Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com) 124
An anonymous reader writes: Apple has shut down what appears to have been the first, fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.
So who decrypts your files for you? (Score:2, Funny)
Apple?
Re:So who decrypts your files for you? (Score:5, Informative)
Re: So who decrypts your files for you? (Score:5, Informative)
This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.
Re: So who decrypts your files for you? (Score:5, Funny)
They'd make more money by patenting (and then actively trolling and/or comercializing) this revolutionary technology that can encrypt off-site backups.
Because your backups are off-site... right?
Re: (Score:1)
Right, because our collective mothers and grandmothers are are thinking of, not to speak of capable of, doing anything other than what's already built in.
Re: So who decrypts your files for you? (Score:5, Interesting)
Right, because our collective mothers and grandmothers are are thinking of, not to speak of capable of, doing anything other than what's already built in.
I think there are plenty of apps that are user friendly enough for semi-literate computer years (grandmothers or otherwise). The big problem I see holding back offsite backups is the stingy upload speeds. The FASTED upload speed I can currently get is 512k and it takes multiple calls to tech support to even find out what your upload speed it. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.
Re: (Score:1)
I have 2 time machine backup disks. I keep one at home and one at work and switch them every so often. My car has tons of bandwidth.
Re: (Score:3)
The FASTED upload speed I can currently get is 512k and it takes multiple calls to tech support to even find out what your upload speed it. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.
This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.
Re: (Score:2)
This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.
Maybe so but I live in a residential neighborhood and have tried to get a business connection and I still can't and even if I could, this doesn't help the average internet user. There are probably quite a few new or potential technologies that are being hampered by this, not to mention would-be entrepreneurs. I think upload speeds should be part of net neutrality as limiting upload speeds stifles innovation. We would also all be better off if there were more creators instead of the average internet user
Re: (Score:2)
This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.
Maybe so but I live in a residential neighborhood and have tried to get a business connection and I still can't and even if I could, this doesn't help the average internet user. There are probably quite a few new or potential technologies that are being hampered by this, not to mention would-be entrepreneurs. I think upload speeds should be part of net neutrality as limiting upload speeds stifles innovation. We would also all be better off if there were more creators instead of the average internet user being restricted to being only a consumer of bits.
Oh I don't disagree with you - just saying why the telcos make it so.
Re: (Score:3)
Think you mean off-site, and not synchronized and off-line...
Yes, I do hard" encrypted backups but between "da cloud" hype and, frankly the convenience of on-line solutions ranging from Gdrive to rolling an OwnCloud server (great! try it) there's probably a whole bunch of folks for whom "off site backup" actually means "another unsecure attack surface"
Re: (Score:2, Informative)
Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes. Just like they constantly update their virus scanners.
Or they do neither of those things because Apple's marketing drum that's been beating for the last decade has been "you can't get malware and just use Time Machine to be perfectly safe!"
I'm not saying Apple is completely at fault, but they did go out of their way to make it sound like they take care of everything.
Re: (Score:1)
Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes.
I'm sure PC users do as well.
I'm working with a guy who had a windows 10 update bitch his computer up. No backup at all. We'll probably use Linux to retreive his data.
At least Apple users don't have their number one enemy be their OS provider.
Re: (Score:2)
It's not Windows' fault for not him disabling System Restore.
Yeah, yeah, nothing is ever Windows fault. What has been done to you that you would have the ridiculous reaction that Windows can fuck up your computer, and it is your fault?
There is something so fundamentally wrong with what a fucked up system Windows is, and the willinglenes for it's users to put up with them screwing up their computers.
I think that Windows 10 should be renamed Windows Stockholm Syndrome Edition.
Re: (Score:1)
The fundamental problem of the constant Apple vs WinTel argument or the iPhone vs Android argument is that almost all of the arguments are presented by people who are firmly encamped on one side and are blind to the degree to which they are unfamiliar with the other side. Moreover, the Dunning-Kruger effect is particularly telling in this regard: not only is the knowledge of the other side incomplete, individuals will overestimate their competence when their capabilities and/or knowledge is limited and und
Re: (Score:2)
They'd make more money by patenting (and then actively trolling and/or comercializing) this revolutionary technology that can encrypt off-site backups.
Because your backups are off-site... right?
Off site doesn't help if the backup files/drive remain accessible from the infected computer.
Re: (Score:2)
This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.
That's one form of backup, but it shouldn't be your only backup. I periodically clone the drive partition to external hard drives and copy disk images to the file server.
Re: (Score:2)
This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.
That's one form of backup, but it shouldn't be your only backup. I periodically clone the drive partition to external hard drives and copy disk images to the file server.
R'Amen to that. Hourly auto-backups (Time Machine) are great, but are not enough! Periodic (monthly) cloning to an external drive that you store in a different location is closer to a full backup scheme. I have two externals, and alternate them in my monthly backups, but for time's sake, do incremental backups.
