OS X Malware Demands $300 FBI Fine For Viewing, Distributing Porn
An anonymous reader writes "A new piece of malware is targeting OS X to extort money from victims by accusing them of illegally accessing pornography. Ransomware typically uses claims of breaking the law and names law enforcement (such as the CIA or FBI) to scare victims, but it is usually aimed at Windows users, not Mac users. The security firm Malwarebytes first spotted this latest threat, noting that criminals have ported the ransomware scheme to OS X and are even exploiting a Safari-specific feature. The ransomware page in question gets pushed onto unsuspecting users browsing high-trafficked sites as well as when searching for popular keywords."
I thought we were past the "being surprised that apple products get malware" stage years ago. This seems like a pretty run-of-the-mill scam. I can't really see what's notable about it. Someone help?
Is this really malware? It's just a webpage with annoying javascript...
Clever use of a bug in Safari, who would have thought of that... I'd say the US should be able to knock out this site in a few minutes, by using the provisions in the SOPA act. Right?
The CIA is and always has been an intelligence/espionage agency. Blurb is incorrect to call them law enforcement
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
...a good security measure for the guy suing Apple for not filtering the porn he was addicted to.
2003 called, they wanted their scaremongering back.
If you use OSX and practice safe computing (that means NO JAVA FOR YOU), then yeah, you're tough as nails to crack. No OS is idiot-proof, though.
The same can't be said for many variants of Windows, especially those still using XP, where inserting an infected thumb drive will wreak havoc on your system, hell no, on your entire enterprise network.
I've been seeing variations on this one for a year or two now, sometimes connected with the "Yahoo Porn Bug" I wrote about in my journal, sometimes not. The main thing when it comes to a lot of this crap is to explain and assure the public it's bullshit; you'd be amazed how many can be put into panic mode by a letter that looks like it comes from authority, and of course guys getting child porn charges for Simpsons cartoons and manga really doesn't fucking help matters in that regard.
Now I don't know how it is on OSX, but on Windows these kinds of bugs aren't that hard to kill. A good tool for the job I've been trying out in the shop is the Emsisoft Emergency Kit, which is free for personal use but so far looks to be worth the cost of a license if you work in a shop. The whole thing runs on a stick, and so far it seems to be pretty damned good at detecting all kinds of bugs, and its CLI scanner so far has been pretty good at getting around the run blocks some of the malware uses.
This isn't malware. It's a javascript on a web page.
Calling this malware is like calling a firecracker a weapon of mass destruction.
What good does anti-virus software even do? Every machine I have come across that is infected has an up-to-date AV package on it. It doesn't even slow down an infection anymore.
If your 2013 enterprise network is vulnerable to infection spread from a Windows XP machine... trust me, the cause isn't that an unpatched Windows XP installation caught a cough.
No product is totally invulnerable. But it's a simple fact that an OSX user can go a long, long time before ever seeing a virus or malware.
That said - this is not an example of the OS being vulnerable, the whole "malware" is Javascript that takes over Safari a bit, basically a hacked website. I'm not even sure if it works if you have popup blocking on. The computer is never compromised.
Law enforcement is never that straightforward and efficient.
I thought we were past the "being surprised that websites get hacked" years ago.
This is not malware, it's a hacked site with annoying javascript. The only news here is how desperate some people are to show that OSX is vulnerable to malware - even when the malware never is installed on the system...
It's just a site that uses javascript to try and keep you from leaving, which is hard to get out of on Safari because if you force-quit Safari, Safari "recovers" the page when you open it again.
Antivirus - to do what? Your ignorance is astounding and you work in IT? Sigh...
A proper anti-virus should work quietly behind the scenes. There's no such thing as a fool-proof AV any more than there's a 100% effective vaccine. For every infected machine we have, we have several dozen more that report blocking infections or at least crippling the malware.
Are you saying you don't use an AV on any of your machines?
obligatory http://xkcd.com/875/
But this is not Malware! Just a rouge website with some crafty Javascript! The Windows version actually locks the computer and you are forced to re-install Windows! On the Mac version, all you have to do is reset Safari from the menu bar and all is well again! It is very annoying to the end user, but that's all!
How does that foot in your mouth taste? It's not a virus, and not OSX specific - it's just a web page with some annoying Javascript.
Just a rouge website with some crafty Javascript!
What does the color of the web page have to do with anything?
So the GP's point still stands then, any platform with a web browser isn't immune to malware or malware-like scams.
The cynic in me wonders how long before this stops being malware and starts being efficient delivery of government policy.
It takes advantage of Safari's "restore last window" feature, which is optional (though on by default in some versions) and also available in Firefox and Chrome (and possibly also on by default in some versions.)
And the OS X version is limited to a browser, as opposed to the Windows versions (which I've seen) which lock you out of the whole OS and can be VERY hard to get around.
The author's suggestion is to reset Safari (as in, clear cache, remove cookies, etc.) but wouldn't you also just be able to turn off the "restore session" option and then force-quit and relaunch? Also, you could relaunch, and press 'escape' or 'command-period' repeatedly to keep the page from loading.
Still bitter about that Mac user stealing your girlfriend, I see...
Is it? A malware program like this has been attacking Windows computers lately. It scans IPs for port 3389 (remote desktop) and then tries to brute-force its way into the system. Once it's inside, it runs a script that RARs all your files with a huge random password. Then they demand a $2000 ransom to recover it.
It happened to a customer of mine who "refused to run a VPN because it slowed things down" and had port 3389 open to the public. There are also scans on port 5900 (VNC server).
To be fair: neither an antivirus, nor Mac "invulnerability" would protect you from a brute force attack on remote access ports and using your user account to encrypt data. This particular virus doesn't even need administrative privileges to work.
Disable JavaScript[1], close page, there's no step 3.
[1] Preferences -> Security Tab -> uncheck 'Enable JavaScript'
Oops! Should have read: rogue! Oh, but rouge rogue does have a nice ring to it!
Different viruses. The one for Windows attacks through the RDP port. I've seen scans on port 5900 too. Nothing would keep a similar virus from attacking Mac if you run any sort of remote access and a weak password.
The virus for Windows encrypts your files and demands a ransom. Nothing would keep a similar virus from doing the same on a Mac, since you don't need admin privileges or any sort of exploit to manipulate your own files.
Just a rouge website with some crafty Javascript!
What does the color of the web page have to do with anything?
It's from the red light district....
Where can I get a copy of this malware? Tell the FBI to just deposit the $300 in my savings account.
I'm slightly happy the news is making as much of a fuss over this as they are. As IT, I'm tired of people going "It can't be my problem, I have a Mac."
"The Rouge Rogue" sounds like a supervillain from the 1950s!
Well, I certainly don't. As far as I am concerned, it is the same attitude you hear when people say "But we have to do something!!!". It doesn't work. Don't bother. Use a more secure browser. Use an ad-blocker. Have a decent firewall installed. These will help. Perhaps you can enlighten us on which Antivirus program you use on the networks you manage. Then tell us which infections it stopped. I have customers who own solutions from Symantec, VIPRE, Kaspersky, McAfee, AVG, Avira, and Trend (among others I won't take the time to recall). Invariably, those who insist on using IE get infected the most. I have encountered some who get compromised or scammed while using Firefox or Chrome (99% of the time with no ad blocker installed). Not only do the AV packages not stop the infection, but looking in their "quarantine" I never find anything more than tracking cookies. The first rootkit, virus, or whatever that the package encountered was not only not stopped, but crippled the AV.
Often, the AV package is still intact enough to interfere with the proper progress of a legitimate mitigation tool like ComboFix, though.
The customers I have who never get infected? Yeah, they're using Macintoshes, running OS versions between 10.5 and 10.8. Occasionally I see a Mac user who has been tricked into installing MacKeeper (bogus maintenance software) when they don't have an ad-blocker installed. Simple to remove without extra software.
Since when does "fake FBI warning page with some javascript to prevent you from closing it" qualify as "malware"?
It's like the submitter didn't even RTFA...
Even if the user knows it is a fake warning, and even if the user knows it is the site that has been hacked, if Safari will not let the user close the page and move on, it is broken. It should be fixed. Does Safari always restore the old sessions without allowing the user a chance to start fresh sessions? If not it is broken.
This isn't that malware. This is just an annoying bit of javascript.
Calling this malware is a pretty desperate stretch.
Dudes, in Germany and Austria and Switzerland, these scams have been around for years. They usually tell you that your computer has been locked by the police, and that you need to pay a fine in order to get it unblocked. Nothing new here. News at eleven.
Wow. 1999 called. They want their meme back.
Yesterday there was a posting about Chris Sevier suing Apple for causing his porn addiction. Maybe Chris needs to be infected with this malware.
Perhaps you should become aware of XProtect.
The virus for windows encrypt your files and demands a ransom. Nothing would keep a similar virus from doing the same on a mac, since you don't need admin privileges or any sort of exploit to manipulate your own files.
Almost certainly would be a trojan rather than a virus in that case.
Mind you, it's a bit rich to equate "Macs don't get viruses" (true) with "Macs are immune to all forms of malware" (patently false).
Our corporate Macs which I maintain have an antivirus installed due to policy, but the only thing it ever finds is Windows viruses that arrive via email attachments that manage to get through the email gateway scanner.
The #1 thing that protects our Macs: The user does not have administrative credentials.
The #2 thing that protects our Macs: Applications are all deployed via a centrally managed repository, which allows for #1.
I've dealt with the Windows version on a few client PCs. It can be a bit of a PITA, but in the cases I've dealt with it still seemed to be locked to a given user account (and not the OS).
Doesn't make it any less of a PITA to remove from a user account, especially since it buggers permissions, but the easiest way is usually to create a new user, then boot from safe media, and copy/scan the user's old files to the new account.
[...] and so far Windows Defender and MS Internet Essentials have blocked everything.
That you know about...
If "any old one would do" then you should realize that unless they are running an ancient version of OS X, all Macs have antivirus built in. Apple added it several years ago and updates it regularly.
> Nothing would keep a similar virus from attacking Mac if you run any sort of remote access and a weak password.
It's funny you should mention that because I run a daemon that checks /var/log for suspicious activity. When it finds something that looks like a brute force attack, it blocks the attacker with a firewall rule.
Now this thing is a nice ready made app available through my distro's standard repos. But in the old days, I cobbled the same thing together with a bash script.
If you aren't operating under the assumption that you are helpless and the situation itself is helpless, there's actually a lot of stuff that you can do to slow attackers down.
The idea that "it's all about popularity" is one of the most dangerous bits of self-delusion that the Lemming crowd perpetuate. They make it sound like there's no defense when there are a lot of clear and obvious defenses.
The first one is to not be a total idiot and/or tolerate a crap product.
You simply don't have to be trapped into using crapulence you will later feel the need to make excuses for.
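The log-watching daemon described in the comment above (and the remote-access brute-force scenario from earlier in the thread) is easy to reproduce in a few dozen lines. The following is an added example, not the commenter's script or any particular distro package: it parses constructed sshd "Failed password" lines (sample data made up for this example, not real logs), counts failures per source IP inside a sliding time window, and emits the firewall command that would block the offender. The pf and iptables command strings are assumptions about the local firewall; adjust them for your system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines; not taken from a real host.
SAMPLE_LOG = """\
Jul 16 10:00:01 mac sshd[4821]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jul 16 10:00:03 mac sshd[4823]: Failed password for invalid user root from 198.51.100.23 port 51030 ssh2
Jul 16 10:00:04 mac sshd[4825]: Failed password for invalid user test from 198.51.100.23 port 51041 ssh2
Jul 16 10:00:06 mac sshd[4827]: Failed password for root from 198.51.100.23 port 51055 ssh2
Jul 16 10:00:08 mac sshd[4829]: Failed password for admin from 198.51.100.23 port 51060 ssh2
Jul 16 10:00:09 mac sshd[4831]: Accepted publickey for alice from 203.0.113.7 port 40010 ssh2
Jul 16 10:01:12 mac sshd[4840]: Failed password for alice from 203.0.113.7 port 40020 ssh2
Jul 16 10:30:00 mac sshd[4901]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Jul 16 11:45:00 mac sshd[4950]: Failed password for invalid user oracle from 192.0.2.55 port 33002 ssh2
"""

# Matches the OpenSSH failed-password line; "invalid user" is optional because
# sshd only prints it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2013):
    """Yield (timestamp, ip, user) for each failed-login line; ignore everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumed here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_forcers(lines, threshold=5, window_seconds=600):
    """Return {ip: failures_in_window} for every IP that reaches `threshold`
    failed logins inside any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, _user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)
    return flagged


def block_rule(ip, backend="pf"):
    """Firewall command to drop traffic from `ip` (assumed table/chain names)."""
    if backend == "pf":          # OS X 10.7+ and the BSDs
        return f"pfctl -t bruteforce -T add {ip}"
    if backend == "iptables":    # Linux
        return f"iptables -I INPUT -s {ip} -j DROP"
    raise ValueError(f"unknown backend {backend!r}")


if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failures in window -> {block_rule(ip)}")
```

The sliding window matters: 192.0.2.55 fails twice but 75 minutes apart, so with the default 10-minute window it is never flagged, while 198.51.100.23 hits five failures in seven seconds and gets a rule. A real daemon would tail the log, run the command with the right privileges and expire the rule after a while; the pf table name and the thresholds above are choices for the example, not anything the commenter specified.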
It's more of a liability issue, that's why we're not too concerned with which AV they use. They sign off on their computer being protected, and if it gets infected, it's on them. Most people bitch about having to sign off on having some form of malware protection because "it's a Mac"
Right, that's not because these users are not aware that there's a threat of getting some kind of malware on their machine. This is because the problems caused by the antivirus software are as bad as the problems caused by a virus, so basically, you're asking them to guarantee that they have something malicious on their system, rather than simply having a 1 in a million chance that they do.
There is no meaningful distinction between a "trojan" and a "virus". The old, simplistic application of the terms "trojan", "virus" and "worm" never really made that much sense, but it is pretty meaningless now. Each of those designations simply refers to a method of infection and nothing prevents multiple vectors from being employed. And plenty of malware does that. In fact, the majority I run across do none of those things.
The predominant vector in use today is malvertising. It generally exploits a vulnerability to sidestep needing user interaction (what trojans use). They are self-contained (in general do not rely on injecting into an executable for the purpose of propagation the way a "virus" does). They also generally do not scan and attack (what worms do; it is noisy, making it easy to detect and identify the infected system).
Not to say that the trojan technique of fooling users into running the malware is gone (one of the first big OS X targeted campaigns was for a "cracked office suite"; oldie but goodie).
Or that file (and process) injection is not used, but it is generally to hide or perform operational function, not to propagate.
Or that the network is not used -- but despite some lingering scanning the much more common use of the network is for command and control with steganography (use of forums), p2p protocols, custom protocols or even good old fashioned IRC. Increasingly, encryption is used. Bogus traffic may be generated to try and hide the C&C in a haystack.
By the old and simplistic definitions this modern, modular malware is not virus, trojan or worm. Malware is a reasonable enough umbrella term to describe it.
When convenient, simple IEDs get declared WMD, ironically by the same people that say (rightfully) that GWB lied about Iraq having WMDs.
...
It is convenient for some to call this OSX malware, it's called hyperbole and it's disgusting whoever uses it to fearmonger.
Now that I've insulted everyone but Mac users, hopefully they'll keep me from being modded into oblivion
That's pretty much my point - Macs may not get viruses in the traditional sense of the word, but the computer virus in its traditional sense is more-or-less extinct. They're sure as hell vulnerable to malware, which is a far better term for modern use.
Good for you. I use port knocking.
But for the non-tech folk out there who just thought it was going to be cool to be able to check his home computer from work, you can't blame him for trying. Maybe he thought clicking "enable remote access" didn't have such heavy security implications.
We learn from our own mistakes. Given your 4 digit UID, I seriously doubt your record is spotless. I'm sure you had a system or two compromised until you learned to become almost paranoid about security.
I love how the Windows users get *so* irritated when Mac users point out to them how their machines generally "just work" without all the virus and malware hassles, need for (often costly) anti-virus software and subscriptions, etc.
The only people I see really trying to "pound some sense" into OS X users to use anti-virus software are the companies hawking the stuff.
I use both Windows machines and Macs practically every day. I work in a corporate environment where we're pretty much a 50/50 mix of both platforms, and provide I.T. support for both.
Everyone in our dept. will readily tell you that the Macs are FAR less of a support issue, overall, than the Windows PCs. Nothing in this world is absolute, and it's silly for anyone to make claims involving words like "never". So yes, clearly a handful of viruses HAVE been developed over the years just for Macs and running OS X doesn't make you immune to ever getting a piece of malware. But given a typical use-case of employees using their machines on our corporate network for 8 hours every weekday, doing lots of email, editing of documents, printing of documents, online purchasing, research, etc. etc. -- the Macs have so far NEVER been infected with a virus since we've owned them. The Windows machines have caused multiple serious virus outbreaks, requiring days of effort restoring files on the servers.
We actually bought eSET anti-virus for some of our Macs to try it out, but it just didn't make much financial sense in the end. (The OS X version of their product is far behind the Windows edition in ability to do central administration and updates, and it seemed to just be one more thing to use up system resources.)
>Also, last time I inserted any USB into my XP box, it popped up a dialog asking what I should do with it.
Then I have two pieces of bad news for you: one, you're not up to date on your security patches, namely disabling autorun from removable drives, and two, you are one social engineering step away from being infected. That's how it starts: you click on an icon that looks like a folder but you're actually running malware.
echo 'Mac user here.'
echo 'Hello!'
sudo killall -u slashmydots
echo 'Goodbye!'
Absolutely no contest there, man, although that doesn't mean it does not happen.
Our hospital network just changed from a major XP install to a Seven one, and most clients are running WITH admin privileges. Hey, that's not a bad thing on my side: I'm just a practicing MD, but I bet my workstation is far safer than everyone else's because I can fix the dumb stuff they did via GPOs.
A pre-installed antivirus is worse than useless.
Note, for example, that MSSE was a perfectly good antivirus until Microsoft baked it into Windows 8. Then, surprise surprise, it started failing every AV comparative, because every virus was compiled specifically to evade detection.
Let's put it another way. If every OSX box has the same anti-virus updated on the same schedule, why would anyone release a virus for OSX that didn't 1) evade current detections and 2) break the updating mechanism so that it can't be removed in the future?
XP is more than a decade old. Let's compare XP to a similar vintage of OSX; what would that be, 10.3? 10.2?
The user does not have administrative credentials.
Ditto on all versions of windows released in the last 7 years.
Oh it happens, of course. Did happen in the company I work for. However, only the workstations themselves got infected, nothing did spread over the network
Has it occurred to you that PC users get nailed all the time while Mac users mostly don't. They are pretentious because it is justified by experience.
And no a misbehaving website is not going to "pound sense into them" because they are being quite sensible.
I've been running OSX since 10.1 no anti-virus no problems. And since then: wife, daughter, parents, inlaws, friends.
OSX people mostly don't get viruses. They aren't immune, but viruses are rare and Apple often handles them on their end.
You can't break the updating mechanism. That runs in a protected mode; applications don't have access to it. That's one of the differences between capabilities and permissions, which NT supports too but Microsoft can't use as aggressively because of worries about backwards compatibility.
XP is still on about 40% of Windows machines. The Windows user culture is a big part of why they have a much worse malware problem.
So, essentially, you're tickboxing the installation of antivirus software. I'd install ClamXav and tick that box, if it was me. Macs aren't necessarily totally invulnerable, but I've never had active antivirus on my Mac, and I've taken it all over the world and used all sorts of dodgy free WiFi, and never had an issue. The only thing I do is a scan of removable media using Clam if I think it's come from someone who's unlikely to have protection on their Windows box. I put my 3G dongle on my parents' XP laptop (never previously connected to the Internet) and it was infected before I'd had time to download a free antivirus (I forgot that there's a huge difference between being behind a NAT router and plugging in a broadband dongle). Admittedly that was XP, Windows 7 is a lot better, but it is orders of magnitude more likely for unprotected Windows boxes to get infected compared to OSX - and far more likely for infections to spread across corporate networks from Windows boxes.
I've been using computers of various kinds since the mid-80s, including Windows from 2.0 up to 8, Atari, Amiga, various Linux distros and most recently Mac OSX. I wouldn't dream of putting a Windows box into production without antivirus software. I've seen serious virus outbreaks on all of the platforms I've used, apart from Linux and OSX. I've never had active (continuous scanning / file protection) antivirus on Linux or OSX and I've never seen a virus infection. In all my years of supporting friends and family and various corporate systems, I've never had to clean off an infected OSX or Linux box. It's just never happened. So maybe I'm deluded or pretentious, but I'll install active antivirus on my Mac once I've seen a single example of a serious infection in the wild. Until then, I'll keep Clam on standby.
You know, true story - this problem can totally be avoided by using a shell account and text-based browser. Doing it right now. Bam. No malware. No GRAPHICS, but no malware. Thank you, goodnight. Glad to be of help.
You can't break the updating mechanism.
Hosts file / DNS tampering. Oh look, it can't find the update server any more.
Once a virus gets root access, it can do pretty much what it wants unless the entire OS is a walled garden, which OSX isn't (quite yet).
First off you should look at capabilities; it isn't just root for a userspace application. There was a virus in February that did something similar: it pushed the DNS to a Russian server. But it couldn't get to the user access parts. The Apple community responded by putting the fix all over the internet. The people who had it got notified and got the fix. The Russian hackers couldn't stop thousands of sites.
Troll? Seriously? I don't know if it is more ironic that a) I'm using my iPad in responding to an Apple fanboy's overreaction or b) the next comment jokes about essentially the same thing and got up-moded.
In the UK, for instance, for a period of many years door-to-door cold callers would attempt to persuade people to change their energy suppliers. Even if a resident was NOT interested, these callers would claim to need a signature so they could prove they had visited, and get paid.
Just had one of those here in the San Francisco Bay Area, like within the last couple weeks. Claimed to be "checking" that we were "getting the government required 20% discount". Tried to get us to sign a form that would switch our gas supplier from PG&E to some pseudo-ecological-responsibility gas supplier (using the common gas distribution system).
I'd extend that to say that home users are a click away from installing something stupid using UAC. Corporate PCs/Macs are generally more locked down.