Slashdot Mirror


Proof-of-Concept Ransomware Affects Macs (vice.com)

sarahnaomi writes: Ransomware, the devilish family of malware that locks down a victim's files until he or she coughs up a hefty bounty, may soon be coming to Mac. Last week, a Brazilian security researcher produced a proof-of-concept for what appears to be the first ransomware to target Mac operating systems (Mac OS X). On Monday, cybersecurity company Symantec verified the researcher's findings. "Mabouia is the first case of file-based crypto ransomware for OS X, albeit a proof-of-concept," Symantec wrote in a blog post. "It's simple code, I did it in two days," [said] the creator of the malware.

16 of 163 comments

  1. That's special... by Aaden42 · · Score: 4, Insightful

    Great! You can encrypt some files. You're amazing!

    Show me a zero-click network infection vector, then I'll be a little worried. Yes, I've already removed Flash and never installed Adobe Reader. No, getting me to execute an email attachment (after disabling Gatekeeper) doesn't count.

    1. Re:That's special... by macs4all · · Score: 2, Insightful

      Zero-click? That is a very low bar to set, given that most of the ransomware that plagues Windows these days is zero-click.

      In case you haven't noticed, OS X appears to be somewhat (read: Insanely) more Robust in that regard than any version of Windows to date.

      I offer as proof the fact that we are at SIXTEEN YEARS of OS X, without a single infection that did not exclusively rely on Social Engineering and active participation by the User.

    2. Re:That's special... by squiggleslash · · Score: 2

      I notice you have a few AC "Yeah but MacDonalds" responses, so to counter that, may I bolster your point by pointing out that viruses and other malware pretty much rely on network effects. If 95% of people who receive an attachment can't open it, then it's unlikely to get much traction, in much the same way that a biological virus never gets very far when 95% of people are immune and can't pass it on.

      When I used to use a Mac, security updates came in via Software Update every week or two. There obviously were security holes galore in the operating system (and don't get me started on early versions of Safari automatically downloading and opening files without asking permission first...), it's just nobody bothered exploiting them.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:That's special... by macs4all · · Score: 2

      When I used to use a Mac, security updates came in via Software Update every week or two. There obviously were security holes galore in the operating system (and don't get me started on early versions of Safari automatically downloading and opening files without asking permission first...), it's just nobody bothered exploiting them.

      I agree that that was a boneheaded Default, and it amazed me even more that it persisted even after the weakness was pointed-out. However, as you know, the fix was simple: Uncheck the checkbox.

      However, I believe you would agree that we are LONG-past the "Security Through Obscurity" point with OS X (and really never were there with iOS); and now are FAR into the "Look at Me! I actually Infected a Mac!" bragging-rights territory (e.g. TFA). So, it is pretty clear that OS X really DOES have some serious Security chops, and really DOESN'T have any "Serious" Vulnerabilities.

      Look at the CVE List. On OS X, NOTHING rises above a 2.x on their "Severity" Scale. Nothing.

      Now compare that to Windows. Even Windows 10...

      That's not "Obscurity". It's good Design.

    4. Re:That's special... by macs4all · · Score: 2

      And yet Linux just got its first malware target also. And how big is that desktop market compared to OS X?

      Actually, not to pick on poor ol' Linux (it means well, after all!); but there are quite a few ACTUAL Viruses (rather than Trojans, which any OS is vulnerable to) listed for Linux, as opposed to, um ZERO (EVER!) for OS X. To be fair, most of these have been rendered ineffective by Updates; but...

      And OS X has been out nearly as long as Linux, and has TEN TIMES the marketshare (especially on the Desktop).

    5. Re:That's special... by Gr8Apes · · Score: 2

      OSX has been out since 2001. I was running Slackware v2.1 back in 1994. So there's a significant difference there, but yes, Apple is leaps and bounds beyond all Linux versions combined on the desktop, and for good reason. Apple is also estimated to be near 10% in desktops, which is a huge number considering the size of the market and that they were less than 2% 10 years ago.

      --
      The cesspool just got a check and balance.
    6. Re:That's special... by tnk1 · · Score: 2

      CVE-2015-6988 - CVSS score 10.0
      https://web.nvd.nist.gov/view/...

      The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.

      That's just the highest score. I'm not sure why you think OS X does not have any scores above 2. There are large numbers of CVEs above 2.

    7. Re:That's special... by macs4all · · Score: 2

      You must have missed all of the Pwn2Own contests. Mac OS has fallen first in every one due to insecure software.

      You must've missed at least the last two.

      Windows (IE) fell first in both years. OS X itself never did fall. Safari fell on the second day during both years, due to two exploits.

      In the early Pwn2Own contests, OS X (or rather some apps running under OS X) fell first due to three factors:

      1. Everyone wanted to OWN (that is "Win") the MacBook Pro being given away.

      2. Flash

      3. Adobe Reader

      But you will note that Flash and Adobe Reader have not been included as part of an OS X standard build for several years now.

      So, if Apple can simply tighten-up Safari a bit (and in 2014, only one team was even able to exploit anything on OS X (that being Safari)), they might even survive the next Pwn2Own.

  2. Just to note... by Ecuador · · Score: 5, Informative

    This is NOT a proof of concept of stealth ransomware using some 0-day exploit etc. You have to actually download it, choose to run it, close the warning box that is popping up to warn you exactly of this sort of software. That's where I stopped reading, I mean, most competent programmers can write a program that ransoms your documents in two days. Heck, I bet there are some who in two days of coding could even manage to bundle in a multi-level FPS game. The hard part is to get ransomware to run without the user explicitly installing it.
    Unless I am missing something, in which case you can enlighten me.

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
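Several comments in this thread hinge on two local settings: the Gatekeeper "warning box" the user has to click through to run the proof-of-concept at all, and Safari's old "open safe files after downloading" default that macs4all calls boneheaded. The audit script below is an added example, not code from the thread or from the researcher's proof-of-concept; it checks both settings from the defender's side. It assumes `spctl --status` prints "assessments enabled" or "assessments disabled" (the current macOS output) and that the Safari preference lives under the `AutoOpenSafeDownloads` key of `com.apple.Safari`; the classification helpers take the command output as a string so they can be exercised on any system.

```shell
#!/bin/bash
# Added example (not from the thread): audit the two macOS settings discussed above.
# The real commands run only where they exist; the classifiers are pure functions.

# Classify `spctl --status` output. Returns 0 when Gatekeeper assessments are on,
# 1 otherwise. Assumed output forms: "assessments enabled" / "assessments disabled".
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled";  return 0 ;;
        *"assessments disabled"*) echo "disabled"; return 1 ;;
        *)                        echo "unknown";  return 1 ;;
    esac
}

# Classify `defaults read com.apple.Safari AutoOpenSafeDownloads` output.
# "1" means Safari opens "safe" downloads automatically (the weak setting),
# "0" means the checkbox is off. An empty result means the key is unset, so
# Safari's built-in default applies; the thread says that default was to
# auto-open, so it is flagged for a manual check rather than passed.
safari_autoopen_state() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        0)  echo "off";     return 0 ;;
        1)  echo "on";      return 1 ;;
        "") echo "unset";   return 1 ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# Run both checks on a Mac. Exit status 0 means both settings are in the safe
# state; 1 means at least one is weak. On systems without spctl it only reports.
audit_mac_download_defenses() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: not macOS, nothing to audit"
        return 0
    fi
    local gk sf rc=0
    gk=$(gatekeeper_state "$(spctl --status 2>&1)") || rc=1
    echo "Gatekeeper assessments: $gk"
    sf=$(safari_autoopen_state "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)") || rc=1
    echo "Safari auto-open 'safe' downloads: $sf"
    return $rc
}

audit_mac_download_defenses || echo "audit found at least one weak setting (see above)"
```

Run it as the user whose Safari preferences are in question; the Safari key is per-user, while Gatekeeper is system-wide, so a machine with several accounts needs one run per account for the second check.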
    1. Re:Just to note... by 93+Escort+Wagon · · Score: 2

      The idea is that anyone could take this program, disable the warnings, and combine it with some exploit package to create ransomware.

      But, point is, that's the hard part. Doing what this guy did isn't particularly difficult. It's not a "proof of concept" if most programmers could easily figure it out on their own.

      --
      #DeleteChrome
    2. Re:Just to note... by phantomfive · · Score: 4, Funny

      I mean, most competent programmers can write a program that ransoms your documents in two days.

      The big question I'm having right now is why it took him two days. Did he get distracted by Foosball?

      --
      "First they came for the slanderers and I said nothing."
    3. Re:Just to note... by Anubis+IV · · Score: 2

      That's been true all along. As the OP said, many of us here are confident in our ability to write ransomware in somewhere between a couple of hours and a couple of days, simply because the actual software is rather trivial to write. After all, it's just a matter of encrypting pretty much everything on the drive and then sending the key off to a destination you control. The hard part is in delivering the ransomware to your victims, and nothing about this proof-of-concept changes any of that. The people writing exploit packages could already have included ransomware if they were so inclined, but they didn't, because they know there's more profit in flying under the radar and selling to others who will get their hands dirty.

      Yes, proofs of concept are flashy, and hopefully this one will help more Mac users to be aware of the dangers they face, but beyond that this whole thing does little more than serve as a publicity stunt.

    4. Re:Just to note... by MachineShedFred · · Score: 4, Insightful

      Hey look! I have a "proof of concept" too!
      #!/bin/bash
      openssl aes-256-cbc -in ~/Documents/* -out ~/ransom.aes -d -pass $up3r$ecretPassw0rd!

      Pay me or you'll never see your documents again!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    5. Re:Just to note... by macs4all · · Score: 2

      I said "will not" not "never have". However, I could have said never have with the caveat of being a customer rather than a consumer. The GS was a gift from my parents and while I did personally buy one, it was at a flea market years later (and it was an original "Woz Edition" GS).

      While I agree wholeheartedly with your "Apple ][ Forever!" sentiment (and BTW, it was JOBS that urged Woz to include EIGHT peripheral Slots in the original Apple ][ Design; not that I'm a big "Jobs" fan, mind you), I take exception to your characterization of the Lightning Connector and Apple's Curated App Store.

      The Lightning Connector solved a lot of design and packaging problems for Apple, and is one pretty cool piece of engineering. I do wish the Male end was a little more robust; but it is still much better for the User than the abomination that is Micro (or is it Mini?) USB...

      As for the Curated App Store, you need look no farther than the Android mess to show that, on balance, what Apple is doing is FAR better for the VAST MAJORITY of Users than the "Wild West" approach that Android employs. And now that iOS 9 and XCode have teamed-up to allow those who are savvy enough to "sideload" Apps (which are, coincidentally, also the group of Users that are savvy enough to be a little more careful (one would hope!)), there really isn't a "Walled Garden" issue, anyway. But people like you will continue to live in the past, and pine for the good ol' days of the Apple ][.

      Don't get me wrong: I LOVED my Apple ][, too, and have VERY fond memories of working with same (the first Apple ][ I worked on was Serial Number 0013, back in 1977. It didn't even have the "cooling slots" along the sides). I wrote tens of thousands of lines of code, and built several peripheral cards for same (including a multifunction I/O card that was big enough to require a FOOT to hold up the back of the card!); but I haven't fired up either of my Apple ][s (nor my ][gs), nor my Pinecom ][ Clone, since about 1995. It was just a different time...

    6. Re:Just to note... by Anonymous Coward · · Score: 2, Funny

      Can someone help me, I couldn't get this installed...

    7. Re:Just to note... by Ecuador · · Score: 2

      Pay you? How? My bitcoin wallet was in ~/Documents!!!

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS