Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Guy Kawasaki's Twitter account hijacked, pushes Windows and Mac malware

By Ryan Naraine | June 24, 2009, 11:54am PDT

The Twitter account belonging to venture capitalist and Mac evangelist Guy Kawasaki was hijacked yesterday and used to push malware to some 140,000 Twitter users. The attack (screenshot above) included a link to what purported to be a “sex tape video free download” linked to Gossip Girls star Leighton Meester but, after a series of clicks, the end result was a malicious Trojan.

Kawasaki would later apologize but, as Trend Micro’s Rik Ferguson explains, the damage was significant for any of his tens of thousands of followers.

In this case, following the link would be a Very Bad Idea because it will lead you to a malicious website designed to infect both Macs and PCs with a DNS-changing Trojan which at the time of writing has low to non-existent detection rates by security vendors…

On Windows machines, a user falling for the bait gets to a series of Web pages featuring pornographic content and, at the end, a prompt to update a video codec. That fake codec is a piece of malware.

On the Mac platform, Intego reports that the download is a disk image called ActiveXsetup.dmg. Here’s the end result:

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

It is not yet known how Kawasaki’s Twitter account got compromised, but there is speculation in security circles that he fell victim to a Twitter phishing attack that swiped his password.

It is clear that Twitter’s popularity is now at the stage where it is ripe for these types of targeted attacks.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments (65)


More details about severity of attack
NonZealot 24th Jun 2009
On Windows machines, a user falling for the bait gets to a series of Web pages featuring pornographic content and, at the end, a prompt to update a video codec. That fake codec is a piece of malware.

Hmm, sounds like significant user interaction is required for this to work on Windows. Good to know!

On the Mac platform, Intego reports that the download is a disk image called ActiveXsetup.dmg.

This is far more worrisome since the default configuration of Safari will silently (without user interaction), mount downloaded disk images! From the sounds of this, OS X users can get infected with far less user interaction than is required on Windows.
I'm OS X stupid...
JoeMama_z 24th Jun 2009
but doesn't changing TCP/IP parameters in OS X trigger a password prompt?

Several privilege escalation attacks
NonZealot 24th Jun 2009
http://www.macrumors.com/2006/11/21/multiple-security-vulerabilities-found-in-apples-disk-image-software/

The first vulnerability, rated "highly critical" by security-firm Secunia, can lead to privilege escalation, denial of service, and system access by a remote user (if Safari's open "safe" files option is checked).

I'm not sure if that particular vulnerability was fixed but there have been several more found. I don't think anyone can say with any real confidence that there are no more privilege escalation vulnerabilities in OS X's disk image mounting routines.

This is truly quite alarming and you would be doing your OS X using family and friends a huge favor by telling them to install AV software and start using a safer browser like Firefox.
Mac OS X will not...
CowLauncher 24th Jun 2009
launch a downloaded app without the user OKing it first, nor will it change system settings without an admin name and password. But at this point the user has already done a number of stupid things...so who knows...perv
Factually incorrect
NonZealot 24th Jun 2009
Mac OS X will not...launch a downloaded app without the user OKing it first

The default settings in Safari most certainly will launch "safe" apps without a user OKing it first.

nor will it change system settings without an admin name and password

It most certainly will if the code is running with elevated privileges and OS X's disk mounting routines have had many privilege escalation vulnerabilities in them.

But at this point the user has already done a number of stupid things...so who knows...perv

Are you blaming the user for this one then?
No...
olePigeon 24th Jun 2009
"The default settings in Safari most certainly will launch "safe" apps without a user OKing it first."

No. First it'll warn that the disk image contains an application and ask if you want to continue. Then after it mounts the disk image, it'll warn a second time that the application was downloaded from the internet.

I do agree that it is the single dumbest feature, and I don't know why the hell Apple keeps it there.

"It most certainly will if the code is running with elevated privileges and OS X's disk mounting routines have had many privilege escalation vulnerabilities in them."

Except it isn't.

"Are you blaming the user for this one then?"

Yes.

If I am correct, it seems to me the Mac pundits have been having a heyday the last couple of years crowing about how much people hate Vista because of excessive warnings. Seems to me if it's correct that OSX has all the warnings you speak of that Mac users must hate OSX with an absolute passion if warnings are a problem for users.
@Cayble
NonZealot 25th Jun 2009
Seems to me if its correct that OSX has all the warnings you speak of that Mac users must hate OSX with an absolute passion if warnings are a problem for users.

You are coming to a sad realization. Cancel or Allow?

NonZealot
macpipkin 24th Jun 2009
Bro, for your sake and sanity...

Put the mouse aside, step away from the computer, exit your parents' basement, walk outdoors to the bright light (that shiny thing up in the sky is called the sun) and do something other than posting to ZDNet forums.

What else do you do? Do you get paid per word, or do you live in a bubble? Are you, in fact, simply a bored bubble boy?!?

I read the stories and blog entries that interest me and post a response if I want and then I MOVE ON!!!

Does any of this matter THAT much?

Get a life already...
Nonzi, you're clueless...
GSavage777 24th Jun 2009
You're wrong on this one. Every time I download a .dmg file and try to open it, it reminds me it's a download from the internet AND may contain malicious code. Also, to install a new program, I have to type my admin. password.

Hile!
You are about to read something that isn't 110% full of glowing praise for OS X. Would you like to Cancel or Allow?

You get multiple Cancel or Allow prompts? Even worse, one of those Cancel or Allow prompts requires you to enter your username and password? And Apple was poking fun at Vista for being annoying?!?!
Is OS X losing its "safety" advantage?
NonZealot 24th Jun 2009
With countless mega-patches and 2 straight losses at PWN2OWN, we always knew that OS X wasn't any more "secure" than Windows but considering few bothered to take advantage of these countless holes, OS X users felt quite safe. Is that advantage disappearing?

On the one hand, this could be celebrated as proof that OS X's market share has grown big enough to start making it a juicy malware target. On the other hand, "safety" used to be a big selling feature of OS X. With that feature disappearing fast, there is much less reason for the less security conscious members of the computing world to switch. Note that security conscious computer users have never needed to switch for safety and security which is why I specifically mention the less computer savvy members of our population.

Very interesting times indeed!
Is OS X losing its "safety" advantage?
DougAlder 24th Jun 2009
Lost it long ago technically - particularly with the switch to the x86 architecture. For all operating systems now the real danger is in 3rd party apps and social engineering with the latter being the big one.
Interesting
jdbukis@... 24th Jun 2009
because Intel x86 processors support hardware DEP and PowerPC chips don't as far as I'm aware.
Of course, if OS X doesn't use it then it won't make any difference.
I think the point was ...
de-void-21165590650301806002836337787023 25th Jun 2009
... that since Apple have moved to the x86 chipset that the hackers can now target one CPU instruction set rather than two. This makes it easier for the hackers.
Security was always more lax on Macs because the botnet herders target Windows.
and then downloading a codec. It would take some real stupidity to compromise your computer.

OS X has stripped out a lot of what made BSD a secure system for the sake of a "user friendly" environment, as Win 7 now does with the idiotic default UAC settings.
Just like seat belt law
LiquidLearner 24th Jun 2009
Why was it that seatbelts were in cars for years and years before they really started having an effect? Because it became law. UAC is similar. At first it's annoying and uncomfortable. After a few weeks you don't even notice it is there anymore.

People want to blame everyone else for them not taking the time to protect themselves and pay a little bit of attention. You click through all those links and blindly accept installs and blame Microsoft (or Apple) for your own stupidity. If I went and bought a guitar and got home and couldn't play, could I sue?
The first sophisticated OSX attack
honeymonster 24th Jun 2009
This marks the first time an attacker actually put some effort into exploiting OSX.

Until now the attacks have been half-hearted and somewhat amateurish (a fake codec just doesn't play in the same league as most of the established stealthy Trojan attacks).

This could be significant if one of the established criminal groups has turned their attention to OSX. Then mac users (and Apple) are in for some tough learning.
This is not the first sophisticated OSx attack, and it will definitely not be the last.

ANY computer is a viable target. In the latest Black Hat conventions, the coveted security for Macs and Linux were compromised in minutes. Vista, for those so inclined, took much longer, but was still compromised.

Don't EVER buy a computer with the thought that you are safe. You're only as safe as your computing habits. First, back up and back up often to multiple sources. Second, be ready to dump everything and start fresh. Last, use a little common sense.

If you are ready to handle total meltdown, then you are ready to use a computer.
DIY Removal
brunerd 25th Jun 2009
Although I haven't seen how this DNSChanger works I suspect it's like OSX/RSPlug-F which I 'tore apart':
http://www.brunerd.com/blog/2009/03/30/tearing-apart-osxrsplug-f/

To put it out there again, here's a script to blow away any DNS values hidden away by scutil:

#!/bin/sh
# Must run as root: scutil needs root to modify the dynamic store.
if [ "$(id -u)" -ne 0 ]; then echo "Please run with sudo" && exit 1; fi

# Look up the ID of the primary network service from the global IPv4 state.
PSID=$( (/usr/sbin/scutil | /usr/bin/grep PrimaryService | /usr/bin/sed -e 's/.*PrimaryService : //') <<EOF
get State:/Network/Global/IPv4
d.show
quit
EOF
)

# Remove the DNS dictionary that was planted for that service.
/usr/sbin/scutil <<EOF
remove State:/Network/Service/$PSID/DNS
quit
EOF

echo "Please toggle your network adapter on/off to refresh DNS servers from DHCP"
### end script ###

Basically it nukes the DNS entries that got hosed, then pulls down the DHCP info, unless you have manually entered DNS settings, in which case, you should know what you're doing.
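The Trojan Intego describes writes its resolvers into the same dynamic-store key that the removal script above deletes, so a defender can audit that key before deciding to wipe it. The following is an added example, not brunerd's or Intego's code: it parses a constructed sample of the dictionary that `scutil` prints for `get State:/Network/Service/<id>/DNS` followed by `d.show`, and flags any resolver address that is not in an assumed allowlist of DHCP-supplied servers. The function names, sample dictionary, addresses and allowlist are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: read-only check for DNS tampering in the SystemConfiguration
# dynamic store. It parses d.show output for a service's DNS dictionary and
# reports resolver addresses outside the expected set. Nothing here modifies
# the system; the live scutil calls are shown only as a comment.

# Constructed sample of scutil's d.show output for a tampered DNS dictionary.
# Addresses are RFC 5737 documentation ranges, not real resolvers.
SAMPLE_DNS_DICT='<dictionary> {
  DomainName : example.internal
  ServerAddresses : <array> {
    0 : 192.0.2.53
    1 : 198.51.100.2
  }
}'

# Resolvers this (constructed) network hands out over DHCP.
EXPECTED_RESOLVERS="192.0.2.53 192.0.2.54"

# dns_servers_from_dict DICT: print one address per line from the
# ServerAddresses array of a d.show dictionary.
dns_servers_from_dict() {
    printf '%s\n' "$1" | awk '
        /ServerAddresses : <array>/ { inarr = 1; next }
        inarr && /^ *}/             { inarr = 0 }
        inarr && /^ *[0-9]+ : /     { print $3 }
    '
}

# rogue_dns_servers DICT EXPECTED: print the addresses from DICT that are not
# in the space-separated EXPECTED list.
rogue_dns_servers() {
    expected=" $2 "
    dns_servers_from_dict "$1" | while IFS= read -r addr; do
        case "$expected" in
            *" $addr "*) ;;                 # known-good resolver, ignore
            *) printf '%s\n' "$addr" ;;     # not expected: report it
        esac
    done
}

# check_dns DICT EXPECTED: return 0 when every resolver is expected,
# 1 when at least one rogue resolver is present.
check_dns() {
    rogue=$(rogue_dns_servers "$1" "$2")
    if [ -n "$rogue" ]; then
        printf 'WARNING: unexpected DNS server(s): %s\n' "$(printf '%s' "$rogue" | tr '\n' ' ')"
        return 1
    fi
    echo "DNS servers match the expected set"
    return 0
}

# On a real Mac the dictionary would be read from scutil instead of the sample
# (kept as a comment so the example runs anywhere):
#   PSID=$(printf 'get State:/Network/Global/IPv4\nd.show\nquit\n' | /usr/sbin/scutil | sed -n 's/.*PrimaryService : //p')
#   DICT=$(printf 'get State:/Network/Service/%s/DNS\nd.show\nquit\n' "$PSID" | /usr/sbin/scutil)

# Run the check on the sample; the tampered sample is expected to be flagged.
if check_dns "$SAMPLE_DNS_DICT" "$EXPECTED_RESOLVERS"; then
    echo "no tampering detected"
fi
```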

After all Microsoft has the largest market share, with the most non tech savvy users in the world. Remember market share Non-Zealot. As for this affecting OS X, just uncheck auto mounting of disk image within Safari and the issue has been mitigated.

Windows users have way more to worry about than Mac users. Look below & you will see how the hits just keep on coming for Microsoft. Bing, Bing, Bing, Bing, etc,,,

http://blogs.zdnet.com/security/?p=3664
http://blogs.zdnet.com/security/?p=3465
http://blogs.zdnet.com/security/?p=3648
http://blogs.zdnet.com/security/?p=3507
http://blogs.zdnet.com/security/?p=3658
http://blogs.zdnet.com/security/?p=3553
http://blogs.zdnet.com/security/?p=3476
Microsoft leads in security
honeymonster 24th Jun 2009
Pigs fly! Microsoft leads in security!

Microsoft's success with Security Development Lifecycle has security experts buzzing and offers lessons -- along with a heap of free resources -- for your company

http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19
With all said and done
AdventTech67 24th Jun 2009
why does Microsoft still have myriads of problems if they are becoming more and more secure. Oh yeah, let's blame it on the end user.
Losing that "advantage"?
GuidingLight Updated - 24th Jun 2009
if it could have ever been called that

The more time goes by, the more excuses the anti-Microsoft crowd offer up in defense of the weakening "security" of operating systems like OS X.

It appears that this affects OS X users just as much as Windows users, but let us just once again ignore that fact and pretend it had never existed, and instead point to Windows and cry wolf again.

Is there anything you wish to say now?
Running as standard user or using UAC
jdbukis@... 24th Jun 2009
Mitigates 92% of flaws in windows.
Got ya.....
OhTheHumanity 24th Jun 2009
Looks like you can't defend the statement. It was a perfect analysis of how many are and how they point fingers away to avoid the truth.

Keep on with your ignorance, it must be bliss.
How is the user supposed to know this?
NonZealot 24th Jun 2009
Does Apple contact every user and tell them to do this? Shouldn't OS X be secure out of the box?
Would I know?
FanaticGeek 24th Jun 2009
If I wasn't reading this forum, I would never know. If the user has to do something specific to protect himself, then there is a security flaw, plain and simple.
let me answer this in simple terms
kaninelupus 6th Jul 2009
ANY OS has vulnerabilities and flaws.... even the much hailed UNIX architecture. Any user that is so wrapped up in the so called "invulnerability" of his/her OS, that they go on without AV and firewall active and updated, almost deserves to have their bubble burst!

"why does Microsoft still have myriads of problems if they are becoming more and more secure."

OK, let's look at an open-source developer competing with one of MS's babies - Firefox. Now I think most of us can agree that FF is more secure than IE, and with less market share than IE, probably a smaller target. Yet, how many updates, patches and build upgrades has FF gone through over the last few years, as new holes get picked up on, or simply because devs saw a better way of doing things.

NO OS - or any other application for that matter - is perfectly written, completely bug free. The more an OS or application gets pushed and tested, the more bugs will surface... period!
Try telling that......
OhTheHumanity 24th Jun 2009
To IBM's X-Force research that rates Windows higher than any other besides AIX. Are you talking about like 10 years ago? Get with the times.

And by the way IBM is not a Microsoft fan at all, zip zero zilch so I think I will trust their research and you should get a clue.
In fact
jdbukis@... 24th Jun 2009
After the fallout over OS/2 they strongly dislike Microsoft.
Abysmal security record compared to what?
NonZealot Updated - 24th Jun 2009
Windows actually has the very best security record when compared to all other consumer desktop OSs with 90%+ market share.

If you want best security record PERIOD then Microsoft MinWin has a perfect security record, 0 worms, 0 trojans, 0 viruses, EVER. Linux can't claim that. OS X can't claim that.
Let's be fair though...
Wolfie2K3 Updated - 25th Jun 2009
MinWin may have a perfect security record - but then again, MinWin wasn't EVER released into the public. It's a heap of test code Microsoft cooked up to figure out how to optimize the Windows kernel. It's never left the lab! It doesn't even sport a GUI...

So... What's your point?
Marketshare
NonZealot 25th Jun 2009
So... What's your point?

We keep hearing that market share has nothing to do with it.
N Z - Nicely Done! (NT)
Dave S2 26th Jun 2009
Not quite right
NonZealot Updated - 24th Jun 2009
This will affect Windows users more than Mac users Non-Zealot

This will almost certainly affect more Windows users but it will affect Mac users more because the default settings in OS X are not very good. Combine those default settings with a privilege escalation bug in OS X's disk image mounting libraries and we have something that could silently affect OS X users.

And what do those links to other attacks have to do with this one? Please stay on topic and do not spam this blog.

Thank you.
There's one more reason
rtk 24th Jun 2009
Most Windows users have AV, virtually no OS X users can say the same.
I have ClamXav installed on my Mac.
AdventTech67 24th Jun 2009
I never had a reason to use it yet.
Get ready and hold on.
Cayble 24th Jun 2009
And pray its up to the task.
Ugh!
FanaticGeek Updated - 24th Jun 2009
Never had a virus on my Windows machine. That's not the point. The point is that if the Mac's security is weaker than what end-users think, we might be in for a surprise. Almost nobody dreams of using Windows without AV, but what if security problems start popping up with the MacBooks' proliferation? What if users are not expecting an attack?
Could get ugly
Could? No.. WILL get ugly...
Wolfie2K3 25th Jun 2009
I can just see it now... A new Mac Vs PC ad. PC visits the Mac guy who's laid up in the hospital, under quarantine. Seems he caught some nasty virus.

The PC guy offers to donate blood in an effort to help his stricken "friend" - but the Doctors say it would be a waste of time - they're not compatible.

Of course, we won't EVER see that scenario...
I am on topic son.
AdventTech67 Updated - 24th Jun 2009
Windows users have far more serious problems than Mac users. Currently there is an exploit in the wild affecting hundreds of millions of users who use Adobe Shockwave. You say Mac is weakening, and I say even with the new Vista and 7 OS you still have far more problems than Mac users. It's high time you admit non-zealot that any Windows version is not more secure than Mac OS X.
Wrong.....
OhTheHumanity 24th Jun 2009
It is much more secure, but you have a tough time admitting that nothing is perfect. The ones here defending Windows are not defending with blind eyes. We understand that Windows and every other OS has vulnerabilities. Windows has much more in place to mitigate and if you don't run as an admin or turn UAC off you are at high risk. With it on you got a tough time compromising it.

This compromise has shown that you can run malicious software that can do more than just hijack DNS. We are not in denial, just trying to get the truth out and I don't see any of these people claiming that Windows is 100% secure.
The first half was on topic
NonZealot 24th Jun 2009
Your links to other malware attacks are off topic. We are talking about THIS attack. THIS attack affects OS X users more than Windows users since OS X will happily download the image file, mount it, and infect the machine, all silently. On Windows, THIS attack requires a lot of user intervention.
Ha! I beg your pardon!?!?
Cayble 24th Jun 2009
Trying to say, with any authority, that OSX is more secure than Windows is like saying that putting your cash under your mattress is more secure than putting it in a bank because a higher percentage of banks get robbed than people's homes get robbed with their mattresses getting flipped over.

Honestly, I hate to sound like I have something personal against Mac users, but some of the sorry things they say just makes me think about the day when someone decides that a Mac is actually worth attacking in a serious way. It may just happen, if Apple can get even a reasonable amount of market share, but they will have to make a more Apple "positive" commercial than the Windows "negative" commercials they have been running with those Apple Guy commercials.
so let me get this straight...
kaninelupus 6th Jul 2009
Adobe buggers up (again) and MS is to blame??

But if Mac users have swallowed the one-liners dribbled out by Apple Corp and as such have left their systems wide open without ANY AV protection, so that ANY elevated app can jump on board with the OS X user completely oblivious and horridly underprepared.

One other MAJOR flaw OS X has had for a long time now, is the fact that ANY installed app can prompt for an update, with the user having absolutely no means of verifying either authenticity or update contents. This means ANY app which has DLed and silently installed via elevated privileges, can then upgrade itself... it may well pop up a message nicely asking the user "do you want to update?", but because the average OS X user is both blindly trusting of Apple's update system and usually has no malware protection, 99% of users will blindly accept and cook their system.

End of story!
I'm glad you admit the truth.
Cayble 24th Jun 2009
There are so many more Windows users than Mac users it would inevitably affect more Windows users than Mac users. Simple math. With such an overwhelming market share that Windows has it would be ludicrous to argue otherwise. The math is the math.

Don't forget to mention all this to your insane Apple buds the next time they try to explain that the constant drive to infect Windows computers has nothing to do with market share. It's great to see that at least one Apple enthusiast has seen the light. I hope it didn't take this event shining right into your eyes to see the reality.
It still comes to stupidity...
Phantom.si 24th Jun 2009
First of all, opening a link to a porn site = stupid. If you like porn buy a magazine or DVD, don't use the web - that's the worst idea ever. Second, opening links, downloading, giving personal data on pages like mentioned, hmmm. Smart - not.