Slashdot Mirror
Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com)
An anonymous reader writes: Apple has shut down what appears to have been the first, fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.
Apple?
I am Slashdot. Are you Slashdot as well?
I thought certs where going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?
Nothing. However, what's good to know is that I no longer have to worry about this one - and the turnaround was pretty quick. Assuming Apple can keep up with any threats like this (it's not like they don't have enough money to justify it), it's just like doing a regular bit of weeding in your garden.
Make sure everyone's vote counts: Verified Voting
You do realize that you can disable System Integrity Protection, the thing that stops you removing your kernel, C library and such?
This is a follow up story that Apple actually shut it down.
I thought certs where going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?
Apple revoked the cert, and now the threat is gone. So the fact that the software was signed protected you.
You can't buy these certificates. You have to get one from Apple, who will hopefully check out the company. In this case the company that Apple checked was careless and I hope they'll pay the price for that.
Then you are a trusting idiot.
Certs don't protect you from malware, they just make it so the spread of malware can be more easily contained when detected. (as shown here the cert can be revoked and the app itself added to the big list o' malware), and give the user the best chance to avoid malware by showing you who wrote the thing you're downloading.
Apple could potentially protect against ransomware by writing the OS to refuse apps access to files outside their own little corner of the drive (I think iOS does this) then the app could only hold it's own data hostage. But in this case that's probably work somewhat well anyway as the ransomware was packaged with a file sharing program. But that'd come with some negative usability constraints for apps in general.
The difference is that all of the XProtect & related functionality can be disabled. It’s not easy to disable it (easy in the sense you’d stumble on it accidentally), and your average parent / grandparent user of Mac OS would never figure out how to disable it. Which is good, because they have no clue of the implications of doing so.
If as a trained and knowledgable IT professional, you want to run completely unprotected, you set some kernel flags in your EFI, and reboot. Execute whatever you like, overwrite anything on the drive as root, no questions asked. That’s probably not a great idea as the vast majority of the time those features protect even seasoned (or is that salty) professionals from shooting themselves in the foot. But if you really want to run something Apple has determined to be dangerous, you can still do it.
My opinion of Apple would fall sharply if they ever removed the disable options on their desktop OS. So long as that option is there, having it default to ON is the right option for the vast majority of users.
This incident had nothing to do with what you describe. And was stopped because the offending certificate got yanked and blocked by Apple, so in this instance Gatekeeper worked exactly as it should.
What you're talking about is a problem, no question 'bout that, just not this time
Take a look at System Integrity Protection in the newest version of OS X. it doesn't limit an app to its app corner, but it definitely limits it to userspace. A description from Ars (full page here:
System Integrity Protection does this by severing the automatic kernel-level blessing given to root’s commands. The end result is that in El Cap, root is no longer an account with effectively unlimited access to either the file system or to memory and running processes. SIP places kernel-level checks on root’s privilege that can (in theory, at least, until proven otherwise by an intrepid security researcher) only be bypassed by the kernel itself. SIP’s intention is to keep the operating system’s state—both on disk and in memory at runtime—as it was installed by Apple.
This is a pretty big change from how Unix-like operating systems are "supposed" to work, though it’s not without precedent (Ars IT Editor Sean Gallagher told us that SIP sounds a bit like Trusted Solaris, and this Quora thread has some details on the history of similar "rootless" privilege escalation schemes). Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.
There’s more, too—the file system protections are only the start. SIP consists of four major features:
Protected locations cannot be written to by root.
Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.
So if you've already been infected and locked, this seems like it would shut down any avenue of unlocking your files. Maybe there aren't already people actively locked, but this seems like it would be a problem. Anyone know any more?
The cert used has been revoked. Without a working cert, no one can install the app so no new infections. Currently infected customers are another matter.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Apple is depriving these software writers of their rightful revenue, and hopefully they'll be sued for it, and better yet a law passed banning this kind of practice. This is no different than ad-blocking and script-blocking software, which prevents upstanding advertisers from running JavaScript software on peoples' computers and rightfully earning revenue from it.
Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.
Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.
Well, actually it reinforces the purpose of anonymous transactions.
Let's not sit here and pretend that cash transactions (a.k.a. the other side of the coin) are somehow not heavily relied upon within the criminal community, and for the exact same reasons that bitcoin is.
Criminal activity will be a side effect of anonymous transactions no matter the medium. What should concern us more is when anonymous transactions are made 100% illegal, even for legitimate privacy reasons.
Well, that was fast. One day.
Sure, it's not a system patch but a certificate revocation, but still a responsibly swift resolution.
BTW, it was a malware Trojan, likely a double-Trojan, injected between the unwitting developer and the unwitting downloader, using the compromised certificate. Whether in transit if http downloaded, or by some other exploit, I dunno. Those more expert than me can answer that one.
It was not a virus. It was a Trojan inserted by a third party. I understand that it (probably) affected Linux and Windows as well. Please, everyone, just use proper terminology. It aids discussion.
Microsoft should adopt the same model.but it would require a herculean effort to get their products up to the same standard of quality.
What, you mean authenticating applications based on a central certification authority? Kind of like what this does: https://msdn.microsoft.com/en-... . Or maybe you mean not allowing the installation of any applications that don't posses a preapproved certificate, in THAT case what you want is this feature over here: https://msdn.microsoft.com/en-... . God forbid you would have to learn how to manage your own certificate chains, afterall the documentation is so difficult to find: https://msdn.microsoft.com/en-... . The only thing missing is the paywall, which isn't really missing since you can pay for a third party authority to verify your certificate. But as we can see by the premise of this article that isn't actually a deterrent is it?
The difference between Microsoft and Apple is the same as it has always been. Apple forces you to follow their policies, Microsoft forces you to live with the consequences of the policies you wrote yourself.
I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.
You are welcome on my lawn.
I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.
The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.
All very nice, I'm sure, but completely irrelevant. Ransomware is such a danger because it doesn't need to break any security or get elevated permissions, just attack the files to which the user has legitimate access.
XProtect does one other thing that is very welcome in most circumstances as well - expiring old versions of browser plug-ins like Java and Flash, which are known to have massive gaping security holes in them.
And, again, if this gets in the way of a proper administrator who is saddled with some ancient piece of shit that requires some ancient plug-in, it can be disabled on a per-plug-in level
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Microsoft bows to Hollywood and the Feds while dragging its heels while users suffer from malware.
Apple tells the Feds to take a hike and focuses its resource to kill a nasty ransomware within a day.
Go Apple!
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Well, the $99 is a small barrier to entry. Considering Cryptowall has garnered nearly a third of a billion dollars, there is probably some good money to be had if an enterprising blackhat can get a working ransomware trojan running on OSX long enough to do the trick. More than enough to justfy several $99 developer registrations.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Congratulations Mac, you final have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.
Seriously. If code is well-written, with portability in mind, then there is absolutely no reason for games to not come on Mac at release.
And yes they are written to be portable –PlayStation, Windows 7 or 8 or 10, Linux, X-Box. FFS, if a game is ported to Linux, then it should be trivial to slap together an interface for Mac OS X—It's based on the BSD of UNIX.