Become a fan of Slashdot on Facebook


Forgot your password?
Crime OS X Open Source Security IT Linux

KeRanger Mac Ransomware Based On Linux Forebear, Not Windows 77

An anonymous reader writes: It appears that the KeRanger ransomware that's been tormenting Mac users for the past days is actually based on a ransomware variant that targets Linux servers, and not on a ransomware family coming from Windows. That particular Linux ransomware is also based on an open-source ransomware called Hidden Tear that was uploaded to GitHub by a Turkish security researcher. So obviously, the conclusion is that GitHub is to blame for the KeRanger Mac ransomware. (Note to readers: That last bit is tongue in anonymous cheek.)
This discussion has been archived. No new comments can be posted.

KeRanger Mac Ransomware Based On Linux Forebear, Not Windows

Comments Filter:
  • by Harlequin80 ( 1671040 ) on Wednesday March 09, 2016 @02:36AM (#51664301)

    I would have assumed that it would have come from a Linux or BSD based one rather than a windows one.... The systems are much closer than windows to mac.

    Or am I being overly simplistic?

    • by vux984 ( 928602 )

      Or am I being overly simplistic?

      I'm not 'surprised' by it, but I'd have expected it to be derived from a windows variant, simply because there are so many more of them out there, that I'd have thought someone targeting OSX would be coming from Windows and have familiarity with a windows version, and would make that their starting point.

      Yes the relative similarity of OSX to *nix makes it perhaps slightly less effort to port; but the relative lack of *nix ones means that I'd still have put better odds on a windows port.

    • Isn't OSX based on a side port of Linux anyway?
      • by MikeMo ( 521697 )
        No. It has kind of a complex heritage [], but, essentially, OSX is based on FreeBSD with a Mach-derived kernel. It does come with a load of Linux-originated utilities and code. This is particularly the case of the server variant.
    • Makes sense. MacOS was created from BSD.
    • My exact thought. They are both NIX right?
  • by Anonymous Coward

    The first rule of getting infected by ransomware is you do not fund the criminals.
    The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

    • The first rule of getting infected by ransomware is you do not fund the criminals. The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

      The FIRST rule of ransomware is understanding that you own a computing device capable of connecting to the internet. Therefore, you should fucking know what the word backup means.

      Failure of that basic rule will ensure that you will be forced to make hard decisions about funding criminals when no one should be forced to even question that in the first place.

    • The first rule of getting infected by ransomware is you do not fund the criminals.
      The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

      The first rule of ransomware is restore from backups.
      The second rule of ransomware is don't worry, that's why we have backups.

  • "That last bit is tongue in anonymous cheek."
    inability to get sarcasm and irony, or even just humor, (without tags, cues cards, laugh tracks, etc etc) seem to be widespread and growing here in slashdot and in usa in particular, and west in general.

    one faces all sort of nastiness if attempted; moded down, branded for "hate speech",etc etc. no wonder several comedians are boycotting universities.

    this seem to be linked to regrowth of political correctness and sheepish acceptance of so called 'liberal', elitist

    • Sarcasm can only be expressed if you know the thoughts of an individual (such as a character in a book), through verbal intonation or body language. There are people who would say something like in seriousness so you can't just assume that someone was being sarcastic when they say something that sounds silly to you, especially when it's a stranger.

    • this seem to be linked to regrowth of political correctness and sheepish acceptance of so called 'liberal', elitist, ideology by the western young . bankrupt irrational ideas can't tolerate humor that show their absurdity.

      And the lickspittles of the conservative elite bleat whatever cliches their paymasters order up.

      Blow me, reactionary mouthpiece.

      • Way to show how tolerant and open-minded you are. I love the anti-gay slur at the end, too. I suppose all that talk about gay rights was just a bunch of bullshit to piss off badthinkers. Do as I say, not as I do.
    • This. Just try cracking a joke when you're pulled over by a cop, or when you're going through a security checkpoint at a government building. From first hand experience, I can tell ya that it doesn't end well.

      Thing is, for a lot of us, humor is how we deal with stress, and there is no such thing as a non-stressful government interaction. It's all a recipe for disaster.
  • Uhh? (Score:3, Funny)

    by easyTree ( 1042254 ) on Wednesday March 09, 2016 @04:17AM (#51664505)

    This appears to be a doubly-impossible scenario as both Linux and Mac are secure by default.

    • by Anonymous Coward

      Well, because it wouldn't work on Linux is why it was ported to Mac.