My extra step is, once a year or so, to do a full clone to yet another external (or just keep the HD when I buy a new computer or upgrade storage). Why? I have a 23-year scientific body of work o
Re: (Score:2)
As far as I can tell, Time Machine is intended as an easy solution that's lots better than not having any backup scheme. My backup strategy is more effective, but then I actually know I need one, and actually consciously have one.
Re: So who decrypts your files for you? (Score:5, Informative)
Re: (Score:2)
Re: So who decrypts your files for you? (Score:2)
Re: So who decrypts your files for you? (Score:5, Interesting)
It tries but fails. Time Machine Backups are are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.
Re: (Score:2)
Re: So who decrypts your files for you? (Score:5, Informative)
It tries but fails. Time Machine Backups are are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.
Depends on how long the encryption is happening before you realize it vs. how much space you have on your time machine before older backups get erased and encrypted files are stored instead.
Re: So who decrypts your files for you? (Score:5, Funny)
No need to do anything to corrupt Time Machine backups.
Those weird non-standard Time Machine directory hard links do a great job of messing backups already.
Re: (Score:1)
You're too late.
A bounty has already been posted, and ironically,
will be paid in bitcoin once evidence is accepted.
Too bad it didn't go through KickStarter.
Re: (Score:2)
"stolen" uh huh.
Re:so much for the walled garden (Score:5, Insightful)
I thought certs where going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?
Nothing. However, what's good to know is that I no longer have to worry about this one - and the turnaround was pretty quick. Assuming Apple can keep up with any threats like this (it's not like they don't have enough money to justify it), it's just like doing a regular bit of weeding in your garden.
Re:so much for the walled garden (Score:5, Interesting)
Microsoft should adopt the same model.but it would require a herculean effort to get their products up to the same standard of quality.
What, you mean authenticating applications based on a central certification authority? Kind of like what this does: https://msdn.microsoft.com/en-... [microsoft.com] . Or maybe you mean not allowing the installation of any applications that don't posses a preapproved certificate, in THAT case what you want is this feature over here: https://msdn.microsoft.com/en-... [microsoft.com] . God forbid you would have to learn how to manage your own certificate chains, afterall the documentation is so difficult to find: https://msdn.microsoft.com/en-... [microsoft.com] . The only thing missing is the paywall, which isn't really missing since you can pay for a third party authority to verify your certificate. But as we can see by the premise of this article that isn't actually a deterrent is it?
The difference between Microsoft and Apple is the same as it has always been. Apple forces you to follow their policies, Microsoft forces you to live with the consequences of the policies you wrote yourself.
Re: (Score:3)
I thought certs where going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?
Apple revoked the cert, and now the threat is gone. So the fact that the software was signed protected you.
You can't buy these certificates. You have to get one from Apple, who will hopefully check out the company. In this case the company that Apple checked was careless and I hope they'll pay the price for that.
Re: (Score:2)
Apple doesn't check out the company. They shouldn't - after all, Apple should not be censoring programs on OS X as a general purpose PC. What buying a certificate does is validate the payment chain - in order to bill a credit card, you now have the billing address and name of the owner. Presumably the cr
Re: (Score:3)
Well, the $99 is a small barrier to entry. Considering Cryptowall has garnered nearly a third of a billion dollars [mcafee.com], there is probably some good money to be had if an enterprising blackhat can get a working ransomware trojan running on OSX long enough to do the trick. More than enough to justfy several $99 developer registrations.
Re: (Score:2, Insightful)
Then you are a trusting idiot.
Certs don't protect you from malware, they just make it so the spread of malware can be more easily contained when detected. (as shown here the cert can be revoked and the app itself added to the big list o' malware), and give the user the best chance to avoid malware by showing you who wrote the thing you're downloading.
Apple could potentially protect against ransomware by writing the OS to refuse apps access to files outside their own little corner of the drive (I think iOS d
Re:so much for the walled garden (Score:5, Informative)
Take a look at System Integrity Protection in the newest version of OS X. it doesn't limit an app to its app corner, but it definitely limits it to userspace. A description from Ars (full page here [arstechnica.com]:
System Integrity Protection does this by severing the automatic kernel-level blessing given to root’s commands. The end result is that in El Cap, root is no longer an account with effectively unlimited access to either the file system or to memory and running processes. SIP places kernel-level checks on root’s privilege that can (in theory, at least, until proven otherwise by an intrepid security researcher) only be bypassed by the kernel itself. SIP’s intention is to keep the operating system’s state—both on disk and in memory at runtime—as it was installed by Apple.
