Slashdot Mirror


Proof-of-Concept Ransomware Affects Macs (vice.com)

sarahnaomi writes: Ransomware, the devilish family of malware that locks down a victim's files until he or she coughs up a hefty bounty, may soon be coming to Mac. Last week, a Brazilian security researcher produced a proof-of-concept for what appears to be the first ransomware to target Mac operating systems (Mac OS X). On Monday, cybersecurity company Symantec verified the researcher's findings. "Mabouia is the first case of file-based crypto ransomware for OS X, albeit a proof-of-concept," Symantec wrote in a blog post. "It's simple code, I did it in two days," [said] the creator of the malware.

163 comments

  1. That's special... by Aaden42 · · Score: 4, Insightful

    Great! You can encrypt some files. You're amazing!

    Show me a zero-click network infection vector, then I'll be a little worried. Yes, I've already removed Flash and never installed Adobe Reader. No, getting me to execute an email attachment (after disabling Gatekeeper) doesn't count.

    1. Re:That's special... by andydread · · Score: 0

      zero-click? that is a very low bar to set given that most of the ransomware that plagues windows these days is zero-click.

    2. Re:That's special... by macs4all · · Score: 2, Insightful

      zero-click? that is a very low bar to set given that most of the ransomware that plagues windows these days is zero-click.

      In case you haven't noticed, OS X appears to be somewhat (read: Insanely) more Robust in that regard than any version of Windows to date.

      I offer as proof the fact that we are at SIXTEEN YEARS of OS X, without a single infection that did not exclusively rely on Social Engineering and active participation by the User.

    3. Re:That's special... by Anonymous Coward · · Score: 0

      These people are like some creepy guy walking around your house rattling windows and doors looking for a way in. Then, when they find it, they want a prize.

      At what point can we just shoot them?

    4. Re:That's special... by macs4all · · Score: 1

      Great! You can encrypt some files. You're amazing!

      Show me a zero-click network infection vector, then I'll be a little worried. Yes, I've already removed Flash and never installed Adobe Reader. No, getting me to execute an email attachment (after disabling Gatekeeper) doesn't count.

      I'm with you.

      I've been Flash-Free on my MBP since I bought it in 2013, and same with Adobe Reader.

      I've only missed Flash a couple of times, but not enough to make me want to install it; as for Adobe Reader, I think that recent versions of Preview are actually getting better than Reader for most things.

      What really pisses me off are the sites that won't play a video without Flash on OS X; but if I visit the same site with my iPad, it happily plays the video (without using Flash, of course)! WTF is up with THAT?!? Is there some secret Flash Cabal, or what?

    5. Re:That's special... by macs4all · · Score: 1

      These people are like some creepy guy walking around your house rattling windows and doors looking for a way in. Then, when they find it, they want a prize.

      At what point can we just shoot them?

      Just ignore them. That's the surest way to get them to go away.

    6. Re:That's special... by Aaden42 · · Score: 1

      Setting your User-Agent to something that looks iThing-ish is sometimes enough to get sites to serve their mobile versions with MP4 based video instead of flash.

    7. Re:That's special... by macs4all · · Score: 1

      Setting your User-Agent to something that looks iThing-ish is sometimes enough to get sites to serve their mobile versions with MP4 based video instead of flash.

      Too much work to get around someone else's sloppy coding; but thanks for the tip!

    8. Re:That's special... by U2xhc2hkb3QgU3Vja3M · · Score: 0

      At what point can we just shoot them?

      Nuke them from orbit - it's the only way to be sure.

      Fight for your bitcoins!

    9. Re:That's special... by U2xhc2hkb3QgU3Vja3M · · Score: 0

      Safari > Preferences > Advanced > Show Develop menu in menu bar

      You only need to do that once to enable the new menu. After that, if a website gives you "Flash is required to view the video", try the following:

      Develop > User Agent > Safari iOS X.X - iPad

      If the website does support iOS/iPad, it'll be sending your browser HTML5 code linked to a standard H.264 video file that will play without any problem.

      Fight for your bitcoins!

    10. Re:That's special... by andydread · · Score: 1, Insightful

      what you are deliberately leaving out is that OS X has a fraction of the marketshare of windows and that is the main reason.

    11. Re:That's special... by macs4all · · Score: 1

      Safari > Preferences > Advanced > Show Develop menu in menu bar

      You only need to do that once to enable the new menu. After that, if a website gives you "Flash is required to view the video", try the following:

      Develop > User Agent > Safari iOS X.X - iPad

      If the website does support iOS/iPad, it'll be sending your browser HTML5 code linked to a standard H.264 video file that will play without any problem.

      Fight for your bitcoins!

      Cool, thanks! Maybe I'll give that a try. I have to admit, I do far more web-browsing on the iPad than my MBP anyway, though.

    12. Re: That's special... by Anonymous Coward · · Score: 1

      Millions of users over a decade and a half should have produced at least something. But you keep on enjoying your superior market share, dude...

      McDonald's is prolific but that doesn't make it "the best food."

    13. Re:That's special... by Anonymous Coward · · Score: 0

      A fraction of the marketshare, but a user base that has a larger disposable income.

    14. Re:That's special... by squiggleslash · · Score: 2

      I notice you have a few AC "Yeah but MacDonalds" responses, so to counter that, may I bolster your point by pointing out that viruses and other malware pretty much rely on network effects. If 95% of people who receive an attachment can't open it, then it's unlikely to get much traction, in much the same way that a biological virus never gets very far when 95% of people are immune and can't pass it on.

      When I used to use a Mac, security updates came in via Software Update every week or two. There obviously were security holes galore in the operating system (and don't get me started on early versions of Safari automatically downloading and opening files without asking permission first...), it's just nobody bothered exploiting them.

      --
      You are not alone. This is not normal. None of this is normal.

    15. Re:That's special... by Anonymous Coward · · Score: 0

      Fight for your bitcoins!

      Ugh, it looks like this is the future of spam. Pay knowledgeable people to write on-topic and helpful posts, but including their spam links. How long before it's automated? :(

    16. Re:That's special... by Anonymous Coward · · Score: 0

      recent versions of Preview are actually getting better than Reader for most things

      I've never found Reader to be better than Preview. I don't use OS X anymore, and Preview for PDFs is one of my majorly missed applications.

    17. Re:That's special... by Gr8Apes · · Score: 1

      And yet Linux just got its first malware target also. And how big is that desktop market compared to OS X?

      --
      The cesspool just got a check and balance.

    18. Re:That's special... by Anonymous Coward · · Score: 0

      Market share be damned! One would think someone like you, a firm MSFT supporter, but more intelligent and more nefarious would repeatedly exploit OS X or Linux or BSD to prove that it is really as vulnerable as you purport it to be in the last 15 years, but that hasn't happened. There was Shellshock via CGI last year. There's the ongoing OpenSSL nightmare. There are poorly maintained PHP/Wordpress servers, too. What else you got?

    19. Re:That's special... by macs4all · · Score: 2

      When I used to use a Mac, security updates came in via Software Update every week or two. There obviously were security holes galore in the operating system (and don't get me started on early versions of Safari automatically downloading and opening files without asking permission first...), it's just nobody bothered exploiting them.

      I agree that that was a boneheaded Default, and it amazed me even more that it persisted even after the weakness was pointed-out. However, as you know, the fix was simple: Uncheck the checkbox.

      However, I believe you would agree that we are LONG-past the "Security Through Obscurity" point with OS X (and really never were there with iOS); and now are FAR into the "Look at Me! I actually Infected a Mac!" bragging-rights territory (e.g. TFA). So, it is pretty clear that OS X really DOES have some serious Security chops, and really DOESN'T have any "Serious" Vulnerabilities.

      Look at the CVE List. On OS X, NOTHING rises above a 2.x on their "Severity" Scale. Nothing.

      Now compare that to Windows. Even Windows 10...

      That's not "Obscurity". It's good Design.

    20. Re:That's special... by guruevi · · Score: 1

      The funny thing is that marketshare keeps coming up but Linux has had a greater marketshare for the last decade as far as Internet-connected devices go. Mac has been increasing but there is no proportional increase in attacks on either Linux kernel or OS X or BSD/Solaris/...

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    21. Re:That's special... by macs4all · · Score: 1

      recent versions of Preview are actually getting better than Reader for most things

      I've never found Reader to be better than Preview. I don't use OS X anymore, and Preview for PDFs is one of my majorly missed applications.

      You must've come along after say, Tiger. In Tiger and before, Preview was ok; but lacked stuff like Highlighting and Annotations. It started to get better in Leopard (10.5), and by Snow Leopard, was getting pretty good.

      So, begging the question: Why don't you use OS X "anymore"?

    22. Re:That's special... by Anonymous Coward · · Score: 0

      Windows is low hanging fruit because a 12 year old can hack into it with no social engineering required.

      That kid couldn't do that with any other OS.

      Windows is the most attacked because it is the easiest.

    23. Re:That's special... by fustakrakich · · Score: 1

      Yeah, I never understood the need to install Reader on a Mac. Probably most people did it by accident when installing something else. Flash isn't a problem as long as it can't run without asking first.

      --
      “He’s not deformed, he’s just drunk!”

    24. Re:That's special... by Arnold+Reinhold · · Score: 1

      what you are deliberately leaving out is that OS X has a fraction of the marketshare of windows and that is the main reason.

      If smaller marketshare is the main reason OS X has much less malware than Windows, isn't that still a compelling reason to buy a Mac? Let all the cheapskates who want to save a few hundred bucks on their computer deal with the mass insecurity.

    25. Re:That's special... by Anonymous Coward · · Score: 0

      You must have missed all of the Pwn2Own contests. Mac OS has fallen first in every one due to insecure software.

    26. Re:That's special... by macs4all · · Score: 2

      And yet Linux just got its first malware target also. And how big is that desktop market compared to OS X?

      Actually, not to pick on poor ol' Linux (it means well, after all!); but there are quite a few ACTUAL Viruses (rather than Trojans, which any OS is vulnerable to) listed for Linux, as opposed to, um ZERO (EVER!) for OS X. To be fair, most of these have been rendered ineffective by Updates; but...

      And OS X has been out nearly as long as Linux, and has TEN TIMES the marketshare (especially on the Desktop).

    27. Re:That's special... by cfalcon · · Score: 1

      Windows apologists have been saying this for going on two decades, yet the fact remains that Windows still has drive by owning showing up a few times a year, and essentially no other platform does- even phones don't suffer from this often or ever, and there's sure as shit plenty of those.

      This is a Windows problem. It's not because there aren't enough OS X, or enough Linux, or enough ios, or enough Android. It's because Windows.

      It's always been because Windows.

    28. Re:That's special... by Gr8Apes · · Score: 2

      OSX has been out since 2001. I was running Slackware v2.1 back in 1994. So there's a significant difference there, but yes, Apple is leaps and bounds beyond all Linux versions combined on the desktop, and for good reason. Apple is also estimated to be near 10% in desktops, which is a huge number considering the size of the market and that they were less than 2% 10 years ago.

      --
      The cesspool just got a check and balance.

    29. Re:That's special... by jedidiah · · Score: 1

      This nonsense again.

      Anyone who wasn't born yesterday is well aware that older platforms with smaller market share and a smaller number of total users were ripe environments for all manner of malware.

      That "market share" argument simply doesn't agree with actual real world results.

      --
      A Pirate and a Puritan look the same on a balance sheet.

    30. Re: That's special... by ganjadude · · Score: 1

      how many are repeat buyers?

      --
      have you seen my sig? there are many others like it but none that are the same

    31. Re:That's special... by tnk1 · · Score: 2

      CVE-2015-6988 - CVSS score 10.0
      https://web.nvd.nist.gov/view/...

      The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.

      That's just the highest score. I'm not sure why you think OS X does not have any scores above 2. There are large numbers of CVEs above 2.

    32. Re:That's special... by Anonymous Coward · · Score: 0

      All of them required user fuck up

    33. Re:That's special... by greenfruitsalad · · Score: 1

      have you clicked and read the descriptions of ANY of those? osx has had just as many of these "viruses that require the user to be stupid AND do most of the virus' work".

      btw, does "flashback" ring any bells? it forced apple to remove the "doesn't get pc viruses" from its "why you'll love a mac" page.

      http://www.welivesecurity.com/...
      http://securitywatch.pcmag.com...

    34. Re:That's special... by Gr8Apes · · Score: 1

      Every single one of those is a trojan or malware that requires user interaction to install. No viruses per se. Nothing like the many Windows variants in the past. No situation where merely connecting your machine to the internet caused your machine to be infected with any number of worms, viruses, malware, etc via the standard OS installation.

      --
      The cesspool just got a check and balance.

    35. Re:That's special... by macs4all · · Score: 2

      You must have missed all of the Pwn2Own contests. Mac OS has fallen first in every one due to insecure software.

      You must've missed at least the last two.

      Windows (IE) fell first in both years. OS X itself never did fall. Safari fell on the second day during both years, due to two exploits.

      In the early Pwn2Own contests, OS X (or rather some apps running under OS X) fell first due to three factors:

      1. Everyone wanted to OWN (that is "Win") the MacBook Pro being given away.

      2. Flash

      3. Adobe Reader

      But you will note that Flash and Adobe Reader have not been included as part of an OS X standard build for several years now.

      So, if Apple can simply tighten-up Safari a bit (and in 2014, only one team was even able to exploit anything on OS X (that being Safari)), they might even survive the next Pwn2Own.

    36. Re:That's special... by david_thornley · · Score: 1

      How many viruses (as opposed to trojans and malware that requires user interaction) are there for recent versions of Windows, say 7 through 10? Windows used to leak like a sieve, but Microsoft has put a lot of work into security over the years.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

    37. Re:That's special... by david_thornley · · Score: 1

      The Linux kernel is extremely widespread, but mostly in Android phones and tablets, embedded devices, and servers. If you're looking to target desktops and laptops, it has very little marketshare. Android does seem to have its share of security problems, most crackers don't care about embedded devices, and servers tend to be administrated competently (whether Linux or Windows).

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

    38. Re:That's special... by doccus · · Score: 1

      Actually I think OSX is LESS secure in part due to the fact that almost NOBODY has any malware protection. That makes the market share excuse entirely irrelevant as there are actually MORE susceptible macs than PCs.

    39. Re:That's special... by macs4all · · Score: 1

      CVE-2015-6988 - CVSS score 10.0 https://web.nvd.nist.gov/view/...

      The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.

      That's just the highest score. I'm not sure why you think OS X does not have any scores above 2. There are large numbers of CVEs above 2.

      Wow! you are exactly right! I don't know what I was doing; but I was obviously not "filtering" the CVE Results correctly, sorry!

      However, and again I might be looking at the list incorrectly; but when I went to check on the (frankly eye-popping) list of OS X Vulnerabilities for 2015, I couldn't find any that were UNRESOLVED. Is there a way to find a list of Vulnerabilities on the CVE List that you can Filter on whether there was a Solution? Because as it stands, it looks like Apple has cleared up everything as of OS X 10.11.1, iOS 9.0.1 (IIRC) and WatchOS 2.01, and that there are no "outstanding Vulnerabilities".

      Is that true?

    40. Re:That's special... by Anonymous Coward · · Score: 0

      From my perspective, Windows users have a permanent (at this point, what else could it be?) inferiority complex not unlike any number of car companies that (even though there most assuredly has been a recent fall from grace -bonehead moves more than anything; things that would never have gotten past the napkin stage when Soichiro Honda was alive.) begin their ad by comparing their product to Honda. Either "Our product is better than Honda because Hondas _______" or "Our product is just as good as Honda because ___________" generally followed by some absurdity by J.D. Powers (must mean lie in some English dialect somewhere).

      From the constant Windows is just as good as a Mac (Look, we have a GUI too! Look, we have a mouse too! Look, you can run Photoshop or inDesign on a Windows machine too!) to the "Apple doesn't do anything original" (because your beige box (and yes, I am aware that the original Mac WAS beige; it WAS also 1984!) is so full of the original work of whom?) to the "Apple locks everything down" (Don't know UNIX and don't want to learn, I can't help you.) and now, there seems to be a constant barrage of shouting at the misinformed masses looking for a refuge from the seemingly endless fear mongering stream concerning malware threats (I can't wait to hear someone tell someone that their friend's friend's car got hacked!) presented in incomprehensible gobbledygook by a tv talking head with the same or even less education and/or knowledge looking to sound as authoritative as Walter Cronkite that they read on the internet that Apple is no better than any beige box so please, please, don't buy one.

      The fact is that what Steve Jobs and his team at NeXT added to the already excellent work of Ken Thompson and Dennis Ritchie and their team (Thompson and Ritchie made something so extraordinary that one might find a huge embedded system controlling the spin of the earth and the moon and not be surprised!) made something extraordinary but incomprehensible to Joe and Jane SixPack into something that "Just Works" and Apple bought it and called it OS X. Moses, himself, did not attract as much attention as Steve Jobs returning to a moribund Apple with what might as well have been stone tablets. What has been added since has made it even better but if you have not used it, I can't help you. The worst of all the signs of the inferiority complex is this whole "throw everything and let's see if something sticks!!" that is currently in vogue. The arguments are fatuous: if you need more security, you do not run TO Windows, you run AWAY from Windows to OpenBSD (ironically, all about security) or to the NSA's Linux distro. They are not more secure because they have a smaller installed base, they are more secure because UNIX was built with security in mind from the first day. I am not against Windows; however, Windows DOES HAVE REAL PROBLEMS and they need to fix them and all the shouting about "OH! Look! OS X is not totally secure after all" will not change that.

      Before someone brings it up, the argument that everything (and it does seem that Windows people believe that everything Apple ever made was created at P.A.R.C) Apple sells is the product of the work at P.A.R.C. it should be noted that the argument is more the product of misinformation than anything and lawyers and courts may make decisions concerning laws but they do not change history by fiat. Douglas Engelbart did not work at P.A.R.C -he only delivered a lecture there-; he worked at the Stanford Research Institute where he did the work that is attributed to P.A.R.C. and AFAIK Jobs never met him or visited SRI. Thus, without going into further detail, LISA was not a plagiarized ALTO. Indeed, if LISA was developed, made production ready, and sufficient units manufactured for sale to begin in January 1983 then Apple's R&D people were miracle workers indeed -the machine was not just the GUI and the work that (and I am sure the arguments he had to fight and win with Jobs) Woz put into it is annoyingly overshadowed by the use of the GUI c

    41. Re:That's special... by tnk1 · · Score: 1

      Unfortunately, I don't know that they provide this information in a specific field in the NVD. I mostly get remediation information from our scanner reports or by reading the actual responses/bulletins.

      I know that the CVSS v3 specification has a Remediation Level field, but that hasn't been rolled out yet.

      It is good that Apple seems to be cleaning up vulnerabilities, although it should be noted that fixing the problems only takes effect if the users are running a version of the software that is patched with the fixes. Apple, I am sure, does its best to ensure updates are installed, but providing a fix does not actually clean the system unless used.

      If you want to see pretty graphs and a bit easier read, you can look at: http://www.cvedetails.com/prod...

      It's a third party site, so you want to backcheck what information it provides, but it should give you data about any product you like. Apple has 102 products listed there, which includes iOS and OSX, but also things like Bonjour and applications it provides.

    42. Re:That's special... by oldmac31310 · · Score: 0

      Problem with the constant updates and the way Apple is now almost forcing the updates on users is that as in my case just when I have fixed the problems that previous updates to Yosemite caused to some of the software I use (i.e. made the applications completely stop working), they are now more or less forcing El Capitan on me. If and when I do upgrade, it will be a few versions in as earlier versions have caused numerous problems for many people in Mavericks and Yosemite. There must be a way to turn off software update (I am willing to take my chances) as there used to be, but Apple have made it hard to find that option. There are constant update nags that appear in a distracting way at the top right of the monitor. Very annoying...

      --
      http://www.acetonestudio.com

    43. Re:That's special... by macs4all · · Score: 1

      have you clicked and read the descriptions of ANY of those? osx has had just as many of these "viruses that require the user to be stupid AND do most of the virus' work".

      btw, does "flashback" ring any bells? it forced apple to remove the "doesn't get pc viruses" from its "why you'll love a mac" page.

      http://www.welivesecurity.com/... http://securitywatch.pcmag.com...

      Are you stoned or just stupid?

      Both of your lists show NO Malware that did not rely EXCLUSIVELY on Social Engineering AND DIRECT USER INTERACTION to Infect the host computer (Mac). That is a Trojan, not a Virus.

      That is in stark contrast to the Wikipedia list, which nicely categorized the Linux Malware into Trojans, Worms, etc.

      NEXT!

    44. Re:That's special... by macs4all · · Score: 1

      How many viruses (as opposed to trojans and malware that requires user interaction) are there for recent versions of Windows, say 7 through 10? Windows used to leak like a sieve, but Microsoft has put a lot of work into security over the years.

      My work W7 laptop (fully patched, running both MSE and Avast!) got drive-by Toolbars and adware-crap in Every single Browser (IE 9, Chrome and FF) except Safari for Windows. And I am VERY careful about not clicking/installing stuff. NONE of these things raised the interest of any of my AV suiteS (plural). And that doesn't even count the weekly AV popups I would get simply out of the blue, JUST because I visited some innocent-looking site, or sometimes seemingly for no reason whatsoever.

      Then, a couple of months ago, there was a coworker (again, fully-patched, W7, running MSE and AVG) who SOMEHOW dragged-in a Ransomware virus (again, with NO user intervention required) that walked through our network, encrypting the files on about three of our (again fully patched, MSE and AVG-protected) Windows Servers (these were 2008 R2 and an older 2003 server). If I hadn't had a good backup, we would have been out around 63,000 files.

      So yeah, drive-by viruses still exist for "modern" Windows variants. And I dare you to prove otherwise.

    45. Re:That's special... by macs4all · · Score: 1

      Problem with the constant updates and the way Apple is now almost forcing the updates on users is that as in my case just when I have fixed the problems that previous updates to Yosemite caused to some of the software I use (i.e. made the applications completely stop working), they are now more or less forcing El Capitan on me. If and when I do upgrade, it will be a few versions in as earlier versions have caused numerous problems for many people in Mavericks and Yosemite. There must be a way to turn off software update (I am willing to take my chances) as there used to be, but Apple have made it hard to find that option. There are constant update nags that appear in a distracting way at the top right of the monitor. Very annoying...

      That was hard. I almost broke a sweat searching for a whole minute through two search results to find the better explanation. ;-)

      Yes the nags are annoying; but at your own risk, it is good to see that Apple provides a nice, GUI way to stop the madness...

    46. Re:That's special... by oldmac31310 · · Score: 0

      Ha, ha. Yes, I'm a dumb ass sometimes, my only excuse being that having only very recently upgraded to Yosemite at home and at work, there have been so many other issues to deal with (i.e. just making things bloody well work) that this was one detail that I have put off figuring out. Thanks for saving me the time!

      --
      http://www.acetonestudio.com

    47. Re:That's special... by macs4all · · Score: 1

      Ha, ha. Yes, I'm a dumb ass sometimes, my only excuse being that having only very recently upgraded to Yosemite at home and at work, there have been so many other issues to deal with (i.e. just making things bloody well work) that this was one detail that I have put off figuring out. Thanks for saving me the time!

      We all can be obtuse beneath our IQs sometimes! Sorry for the semi-snarky response!

      To tell you how much I drag my feet with upgrades, I'm still running Mavericks, because I have a BIG Project in Apple Logic that I am afraid to mess up...

      FYI, I ALWAYS tell my Apple Friends to WAIT at least a few "point releases" whenever a new version of OS X (or iOS) comes out. It just seems to work out better that way. Back in the MacOS (Classic) days, it seemed like Apple would "test out" their new Frameworks in the LAST "point release" of the PREVIOUS OS Version (so that, e.g., MacOS 6.8 was essentially equivalent to 7.0); so by the time the new "Major" Release came out, things were a lot closer to "just working" (with notable exceptions, to be sure!). But it seems like that has gone by the wayside in OS X.

    48. Re:That's special... by Gr8Apes · · Score: 1

      If I've said it once, I've said it a thousand times: Windows is unsafe by design, and cannot be fixed. It requires reworking the entire security model in the core, because it was implemented backwards (it is permissive unless restricted, rather than restricted unless explicitly permitted) and is based on a max permission model for the process with filters, rather than a minimum permission model with elevations. I'm sure there's another OS out there somewhere with this backwards security concept, but I'm not aware of it.

      What that means is as soon as you get out of your immediate process's space via an overflow, dynamic DLL injection, or whatever, you can pretty much do what you want. There are fixes, of course: no DLLs will fix one of the biggest issues. Sandboxed processes that run in their own VM is another. If you're getting the idea that the problems are major and real fixes will make it unworkable, then you've just realized the utter security disaster that is Windows.

      --
      The cesspool just got a check and balance.

    49. Re:That's special... by Anonymous Coward · · Score: 0

      Linux runs on more machines than all versions of Windows combined.

    50. Re:That's special... by Anonymous Coward · · Score: 0

      LOL

      That is so wrong.

      It doesn't matter what AV you have installed on any version of Windows, you are susceptible to drive-bys.

      There has never been a successful, in the wild, OSX or Linux drive by.

    51. Re:That's special... by Anonymous Coward · · Score: 0

      Not anymore. Phone+Tablet+Workstations is not a small market share now.

  2. Just to note... by Ecuador · · Score: 5, Informative

    This is NOT a proof of concept of stealth ransomware using some 0-day exploit etc. You have to actually download it, choose to run it, close the warning box that is popping up to warn you exactly of this sort of software. That's where I stopped reading, I mean, most competent programmers can write a program that ransoms your documents in two days. Heck, I bet there are some who in two days of coding could even manage to bundle in a multi-level FPS game. The hard part is to get ransomware to run without the user explicitly installing it.
    Unless I am missing something, in which case you can enlighten me..

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Just to note... by macs4all · · Score: 0, Flamebait

      You have to actually download it, choose to run it, close the warning box that is popping up to warn you exactly of this sort of software.

      So, IOW, nothing to see here, move along.

      Nice Try, Dice/Slashdot. I'm sure you'll get a lot of clicks from mouth-foaming Apple-Haters, though; so good job!

    2. Re:Just to note... by tepples · · Score: 1, Insightful

      The idea is that anyone could take this program, disable the warnings, and combine it with some exploit package to create ransomware.

    3. Re:Just to note... by mark-t · · Score: 0

      How would you propose that the program disable those warnings, exactly?

      Here's a tip for you that you evidently were not aware of: those warnings that pop up aren't being issued by the software.

    4. Re:Just to note... by 93+Escort+Wagon · · Score: 2

      The idea is that anyone could take this program, disable the warnings, and combine it with some exploit package to create ransomware.

      But, point is, that's the hard part. Doing what this guy did isn't particularly difficult. It's not a "proof of concept" if most programmers could easily figure it out on their own.

      --
      #DeleteChrome
    5. Re:Just to note... by phantomfive · · Score: 4, Funny

      I mean, most competent programmers can write a program that ransoms your documents in two days.

      The big question I'm having right now is why it took him two days. Did he get distracted by Foosball?

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Just to note... by macs4all · · Score: 1

      Based on your username, I suspect you're just a Mac cult fanboy, so I expect that these "apple-haters" are just reality-based people. Try being less obvious.

      Try being less of an ANONYMOUS COWARD, COWARD.

    7. Re:Just to note... by Anubis+IV · · Score: 2

      That's been true all along. As the OP said, many of us here are confident in our ability to write ransomware in somewhere between a couple of hours and a couple of days, simply because the actual software is rather trivial to write. After all, it's just a matter of encrypting pretty much everything on the drive and then sending the key off to a destination you control. The hard part is in delivering the ransomware to your victims, and nothing about this proof-of-concept changes any of that. The people writing exploit packages could already have included ransomware if they were so inclined, but they didn't, because they know there's more profit in flying under the radar and selling to others who will get their hands dirty.

      Yes, proofs of concept are flashy, and hopefully this one will help more Mac users to be aware of the dangers they face, but beyond that this whole thing does little more than serve as a publicity stunt.
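The behaviour described in the comment above (bulk rewriting of existing documents with ciphertext) is what defenders key on, whatever the delivery route. The sketch below is an added example, not code from the thread or the article: it flags a process that turns several low-entropy files into high-entropy ones within a short window. The event format, process names, paths and thresholds are all assumptions, and the "ciphertext" is constructed from SHA-256 output rather than produced by any real encryption of files.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed tuning values for this example, not taken from any product.
ENTROPY_THRESHOLD = 7.2   # bits per byte; ciphertext sits near 8, text near 4-5
BURST_COUNT = 3           # suspicious rewrites needed before alerting
WINDOW_SECONDS = 10.0     # sliding window in which they must occur


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for encrypted content: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def is_encrypting_rewrite(before, after) -> bool:
    """True when an existing low-entropy file is replaced by high-entropy data.

    New files (before is None) are ignored, so writing a fresh archive or
    image does not count; only in-place destruction of readable content does.
    """
    if before is None:
        return False
    return (shannon_entropy(before) < ENTROPY_THRESHOLD
            and shannon_entropy(after) >= ENTROPY_THRESHOLD)


def detect_bursts(events):
    """Return {process: sorted paths} for processes exceeding the burst limit.

    Each event is (timestamp, process, path, content_before, content_after).
    """
    recent = defaultdict(list)   # process -> [(timestamp, path)] inside window
    alerts = {}
    for ts, proc, path, before, after in sorted(events, key=lambda e: e[0]):
        if not is_encrypting_rewrite(before, after):
            continue
        recent[proc].append((ts, path))
        recent[proc] = [(t, p) for t, p in recent[proc] if ts - t <= WINDOW_SECONDS]
        if len(recent[proc]) >= BURST_COUNT:
            alerts.setdefault(proc, set()).update(p for _, p in recent[proc])
    return {proc: sorted(paths) for proc, paths in alerts.items()}


def _doc(text: str) -> bytes:
    """Constructed plaintext document body."""
    return (text * 200).encode()


# Constructed sample events: an editor save, an archiver creating a new file,
# a single deliberate encryption, and one process rewriting three documents.
SAMPLE_EVENTS = [
    (0.0, "editor", "/Users/demo/Documents/notes.txt",
     _doc("Meeting notes. "), _doc("Meeting notes, revised. ")),
    (1.0, "archiver", "/Users/demo/Documents/backup.zip",
     None, pseudo_ciphertext(b"zip", 4096)),
    (5.0, "unknown_app", "/Users/demo/Documents/budget.txt",
     _doc("Budget line item. "), pseudo_ciphertext(b"a", 4096)),
    (5.4, "unknown_app", "/Users/demo/Documents/letter.txt",
     _doc("Dear colleague, "), pseudo_ciphertext(b"b", 4096)),
    (5.9, "unknown_app", "/Users/demo/Documents/thesis.txt",
     _doc("Chapter one draft. "), pseudo_ciphertext(b"c", 4096)),
    (300.0, "encrypt_tool", "/Users/demo/Documents/secret.txt",
     _doc("Private text. "), pseudo_ciphertext(b"d", 4096)),
]

if __name__ == "__main__":
    for proc, paths in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {len(paths)} files rewritten with high-entropy data")
        for p in paths:
            print("   ", p)
```

Entropy alone misfires on compressed or already-encrypted formats, which is why the check requires a low-to-high transition on an existing file and a burst from one process.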

    8. Re:Just to note... by macs4all · · Score: 0, Flamebait

      You have to actually download it, choose to run it, close the warning box that is popping up to warn you exactly of this sort of software.

      So, IOW, nothing to see here, move along. Nice Try, Dice/Slashdot. I'm sure you'll get a lot of clicks from mouth-foaming Apple-Haters, though; so good job!

      See? Watch as the Apple-Haters Downmod my Post into oblivion, even though I speak the absolute truth: There IS nothing to see here. This is NOT a reasonable "Proof of Concept"; it is merely CLICKBAIT.

      Sorry to burst your hate-bubble; but OS X has not had a non-Social-Engineered piece of Malware, EVER. And this is since OS X 10.0.0 debuted in 2000.

      Prove me wrong. I double-dog dare you. The last person who tried proudly trotted out a list of MacOS (Classic) Viruses (all SEVEN of them!), all from BEFORE OS X even existed...

    9. Re:Just to note... by MachineShedFred · · Score: 4, Insightful

      Hey look! I have a "proof of concept" too!


      #!/bin/bash
      openssl aes-256-cbc -in ~/Documents/* -out ~/ransom.aes -d -pass $up3r$ecretPassw0rd!

      Pay me or you'll never see your documents again!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    10. Re:Just to note... by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Well, there is the new problem of programmers compiling their software with an infected, not-downloaded-from-Apple version of XCode. I'm not quite sure if Apple can catch 100% of those that get sent to the App Store, but that's one major security risk IMHO. And I say that as an OS X user.

      Fight for your bitcoins!

    11. Re:Just to note... by TheCarp · · Score: 0

      Begrudged Apple hater here (][ Forever motherfucker.... jobs didn't get cancer, he WAS cancer! and don't even start me on lightning connectors and walled gardens....grrrrr fuck apple)

      Anyway, totally agree. Any general purpose computing device can perform these basic functions if programmed to. That encryption and original file deletion and network access were all available on the Mac is quite uninteresting.

      If these are the standards, then I claim prior art as one of the earliest people to have "proven" this when I compiled the RSA libraries on my Apple ][GS in 1996. Either I was 20 years ahead of myself, or this is bullshit....thinking bullshit.

      and I still hate apple and won't buy any of their products.

      --
      "I opened my eyes, and everything went dark again"
    12. Re:Just to note... by MachineShedFred · · Score: 1, Insightful

      Most grade school kids could figure this out:

      man openssl

      Combine OpenSSL with a little AppleScript, and voila, you have the same "proof of concept" that TFA is basically showing. What a fucking joke.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    13. Re:Just to note... by macs4all · · Score: 1

      Well, there is the new problem of programmers compiling their software with an infected, not-downloaded-from-Apple version of XCode. I'm not quite sure if Apple can catch 100% of those that get sent to the App Store, but that's one major security risk IMHO. And I say that as an OS X user.

      Fight for your bitcoins!

      That version of XCode was downloaded from a Chinese non-Apple source. I would imagine that Apple is going to modify XCode fairly soon so that it makes sure it is not modified before allowing a Build Application to happen, or maybe even a Launch of XCode.

    14. Re:Just to note... by macs4all · · Score: 1

      and I still hate apple and won't buy any of their products.

      But you already did.

    15. Re:Just to note... by Anonymous Coward · · Score: 0

      That is actually how most ransomware works. You don't need to spend time and money on 0-day exploits when a large percentage of the population will open and run it for you with a carefully worded email and an attachment or adding it to a commonly downloaded piece of software.

    16. Re:Just to note... by TheCarp · · Score: 1

      > But you already did.

      I said "will not" not "never have". However, I could have said never have with the caveat of being a customer and rather than consumer. The GS was a gift from my parents and while I did personally buy one, it was at a flea market years later (and it was an original "Woz Edition" GS).

      If you want me to clarify, I have not purchased an Apple product, except possibly an iPod as a gift for someone else who wanted one, since the Apple ][ was on the market, and Apple has, quite consistently, made decisions which have reinforced that decision since then.

      --
      "I opened my eyes, and everything went dark again"
    17. Re:Just to note... by Anonymous Coward · · Score: 1
    18. Re:Just to note... by Anonymous Coward · · Score: 0

      Also, at work we support like 3K PCs and 300 Macs (with a few hundred Windows, *nix servers, etc.). Our Mac group is freaking crazy and just does not want to install any sort of security software on the Macs. I'm not even talking about AV, but web filtering, etc. Also, we have a high incidence of having to reboot Macs when they are left on for more than a day or two. Granted, it might be the software we're using. Most of our Mac people are developers and are doing some more specialized things.

    19. Re:Just to note... by Anonymous Coward · · Score: 0

      LMFAO, you're so deluded right now. Most malware does what is allowed for any other app -- they just do it maliciously. E.G. If you prohibit the malware, you prohibit file managers or compression programs.

      You realize these "hacked" developers installed a different version of the tools... so it really doesn't matter what any company does since it's been modified? They could easily just replace the tools with their own look-a-likes (though, most likely ...

      Most antivirus companies; nay most software developers can't find all the hacks to bypass DRM or find malicious code... You actually think just one company can secure All the Software?

      You're hilarious.

    20. Re:Just to note... by Anonymous Coward · · Score: 0

      Pretty easily.

      You throw "free movies*! install this codec by following these simple instructions". This is how the vast majority of users are infected.

      *replace movies with software / games / guaranteed one-click, do nothing weight loss tips.

      Most people ignore the "OMG THIS IS BAD" prompts on other platforms... there's no reason the people who don't know will suddenly pay attention and learn.

    21. Re:Just to note... by Applehu+Akbar · · Score: 1

      Based on your username, you won't sign even a screen name to your trollish opinion.

    22. Re:Just to note... by Applehu+Akbar · · Score: 1

      A walled garden prevents you from trying out so many of those flaky little items of godknowswhatware that you can download into Windows. It also prevents you from getting all those fascinating viruses.

    23. Re:Just to note... by Anonymous Coward · · Score: 0

      Successful list of exploits, including Mac OS X Mavericks last year here: https://en.wikipedia.org/wiki/... Look up Charlie Miller for some good reading. Most Macs don't have AV on them anyway so there may be some misreporting going on.

    24. Re:Just to note... by mark-t · · Score: 1

      Perhaps.... but that's entirely beside the point that I was addressing.

      And the reason such a warning may get ignored on certain other platforms is because that warning comes up for practically everything that a person might want to install... That is not the case with OSX, if one's primary source of applications is from the app store.

    25. Re:Just to note... by TechyImmigrant · · Score: 1

      Most grade school kids could figure this out:

      man openssl

      Combine OpenSSL with a little AppleScript, and voila, you have the same "proof of concept" that TFA is basically showing. What a fucking joke.

      The fix is simple. Just find another vulnerability in openssl and use it to recover the key used to encrypt the data.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    26. Re:Just to note... by macs4all · · Score: 1

      You realize these "hacked" developers installed a different version of the tools... so it really doesn't matter what any company does since it's been modified? They could easily just replace the tools with their own look-a-likes (though, most likely ...

      Actually, you're right.

      As long as Apple allows the Devs. to do the final "for-Publication" Build, this is a potential problem.

      However, when the Article on the tainted XCode came out, I proposed an elegant and simple solution:

      Upon Submission, Devs send Apple their XCode Projects, and APPLE does the "For Publication" Build with THEIR (likely non-tainted) copy of XCode. Done!

      Even better, since this means that Apple has the Source, they can take a MUCH closer look with both manual and automated methods, and so are that much more likely to ferret-out obfuscated malware.

      Apple just has to add a paragraph to their Dev. Agreement, stating they won't divulge, etc., and change their Submission Procedures to require the XCode Projects.

      Since anyone developing for Apple Products uses XCode, this is a true no-brainer.

    27. Re:Just to note... by Gr8Apes · · Score: 1

      You have to go back a bit further, with PGP in 91, or even further back with InfoZip's encryption, IIRC. I'm sure I haven't gone to the beginning.

      Just curious about the apple hate: lightning connectors finally addressed one of the biggest annoyances - keyed connectors. USB-C's connector is a direct reflection of that, as I understand that it was not directionless in its early phases. Walled gardens? Yeah, but you don't have to play there if you don't want to. Let's also not forget that Apple was instrumental in getting DRM removed from music. I'd hoped they'd do the same for video, but it doesn't look likely. It's not like they put rootlets on their CDs after all.

      --
      The cesspool just got a check and balance.
    28. Re:Just to note... by macs4all · · Score: 2

      I said "will not" not "never have". However, I could have said never have with the caveat of being a customer and rather than consumer. The GS was a gift from my parents and while I did personally buy one, it was at a flea market years later (and it was an original "Woz Edition" GS).

      While I agree wholeheartedly with your "Apple ][ Forever!" sentiment (and BTW, it was JOBS that urged Woz to include EIGHT peripheral Slots in the original Apple ][ Design; not that I'm a big "Jobs" fan, mind you), I take exception to your characterization of the Lightning Connector and Apple's Curated App Store.

      The Lightning Connector solved a lot of design and packaging problems for Apple, and is one pretty cool piece of engineering. I do wish the Male end was a little more robust; but it is still much better for the User than the abomination that is Micro (or is it Mini?) USB...

      As for the Curated App Store, you need look no farther than the Android mess to show that, on balance, what Apple is doing is FAR better for the VAST MAJORITY of Users than the "Wild West" approach that Android employs. And now that iOS 9 and XCode have teamed-up to allow those who are savvy-enough to do "sideload" Apps, (which are, coincidentally, also the group of Users that are savvy-enough to be a little more careful (one would hope!)), there really isn't a "Walled Garden" issue, anyway. But people like you will continue to live in the past, and pine for the good ol' days of the Apple ][.

      Don't get me wrong: I LOVED my Apple ][, too, and have VERY fond memories of working with same (the first Apple ][ I worked on was Serial Number 0013, back in 1977. It didn't even have the "cooling slots" along the sides.) I wrote tens of thousands of lines of code, and built several peripheral cards for same (including a multifunction I/O card that was big enough to require a FOOT to hold up the back of the card!); but I haven't fired up either of my Apple ][s (nor my ][gs), nor my Pinecom ][ Clone, since about 1995. It was just a different time...

    29. Re:Just to note... by macs4all · · Score: 1

      Based on your username, you won't sign even a screen name to your trollish opinion.

      WTF are you even talking about?

    30. Re:Just to note... by TheCarp · · Score: 1

      > You have to go back a bit further, with PGP in 91, or even further back with InfoZip's encryption, IIRC. I'm sure I haven't gone to the beginning.

      Very true, and I probably wasn't even the first person to compile decent encryption routines on an apple 2 either, hell, by that time someone had already developed a TCP/IP stack and gno existed.

      > lightning connectors finally addressed one of the biggest annoyances - keyed connectors.

      I guess that was never one of my biggest annoyances. In fact, connector wise, the real huge pain was always DIN style connectors with thin wires that had to push into individual holes in a female socket. Original USB and SATA, as basically edge card connectors that slide together, already solved 95% of the real pain.

      What really gets me is the complexity. It's a connector. Being keyed is a SMALL price to pay for lacking the complexity of specialized hardware in the cable for no other purpose than switching the pins around so you can plug it in either way. To me, it seems such a level of complexity for such a minuscule problem points far more at a desire to enforce user lock-in and freeze out aftermarket parts.....both of which I put in the category of "Screwing your own customers".

      --
      "I opened my eyes, and everything went dark again"
    31. Re:Just to note... by Anonymous Coward · · Score: 0

      How do we know it won't happen again? There are a lot of third party libraries in use, and it wouldn't take much to stick in an additional function or two for malicious content.

      Don't expect Apple to be able to catch it with a signature scanner. There are billions of virus variants out there, and polymorphing code is a solved problem by malware writers, so a logic scanner, even with heuristics, isn't going to catch it. If it does, the bad guys will see it get pulled and write something else.

      In the past, the cost of getting into Apple's ecosystem was expensive... too expensive for active malware groups, compared to Google's store. Since this type of malware relies on legit app makers, it completely bypasses the "don't shit where you sleep" protection that Apple's ecosystem has enjoyed for a long time, where app makers wouldn't "taint" the platform with malware out of concern for losing ground to Android. That is gone now.

      Right now, Apple is winning... but if Apple's gatekeeper gets smacked around again, they will wind up on same level fight against Android... except with the legal responsibility to keep stuff clean because they are (for almost all cases) the only way to get software on iOS.

    32. Re:Just to note... by macs4all · · Score: 1

      Don't expect Apple to be able to catch it with a signature scanner. There are billions of virus variants out there, and polymorphing code is a solved problem by malware writers, so a logic scanner, even with heuristics, isn't going to catch it. If it does, the bad guys will see it get pulled and write something else.

      It's one thing to catch malware in an Object file; it is QUITE another when you have the Source. I think that most Open Source advocates would agree, code obfuscation notwithstanding.

      As soon as Apple listens to me (ha!) and has App Store submitters send Apple their XCode Project Files, so that APPLE can inspect the SOURCE, AND so APPLE can do the final Build with a "blessed" version of XCode, then it will be HIGHLY unlikely that code large and complex enough to do anything nefarious will be able to get by the Approval process, even with some sophisticated obfuscation (which tends to make code even larger and more complex).

      And one good thing about the App Store: If/when something like that DOES slip through, Apple can instantly revoke the Developer's key, and they will have to start all over again under a new name, Apple ID, Credit Card, etc.

      That gets old real fast for the malware developers, when all you accomplished was to infect a few dozen (or even a few hundred) Macs each time, before you were caught.

    33. Re:Just to note... by Anonymous Coward · · Score: 0

      What about third party, binary-only libraries, which some devs use?

      To be honest, I like this idea, perhaps add functionality where a dev can dump their code in, get their build going, and get a "blessed" executable for testing, as well as the one that gets sucked up into iTunes Connect would be useful. This way, they have something for smoke/soak/regression testing that is built by the golden master.

      I wish Google had similar... or at least go with two tiers of their Play Store: One tier which actively curates apps with an iron fist (similar to Amazon), and the second tier which has the same functionality as the store has now.

    34. Re:Just to note... by macs4all · · Score: 1

      What about third party, binary-only libraries, which some devs use?

      That is admittedly a detail that would have to be worked-out; although, considering the "price" of getting caught peddling malware in the Apple App Store(s), and how trivial it is for Apple to cut off distribution (and future contributions) by those Applicants, I think that the attack surface would end up being just not worth the development effort, cost and hassle.

    35. Re:Just to note... by Gr8Apes · · Score: 1

      To me, it seems such a level of complexity for such a minuscule problem points far more at a desire to enforce user lock-in and freeze out aftermarket parts.....both of which I put in the category of "Screwing your own customers".

      I guess that's why USB-C exists and Apple supports it?

      --
      The cesspool just got a check and balance.
    36. Re:Just to note... by jedidiah · · Score: 1

      I am a long time well known Linux Zealot with no love for Apple.

      I will even concur with how bogus this is.

      Malware needs an infection vector. Without that, you don't have Internet crippling mass malware infections.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    37. Re:Just to note... by jedidiah · · Score: 1

      ...except that walled garden is hardly comprehensive.

      Even Bodega is a better and more complete implementation.

      Plus you can still just download stuff from random places.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    38. Re:Just to note... by jedidiah · · Score: 1

      > That is actually how most ransomware works.

      Except most people don't run it. Their OS does that for them because it hides the details that would make it obvious that it's a program. Their OS has the added convenience of running that untrusted program for them.

      It's easy to avoid a problem like that when your OS vendor doesn't create it for you.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    39. Re:Just to note... by Anonymous Coward · · Score: 2, Funny

      can some one help me, I couldn't get this installed...

    40. Re:Just to note... by KGIII · · Score: 1

      Well, the AC isn't *entirely* wrong. At least you're open about your fanhood. (No, spell check, that is a word because I say it is a word.) I say, so long as it works for you and you don't mind the price then, by all means, go for it. The number of desktops that use my chosen OS probably increases an order of magnitude when I turn my machines on so, yeah, I don't really have the whole popularity thing down pat.

      Hell, I'm even in the official Ubuntu flavor family. There just don't seem to be a lot of us using the Lubuntu version. It's too bad, really. It's blazingly fast on new hardware and even runs "fine" on some old hardware. As a lark, early this summer, I installed it on an old AMD 3400+ w/4 GB of RAM. It was stupidly fast, considering. It wasn't PuppyLinux fast or DSL fast but the mouse and keyboard worked out of the box.

      Anyhow, as I'm sure you know, I don't dislike Apple or anything. I dare say that I've probably bought more Apple devices than anyone here - if we want to be technical and only count spending our own money and not that of an employee or government. I've used the OS and it seems fine to me. I'd probably use it more if I could try it on varied hardware. I've never taken the time to actually learn the ins-and-outs but it's stable and reasonably secure. Nothing is, truly, secure but OS X seems to have greater security baked in, for now.

      Meh... To the point, well, you are a bit passionate about the Mac. They're not entirely wrong. That's pretty good, for an AC.

      --
      "So long and thanks for all the fish."
    41. Re:Just to note... by ganjadude · · Score: 1

      the problem is even if you are right (and i agree with you) the first response shouldn't be defense against non apple people. it should simply be explained and if it is a problem shared and corrected

      you aren't getting voted down for being wrong (you are not wrong IMO) you are being down voted for being smug and offputting

      --
      have you seen my sig? there are many others like it but none that are the same
    42. Re:Just to note... by KGIII · · Score: 1

      I understand one can side-load apps on iOS now. I expect this to make for a 'warez' scene. With this, I expect an increased attack vector. Will it be a significant problem? Probably not. Security begins with the user, as it is. However, it will (potentially) be a new and novel way to get malware onto an iDevice. I think that idea may be what this PoC is aimed at demonstrating. I could be mistaken, it's not like I read the article.

      --
      "So long and thanks for all the fish."
    43. Re:Just to note... by KGIII · · Score: 1

      While I did author a variety of programs for my own use a long time ago (think 1990s in C) and have done some other programming over the years - including some horrific stuff in Perl, even *I* could write this in a couple of days if properly motivated to do so. Err... Can I write a wrapper for PHP and have it display a web page and then use that code internally? I might be able to do it a little quicker. I do hope that such is not allowed, by the way.

      Wow... That would be all too easy. The reason being, the last language, albeit scripting language, that I used on a regular basis (enough to help an open source project) was PHP. It'd be easier for me to recollect than, say, C. However, gimme Google and a few hours and maybe a SE question or two and I can probably mock something up in a couple of days that works while being a bit rough around the edges.

      I don't suppose they've got GPG installed or similar? I mean, you know, if the tools are already there... That'd probably make it easier. I believe they've got some encryption chip? Is there an API for that and a way to skip adding entries to the key chain? We can do this...

      --
      "So long and thanks for all the fish."
    44. Re:Just to note... by KGIII · · Score: 1

      Damn you! That works in Linux! How much do I owe you for the password???

      --
      "So long and thanks for all the fish."
    45. Re:Just to note... by Ecuador · · Score: 2

      Pay you? How? My bitcoin wallet was in ~/Documents!!!

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    46. Re:Just to note... by Anonymous Coward · · Score: 0

      Granted, it might be the software we're using.

      Probably. I got this Macbook in June and the only time I've rebooted was for the point release.

    47. Re:Just to note... by Applehu+Akbar · · Score: 1

      The parent AC.

    48. Re:Just to note... by Jeremi · · Score: 1

      Upon Submission, Devs send Apple their XCode Projects, and APPLE does the "For Publication" Build with THEIR (likely non-tainted) copy of XCode. Done!

      I'm pretty sure the lawyers at my company (and most closed-source software companies) would say that sending the entire source code to a third party is a non-starter. This could work for open-source software, though.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    49. Re:Just to note... by Anonymous Coward · · Score: 0

      I mean, most competent programmers can write a program that ransoms your documents in two days.

      The big question I'm having right now is why it took him two days. Did he get distracted by Foosball?

      One hour to program and test the ransomware, 47 hours to encrypt the porn cleverly hidden in the "documents" folder.

    50. Re:Just to note... by amalcolm · · Score: 1

      Nice to meet a fellow Lubuntu user :) I have full Ubuntu on my desktop, a Dell XPS, but I run Lubuntu on a Dell Latitude I picked up off ebay for £30. Great for all the needs I have, including electronic CAD (KiCad) and Android Studio. Works a treat.

      --
      Time for bed, said Zebedee - boing
    51. Re:Just to note... by KGIII · · Score: 1

      We have a whole distro, to ourselves... Well, and the rest of the rounding error that uses it. I don't know why it doesn't get more attention. It looks fine and it's blazingly fast on modern hardware - and still amazingly fast on older hardware. I'm sure it's eminently usable on your older system - even upgrading to 15.10 will still be okay. I don't want (or need) the features that come with Ubuntu but I do want the giant ecosystem and the myriad choices for support. I get that with Lubuntu without having to tweak much of anything. I even agree with most of the default software.

      --
      "So long and thanks for all the fish."
    52. Re:Just to note... by Dog-Cow · · Score: 1

      The number of 3rd-parties who would agree to give Apple a copy of their source is small enough to completely kill the App Store if your policy were implemented.

    53. Re:Just to note... by Dog-Cow · · Score: 1

      You can only side-load by building in Xcode. Possibly ad hoc and enterprise builds can be side-loaded, but those have been available forever.

    54. Re:Just to note... by amalcolm · · Score: 1

      Actually I deployed it as the operating system for a miniaturised mass spectrometer: http://www.microsaic.com/4000-..., so there are a couple of hundred instances running in labs around the world :)

      --
      Time for bed, said Zebedee - boing
    55. Re:Just to note... by david_thornley · · Score: 1

      Sounds much like the honor system virus. You send an email to someone that politely asks them to randomly delete half the files on their hard disk and forward it to ten friends. (I believe it's the only virus I have ever propagated, but obviously I can't be sure.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    56. Re:Just to note... by macs4all · · Score: 1

      Well, the AC isn't *entirely* wrong. At least you're open about your fanhood. (No, spell check, that is a word because I say it is a word.) I say, so long as it works for you and you don't mind the price then, by all means, go for it. The number of desktops that use my chosen OS probably increases an order of magnitude when I turn my machines on so, yeah, I don't really have the whole popularity thing down pat.

      LOL! I TRULY like that statement!!!

      Anyhow, as I'm sure you know, I don't dislike Apple or anything. I dare say that I've probably bought more Apple devices than anyone here - if we want to be technical and only count spending our own money and not that of an employee or government.

      From what you have told me privately, I would say you have pretty much everyone on Slashdot beat on that point!

      I've used the OS and it seems fine to me. I'd probably use it more if I could try it on varied hardware. I've never taken the time to actually learn the ins-and-outs but it's stable and reasonably secure. Nothing is, truly, secure but OS X seems to have greater security baked in, for now.

      Meh... To the point, well, you are a bit passionate about the Mac. They're not entirely wrong. That's pretty good, for an AC.

      In my defense, I think you would agree that I am no more (and likely quite a bit less) "passionate" about my Platform of Choice than a lot of the F/OSS zealots, er, fanhoods ( ;-) ) that post on these Pages...

      Two wrongs don't make a right, but they do tend to obscure each other.

    57. Re:Just to note... by macs4all · · Score: 1

      The problem is, even if you are right (and I agree with you), the first response shouldn't be defense against non-Apple people. It should simply be explained and, if it is a problem, shared and corrected. You aren't getting voted down for being wrong (you are not wrong IMO); you are being downvoted for being smug and off-putting.

      I agree with you (especially the part about my not being wrong!); but after being repeatedly bludgeoned and downmodded by certain factions on Slashdot, and noticing a continuing and continuous pattern of almost exclusively ACs that bend over backwards to cast every single thing that Apple is or does (or doesn't do) as "Teh Evilz", I'm sorry; but I have just become a little "hair triggered" when it comes to Apple-Bashing ACs.

    58. Re:Just to note... by macs4all · · Score: 1

      The parent AC.

      Oh, sorry!

      Thanks!

    59. Re:Just to note... by macs4all · · Score: 1

      Upon Submission, Devs send Apple their XCode Projects, and APPLE does the "For Publication" Build with THEIR (likely non-tainted) copy of XCode. Done!

      I'm pretty sure the lawyers at my company (and most closed-source software companies) would say that sending the entire source code to a third party is a non-starter. This could work for open-source software, though.

      And I'm pretty sure that your Company's Management would ignore/pressure those Lawyers to find a way to work it out, rather than simply give up the potential Revenues from the hands-down most lucrative Mobile App Platform.

    60. Re:Just to note... by Anonymous Coward · · Score: 0

      My Mac Pro has been on without a reboot (until recently, no reboots were necessary for update installs) for three years without a glitch and it is in constant use. There are ways to protect from memory management problems that result from programming and debugging and your developers should know them. In any case, any UNIX has better memory management than Windows. As to their lack of concern, all I can tell you is that when I use Windows, I have every possible security utility installed and ready and I keep a USB with portable DOS and Windows apps to rescue the system and there is still danger lurking. OS X? One of the most annoying "features" of Windows is the demand that the user keep the equivalent of /usr (or /USER on a Mac though there is also /usr) colocated with the OS. Ransomware is nowhere near the problem for me that it is for you because the OS is physically separate from all my data and I can use super restrictive permissions on my data without compromising the use of the OS. I think any ransomware implementation would have a very hard time getting to my data and the OS can be reinstalled from the network without any need for activation, verification, etc...

      Relax, get them to either heavily sandbox their IDE or use a virtual machine if they can't and you will see that it was always the experiment and not the lab.

    61. Re:Just to note... by KGIII · · Score: 1

      I would say you're less 'passionate' than the F/OSS zealots who are less passionate than the gamer platform (console, which console, and PC - Macs aren't even on this list, really) goobers. So, there's that. I mean, you do go out of your way to minimize every security issue and seem inclined to think Mac users are as technical as you (they're not - trust me on this one). You, at least, admit it's not infallible and don't seem to worship Steve Jobs (maybe Woz).

      So, yeah. You're definitely not quite that passionate. It might take some work to get you to admit that such existed if a true virus came around and impacted the OS. I'd expect a lot of straight up denial, trying to figure out a defense on their behalf, and maybe some overlooking or minimizing. I mean, yeah, we're all humans. I'll straight up stab a bit over blueberries. Heaven forbid, don't leave me alone with a big red button that says do not push.

      As an aside, someone pointed out that I can get the kids Scholastic gift cards now. I am having a teacher find out the information for me. The book stores all closed and I'm not going to subject the children to Amazon no matter how much I want them to read. Hopefully, this can be done by Christmas break. *sighs* It doesn't look like I'll be going home this winter, at all. For better or worse, I've got a female to attend to. I'm not sure how one ends up with a cute female that's nearly forty years their junior but I can't complain - she's not even all that high maintenance. She just has a gift of gab (I'm used to being alone as of late) and a million and three questions. Constantly.

      --
      "So long and thanks for all the fish."
    62. Re:Just to note... by KGIII · · Score: 0

      I didn't see a price for it. I'd seriously consider buying something like that just for shits and giggles. I'm not home to take delivery but I may look into this later when I am going back in that direction (maybe not until the end of winter). You should let the Lubuntu folks know that you're running it. I hang out with a few of them in chat and on AskUbuntu (or the official Ubuntu site) so I can probably dig up a contact address if you need it. That is most awesome!

      --
      "So long and thanks for all the fish."
    63. Re:Just to note... by Saint+Fnordius · · Score: 1

      Agreed. It would be worse if it was able to circumvent some of the sudo protections, or if it was able to also lock Time Machine backups, or exposed some social engineering flaw in the install procedure that lulls users into a false sense of security, and so on. It just reinforces the principle of never installing software from dodgy sources, and even trusted sources require a bit of wariness.

    64. Re:Just to note... by oldmac31310 · · Score: 0

      It's the shite software you're using. And user error.

      --
      http://www.acetonestudio.com
  3. This article has been brought to you by by Anonymous Coward · · Score: 0

    Microsft.

    1. Re:This article has been brought to you by by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Wow, that new company should get some lawyers ASAP because I'm quite sure Microsoft will sue them for using a company name similar to their own.

      Fight for your bitcoins!

  4. It STILL is not an automatic install. by Lumpy · · Score: 1, Informative

    To get his ransomware I have to download the file, launch it, give it administrator rights, type in my admin password.

    ZOMG we are all gonna die!!!!!!

    Come on, there has to be an exploit that gets completely around all security and can install silently on OSX. Are these guys not trying?

    --
    Do not look at laser with remaining good eye.
    1. Re:It STILL is not an automatic install. by cfalcon · · Score: 1

      Don't forget that you have to use a Microsoft product. No exploit, even one with all these hoops, is complete without a Microsoft product in the loop.

    2. Re:It STILL is not an automatic install. by Anonymous Coward · · Score: 0

      wow, that sounds unusually friendly and easy compared to the usual getting software for an Apple device methods

  5. Seems like a much better business model by wardrich86 · · Score: 0, Flamebait

    We already know that the typical Mac user is naive "there are no viruses for Mac!" and we also know there's a whole niche market of Apple users with more money than brains. I expect these people to haul in more money than the Windows ransomware guys.

    1. Re:Seems like a much better business model by macs4all · · Score: 1

      We already know that the typical Mac user is naive "there are no viruses for Mac!" and we also know there's a whole niche market of Apple users with more money than brains. I expect these people to haul in more money than the Windows ransomware guys.

      It is not "naive" to be aware that there are currently no "No user intervention required" viruses for OS X or iOS. It is the truth.

      It IS "naive" to NOT be aware that there ARE a few (very few!) pieces of Malware that require a Social Engineering component and User Intervention to install. HOWEVER, Mac users are (justifiably) secure in the knowledge that, before these can infect more than a few dozen Macs, Apple will push out a detector-blocker into XProtect (which runs on every OS X machine running Snow Leopard or above, and gets updated automatically every 24 hours), and that will be that. And the interesting thing is that, the malware-writers know that, too; which makes Macs a FAR less tempting target than they would otherwise be.

    2. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      Wow that is some bad trolling. Right out of the old Apple/TRS/Commodore days. Get some talent, then you can mouth off.

    3. Re:Seems like a much better business model by Theaetetus · · Score: 1

      We already know that the typical Mac user is naive "there are no viruses for Mac!" and we also know there's a whole niche market of Apple users with more money than brains. I expect these people to haul in more money than the Windows ransomware guys.

      One potential problem - those Apple users with more money than brains also probably bought a Time Capsule backup device (because it's shiny and Apple says you need one and here's my credit card!), which means they've got constant incremental backups of all their files. Ransomware pops up, just roll back to pre-encryption.

    4. Re: Seems like a much better business model by Anonymous Coward · · Score: 0

      Speaking as a 15-year Mac shareware publisher, most users dumb enough to install malware are too dumb to figure out how to disable Gatekeeper (on by default) to allow an unsigned (with Apple-issued certs) app to launch for the first time. I have an old app that predates code signing that most delete before they run it the first time because the Gatekeeper warning scares them away (some even berate me by support request for trying to "infect" them because they assume the warning to be a conviction).

    5. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      Where's your proof there are no "no-user-intervention" required? iThings have had drive-by jb flaws (see PDF or Font bugs)?

      I can say preposterous things, but it doesn't mean they're true.

    6. Re:Seems like a much better business model by guruevi · · Score: 1

      They have had potential PDF/Font bugs resulting in buffer overflows etc. The core of OS X is Open Source so that's why you see all those bugs passing by. The problem is that besides theoretical attacks, no self-replicating virus that doesn't interact with the user has been created yet. Even Flash exploits have operated in browser jails since the Windows Vista era or been unable to go beyond "this program needs Administrator rights to run".

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      And I have oceanfront property in Arizona I can sell you.

      At the college I went to, all the Macs were like 2 dollar hookers that never used protection. As soon as you took out your USB device you would run to the 4 Windows cleaning stations to hopefully kill what the Mac just gave to them. You didn't have to do anything, just plug in the USB device and then eject it.

      I know according to the Apple fans this is not true and never happened. They say it was the Windows systems doing this and then cleaning. But you can take the USB to another system and still find the same as the cleaning systems.

    8. Re:Seems like a much better business model by macs4all · · Score: 1

      And I have oceanfront property in Arizona I can sell you.

      At the college I went to, all the Macs were like 2 dollar hookers that never used protection. As soon as you took out your USB device you would run to the 4 Windows cleaning stations to hopefully kill what the Mac just gave to them. You didn't have to do anything, just plug in the USB device and then eject it.

      I know according to the Apple fans this is not true and never happened. They say it was the Windows systems doing this and then cleaning. But you can take the USB to another system and still find the same as the cleaning systems.

      Where did I say that Macs could not be CARRIERS for WINDOWS viruses?!?

      In fact, in the instance of Macs being used in an application like a "Computer Lab", I would most heartily recommend running something like ClamAV, SPECIFICALLY to avoid being a "vector" for Windows malware.

      But you are just changing the subject if you think that means that the MACS were being affected by the WINDOWS viruses.

      So, the blame goes to the IT Staff that was running the Lab; not the Macs, sorry...

    9. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      The Time Capsule is just a NAS. Ransomware just has to see it, then go under its drives under /Volumes, and nuke everything present. Ransomware 2, OS X user 0.

      Now, if the TC was actively backing up the Mac via pulls, similar to NetBackup, Windows Server Fundamentals, or even a ssh script that would dump the Mac's home directory offsite, things will be different, but Macs still are pretty vulnerable. Security through obscurity has kept malware to a dull roar, but it wouldn't take much to modify the Mac's kernel signing keys, toss in a .kext rootkit, and go to town. Windows has UEFI Secure Boot enabled by default on all machines certified for W8 and newer which will catch this and put the kibosh on these attacks. Macs are still vulnerable to this, and BIOS flash attacks, which can render malware all but unkillable.

    10. Re:Seems like a much better business model by cfalcon · · Score: 1

      So now the ransomware got ROOT? Why does it have root? Just because Windows UAC can be bypassed doesn't mean *nix machines like Mac have this problem.

      Macs have a ton of open source in their guts, and you accuse them of security through obscurity? You'd better fucking be posting from Fedora or Debian, dude. Don't take that tone from a Windoze box.

    11. Re: Seems like a much better business model by KGIII · · Score: 1

      Speaking as a 15-year Mac shareware publisher, most users dumb enough to install malware are too dumb to figure out how to disable Gatekeeper (on by default) to allow an unsigned (with Apple-issued certs) app to launch for the first time.

      You have never met my niece. She calls me, on a fairly regular basis, to ask me to help her fix her Mac. I do not know why. Of all the times she's needed it repaired, I've only managed to solve the issue once. While I do, technically, own a modern Mac - I don't actually use it and I am pretty sure my daughter absconded with it when she last visited. So, I might not even technically own it any longer.

      Anyhow, within a day of her first getting her Mac she had managed to install something called Mackeeper (I think?). It took some digging to find out that it was not some sort of malware protection but actually was the malware. How or why it got installed is a question I am not going to ask. It goes steadily downhill from there.

      --
      "So long and thanks for all the fish."
    12. Re:Seems like a much better business model by fermion · · Score: 1

      Apple users with too much money also have real time incremental backup in terms of time machine, have money to buy space on Dropbox, and have music backed up on Apple and Amazon. It might be worth $100 to some to buy the password and save the few hours it might take to restore a computer, but for many of us we simply will switch to our second or third Mac for use while the ransomed machine is restoring. I mean if you have a huge project that has to be completed that day and you are going to lose $1000 for every hour it is late, sure pay the ransom. But for most of us, wipe the machine, restore, go about our lives, and laugh once again at the PC users that are too dumb to have an integrated backup solution.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    13. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      Why would ransomware need root? The juicy things like documents are sitting with a user context in /Users.

    14. Re: Seems like a much better business model by Jeremi · · Score: 1

      Anyhow, within a day of her first getting her Mac she had managed to install something called Mackeeper (I think?). It took some digging to find out that it was not some sort of malware protection but actually was the malware.

      It probably got installed due to the fact that the MacKeeper people plaster ads for MacKeeper all over the place (presumably only if your web browser's user-agent indicates you're on a Mac, though). These ads strongly suggest that installing MacKeeper will make your Mac more better in every possible way and that you should download and install it right now because reasons.

      Complete bunk, of course, but it can work on the right type of impressionable mind (i.e. "the computer said I should do this, so I'd better do it" -- not making the distinction between what the OS is recommending and what a third-party ad is recommending). I get a phone call from my mom every 6 months or so asking me if she should install MacKeeper or not -- I'm grateful that she knows to ask about it and not just blindly install it.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    15. Re: Seems like a much better business model by KGIII · · Score: 1

      I'll just make sure she's got a subscription to Apple Care. She can call them. Thanks for the insight. I've never seen it advertised - probably due to my header information/user-agent which clearly identifies me as a Linux user. I kind of figured it was something along those lines - akin to the "you need codec to watch this movie" and appearing to be an official system application. It looked like a legitimate application as I was searching for it.

      The call (I got several that day) involved her telling me that she wanted to install an AV. I asked why she'd want to do a silly thing like that. She told me that she did. I didn't argue. I recommended AVG as they have a free Mac version (I think it was AVG). She called back in a couple of hours telling me that MacKeeper wouldn't let her install it. So, I spent hours trying to figure out how to get MacKeeper to let her install it. It was no good. I then hit on some new search terms and followed those and figured out that MacKeeper was not, in fact, the GateKeeper thing that I'd heard about. (Why would I know?)

      So, I called her back (again) and told her to uninstall it. She told me that that would be a bad idea. I hung up. She called back in about an hour and asked if she should really uninstall it. I told her that, at this point, I didn't really care if she did or not but that it probably wouldn't hurt anything to do so. I told her about a few of the links I'd read and she finally uninstalled it. Then, promptly, she installed an anti-virus application. No, I'm still not sure that she had good reasons for doing so. Note, good reasons. I'm sure she had *some* reasons for doing so.

      I've had calls since and I generally am willing to Google for her, a little, but telling her to remove MacKeeper was eventful enough. The questions have gotten more bizarre as time has passed. I mean, yeah, I can sort of function in BSD-land? Technically, I own a MBP (somewhere, back home, and only if my daughter hasn't absconded with it). I did use an iPod for a while. I do own an iPad, somewhere - I think the daughter may have lugged that off too. I'm not actually sure where the iPod is but I don't think that one has been absconded with, it's like a 4th generation and only has something like 128 GB or something small - not prime "borrowing" material so the girl-child probably hasn't decided that she'd like it more than I would (I'm adjusted to this sort of behavior, it helps with my clutter, I guess).

      I think the last time she called, the niece - not the daughter, she was hell bent on defragging. I suppose, technically, you get file fragmentation. While this is unlikely to be a problem (and the drive is an SSD, I do believe), I'm not entirely sure that any benefit gained from defragmenting a drive would be worth the read-write cycles. I told her this and that I knew of no way to defrag a drive in a Mac. She was hell bent on doing so, last I knew, and may well have accomplished her goal by now, for better or worse.

      I don't know where she gets this lack of ability from. The rest of the family is fairly technical. She hung out with my kids and, well, those kids had me as a father - they've had a computer since they were born. She's always had a computer as well. I think she twatters her tublerinabookspace stuff and goes through about three email addresses a week. She's never, to the best of my knowledge, ever checked her email for anything other than account signups (I'm assuming she must) and has never actually configured an email client - to the best of my knowledge. If she were my child, I'd abort her. *stomps*

      My kids are fluent, can program a little - including some scripting language work, and my daughter does use a Mac (and other Apple products) but she does actual work on it. She's finished med school and is now doing whatever it is they do when they meander off to slave in an ER for four years. The boy child, bless him, is actually quite a geek and gamer but he's smoking pot and sexing a beautiful native in Peru. He went there on a summer project and has ye

      --
      "So long and thanks for all the fish."
    16. Re:Seems like a much better business model by NoZart · · Score: 1

      I manage 1200 Windows systems at my work. The only infection I ever had to fight in the last 3 years was a "User-intervention-required" virus. Your point being?

    17. Re:Seems like a much better business model by cfalcon · · Score: 1

      The post in question talks about how the ransomware will blow away the backup (yet another thing that has been going on in Windows for years, and in Linux/Apple/BSD never, right along with the ransomware itself- he's presupposing ways to add features to the Apple ransomware product that doesn't exist and can't work). Pretty sure that requires root.

      Pretty sure that anyone talking this line of cocaine from a Windows box is high as fuck anyway tho. "So, pretend that this worked, instead of not working. And pretend that it didn't involve downloading a thing, and using a microsoft product, and pressing ok to all the prompts. And then pretend that, like in the Windows universe, it also wiped out your backup, because I guess you elevated it too. Just like Windows man. Just like."

    18. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      Microsoft has done a lot to make those very easy, though.

      Auto-running removable media, pretending that executable files are harmless pictures (showing picture.jpg.exe as picture.jpg), nonsensical popups training users to click ok (and later allow) to everything...

      And a permission model that made running as Administrator the only way for people who aren't at least MCSE.

    19. Re:Seems like a much better business model by Anonymous Coward · · Score: 0

      Nice straw man you have there. The OP was describing the number of naive Mac users who have heard - and believe/repeat - the message that Macs aren't affected by malware. (Even if OP used the word "virus.") Which you seem to also acknowledge is BS. Those of us who aren't fanbois have heard this story time and again from uneducated Mac users, and Apple itself intentionally clouded with the "Macs don't get PC viruses" marketing bullshit.

    20. Re:Seems like a much better business model by macs4all · · Score: 1

      Nice straw man you have there. The OP was describing the number of naive Mac users who have heard - and believe/repeat - the message that Macs aren't affected by malware. (Even if OP used the word "virus.") Which you seem to also acknowledge is BS. Those of us who aren't fanbois have heard this story time and again from uneducated Mac users, and Apple itself intentionally clouded with the "Macs don't get PC viruses" marketing bullshit.

      I think that at this point, most users, even "naive" Mac users, are aware that Trojans exist, and that no amount of AV can protect you from being click-happy.

      However, OS X's FIFTEEN-YEAR unblemished record stands: No Malware that did not require User Intervention to perform the initial infection, period. That isn't fanboiism. That isn't naivety. That's a fact.

      And it is not "marketing bullshit" to state that Macs don't get Windows viruses. It is an important marketing distinction, especially when used under the auspices of their "Mac vs. PC" campaign.

      And what you disingenuously don't point out is that Apple was careful to add the disclaimer (small, and at the bottom, like all disclaimers) that no computer was completely immune from attack. I can't find a copy of the original webpages; but the disclaimer was much like this one from the "OS X Security" Page, that states:

      "While no system can be 100 percent immune from every threat, OS X lets you do even more to keep your information as safe as possible."

  6. OSX ransomware would have been more destructive... by JoeyRox · · Score: 1

    If not for the ongoing application compatibility issues with El Capitan :)

  7. Interview by campuscodi · · Score: 1

    Interview with the malware's creator: http://news.softpedia.com/news...

  8. Yeah. Still, a reminder to backup off-site by raymorris · · Score: 1

    Yeah this story is a bit silly. What concept was proved, exactly, that Macs can run encryption software?

    Still, it is a reminder that bad things can happen on any computer, so have regular backups, test those backups, and don't store the backups right next to your main system.

    Lately I've seen a lot of people with "back ups" to read/write network storage, where the machine pushes its backup to a network drive it can write to. No bueno. Ransomware will encrypt any accessible network drives too, so your "back ups" will be gone. Lightning, theft, flood, etc would also destroy these back ups at the same time that they destroy the primary machine. Backups really need to be offsite and be pull, not push - if your machine SENDS backups to storage it can write to, the bad guy is going to delete those backups or take them hostage too.

  9. All the more reason to actually USE... by geekmux · · Score: 1

    Time Machine, instead of letting it sit in your I'll-get-to-it-someday pile of shit-to-do.

    If Windows users are any indication, they might learn the value of backups by the third formatted hard drive.

    1. Re:All the more reason to actually USE... by Culture20 · · Score: 1

      TimeMachine is a push backup on the same computer. Thus vulnerable to being encrypted too. You want a pull backup from a second system ( maybe with TimeMachine on that secondary computer).

    2. Re:All the more reason to actually USE... by Applehu+Akbar · · Score: 1

      Actually, it's a reason to periodically use Carbon Copy Cloner to make a bootable exact copy of your HD to an external drive which you mount only for the occasion, rather than leaving it running all the time. It's also a reason to use a VERSIONING online backup service that amounts to a "cloud Time Machine."

    3. Re:All the more reason to actually USE... by Jeremi · · Score: 1

      TimeMachine is a push backup on the same computer. Thus vulnerable to being encrypted too.

      Only if the malware gains root access -- not that that couldn't happen, of course.

      You want a pull backup from a second system ( maybe with TimeMachine on that secondary computer).

      Another option would be to have two external TimeMachine drives, and only keep one of them connected at any time, and swap them every so often.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
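
The push-versus-pull argument in comments 8 and 9 above comes down to Unix DAC: can a process running as the logged-in user, without root, overwrite or unlink the backup files? The following Python script is an added example, not code from any commenter; the sample tree, its file names and the second account's uid are constructed assumptions. It audits a backup tree for files a given uid could destroy, using permission bits only.

```python
"""Audit which backup files a given user could destroy under plain Unix DAC.

Added illustration. Models permission bits only (no ACLs, file flags or
snapshots) and assumes every path in the tree is reachable by that user,
so it errs on the side of reporting a file as exposed.
"""
import os
import stat
import tempfile


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx bits (0-7) that apply to `uid`: owner, group or other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_overwrite(st, uid, gids):
    """Encrypting a file in place needs the write bit on the file itself."""
    if uid == 0:
        return True
    return bool(class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids) & 2)


def can_delete(dir_st, st, uid, gids):
    """Unlinking needs write+search on the parent directory; a sticky
    directory additionally requires owning the file or the directory."""
    if uid == 0:
        return True
    bits = class_bits(dir_st.st_mode, dir_st.st_uid, dir_st.st_gid, uid, gids)
    if (bits & 3) != 3:
        return False
    if dir_st.st_mode & stat.S_ISVTX:
        return uid in (st.st_uid, dir_st.st_uid)
    return True


def audit_backup_tree(root, uid, gids=()):
    """Walk `root` and list the files `uid` could overwrite or delete."""
    gids = set(gids)
    total, exposed = 0, []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_st = os.lstat(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            total += 1
            if can_overwrite(st, uid, gids) or can_delete(dir_st, st, uid, gids):
                exposed.append(os.path.relpath(full, root))
    return {"total": total, "exposed": sorted(exposed)}


def build_sample_tree(base):
    """Constructed sample: three backup layouts with explicit modes."""
    layouts = {
        "push_share": (0o777, 0o666),    # world-writable share the client pushes to
        "sticky_drop": (0o1777, 0o644),  # shared directory with the sticky bit
        "pull_store": (0o755, 0o644),    # written only by the owning account
    }
    for name, (dir_mode, file_mode) in layouts.items():
        directory = os.path.join(base, name)
        os.mkdir(directory)
        archive = os.path.join(directory, "home.tar")
        with open(archive, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(archive, file_mode)
        os.chmod(directory, dir_mode)
    return sorted(layouts)


def demo():
    """Audit the sample tree as its owner and as an unrelated account."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        owner = os.lstat(base).st_uid
        other = owner + 1  # hypothetical second account, in no shared group
        return {
            "as_owner": audit_backup_tree(base, owner)["exposed"],
            "as_other": audit_backup_tree(base, other)["exposed"],
        }


if __name__ == "__main__":
    for who, paths in demo().items():
        print(who, paths)
```

Run `audit_backup_tree` against a mounted backup volume with `os.getuid()` and `os.getgroups()`; a backup that is pulled by a separate account should come back with an empty `exposed` list for the everyday user.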
  10. Panic And Despair by American+AC+in+Paris · · Score: 1

    Am I missing something, or is there not a single hole or bug being exploited here?

    Are we...are we confirming that if a user downloads a program and actively grants it access, it can do things that programs are allowed to do?

    For serious?

    --
    Obliteracy: Words with explosions

    1. Re:Panic And Despair by cfalcon · · Score: 1

      No, there's a bug in Microsoft Office that is allowing a locally created (not downloaded off the net- the video shows a local exploit) file to run some crap. It's just a standard Microsoft Office virus, except the damage is limited because it's on a Mac.

      Even then, he had to rig the game to look real by running a locally created file- if he had actually downloaded it, there would have been a pop up to that extent. That's why he runs it off the desktop instead of pulling it or clicking it.

      I just think it's hilarious that yet another Microsoft bug is being shown, but somehow it is spun to be Apple's fault. Like, what can Apple do? Just block Office?

      Anyway, it's important to note that all the guy has to do is restore from backup, even local backup- there's no privilege escalation (what, you thought this was Windows?), so locally backed up data managed by any of the Apple things (or even your own scripts) will be safe by Unix DAC. Only if everything you have is literally owned by your logged in user, and you are using Microsoft Office, and you literally write the macro virus yourself (or download it and jam yes to every fucking "please don't trust this" button), is this a concern.

    2. Re:Panic And Despair by david_thornley · · Score: 1

      I once left SSH enabled with a reasonably guessable account name and password for one account not being used. (I'm at least a little smarter now.) Somebody, apparently from Romania, signed in and ran user-level stuff to bombard someplace in Sweden.

      Clearly, then Ubuntu is hopelessly insecure, since the exact same exploit would work today under the same conditions.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  11. Really? by Anonymous Coward · · Score: 0

    Another BS summary.
    "Ransomware, the devilish family of malware that locks down a victim's files until he or she coughs up a hefty bounty, may soon be coming to Mac. "

    Then proceeds to say someone wrote code that encrypts files and asks for money. I could AppleScript something in a couple hours that would confuse the average user of any OS. This is not news.

  12. sigh... by nensondubois · · Score: 1

    If you ever wanted proof that the world is completely chaotic and that there is no God, the fact that ransomware exists is proof enough in my book.

    --
    http://gamehacking.org/vb/threads/12747-nensondubois-codes http://twitter.com/nensondubois_
    1. Re:sigh... by Anonymous Coward · · Score: 0

      If you ever wanted proof that the world is completely chaotic and that there is no God, the fact that ransomware exists is proof enough in my book.

      Use Linux or BSD and maybe you will be less mad at God?

      Everything you love, God made. Ransomware is a Windows thing because the OS is weak by design.

      distrowatch.com

    2. Re:sigh... by Anonymous Coward · · Score: 0

      I dunno, seems pretty obvious that there's a god of thieves, right? I mean, you'd have to believe in one monolithic god who is somehow benevolent yet created wasps and other parasites- eh. Doesn't line up with observation. God of Thieves and Maths fo shizzle.

    3. Re:sigh... by nensondubois · · Score: 1

      I have been using a Linux-based OS for a very long time. My point still stands that God is either benevolent and or powerless, or doesn't exist.

      --
      http://gamehacking.org/vb/threads/12747-nensondubois-codes http://twitter.com/nensondubois_
    4. Re:sigh... by Anonymous Coward · · Score: 0

      Based on your extensive search? I suggest you find out.

      Jesus is Lord

  13. Ransomware Affects Microsoft Office by nickweller · · Score: 1

    Not a lot of details, but seems to be yet another example of a malicious Microsoft Office macro virus. Requires the end user to open a malicious Office document; doesn't say how this leads to running the actual payload.

  14. Leaves out something IMPORTANT by cfalcon · · Score: 1

    One important detail is left out- by running this locally, he skips the part where it warns you about running stuff off of the net. And of course, it's not so much an OS X problem as it is a Microsoft Office problem, because that's the vector.

    So OS X can be owned, if you skip OS warnings AND use a Microsoft product to actually do the owning, which even then can't act as root. Good grief man.

  15. (Mac OS X) by Osgeld · · Score: 1

    "to target Mac operating systems (Mac OS X)"

    no shit, I thought they would target Mac OS 7.01, thanks for the clarification numbnuts