Slashdot Mirror
Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com)
An anonymous reader writes: Apple has shut down what appears to have been the first, fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.
Apple?
I am Slashdot. Are you Slashdot as well?
I thought certs where going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?
Nothing. However, what's good to know is that I no longer have to worry about this one - and the turnaround was pretty quick. Assuming Apple can keep up with any threats like this (it's not like they don't have enough money to justify it), it's just like doing a regular bit of weeding in your garden.
Make sure everyone's vote counts: Verified Voting
You do realize that you can disable System Integrity Protection, the thing that stops you removing your kernel, C library and such?
Congratulations Mac, you final have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.
Gatekeeper is the real problem. It only checks the certificate on the first app in a package, then lets any other app, legit or malware, through without checking. Bundle in malware and it gets right through. Apple only blocks the certificate the developer of Transmission was using. So, all they are doing is blocking the first app's certificate, Transmission. That's just a bandaid patch on the real problem, Gatekeeper itself. All that has to be done is to repackage the same malware with the new app, or some other app, and it will happen again.
This is a follow up story that Apple actually shut it down.
I thought certs where going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?
Apple revoked the cert, and now the threat is gone. So the fact that the software was signed protected you.
You can't buy these certificates. You have to get one from Apple, who will hopefully check out the company. In this case the company that Apple checked was careless and I hope they'll pay the price for that.
Then you are a trusting idiot.
Certs don't protect you from malware, they just make it so the spread of malware can be more easily contained when detected. (as shown here the cert can be revoked and the app itself added to the big list o' malware), and give the user the best chance to avoid malware by showing you who wrote the thing you're downloading.
Apple could potentially protect against ransomware by writing the OS to refuse apps access to files outside their own little corner of the drive (I think iOS does this) then the app could only hold it's own data hostage. But in this case that's probably work somewhat well anyway as the ransomware was packaged with a file sharing program. But that'd come with some negative usability constraints for apps in general.
They were.
It's really Apple just playing catch up. I mean this was their first instance of ransom ware , and Windows has had it for how long ?
Apple copy catting again.
And they couldn't help themselves and got all control freaky , shutting it down with their mind control rays. None of this letting ransom ware to fester in the wild for years.
FFS, it was a viable commercial malware product, that had its ROI shut down inside 32 hours of its release into the wild. That's great cooperation between Palo Alto, Appke & the Transmission project.
Do you really think it paid off for the malware authors in that time , and they are simply laughing all the way to the bank ?
The difference is that all of the XProtect & related functionality can be disabled. It’s not easy to disable it (easy in the sense you’d stumble on it accidentally), and your average parent / grandparent user of Mac OS would never figure out how to disable it. Which is good, because they have no clue of the implications of doing so.
If as a trained and knowledgable IT professional, you want to run completely unprotected, you set some kernel flags in your EFI, and reboot. Execute whatever you like, overwrite anything on the drive as root, no questions asked. That’s probably not a great idea as the vast majority of the time those features protect even seasoned (or is that salty) professionals from shooting themselves in the foot. But if you really want to run something Apple has determined to be dangerous, you can still do it.
My opinion of Apple would fall sharply if they ever removed the disable options on their desktop OS. So long as that option is there, having it default to ON is the right option for the vast majority of users.
This incident had nothing to do with what you describe. And was stopped because the offending certificate got yanked and blocked by Apple, so in this instance Gatekeeper worked exactly as it should.
What you're talking about is a problem, no question 'bout that, just not this time
Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.
Take a look at System Integrity Protection in the newest version of OS X. it doesn't limit an app to its app corner, but it definitely limits it to userspace. A description from Ars (full page here:
System Integrity Protection does this by severing the automatic kernel-level blessing given to root’s commands. The end result is that in El Cap, root is no longer an account with effectively unlimited access to either the file system or to memory and running processes. SIP places kernel-level checks on root’s privilege that can (in theory, at least, until proven otherwise by an intrepid security researcher) only be bypassed by the kernel itself. SIP’s intention is to keep the operating system’s state—both on disk and in memory at runtime—as it was installed by Apple.
This is a pretty big change from how Unix-like operating systems are "supposed" to work, though it’s not without precedent (Ars IT Editor Sean Gallagher told us that SIP sounds a bit like Trusted Solaris, and this Quora thread has some details on the history of similar "rootless" privilege escalation schemes). Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.
There’s more, too—the file system protections are only the start. SIP consists of four major features:
Protected locations cannot be written to by root.
Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.
So if you've already been infected and locked, this seems like it would shut down any avenue of unlocking your files. Maybe there aren't already people actively locked, but this seems like it would be a problem. Anyone know any more?
The cert used has been revoked. Without a working cert, no one can install the app so no new infections. Currently infected customers are another matter.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Apple does that now with programs that use the Mac App Store. It would be nice if it worked with apps outside of the store.
Apple is depriving these software writers of their rightful revenue, and hopefully they'll be sued for it, and better yet a law passed banning this kind of practice. This is no different than ad-blocking and script-blocking software, which prevents upstanding advertisers from running JavaScript software on peoples' computers and rightfully earning revenue from it.
"stolen" uh huh.
Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.
