Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
OS X Encryption Security Apple

Proof-of-Concept Ransomware Affects Macs (vice.com) 163

sarahnaomi writes: Ransomware, the devilish family of malware that locks down a victim's files until he or she coughs up a hefty bounty, may soon be coming to Mac. Last week, a Brazilian security researcher produced a proof-of-concept for what appears to be the first ransomware to target Mac operating systems (Mac OS X). On Monday, cybersecurity company Symantec verified the researcher's findings. "Mabouia is the first case of file-based crypto ransomware for OS X, albeit a proof-of-concept," Symantec wrote in a blog post. "It's simple code, I did it in two days," [said] the creator of the malware.
This discussion has been archived. No new comments can be posted.

Proof-of-Concept Ransomware Affects Macs

Comments Filter:
  • That's special... (Score:5, Insightful)

    by Aaden42 ( 198257 ) on Tuesday November 10, 2015 @02:30PM (#50903335) Homepage

    Great! You can encrypt some files. You're amazing!

    Show me a zero-click network infection vector, then I'll be a little worried. Yes, I've already removed Flash and never installed Adobe Reader. No, getting me to execute an email attachment (after disabling Gatekeeper) doesn't count.

    • zero-click? that is a very low bar to set given that most of the ransomware that plagues windows these days is zero-click.
      • Re: (Score:2, Insightful)

        by macs4all ( 973270 )

        zero-click? that is a very low bar to set given that most of the ransomware that plagues windows these days is zero-click.

        In case you haven't noticed, OS X appears to be somewhat (read: Insanely) more Robust in that regard than any version of Windows to date.

        I offer as proof the fact that we are at SIXTEEN YEARS of OS X, without a single infection that did not exclusively rely on Social Engineering and active participation by the User.

        • Re: (Score:2, Insightful)

          by andydread ( 758754 )
          what you are deliberately leaving out is that OS X has a fraction of the marketshare of windows and that is the main reason.
          • by Anonymous Coward

            Millions of users over a decade and a half should have produced at least something. But you keep on enjoying your superior market share, dude...

            McDonald's is prolific but that doesn't make it "the best food."

          • Comment removed based on user account deletion
            • by Gr8Apes ( 679165 )
              And yet Linux just got it's first malware target also. And how big is that desktop market compared to OS X?
              • And yet Linux just got it's first malware target also. And how big is that desktop market compared to OS X?

                Actually, not to pick on poor ol' Linux (it means well, afterall!); but there are quite a few ACTUAL Viruses [wikipedia.org] (rather than Trojans, which any OS is vulnerable to) listed for Linux, as opposed to, um ZERO (EVER!) for OS X. To be fair, most of these have been rendered ineffective by Updates; but...

                And OS X has been out nearly as long as Linux, and has TEN TIMES the marketshare (especially on the Desktop).

                • by Gr8Apes ( 679165 )
                  OSX has been out since 2001. I was running Slackware v2.1 back in 1994. So there's a significant difference there, but yes, Apple is leaps and bounds beyond all Linux versions combined on the desktop, and for good reason. Apple is also estimated to be near 10% in desktops, which is a huge number considering the size of the market and that they were less than 2% 10 years ago.
                • have you clicked and read the descriptions of ANY of those? osx has had just as many of these "viruses that require the user to be stupid AND do most of the virus' work".

                  btw, does "flashback" ring any bells? it forced apple to remove the "doesn't get pc viruses" from its "why you'll love a mac" page.

                  http://www.welivesecurity.com/... [welivesecurity.com]
                  http://securitywatch.pcmag.com... [pcmag.com]

            • When I used to use a Mac, security updates came in via Software Update every week or two. There obviously were security holes galore in the operating system (and don't get me started on early versions of Safari automatically downloading and opening files without asking permission first...), it's just nobody bothered exploiting them.

              I agree that that was a boneheaded Default, and it amazed me even more that it persisted even after the weakness was pointed-out. However, as you know, the fix was simple: Uncheck the checkbox.

              However, I believe you would agree that we are LONG-past the "Security Through Obscurity" point with OS X (and really never were there with iOS); and now are FAR into the "Look at Me! I actually Infected a Mac!" bragging-rights territory (e.g. TFA). So, it is pretty clear that OS X really DOES have some serious Secu

              • by tnk1 ( 899206 )

                CVE-2015-6988 - CVSS score 10.0
                https://web.nvd.nist.gov/view/... [nist.gov]

                The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.

                That's just the highest score. I'm not sure why you think OS X does not have any scores above 2. There are large numbers of CVEs above 2.

