OS X Malware Demands $300 FBI Fine For Viewing, Distributing Porn
An anonymous reader writes "A new piece of malware is targeting OS X to extort money from victims by accusing them of illegally accessing pornography. Ransomware typically uses claims of breaking the law and names law enforcement (such as the CIA or FBI) to scare victims, but it is usually aimed at Windows users, not Mac users. The security firm Malwarebytes first spotted this latest threat, noting that criminals have ported the ransomware scheme to OS X and are even exploiting a Safari-specific feature. The ransomware page in question gets pushed onto unsuspecting users browsing high-trafficked sites as well as when searching for popular keywords."
Ok? (Score:5, Insightful)
I thought we were past the "being surprised that apple products get malware" stage years ago. This seems like a pretty run-of-the-mill scam. I can't really see what's notable about it. Someone help?
Re: (Score:2, Funny)
Apple never have bugs, everything is perfect. Move along now, citizen.
Re: (Score:2, Funny)
You know the "x on the internet" effect in which it is somehow more novel than x by itself?
Well "x on a mac" effect is even worse.
Re: (Score:3, Funny)
Don't let the patent office hear that.
Re:Ok? (Score:5, Informative)
It's not malware. It's just a webpage.
Gullibility isn't OS-specific.
Re: (Score:2)
Safari isn't OS-specific either, but the primary Safari market is OS X users. So if it's exploiting Safari, then it's probably aimed at Mac users.
Re: (Score:2)
Re:Ok? (Score:5, Informative)
there's no payload and no exploit involved. it's just a webpage that opens another webpage when you try to close it.
Re:Ok? (Score:5, Insightful)
Re:Ok? (Score:4, Informative)
Re: (Score:2)
Based on another article I read, it only works in the Safari browser.
Re: (Score:3, Informative)
It was demonstrated on Safari, but apparently it works on Chrome as well. And I'd say it'll probably work on Firefox too.
It's especially annoying since the browser helpfully restores your last session when they crash, so this site and its 150 popups make it persistent indeed.
Re: (Score:2)
Exactly my first thought. This isn't malware; there is nothing particularly OS X about it.
FTFY (Score:4, Insightful)
I thought we were past the "being surprised that websites get hacked" years ago.
This is not malware, it's a hacked site with annoying javascript. The only news here is how desperate some people are to show that OSX is vulnerable to malware - even when the malware never is installed on the system...
Re: (Score:2)
It is malware, it's just not running from a platform usually used for such things.
I guess you think that the various ms word worms aren't malware because they are scripts that run on ms word.
(And yes, those ms word worms are viruses because they are infecting an executable code, even if it's something most people don't realize is executable code. And executable code does not mean
Re: (Score:2)
> I guess you think that the various ms word worms aren't malware because they are scripts that run on ms word.
No, they are all located on your system. And they have wide access to your system.
Javascript going a bit wild is not malware, any more than any advertisement or popup is. It's just a hacked site.
Re:FTFY (Score:4, Insightful)
> It is malware, it's just not running from a platform usually used for such things.
True, but the important point is the platform in question is not OS X and it is somewhat disingenuous to pretend it is. The platform is "any web browser that automatically reloads the last visited site if you force it to quit".
Re:FTFY (Score:4, Interesting)
No, I am saying OS X is much LESS vulnerable to malware, and that some people are desperate to make it SEEM as though OS X gets malware to the same extent PC's do even when facts do not bear that out.
So desperate in fact, that they jump the gun and claim a Javascript hack is the same as system level malware... all because they didn't simply try to look at the facts at what it was, just react to the presence of "OSX" in the headline.
Re: (Score:2)
I thought the annoying thing about the infection was the ransom notice put up by the bad guys.
Apparently not since the headline was about OS X even though the "malware" is cross-platform thanks to it being only in a web browser.
Don't look at me, chide the person who wrote the article and summary.
Re: (Score:2)
I guess on the bright side, semen being on the keyboard isn't a huge concern compar
Re: (Score:3, Insightful)
Re: (Score:2)
Malware (Score:5, Informative)
Re: (Score:2)
In a minor sense, since the javascript is software.
really there should be a good way to kill the page without resetting everything in the browser.
Re: (Score:2)
Re: (Score:2)
You could enable the "Develop" menu in preferences and then select "Disable JavaScript" on the problematic page without having to reset anything (you could also open the JavaScript console and stop it). This really has nothing to do with OS X and isn't even browser-specific. There's, of course, a browser-specific answer to it (it only takes a few minutes to create a Safari plug-in to block it).
Re: (Score:2)
But MACS!!! ARE!!! NOT!!! IMMUNE!!! TO!!! BAD!!! THINGS!!! is way catchier.
Filter: I know it's yelling, I am trying to make a point here.
Re: (Score:2)
The definition in the article is "ransomware is malware which restricts access to the computer it infects, spamming the user with prompts that demand a ransom paid for functionality to be reinstated"
I'd say it qualifies. It restricts access to the computer. Malware usually follows the KISS principle better than most other software, which is one of the reasons why it can become so widespread even though a commercial software package can be a pain in the ass to get it to work. If your software absolutely, pos
Safari related bug (Score:2)
Clever use of a bug in Safari, who would have thought of that.. I'd say the US should be able to knock out this site in a few minutes, by using the provisions in the SOPA act. Right?
Sounds like... (Score:3)
Comment removed (Score:3, Insightful)
Re: (Score:2)
A lot of this comes from the effort of MS to turn the web browser into an application front end, and many of the legitimate uses are
obviously fake (Score:2)
Law enforcement is never that straightforward and efficient.
Re: (Score:2)
Or that cheap.
Not malware (Score:2, Informative)
It's just a site that uses javascript to try and keep you from leaving, which is hard to get out of on safari because if you forcequit safari, safari "recovers" the page when you open it again.
Re:Not malware (Score:5, Informative)
Hold down "Shift" when you re-launch Safari - that'll solve that problem.
Art (or spam) imitates life? (Score:2)
The cynic in me wonders how long before this stops being malware and starts being efficient delivery of government policy.
Does not appear to be Safari-specific (Score:4, Informative)
It takes advantage of Safari's "restore last window" feature, which is optional (though on by default in some versions) and also available in Firefox and Chrome (and possibly also on by default in some versions.)
And the OS X version is limited to a browser, as opposed to the Windows versions (which I've seen) which lock you out of the whole OS and can be VERY hard to get around.
The author's suggestion is to reset Safari (as in, clear cache, remove cookies, etc.) but wouldn't you also just be able to turn off the "restore session" option and then force-quit and relaunch? Also, you could relaunch, and press 'escape' or 'command-period' repeatedly to keep the page from loading.
Disable JavaScript (Score:2)
Disable JavaScript[1], close page, there's no step 3.
[1] Preferences -> Security Tab -> uncheck 'Enable JavaScript'
Re: (Score:2)
Or just select the Reset Safari menu option.
See: http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/ [malwarebytes.org]
So Safari is broken? (Score:2)
Re: (Score:2)
There's a simple menu option to reset Safari, which completely eliminates the lingering web page. See: http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/ [malwarebytes.org]
Re: (Score:2)
You can turn off that behavior in the app Preferences, which is not locked out by this "malware." Also, hold shift while launching Safari after the force quit, and it won't re-open to last visited.
Desperate (Score:2)
Calling this malware is a pretty desperate stretch.
We've had these for years (Score:2)
Re: (Score:3)
2003 called, they wanted their scaremongering back.
If you use OSX and practice safe computing (that means NO JAVA FOR YOU), then yea, you're tough as nails to crack. No OS is idiot-proof, though.
The same can't be said for many variants of Windows, especially those still using XP where inserting an infected thumb drive will wreak havoc on your system, hell no, on your entire enterprise network.
Re: (Score:2)
If your 2013 enterprise network is vulnerable to infection spread from a Windows XP machine... trust me, the cause isn't that an unpatched Windows XP installation caught a cough.
Re: (Score:2)
Absolutely no contest there, man, although that doesn't mean it does not happen.
Our hospital network just changed from a major XP install to a Seven one, and most clients are running WITH admin privileges. Hey, that's not a bad thing on my side: I'm just a practicing MD, but I bet my workstation is far safer than everyone else's because I can fix the dumb stuff they did via GPOs.
Re: (Score:2)
Oh it happens, of course. Did happen in the company I work for. However, only the workstations themselves got infected, nothing did spread over the network
Re: (Score:2)
Re: (Score:3)
Our corporate Macs which I maintain have an antivirus installed due to policy, but the only thing it ever finds is Windows viruses that arrive via email attachments that manage to get through the email gateway scanner.
The #1 thing that protects our Macs: The user does not have administrative credentials.
The #2 thing that protects our Macs: Applications are all deployed via a centrally managed repository, which allows for #1.
Re: (Score:2)
> The user does not have administrative credentials.
Ditto on all versions of windows released in the last 7 years.
Re: (Score:2)
XP is more than a decade old. Let's compare XP to a similar vintage of OSX -- what would that be, 10.3? 10.2?
Re: (Score:2)
XP is still on about 40% of Windows machines. The Windows user culture is a big part of why they have a much worse malware problem.
Re: (Score:2)
>Also, last time I inserted any USB into my XP box, it popped up a dialog asking what I should do with it.
Then I have two pieces of bad news for you: one, you're not up to date on your security patches, namely disabling autorun from removable drives, and two, you are one social engineering step away from being infected. That's how it starts, you click on an icon that looks like a folder but you're actually running malware.
Re:Not so Invulnerable now, huh...? (Score:5, Funny)
This isn't malware. It's a javascript on a web page.
Calling this malware is like calling a firecracker a weapon of mass destruction.
Re: (Score:3)
So the GP's point still stands then, any platform with a web browser isn't immune to malware or malware-like scams.
Re: (Score:2)
Is it? A malware program like this has been attacking Windows computers lately. It scans IPs for port 3389 (remote desktop) and then tries to brute force into the system. Once it's inside, it runs a script that RARs all your files with a huge random password. Then they demand a $2000 ransom to recover it.
It happened to a customer of mine who "refused to run a VPN because it slowed things down" and had port 3389 open to the public. There are also scans on port 5900 (VNC server).
To be fair: neither an antiviru
Re: (Score:2)
This isn't that malware. This is just an annoying bit of javascript.
Re: (Score:2)
It is convenient for some to call this OSX malware, it's called hyperbole [wikipedia.org] and it's disgusting whoever uses it to fearmonger.
Now that I've insulted everyone but Mac users, hopefully they'll keep me from being modded into oblivion
No, still pretty invulnerable... (Score:5, Informative)
No product is totally invulnerable. But it's a simple fact that an OSX user can go a long, long time before ever seeing a virus or malware.
That said - this is not an example of the OS being vulnerable, the whole "malware" is Javascript that takes over Safari a bit, basically a hacked website. I'm not even sure if it works if you have popup blocking on. The computer is never compromised.
Re: (Score:2)
> No product is totally invulnerable. But it's a simple fact that an OSX user can go a long, long time before ever seeing a virus or malware.
A user can go a long time without seeing virus and malware in OSX because OSX holds 7.18% of the market as opposed to Windows 7 and XP at a combined total of 81%.
If I were to write malicious code with the intent to prey on the gullible and make quick money which OS would I target?
Re: (Score:2, Insightful)
> A user can go a long time without seeing virus and malware in OSX because OSX holds 7.18% of the market as opposed to Windows 7 and XP at a combined total of 81%.
Who cares why it is true when it *is* true?
It's still the case that by far a non-technical user is vastly safer running a Mac.
> If I were to write malicious code with the intent to prey on the gullible and make quick money which OS would I target?
Obviously people too stupid to choose the safer, instead of the more popular, choice.
Re: (Score:3)
> A user can go a long time without seeing virus and malware in OSX because OSX holds 7.18% of the market as opposed to Windows 7
That's just the deluded nonsense of a Lemming.
There have been virus ridden minority platforms before. This was quite common back when there were actually other platforms to choose from. Operating systems in those days were much less robust. Viruses were common because those platforms suffered from similar nonsense that Windows does now.
Windows is crap. It gets viruses because it
Re: (Score:2)
Re: (Score:2)
Whatever it takes to make you sleep better. But the illogic of that has long been shown (e.g., compromised web servers used to be nearly all IIS despite it having a minority share -- yeah, times have changed, but that just further illustrates that "market share" is not a controlling factor). Your overly facile argument reveals how little you know of the business.
In reality malware was originally written by people trying to show off their "super skills" or who had a grudge of some sort. By and large they wer
Re: (Score:2)
On paper Windows has always been more secure than Mac OS. It isn't the OS
1) A user community that upgrades quickly
2) A willingness to break backwards compatibility
3) Apple's ability to get their community to fall in line if there is a crisis
4) A community with a heavy percentage of computer enthusiasts.
etc... means that Apple doesn't have the problems that Windows does.
Re: (Score:3)
Re:Not so Invulnerable now, huh...? (Score:5, Funny)
> Just a rouge website with some crafty Javascript!
What does the color of the web page have to do with anything?
Re: (Score:2)
Re: (Score:2)
"The Rouge Rogue" sounds like a supervillain from the 1950s!
Re: (Score:2)
Different viruses. The one for Windows attacks through the RDP port. I've seen scans on port 5900 too. Nothing would keep a similar virus from attacking a Mac if you run any sort of remote access and a weak password.
The virus for Windows encrypts your files and demands a ransom. Nothing would keep a similar virus from doing the same on a Mac, since you don't need admin privileges or any sort of exploit to manipulate your own files.
Re: (Score:2)
> The virus for Windows encrypts your files and demands a ransom. Nothing would keep a similar virus from doing the same on a Mac, since you don't need admin privileges or any sort of exploit to manipulate your own files.
Almost certainly would be a trojan rather than a virus in that case.
Mind you, it's a bit rich to equate "Macs don't get viruses" (true) with "Macs are immune to all forms of malware" (patently false).
Re: (Score:2)
There is no meaningful distinction between a "trojan" and a "virus". The old, simplistic application of the terms "trojan", "virus" and "worm" never really made that much sense, but it is pretty meaningless now. Each of those designations simply refers to a method of infection and nothing prevents multiple vectors from being employed. And plenty of malware does that. In fact, the majority I run across do none of those things.
The predominant vector in use today is malvertising. It generally exploits a vulner
Re: (Score:2)
That's pretty much my point - Macs may not get viruses in the traditional sense of the word, but the computer virus in its traditional sense is more-or-less extinct. They're sure as hell vulnerable to malware, which is a far better term for modern use.
Re: (Score:2)
> Nothing would keep a similar virus from attacking Mac if you run any sort of remote access and a weak password.
It's funny you should mention that because I run a daemon that checks /var/log for suspicious activity. When it finds something that looks like a brute force attack, it blocks the attacker with a firewall rule.
Now this thing is a nice ready made app available through my distro's standard repos. But in the old days, I cobbled the same thing together with a bash script.
If you aren't operating un
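The log-watching approach described in the comment above, sketched as an added example that is not part of the original thread or the commenter's script. The log lines are constructed samples, and the threshold, the sshd message format and the `iptables` rule are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: threshold-based brute-force detection over auth log lines.
# All log lines are constructed (documentation IP ranges), not real data.

THRESHOLD=3   # assumed: failed logins from one source before it is flagged

sample_log() {
cat <<'EOF'
Jul 16 10:01:02 host sshd[411]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jul 16 10:01:04 host sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jul 16 10:01:05 host sshd[412]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Jul 16 10:01:07 host sshd[413]: Failed password for root from 203.0.113.7 port 50130 ssh2
Jul 16 10:02:11 host sshd[414]: Failed password for alice from 198.51.100.20 port 40030 ssh2
Jul 16 10:02:30 host sshd[415]: Failed password for invalid user test from 192.0.2.55 port 33100 ssh2
Jul 16 10:02:31 host sshd[415]: Failed password for invalid user x from 10.9.9.9 port 1 ssh2 from 192.0.2.55 port 33102 ssh2
EOF
}

# stdin: log lines; stdout: one source IP per failed login.
# The user name is supplied by the remote client, so it can contain text that
# looks like "from <ip>" (last sample line). Only the fixed tail of the message
# ("from IP port N ssh2") is trusted, which keeps a forged address in the user
# name from getting an innocent host blocked.
failed_sources() {
  awk '/sshd\[[0-9]+\]: Failed password for / &&
       $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" &&
       $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $(NF-3) }'
}

# stdin: log lines; stdout: sources with at least THRESHOLD failures.
offenders() {
  failed_sources | sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# stdin: IPs; stdout: the firewall rules that would be applied (dry run only).
block_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

sample_log | offenders | block_rules
```

A real deployment would also need an allowlist for your own addresses and an expiry for old blocks, so that a mistyped password does not lock out a legitimate user permanently.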
Re: (Score:2)
Good for you. I use port knocking.
But for the non-tech folk out there who just thought it was going to be cool to be able to check his home computer from work, you can't blame him for trying. Maybe he thought clicking "enable remote access" didn't have such heavy security implications.
We learn from our own mistakes. Given your 4 digit UID, I seriously doubt your record is spotless. I'm sure you had a system or two compromised until you learned to become almost paranoid about security.
Not a virus, how does your foot taste? (Score:5, Insightful)
Pretentious? Or maybe just realistic? (Score:3)
I love how the Windows users get *so* irritated when Mac users point out to them how their machines generally "just work" without all the virus and malware hassles, need for (often costly) anti-virus software and subscriptions, etc.
The only people I see really trying to "pound some sense" into OS X users to use anti-virus software are the companies hawking the stuff.
I use both Windows machines and Macs practically every day. I work in a corporate environment where we're pretty much a 50/50 mix of both platf
Re: (Score:2)
Has it occurred to you that PC users get nailed all the time while Mac users mostly don't. They are pretentious because it is justified by experience.
And no a misbehaving website is not going to "pound sense into them" because they are being quite sensible.
Re: (Score:2)
What good does anti-virus software even do? Every machine I have come across that is infected has an up to date av package on it. It doesn't even slow down an infection anymore.
Re: (Score:3)
A proper anti-virus should work quietly behind the scenes. There's no such thing as a fool-proof AV any more than there's a 100% effective vaccine. For every infected machine we have, we have several dozen more that report blocking infections or at least crippling the malware.
Re: (Score:2, Flamebait)
Re: (Score:3)
Are you saying you don't use an AV on any of your machines?
Re: (Score:3, Informative)
Well, I certainly don't. As far as I am concerned, it is the same attitude you hear when people say "But we have to do something!!!". It doesn't work. Don't bother. Use a more secure browser. Use an ad-blocker. Have a decent firewall installed. These will help. Perhaps you can enlighten us on which Antivirus program you use on the networks you manage. Then tell us which infections it stopped. I have customers who own solutions from Symantec, VIPRE, Kaspersky, McAfee, AVG, Avira, and Trend (among ot
Are you sure? (Score:2)
> [...] and so far Windows Defender and MS Internet Essentials have blocked everything.
That you know about...
Re: (Score:2)
I've been running OSX since 10.1 no anti-virus no problems. And since then: wife, daughter, parents, inlaws, friends.
OSX people mostly don't get viruses. They aren't immune but they are rare and Apple often handles them on their end.
Re: (Score:2)
Perhaps you should become aware of XProtect.
Re: (Score:3)
If "any old one would do" then you should realize that unless they are running an ancient version of OS X, all Macs have antivirus built in. Apple added it several years ago and updates it regularly.
Re: (Score:2)
It's more of a liability issue, that's why we're not too concerned with which AV they use. They sign off on their computer being protected, and if it gets infected, it's on them. Most people bitch about having to sign off on having some form of malware protection because "it's a Mac"
Re: (Score:2)
Re: (Score:2)
A pre-installed antivirus is worse than useless.
Note, for example, that MSSE was a perfectly good antivirus until Microsoft baked it into Windows 8. Then, surprise surprise, it started failing every AV comparatives, because every virus was compiled specifically to evade detection.
Let's put it another way. If every OSX box has the same anti-virus updated on the same schedule, why would anyone release a virus for OSX that didn't 1) evade current detections and 2) break the updating mechanism so that it can't
Re: (Score:2)
You can't break the updating mechanism. That runs in a protected mode applications don't have access to it. That's one of the differences between capabilities and permissions, which NT supports too but Microsoft can't use as aggressively because of worries about backwards compatibility.
Re: (Score:2)
Right, that's not because these users are not aware that there's a threat of getting some kind of malware on their machine. This is because the problems caused by the antivirus software are as bad as the problems caused by a virus, so basically, you're asking them to guarantee that they have something malicious on their system, rather than simply having a 1 in a million chance that they do.
Re: (Score:2)
... and copyright infringement is a tort, not a crime.
Re: (Score:2)
Re: (Score:2)
I find a surprising number of people who don't know the difference, not just dumb people but even those with normal intelligence who are competent in their fields.
Perhaps we can illustrate with movie examples. CIA = Jason Bourne, assassin we send abroad to kill foreign nationals who create trouble for the U.S. gov't. They only operate outside the USA, as they are forbidden by law to spy on or kill anyone inside the USA.
FBI = Jodie Foster in Silence of the Lambs, police who catch criminals inside the USA. The
Re:makes sense (Score:4, Insightful)
Still bitter about that Mac user stealing your girlfriend, I see...
Re: (Score:2)
Wow. 1999 called. They want their meme back.
Re: (Score:2)
echo 'Mac user here.'
echo 'Hello!'
sudo killall -u slashmydots
echo 'Goodbye!'