This is a pretty big change from how Unix-like operating systems are "supposed" to work, though it’s not without precedent (Ars IT Editor Sean Gallagher told us that SIP sounds a bit like Trusted Solaris, and this Quora thread has some details on the history of similar "rootless" privilege escalation schemes). Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.
There’s more, too—the file system protections are only the start. SIP consists of four major features:
Protected locations cannot be written to by root.
Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.
Re: (Score:2, Insightful)
All very nice, I'm sure, but completely irrelevant. Ransomware is such a danger because it doesn't need to break any security or get elevated permissions, just attack the files to which the user has legitimate access.
Re: so much for the walled garden (Score:2)
Apple does that now with programs that use the Mac App Store. It would be nice if it worked with apps outside of the store.
Mac OS X does *not* have a walled garden (Score:5, Informative)
Re: (Score:2)
Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.
Hey! Stop screwing with hater's memes. I've got dozens of non app store programs on mine.
Re: (Score:2)
Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.
You say this but I don't think you have actually experienced the "process" that you go through to run a unsigned program that you have downloaded from the net.
I.e., control-click, select Open, and then say "yes, I know it's unsigned, I want to run it anyway" when asked, the first time you launch it?
Re: (Score:3)
Re: (Score:2)
Original Slashdot story linked to CNBC article [cnbc.com], that said:
An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.
What new information do we have?
Re:how did Apple shut them down (Score:5, Informative)
Congratulations Mac (Score:1, Funny)
Re: (Score:3)
Congratulations Mac, you final have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.
Seriously. If code is well-written, with portability in mind, then there is absolutely no reason for games to not come on Mac at release.
And yes they are written to be portable –PlayStation, Windows 7 or 8 or 10, Linux, X-Box. FFS, if a game is ported to Linux, then it should be trivial to slap together an interface for Mac OS X—It's based on the BSD of UNIX.
Gatekeeper is the real problem (Score:1)
Gatekeeper is the real problem. It only checks the certificate on the first app in a package, then lets any other app, legit or malware, through without checking. Bundle in malware and it gets right through. Apple only blocks the certificate the developer of Transmission was using. So, all they are doing is blocking the first app's certificate, Transmission. That's just a bandaid patch on the real problem, Gatekeeper itself. All that has to be done is to repackage the same malware with the new app, or
Nope (Score:3)
This incident had nothing to do with what you describe. And was stopped because the offending certificate got yanked and blocked by Apple, so in this instance Gatekeeper worked exactly as it should.
What you're talking about is a problem, no question 'bout that, just not this time
Re: (Score:2)
That is the problem. All that can be done by most protective offerings is to look at past reported issues and get that detail out to all users.
Actual understanding of what is been run, what other code an application could download with and then alters is still a missing step in real time.
If the application is not reported, it will pass as clean and can run and so
Wouldn't it be great if.... (Score:2)
Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.
Re:Wouldn't it be great if.... (Score:4, Insightful)
Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.
Well, actually it reinforces the purpose of anonymous transactions.
Let's not sit here and pretend that cash transactions (a.k.a. the other side of the coin) are somehow not heavily relied upon within the criminal community, and for the exact same reasons that bitcoin is.
Criminal activity will be a side effect of anonymous transactions no matter the medium. What should concern us more is when anonymous transactions are made 100% illegal, even for legitimate privacy reasons.
Re: (Score:2)
Re: (Score:2)
Cash is local. Notes can be traced in the mail. bitcoin and chums were designed to hide transactions. It also works globally, allowing little mafia org in Whoknowswhereville to conduct a global program of ransomware from the comfort of their cash laundering tea shop via VPNs and TOR - something you can't do with regular currency.
Regular currency is also shipped around the globe to be laundered.
As far as making even electronic transactions rather untraceable, seems many a US Company has done a damn good job of doing exactly that when it comes to paying taxes through offshore holdings. Microsoft and many other companies don't funnel billions through Ireland because they love the scenery.
And ironically, we can label even that loophole activity as a form of ransomware, since they're holding taxpayers accountable for their tax shortfall
How do you proceed if you've been infected? (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
I don't know if this is the "best" option, but I would withdraw the harddisk from the machine and mount it on a clean machine to check for damages and so the salvage.
Apple should be sued (Score:5, Funny)
Apple is depriving these software writers of their rightful revenue, and hopefully they'll be sued for it, and better yet a law passed banning this kind of practice. This is no different than ad-blocking and script-blocking software, which prevents upstanding advertisers from running JavaScript software on peoples' computers and rightfully earning revenue from it.
I know how to nail these guys (Score:2)
Apple would decompile the code for the malware and file a patent on it. Then dispatch the FBI to stake out the courthouse in Tyler, TX until the malware writers file a troll suit.
That was fast (Score:4, Interesting)
Well, that was fast. One day.
Sure, it's not a system patch but a certificate revocation, but still a responsibly swift resolution.