          • by guruevi ( 827432 )

            The funny thing is that marketshare keeps coming up but Linux has had a greater marketshare for the last decade as far Internet-connected devices go. Mac has been increasing but there is no proportional increase in attacks on either Linux kernel or OS X or BSD/Solaris/...

            • The LInux kernel is extremely widespread, but mostly in Android phones and tablets, embedded devices, and servers. If you're looking to target desktops and laptops, it has very little marketshare. Android does seem to have its share of security problems, most crackers don't care about embedded devices, and servers tend to be administrated competently (whether Linux or Windows).

          • what you are deliberately leaving out is that OS X has a fraction of the marketshare of windows and that is the main reason.

            If smaller marketshare is the main reason OS X has much less malware than Windows, isn't that still a compelling reason to buy a Mac? Let all the cheapskates who want to save a few hundred bucks on their computer deal with the mass insecurity.

          • by cfalcon ( 779563 )

            Windows apologists have been saying this for going on two decades, yet the fact remains that Windows still has drive by owning showing up a few times a year, and essentially no other platform does- even phones don't suffer from this often or ever, and there's sure as shit plenty of those.

            This is a Windows problem. It's not because there aren't enough OS X, or enough Linux, or enough ios, or enough Android. It's because Windows.

            It's always been because Windows.

          • by jedidiah ( 1196 )

            This nonsense again.

            Anyone who wasn't born yesterday is well aware that older platforms with smaller market share and a smaller number of total users were ripe environments for all manner of malware.

            That "market share" argument simply doesn't agree with actual real world results.

    • Great! You can encrypt some files. You're amazing!

      Show me a zero-click network infection vector, then I'll be a little worried. Yes, I've already removed Flash and never installed Adobe Reader. No, getting me to execute an email attachment (after disabling Gatekeeper) doesn't count.

      I'm with you.

      I've been Flash-Free on my MBP since I bought it in 2013, and same with Adobe Reader.

      I've only missed Flash a couple of times, but not enough to make me want to install it; as as for Adobe Reader, I think that recent versions of Preview are actually getting better than Reader for most things.

      What really pisses me off are the sites that won't play a video without Flash on OS X; but if I visit the same site with my iPad, it happily plays the video (without using Flash, of course)! WTF is up

      • by Aaden42 ( 198257 )

        Setting your User-Agent to something that looks iThing-ish is sometimes enough to get sites to serve their mobile versions with MP4 based video instead of flash.

        • Setting your User-Agent to something that looks iThing-ish is sometimes enough to get sites to serve their mobile versions with MP4 based video instead of flash.

          Too much work to get around someone else's sloppy coding; but thanks for the tip!

          • Safari > Preferences > Advanced > Show Develop menu in menu bar

            You only need to do that once to enable the new menu. After that, if a website gives you "Flash is required to view the video", try the following:

            Develop > User Agent > Safari iOS X.X - iPad

            If the website does support iOS/iPad, it'll be sending your browser HTML5 code linked to a standard H.264 video file that will play without any problem.

            Fight for your bitcoins! [coinbrawl.com]

            • Safari > Preferences > Advanced > Show Develop menu in menu bar

              You only need to do that once to enable the new menu. After that, if a website gives you "Flash is required to view the video", try the following:

              Develop > User Agent > Safari iOS X.X - iPad

              If the website does support iOS/iPad, it'll be sending your browser HTML5 code linked to a standard H.264 video file that will play without any problem.

              Fight for your bitcoins! [coinbrawl.com]

              Cool, thanks! Maybe I'll give that a try. I have to admit, I do far more web-browsing on the iPad than my MBP anyway, though.

    • Yeah, I never understood the need to install Reader on a Mac. Probably most people did it by accident when installing something else. Flash isn't a problem as long as it can't run without asking first.

  • Just to note... (Score:5, Informative)

    by Ecuador ( 740021 ) on Tuesday November 10, 2015 @02:33PM (#50903379) Homepage

    This is NOT a proof of concept of stealth ransomware using some 0-day exploit etc. You have to actually download it, choose to run it, close the warning box that is popping up to warn you exactly of this sort of software. That's where I stopped reading, I mean, most competent programmers can write a program that ransom your documents in two days. Heck, I bet there are some who in two days of coding could even manage to bundle in a multi-level FPS game. The hard part is to get ransomware to run without the user explicitly installing it.
    Unless I am missing something, in which case you can enlighten me..