They've already started by making it so that even root is blocked from editing files in locations such as /etc, /usr, and /bin, and blocks root from removing "important system apps" like iTunes and Photos (both of which have third party competitors).
Do they also prevent you from installing those competitors and prevent the competitors from registering to handle the file types handled by default by iTunes and Photos?
Apple would decompile the code for the malware and file a patent on it. Then dispatch the FBI to stake out the courthouse in Tyler, TX until the malware writers file a troll suit.
Well, that was fast. One day.
Sure, it's not a system patch but a certificate revocation, but still a responsibly swift resolution.
BTW, it was a malware Trojan, likely a double-Trojan, injected between the unwitting developer and the unwitting downloader, using the compromised certificate. Whether in transit if http downloaded, or by some other exploit, I dunno. Those more expert than me can answer that one.
It was not a virus. It was a Trojan inserted by a third party. I understand that it (probably) affected Linux and Windows as well. Please, everyone, just use proper terminology. It aids discussion.
Microsoft should adopt the same model.but it would require a herculean effort to get their products up to the same standard of quality.
What, you mean authenticating applications based on a central certification authority? Kind of like what this does: https://msdn.microsoft.com/en-... . Or maybe you mean not allowing the installation of any applications that don't posses a preapproved certificate, in THAT case what you want is this feature over here: https://msdn.microsoft.com/en-... . God forbid you would have to learn how to manage your own certificate chains, afterall the documentation is so difficult to find: https://msdn.microsoft.com/en-... . The only thing missing is the paywall, which isn't really missing since you can pay for a third party authority to verify your certificate. But as we can see by the premise of this article that isn't actually a deterrent is it?
The difference between Microsoft and Apple is the same as it has always been. Apple forces you to follow their policies, Microsoft forces you to live with the consequences of the policies you wrote yourself.
Bit coin is neither anonymous nor hard to trace. How long must we put up with this shitty reporting of disinformative nonsense?
I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.
You are welcome on my lawn.
XProtect isn't the same as rootless.
You're right, to disable rootless (which protects a bunch of system files from being modified/deleted, even as root) you can do this.
XProtect is a signature-based anti-malware system - Apple pushes out silent updates to the signature definitions on a regular basis, but XProtect doesn't save you from shooting yourself in the foot when running as root.
Specialist Mac support for creative pros, Melbourne
You're too late.
A bounty has already been posted, and ironically,
will be paid in bitcoin once evidence is accepted.
Too bad it didn't go through KickStarter.
I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.
The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.
All very nice, I'm sure, but completely irrelevant. Ransomware is such a danger because it doesn't need to break any security or get elevated permissions, just attack the files to which the user has legitimate access.
XProtect does one other thing that is very welcome in most circumstances as well - expiring old versions of browser plug-ins like Java and Flash, which are known to have massive gaping security holes in them.
And, again, if this gets in the way of a proper administrator who is saddled with some ancient piece of shit that requires some ancient plug-in, it can be disabled on a per-plug-in level
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Microsoft bows to Hollywood and the Feds while dragging its heels while users suffer from malware.
Apple tells the Feds to take a hike and focuses its resource to kill a nasty ransomware within a day.
Go Apple!
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Apple doesn't check out the company. They shouldn't - after all, Apple should not be censoring programs on OS X as a general purpose PC. What buying a certificate does is validate the payment chain - in order to bill a credit card, you now have the billing address and name of the owner. Presumably the credit card issuer has been able to verify it as a legitimate mailing address (since the card was sent there), etc.
Basically, paying the money means that Apple now has a legitimate address and a way of identifying the developer. In addition, while $99 is not a lot of money, it's still money you hope not to pay again, so when a certificate is cancelled, the developer now has to pony up ANOTHER $99 to pay for a new one. Which is incentive to protect it.
What you have just said is tantamount to saying this:
"I'm not smart enough to figure it out and if I was then the first thing I'd do is shoot myself in the foot because I want to be the boss of me. You're not the boss of me!"
You *can* (fairly easily) do each and everything you're complaining that you can't do. It's not even difficult. That you don't know how to is a good indicator that you're unqualified to do so. However, if you want to do so then you can - it just means that you're an idiot. It is not complicated - I know how to do it (at least I know the process) and I'm not even an OS X user.
Sure, it is a fine sentiment to want to be in control. And you can be. You're just not qualified to be. We can tell you're not qualified to be. If you were, you'd know how to do this.
"So long and thanks for all the fish."
There is no way to permanently change this behavior, to the point where the recommended method of using a third party photo suite was to "sudo rm -rf /Applications/Photos.app" - which you can't do any more.
...unless you turn off System Integrity Protection.
Well, the $99 is a small barrier to entry. Considering Cryptowall has garnered nearly a third of a billion dollars, there is probably some good money to be had if an enterprising blackhat can get a working ransomware trojan running on OSX long enough to do the trick. More than enough to justfy several $99 developer registrations.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Original Slashdot story linked to CNBC article, that said:
An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.
What new information do we have?
This capability is not one Apple came up with. It has long been a capability of FreeBSD and probably other BSD systems. It can be overridden if you know what you are doing, but it is an added safety belt to save you from yourself.
Kevin Oberman, Network Engineer, Retired