BTW, it was a malware Trojan, likely a double-Trojan, injected between the unwitting developer and the unwitting downloader, using the compromised certificate. Whether in transit if http downloaded, or by some other exploit, I dunno. Those more expert than me can answer that one.
It was not a virus. It was a Trojan inserted by a third party. I understand that it (probably) affected Linux and Windows as well. Please, everyone, just use proper terminology. It aids discussion.
Since when is Bitcoin "hard to trace?" (Score:1)
Bit coin is neither anonymous nor hard to trace. How long must we put up with this shitty reporting of disinformative nonsense?
Aghast (Score:4, Funny)
I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.
Re: (Score:2)
I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.
Don't worry too much. Neat stacks of paper are no more of a fire hazard than are wooden supports or furniture. Tightly-stacked paper does not burn well, which is why we have historical documents from many great minds, even though their will stated "burn all of my notes at death."
It's messy piles of crumpled paper, mixed in with pizza boxes (+ cheese), empty Cheetos bags, and semi-empty whiskey bottles that is the real fire hazard.
Re: (Score:2)
Now you tell me.
Re: (Score:2)
Ransomware canary (Score:5, Informative)
I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.
The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.
Re: (Score:2)
I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.
The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.
Or tripwire which I think should protect very well against cryptolocker type attacks:
http://hints.macworld.com/arti... [macworld.com]
Precisely why I jumped ship from Windows to Mac (Score:5, Interesting)
Apple tells the Feds to take a hike and focuses its resource to kill a nasty ransomware within a day.
Go Apple!
Finally (Score:1)
Re: (Score:3)
Re:That make anyone else nervous? (Score:5, Informative)
The difference is that all of the XProtect & related functionality can be disabled. It’s not easy to disable it (easy in the sense you’d stumble on it accidentally), and your average parent / grandparent user of Mac OS would never figure out how to disable it. Which is good, because they have no clue of the implications of doing so.
If as a trained and knowledgable IT professional, you want to run completely unprotected, you set some kernel flags in your EFI, and reboot. Execute whatever you like, overwrite anything on the drive as root, no questions asked. That’s probably not a great idea as the vast majority of the time those features protect even seasoned (or is that salty) professionals from shooting themselves in the foot. But if you really want to run something Apple has determined to be dangerous, you can still do it.
My opinion of Apple would fall sharply if they ever removed the disable options on their desktop OS. So long as that option is there, having it default to ON is the right option for the vast majority of users.
Re: (Score:2)
XProtect isn't the same as rootless.
You're right, to disable rootless (which protects a bunch of system files from being modified/deleted, even as root) you can do this.
XProtect is a signature-based anti-malware system - Apple pushes out silent updates to the signature definitions on a regular basis, but XProtect doesn't save you from shooting yourself in the foot when running as root.
Re:That make anyone else nervous? (Score:5, Informative)
XProtect does one other thing that is very welcome in most circumstances as well - expiring old versions of browser plug-ins like Java and Flash, which are known to have massive gaping security holes in them.
And, again, if this gets in the way of a proper administrator who is saddled with some ancient piece of shit that requires some ancient plug-in, it can be disabled on a per-plug-in level
Re: (Score:2)
They've already started by making it so that even root is blocked from editing files in locations such as /etc, /usr, and /bin, and blocks root from removing "important system apps" like iTunes and Photos (both of which have third party competitors).
Do they also prevent you from installing those competitors and prevent the competitors from registering to handle the file types handled by default by iTunes and Photos?
Re: (Score:2)
There is no way to permanently change this behavior, to the point where the recommended method of using a third party photo suite was to "sudo rm -rf /Applications/Photos.app" - which you can't do any more.
...unless you turn off System Integrity Protection.
Re: (Score:2)
What you have just said is tantamount to saying this:
"I'm not smart enough to figure it out and if I was then the first thing I'd do is shoot myself in the foot because I want to be the boss of me. You're not the boss of me!"
You *can* (fairly easily) do each and everything you're complaining that you can't do. It's not even difficult. That you don't know how to is a good indicator that you're unqualified to do so. However, if you want to do so then you can - it just means that you're an idiot. It is not com
Re: (Score:2)
This capability is not one Apple came up with. It has long been a capability of FreeBSD and probably other BSD systems. It can be overridden if you know what you are doing, but it is an added safety belt to save you from yourself.
Re: I thought Macs were secure? (Score:1)
They were.
It's really Apple just playing catch up. I mean this was their first instance of ransom ware , and Windows has had it for how long ?
Apple copy catting again.
And they couldn't help themselves and got all control freaky , shutting it down with their mind control rays. None of this letting ransom ware to fester in the wild for years.
FFS, it was a viable commercial malware product, that had its ROI shut down inside 32 hours of its release into the wild. That's great cooperation between Palo Alto, App