    • Re: (Score:2, Insightful)

      by tepples ( 727027 )

      The idea is that anyone could take this program, disable the warnings, and combine it with some exploit package to create ransomware.

      • by mark-t ( 151149 )

        How would you propose that the the program disable those warnings, exactly?

        Here's a tip for you that you evidently were not aware of, those warnings that pop up aren't being issued by the software.

      • The idea is that anyone could take this program, disable the warnings, and combine it with some exploit package to create ransomware.

        But, point is, that's the hard part. Doing what this guy did isn't particularly difficult. It's not a "proof of concept" if most programmers could easily figure it out on their own.

        • Re: (Score:2, Insightful)

          Most grade school kids could figure this out:

          man openssl

          Combine OpenSSL with a little AppleScript, and voila, you have the same "proof of concept" that TFA is basically showing. What a fucking joke.

          • Most grade school kids could figure this out:

            man openssl

            Combine OpenSSL with a little AppleScript, and voila, you have the same "proof of concept" that TFA is basically showing. What a fucking joke.

            The fix is simple. Just find another vulnerability in openssl and use it to recover the key used to encrypt the data.

      • That's been true all along. As the OP said, many of us here are confident in our ability to write ransomware in somewhere between a couple of hours and a couple of days, simply because the actual software is rather trivial to write. After all, it's just a matter of encrypting pretty much everything on the drive and then sending the key off to a destination you control. The hard part is in delivering the ransomware to your victims, and nothing about this proof-of-concept changes any of that. The people writi

        • by KGIII ( 973947 )

          While I did author a variety of programs for my own use a long time ago (think 1990s in C) and have done some other programming over the years - including some horrific stuff in Perl, even *I* could write this in a couple of days if properly motivated to do so. Err... Can I write a wrapper for PHP and have it display a web page and then use that code internally? I might be able to do it a little quicker. I do hope that such is not allowed, by the way.

          Wow... That would be all too easy. The reason being, the

    • by phantomfive ( 622387 ) on Tuesday November 10, 2015 @02:50PM (#50903535) Journal

      I mean, most competent programmers can write a program that ransom your documents in two days.

      The big question I'm having right now is why it took him two days. Did he get distracted by Foosball?

    • Yeah this story is a bit silly. What concept was proved, exactly, that Macs can run encryption software?

      Still, it is a reminder that bad things can happen on any computer, so have regular backups, test those backups, and don't store the backups right next to your main system.

      Lately I've seen a lot of people with "back ups" to read/write network storage, where the machine pushes it's backup to a network drive it can write to. No bueno. Ransomware will encrypt any accessible network drives too, so your "back

    • Re:Just to note... (Score:5, Insightful)

      by MachineShedFred ( 621896 ) on Tuesday November 10, 2015 @03:11PM (#50903761) Journal

      Hey look! I have a "proof of concept" too!


      #!/bin/bash
      openssl aes-256-cbc -in ~/Documents/* -out ~/ransom.aes -d -pass $up3r$ecretPassw0rd!

      Pay me or you'll never see your documents again!

      • Re: (Score:2, Funny)

        by Anonymous Coward

        can some one help me, I couldn't get this installed...

      • by KGIII ( 973947 )

        Damn you! That works in Linux! How much do I owe you for the password???

      • by Ecuador ( 740021 )

        Pay you? How? My bitcoin wallet was in ~/Documents!!!

    • Sounds much like the honor system virus. You send an email to someone that politely asks them to randomly delete half the files on their hard disk and forward it to ten friends. (I believe it's the only virus I have ever propagated, but obviously I can't be sure.)

    • Agreed. It would be worse if it was able to circumvent some of the sudo protections, or if it was able to also lock Time Machine backups, or exposed some social engineering flaw in the install procedure that lulls users into a false sense of security, and so on. It just reinforces the principle of never installing software from dodgy sources, and even trusted sources require a bit of wariness.

  • to get his ransomware I have to download the file. launch it, give it administrator rights, type in my admin password.

    ZOMG we are all gonna die!!!!!!

    Come on, there has to be an exploit that get's completely around all security and can install silently on OSX. are these guys not trying?

    • by cfalcon ( 779563 )

      Don't forget that you have to use a Microsoft product. No exploit, even one with all these hoops, is complete without a Microsoft product in the loop.

  • We already know that the typical Mac users is naive "there are no viruses for Mac!" and we also know there's a whole niche market of Apple users with more money than brains. I expect these people to haul in more money than the Windows ransomeware guys.
    • We already know that the typical Mac users is naive "there are no viruses for Mac!" and we also know there's a whole niche market of Apple users with more money than brains. I expect these people to haul in more money than the Windows ransomeware guys.

