KeRanger Mac Ransomware Based On Linux Forebear, Not Windows
An anonymous reader writes: It appears that the KeRanger ransomware that's been tormenting Mac users for the past days is actually based on a ransomware variant that targets Linux servers, and not on a ransomware family coming from Windows. That particular Linux ransomware is also based on an open-source ransomware called Hidden Tear that was uploaded to GitHub by a Turkish security researcher. So obviously, the conclusion is that GitHub is to blame for the KeRanger Mac ransomware. (Note to readers: That last bit is tongue in anonymous cheek.)
Is that surprising? (Score:4, Insightful)
I would have assumed that it would have come from a Linux or BSD based one rather than a Windows one... The systems are much closer than Windows to Mac.
Or am I being overly simplistic?
Re: (Score:2)
> Or am I being overly simplistic?
I'm not 'surprised' by it, but I'd have expected it to be derived from a Windows variant, simply because there are so many more of them out there that I'd have thought someone targeting OSX would be coming from Windows and have familiarity with a Windows version, and would make that their starting point.
Yes, the relative similarity of OSX to *nix makes it perhaps slightly less effort to port; but the relative lack of *nix ones means that I'd still have put better odds on a Windows port.
Re: (Score:2)
criminals usually like to take the path that requires the least effort.
Which, if they were already familiar with Windows variants, having worked directly on Windows variants already, would make starting with a codebase they already knew that path.
The path of least effort also accounts for the author's own knowledge and experience. For example, if I wanted to create ABC for OSX, and I'd ALREADY created ABC for Windows, I'd probably start by trying to port my ABC to OSX rather than start with someone else's DEF codebase for something similar on Linux. It may be objectively less
Re:Well Duh Max OS is Based on Linux (Score:4, Informative)
Re: (Score:2)
Mac OS X was based on NeXTSTEP which predates Linux, and NeXTSTEP was based on 4.3FreeBSD and CMU Mach.
Well, this certainly shows that trying to label an OS as a purebred these days is as pointless as mapping Frankenstein's DNA.
Re: (Score:2)
Frankenstein was simply the creator. Did you mean The Monster?
Re: (Score:3, Funny)
No, he meant the doctor. Have you tried to look through his family tree? It's impossible, you can't find anything, it's almost as if he's a fictional character.
Re: (Score:3)
Problem solved.
Re: (Score:1)
It's not that hard to snip away the historical dross.
NetBSD was first, or rather second, as a fork of 386BSD. Everything else came from splitters. And it's not 4.3FreeBSD. Omit the 'Free' part and you're closer.
FreeBSD is a modern fork of BSD where they decided to not emphasize portability. It's historically an ugly x86-only kludge like Linux where they abandoned an open architecture, and only later bolted on 'cross platform' support.
Rules (Score:1)
The first rule of getting infected by ransomware is you do not fund the criminals.
The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.
Re: (Score:2)
"It's impossible to discover the source of the ransomware, but it might be possible to track the money"
So why has there been no case in which this has actually worked?
Re: (Score:2)
Because it is a low priority case with a high resource investment needed to solve. It is why hitting that hospital was such a bad idea. Someone's home PC is irrelevant; potentially killing someone in a hospital is hugely important.
Re: (Score:3)
> The first rule of getting infected by ransomware is you do not fund the criminals. The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.
The FIRST rule of ransomware is understanding that you own a computing device capable of connecting to the internet. Therefore, you should fucking know what the word backup means.
Failure of that basic rule will ensure that you will be forced to make hard decisions about funding criminals when no one should be forced to even question that in the first place.
Re: (Score:2)
> The first rule of getting infected by ransomware is you do not fund the criminals.
> The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.
The first rule of ransomware is restore from backups.
The second rule of ransomware is don't worry, that's why we have backups.
tagging sarcasm (Score:1, Troll)
"That last bit is tongue in anonymous cheek."
Inability to get sarcasm and irony, or even just humor (without tags, cue cards, laugh tracks, etc.), seems to be widespread and growing here on Slashdot, in the USA in particular, and in the West in general.
One faces all sorts of nastiness if attempted: modded down, branded for "hate speech", etc. No wonder several comedians are boycotting universities.
This seems to be linked to the regrowth of political correctness and sheepish acceptance of so-called 'liberal', elitist
Re: (Score:2)
Sarcasm can only be expressed if you know the thoughts of an individual (such as a character in a book), through verbal intonation or body language. There are people who would say something like in seriousness so you can't just assume that someone was being sarcastic when they say something that sounds silly to you, especially when it's a stranger.
Ah, The Reactionary GOTOs (Score:2, Informative)
> This seems to be linked to the regrowth of political correctness and sheepish acceptance of so-called 'liberal', elitist ideology by the Western young. Bankrupt irrational ideas can't tolerate humor that shows their absurdity.
And the lickspittles of the conservative elite bleat whatever cliches their paymasters order up.
Blow me, reactionary mouthpiece.
Re: (Score:2)
Thing is, for a lot of us, humor is how we deal with stress, and there is no such thing as a non-stressful government interaction. It's all a recipe for disaster.
Uhh? (Score:3, Funny)
This appears to be a doubly-impossible scenario as both Linux and Mac are secure by default.
Re: (Score:1)
Well, because it wouldn't work on Linux is why it was ported to Mac.
Re: (Score:3)
People have been using vulnerabilities in CMS and forum software (and their plugins) to attack web and mail servers with this ransomware. I know it's hit some schools and small companies.
Re: (Score:3)
For example, most of my work is continuously backed up to iCloud and Dropbox. iCloud for Apple Apps, and Dropbox for LaTeX, Python and other stuff. My computers are backed up by Time Machine, especially my photography machine.
It would seem for most stuff, a simple wipe and restore would fix the problem. I suppose for some enterprise customers it would be a problem, but if people are not
2016 is the year of the Linux desktop (Score:2, Funny)
Because someone has finally figured out how to make money using Linux!
Re: (Score:1)
The Anti Virus industry are making a good living out of malware. It's similar to a drug pusher distributing free samples to get people hooked before coming after them for revenue.
Re:Note to readers: That last bit is tongue in che (Score:4, Interesting)
No it isn't, it's editorialising. And it's inappropriate.
No it isn't, it's a clarification. Wording a bit
"(Note to readers: That last bit is tongue in anonymous cheek.)"
The phrase 'tongue in cheek' is an idiom meaning in (sarcastic or ironic) jest that risks being misunderstood if it is broken up. Could also have been worded,
"(Note to readers: That last bit is anonymous' tongue-in-cheek.)"
The real problem is that anonymous wrote a summary as a series of factual sentences --- but then added a sarcastic comment at the end in the same style, so there is no clear cue that it is a sarcastic comment. I figured it out by what was said and empathizing with the writer, but editors strive for clarity, even if they feel the need to interrupt your flow by adding a comment of their own. Try to make the editor's job easier. Try this, anonymous,
"[...] uploaded to GitHub by a Turkish security researcher. So... obviously, the conclusion is that GitHub is to blame [...]"
You have two tone-changers that set the sarcasm aside, even bring attention to it. "So..." is a pause-for-irony that cues readers that they are now listening to the author's voice, and italics underscore the tone change. You can also add ", right?" to make sarcasm crystal clear. So... now that fucktard blowhard Hocus is giving style advice, right?
what do you think will generate more traffic? being a part of the technology community, or garbage that makes people angry?
What if we're talking about discussion, not website traffic? Isn't that a community? And what if technology itself contains a lot of garbage that makes people angry?
Like dumbfuck LED indicators on modern tech devices that are supposed to indicate network and disc access, but blink late, on simple blink-on-blink-off timers, extended by capacitors until tiny blips disappear, on by default to add useless 'glow' to your room and dim (slowly) to indicate activity (fuck that shit). Or completely software driven so the indication is late or bogus. Like my AT&T Uverse modem which is the stupidest modem in the world with indicators as useless as CSS 'Loading...' animation on web pages, noise and fury signifying nothing. The modem can completely lock up while the front panel still shows the useless thumb-sucking blinky-state the software left it in. Like no one wants to lay down a single PCB trace from controller chip to LED anymore, it's too... fucking... difficult.
That's garbage. And Slashdot is the place to discuss it.
Re: (Score:2)
> but then added a sarcastic comment at the end in the same style,
> so there is no clear cue that it is a sarcastic comment.
Only Americans need a clear cue. To the rest of the English-speaking world, it's fucking obvious.
Presumably, that's why you invented the devastatingly ingenious sarcasm style of saying something stupid or obviously false, pausing for a few seconds and then yelling "NOT!!!!"
Linux ransomware torments Mac users? (Score:2)
Re: (Score:1)
An SSH daemon that doesn't allow root logins still runs as the root user so it can setuid to other users when they log in.
That and you don't really need to be root on a server, you just need to break into any administrator's user account and trick them into logging in, or wait. You'd do that anyway to be able to log into other systems. Set their PATH to "~/.hax0red:$PATH". Fill up a disk, run the cpu up or consume memory with something appearing to be vi, or eat lots of IO, that'll drive them nuts. One t
Re: (Score:2)
It's disguised as a video of Natalie Portman, naked and petrified.
Damn... showing my age there... for the young'uns - the reference is to an issue of the long defunct comic strip Userfriendly in which the "evil genius" Petr spreads a version of Microsoft's Clippy (a satanic paperclip which tried to take over the world and bring about the apocalypse -not in the comic in real life) as a plugin for the VI editor by disguising it as such a video.
Re: (Score:1)
Mae Ling Mak was 'naked and petrified' in the meme.
Newbies latched on to Portman for some reason. Possibly did Mae Ling sue somebody??
Re: Linux ransomware torments Mac users? (Score:4, Informative)
In this case, by someone hacking the installer to a BitTorrent client, hacking the server that distributes it, and signing it with a valid Apple developer cert and swapping their version in. Then hoping no one notices until the few days pass before it does its job and triggers. That last part didn't happen. Apple patched the built-in anti-malware, the company released a new version that removes the malware, and it was only downloaded about 6,500 times before disappearing. Unless any of those machines stayed completely off the internet in that time, it probably didn't strike anyone in the wild. That's what being "tormented" by a Trojan Horse looks like on the Mac.
Re: (Score:3)
Hacking the installer?
I thought the binary itself was infected (well the app bundle) that required just the app dropped from the dmg file onto the system and executed.
Programs like Transmission do not need installers. Anyone looking to put a simple utility on their system should look at .pkg installer files with a great deal of suspicion.
Re: (Score:2)
As I understand it, the installer was "hacked" with a compromised version. If you already had the client installed and it automatically updated itself, you were not at risk.
Re: (Score:2)
That's the thing. There was no installer. Just an application on a disk image. Drag and drop it into your App folder.
An "Application" on OS X is really a directory with ".app" as an extension with the MacOS binary and supporting files in it. The Transmission binary was altered to launch the payload which was disguised as an rtf file in the directory. This is worse than what I've seen in the past - MPlayerX is a well-known video player that comes packaged with an installer. The author of that decided he
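The bundle layout described in the comment above suggests a simple defensive check, given here as an added example that is not part of the original thread: walk a `.app` directory and flag any file whose extension claims to be a document but whose first bytes are a Mach-O or universal-binary header. The bundle name, file names and extension list are constructed for illustration.

```python
import os
import tempfile

# First four bytes of Mach-O and universal ("fat") binaries as stored on disk.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # 32-bit, both byte orders
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # 64-bit, both byte orders
    bytes.fromhex("cafebabe"), bytes.fromhex("bebafeca"),  # universal (fat)
}
# Extensions that should never hold native code (assumed list; extend as needed).
DOC_EXTENSIONS = {".rtf", ".txt", ".pdf", ".png", ".jpg", ".html"}


def find_disguised_executables(bundle_path):
    """Return bundle-relative paths of document-named files that start with a Mach-O header."""
    hits = []
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DOC_EXTENSIONS:
                continue
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue  # do not follow links out of the bundle
            try:
                with open(full, "rb") as fh:
                    magic = fh.read(4)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if magic in MACHO_MAGICS:
                hits.append(os.path.relpath(full, bundle_path))
    return sorted(hits)


def build_sample_bundle(parent):
    """Create a constructed Example.app with one genuine RTF and one mislabelled binary."""
    app = os.path.join(parent, "Example.app")
    samples = {
        ("Contents", "MacOS", "Example"): bytes.fromhex("cffaedfe") + b"\x00" * 28,
        ("Contents", "Resources", "ReadMe.rtf"): b"{\\rtf1\\ansi Hello}",
        ("Contents", "Resources", "Notes.rtf"): bytes.fromhex("cffaedfe") + b"\x00" * 28,
    }
    for parts, data in samples.items():
        path = os.path.join(app, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_disguised_executables(build_sample_bundle(tmp)))
```

The main binary under `Contents/MacOS` is not flagged because it has no document extension; only the mislabelled resource is reported.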
oh no - how the candidates will weigh-in... (Score:1)
trump will want to buy github outright before his election,
cruz will say he'll eliminate github when he's the prez,
rubio will want to give github a lifetime greencard; but will tell it differently in English and Spanish,
kasich can't spell g-i-t-h-u-b,
sanders will want to nationalize github,
and clinton will have chelsea leer at github until it gives the 'clinton crime family foundation' a donation.