    • by dargaud ( 518470 )
      How widespread is this ransomware on Linux ? Any reports in the wild, or is it just a proof of concept ?
      • by _merlin ( 160982 )

        People have been using vulnerabilities in CMS and forum software (and their plugins) to attack web and mail servers with this ransomware. I know it's hit some schools and small companies.

    • by fermion ( 181285 )
      To take this bit seriously, not secure by default, but the mac use case is not the same for as many MS Window users.

      For example, most of my work is continuously backed up to iCloud and Dropbox. iCloud for Apple Apps, and Dropbox for LaTex, Python and other stuff. My computers are backed up by Time Machine, especially my photography machine.

      It would seem for most stuff, a simple wipe and restore would fix the problem. I suppose for some enterprise customers it would be a problem, but it people are not

  • by Anonymous Coward

    Because someone has finally figured out how to make money using Linux!

  • How does this 'Linux ransomware' get onto the computer without the end user visiting a malicious site and explicidly downloading and installing the program?
    • Magic? Malware delivering pixie fairies? I'd suspect it's the same way this junk ends up on other systems. HINT: it's not always the user doing stupid things directly. How you say? Ah well, lets say your linux admin is a lazy fuck and fails to disable root ssh on a server. And since he's a lazy fuck, he does manual patching instead of using a deployment system. Since he does it the "right way" he misses a box, and leaves a compromised version of openssh or some other shit there. And then someone lev
      • by Anonymous Coward

        An SSH daemon that doesn't allow root logins still runs as the root user so it can setuid to other users when they log in.

        That and you don't really need to be root on a server, you just need to break into any administrator's user account and trick them into logging in, or wait. You'd do that anyway to be able to log into other systems. Set their PATH to "~/.hax0red:$PATH". Fill up a disk, run the cpu up or consume memory with something appearing to be vi, or eat lots of IO, that'll drive them nuts. One t

    • It's disguised as a video of Natalie Portman, naked and petrified.

      Damn... showing my age there... for the young'uns - the reference is to an issue of the long defunct comic strip Userfriendly in which the "evil genius" Petr spreads a version of Microsoft's Clippy (a satanic paperclip which tried to take over the world and bring about the apocalypse -not in the comic in real life) as a plugin for the VI editor by disguising it as such a video.

      • Mae Ling Mak was 'naked and petrified' in the meme.

        Newbies latched on to Portman for some reason. Possibly did Mae Ling sue somebody??

    • by samkass ( 174571 ) on Wednesday March 09, 2016 @09:17AM (#51665101) Homepage Journal

      In this case, by someone hacking the installer to a BitTorrent client, hacking the server that distributes it, and signing it with a valid Apple developer cert and swapping their version in. Then hoping no one notices until the few days pass before it does its job and triggers. That last part didn't happen. Apple patched the built-in anti-malware, the company released a new version that removes the malware, and it was only downloaded about 6,500 times before disappearing. Unless any of those machines stayed completely off the internet in that time, it probably didn't strike anyone in the wild. That's what bein "tormented" by a Trojan Horse looks like on the Mac.

      • by rworne ( 538610 )

        Hacking the installer?

        I thought the binary itself was infected (well the app bundle) that required just the app dropped from the dmg file onto the system and executed.

        Programs like transmission do not need installers. Anyone looking to put a simple utility on their system should look at .pkg installer files with a great deal of suspicion.

        • by fizzup ( 788545 )

          As I understand it, the installer was "hacked" with a compromised version. If you already had the client installed and it automatically updated itself, you were not at risk.

          • by rworne ( 538610 )

            That's the thing. There was no installer. Just an application on a disk image. Drag and drop it into your App folder.

            An "Application" on OS X is really a directory with ".app" as an extension with the MacOS binary and supporting files in it. The Transmission binary was altered to launch the payload which was disguised as an rtf file in the directory. This is worse than what I've seen in the past - MPlayerX is a well-known video player that comes packaged with an installer. The author of that decided he

  • trump will want to buy github outright before his election,
    cruz will say he'll eliminate github when he's the prez,
    rubio will want to give github a lifetime greencard; but will tell it differently in English and spanish,
    kasich can't spell g-i-t-h-u-b,
    sanders will want to nationalize github,
    and clinton will have chelsea leer at github until it gives the 'clinton crime family foundation' a donation.

I use technology in order to hate it more properly. -- Nam June Paik