      It is not "naive" to be aware that there are currently no "No user intervention required" viruses for OS X or iOS. It is the truth.

      It IS "naive" to NOT be aware that there ARE a few (very few!) pieces of Malware that require a Social Engineering component and User Intervention to install. HOWEVER, Mac users are (justifiably) secure in the knowledge that, before these can infect more than a few dozen Macs, Apple will push out a detector-blocker into XProtect (which runs on every OS X machine running Snow L

      • by NoZart ( 961808 )

        I manage 1200 windows systems at my work. The only infection i ever had to fight in the last 3 years was a "User-intervention-required" virus. Your point being?

    • We already know that the typical Mac users is naive "there are no viruses for Mac!" and we also know there's a whole niche market of Apple users with more money than brains. I expect these people to haul in more money than the Windows ransomeware guys.

      One potential problem - those Apple users with more money than brains also probably bought a Time Capsule backup device (because it's shiny and Apple says you need one and here's my credit card!), which means they've got constant incremental backups of all their files. Ransomware pops up, just roll back to pre-encryption.

    • by fermion ( 181285 )
      Apple users with too much money also have real time incremental backup in terms of time machine, have money to buy space on Dropbox, and have music backed up on Apple and Amazon. It might be worth $100 to some to buy the password and save the few hours it might take to restore a computer, but for many of us we simply will switch to our second or third Mac for use while the ransomed machine is restoring. I mean if you have a huge project that has to be completed that day and you are going to lose $1000 for
  • If not for the ongoing application compatibility issues with El Capitan :)
  • Interview with the malware's creator: http://news.softpedia.com/news... [softpedia.com]
  • Time Machine, instead of letting it sit in your I'll-get-to-it-someday pile of shit-to-do.

    If Windows users are any indication, they might learn the value of backups by the third formatted hard drive.

    • TimeMachine is a push backup on the same computer. Thus vulnerable to being encrypted too. You want a pull backup from a second system ( maybe with TimeMachine on that secondary computer).
      • by Jeremi ( 14640 )

        TimeMachine is a push backup on the same computer. Thus vulnerable to being encrypted too.

        Only if the malware gains root access -- not that that couldn't happen, of course.

        You want a pull backup from a second system ( maybe with TimeMachine on that secondary computer).

        Another option would be to have two external TimeMachine drives, and only keep one of them connected at any time, and swap them every so often.

    • Actually, it's a reason to periodically use Carbon Copy Cloner to make a bootable exact copy of your HD to an external drive which you mount only for the occasion, rather than leaving it running all the time. It's also a reason to use a VERSIONING online backup service that amounts to a "cloud Time Machine."

  • Am I missing something, or is there not a single hole or bug being exploited here?

    Are we...are we confirming that if a user downloads a program and actively grants it access, it can do things that programs are allowed to do?

    For serious?

    • by cfalcon ( 779563 )

      No, there's a bug in Microsoft Office that is allowing a locally created (not downloaded off the net- the video shows a local exploit) file to run some crap. It's just a standard Microsoft Office virus, except the damage is limited because it's on a Mac.

      Even then, he had to rig the game to look real by running a locally created file- if he had actually downloaded it, there would have been a pop up to that extent. That's why he runs it off the desktop instead of pulling it or clicking it.

      I just think it's

    • I once left SSH enabled with a reasonably guessable account name and password for one account not being used. (I'm at least a little smarter now.) Somebody, apparently from Romania, signed in and ran user-level stuff to bombard someplace in Sweden.

      Clearly, then Ubuntu is hopelessly insecure, since the exact same exploit would work today under the same conditions.

  • If you ever wanted proof that the world is completely chaotic and that there is no God, the fact that ransomware exists is proof enough in my book.

  • Not a lot of details, but seems to be yet another example of a malicious Microsoft Office macro virus. Requires the end user to open a malicious Office document, don't say how this leads to running the actual payload.
  • One important detail is left out- by running this locally, he skips the part where it warns you about running stuff off of the net. And of course, it's not so much an OS X problem as it is a Microsoft Office problem, because that's the vector.

    So OS X can be owned, if you skip OS warnings AND use a Mircosoft product to actually do the owning, which even then can't act at root. Good grief man.

  • "to target Mac operating systems (Mac OS X)"

    no shit, I thought they would target Mac OS 7.01, thanks for the clarification numbnuts

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...