreak an iPhone because of the vulnerabilities that this process creates. (Estimates suggest that 6-8% of iPhones are jailbroken.) Jailbroken iPhones at risk are those where ssh is installed, and where the default password has not been changed.
This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary and Australia. If an appropriately unprotected iPhone is found, the worm can copy itself to that device.
When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices. (A botnet is a network of infected computers or devices that can be controlled by hackers to attack other computers, serve malware, send spam, serve pages or images, and much more.)
The worm also gives each infected iPhone a unique identifier, both to be able to reconnect easily to any iPhones on which valuable information is found and to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone’s /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords.
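A hosts-file change like the one described above can be spotted by listing every entry that maps a name other than the stock ones. The following is an added example, not Intego’s code: the sample file, the hostname www.bank.example and the address 203.0.113.10 are constructed.

```python
import ipaddress

# Names a stock hosts file maps itself; anything else is a local override.
STOCK_NAMES = {"localhost", "broadcasthost"}

# Constructed sample: a stock-style file plus one added override line.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.10    www.bank.example   # constructed entry, documentation address
"""


def audit_hosts(text):
    """Return (line_no, hostname, address, verdict) for every override."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no names
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address.split("%", 1)[0])  # drop zone id
        except ValueError:
            findings.append((line_no, " ".join(names), address, "bad address"))
            continue
        for name in names:
            if name.lower() in STOCK_NAMES:
                continue
            # Loopback/unspecified targets are usually ad-blocking entries;
            # any other address silently sends the name to a different server.
            local = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, name, str(ip),
                             "blocked locally" if local else "redirected"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```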
Means of protection: Intego VirusBarrier X5 detects and eradicates this malware, which it identifies as iPhone/iBotnet.A, on iPhones that it can scan from Macs with VirusBarrier X5 installed, with its virus definitions dated November 22, 2009 or later. The only other way to remove this malware is to totally wipe and restore the iPhone using iTunes.
We would like to stress that users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. If users install ssh, they should change the default password, which is widely known. While the number of iPhones attacked may be minimal, the amount of personal data that can be compromised, and the ability of this new worm to create a botnet, strongly suggest that iPhone users should stick with their stock configurations and not jailbreak their devices.
Intego thanks Scott McIntyre, Chief Security Officer of the Dutch ISP XS4ALL, for his help in isolating and analyzing this worm.