Slashdot Mirror


KeRanger Mac Ransomware Based On Linux Forebear, Not Windows

An anonymous reader writes: It appears that the KeRanger ransomware that's been tormenting Mac users for the past days is actually based on a ransomware variant that targets Linux servers, and not on a ransomware family coming from Windows. That particular Linux ransomware is also based on an open-source ransomware called Hidden Tear that was uploaded to GitHub by a Turkish security researcher. So obviously, the conclusion is that GitHub is to blame for the KeRanger Mac ransomware. (Note to readers: That last bit is tongue in anonymous cheek.)

77 comments

  1. Is that surprising? by Harlequin80 · · Score: 3, Insightful

    I would have assumed that it would have come from a Linux or BSD based one rather than a windows one.... The systems are much closer than windows to mac.

    Or am I being overly simplistic?

    1. Re:Is that surprising? by vux984 · · Score: 1

      Or am I being overly simplistic?

      I'm not 'surprised' by it, but I'd have expected it to be derived from a windows variant, simply because there are so many more of them out there, that I'd have thought someone targeting OSX would be coming from Windows and have familiarity with a windows version, and would make that their starting point.

      Yes the relative similarity of OSX to *nix makes it perhaps slightly less effort to port; but the relative lack of *nix ones means that I'd still have put better odds on a windows port.

    2. Re:Is that surprising? by Anonymous Coward · · Score: 0

      but the relative lack of *nix ones means that I'd still have put better odds on a windows port.

      lack of *nix based ones??? might want to try a web search once in a while, there are multiple variants and they are easy to find. I would have been more shocked if it was a windows variant, criminals usually like to take the path that requires the least effort.

    3. Re:Is that surprising? by Anonymous Coward · · Score: 0

      I would have assumed that it would have come from a Linux or BSD based one rather than a windows one.... The systems are much closer than windows to mac.

      Or am I being overly simplistic?

      I would agree. I have just never really imagined someone who wrote a virus or malware would be using windows to do it.

    4. Re:Is that surprising? by Big+Hairy+Ian · · Score: 1

      Isn't OSX based on a side port of Linux anyway?

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    5. Re:Is that surprising? by evolutionary · · Score: 1

      Makes sense. MacOS was created from BSD.

      --
      "Imagination is more important than knowledge" - Einstein

    6. Re:Is that surprising? by MikeMo · · Score: 1

      No. It has kind of a complex heritage, but, essentially, OSX is based on FreeBSD with a Mach-derived kernel. It does come with a load of Linux-originated utilities and code. This is particularly the case of the server variant.

    7. Re:Is that surprising? by AdelieMan · · Score: 1

      My exact thought. They are both NIX right?

    8. Re:Is that surprising? by vux984 · · Score: 1

      criminals usually like to take the path that requires the least effort.

      Which, if they were already familiar with windows variants, having worked directly on windows variants already, would make starting with a codebase they already knew that path.

      The path of least effort also accounts for the author's own knowledge and experience. For example, if I wanted to create ABC for OSX, and I'd ALREADY created ABC for Windows, I'd probably start by trying to port my ABC to OSX rather than start with someone else's DEF codebase for something similar on Linux. It may be objectively less total effort to change DEF to work on OSX, but I already know ABC, and the effort to become familiar with DEF may exceed the extra effort to just port ABC.

  2. Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 0

    and from the dirt rises the ashes on fourbears.

    1. Re: Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 0

      It's not. It's based on NeXTSTEP and FreeBSD

    2. Re:Well Duh Max OS is Based on Linux by nawcom · · Score: 3, Informative

      Mac OS X was based on NeXTSTEP which predates Linux, and NeXTSTEP was based on 4.3FreeBSD and CMU Mach.

    3. Re:Well Duh Max OS is Based on Linux by nawcom · · Score: 1

      Bah I can't edit. *4.3BSD

    4. Re: Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 0
    5. Re:Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 0

      Mac OS X was based on NeXTSTEP which predates Linux, and NeXTSTEP was based on 4.3FreeBSD and CMU Mach.

      The company was called NeXT (lowercase "e"), but the operating system was NEXTSTEP (all caps).

    6. Re:Well Duh Max OS is Based on Linux by geekmux · · Score: 1

      Mac OS X was based on NeXTSTEP which predates Linux, and NeXTSTEP was based on 4.3FreeBSD and CMU Mach.

      Well, this certainly shows that trying to label an OS as a purebred these days is as pointless as mapping Frankenstein's DNA.

    7. Re:Well Duh Max OS is Based on Linux by WinstonWolfIT · · Score: 1

      Frankenstein was simply the creator. Did you mean The Monster?

    8. Re:Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 3, Funny

      No, he meant the doctor. Have you tried to look through his family tree? It's impossible, you can't find anything, it's almost as if he's a fictional character.

    9. Re:Well Duh Max OS is Based on Linux by imboboage0 · · Score: 2

      https://xkcd.com/1589/

      Problem solved.

      --
      Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.

    10. Re:Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 0

      Hah, well you're lame, but more so! Have at you sir! Answer that if you can.

    11. Re:Well Duh Max OS is Based on Linux by Bing+Tsher+E · · Score: 1

      It's not that hard to snip away the historical dross.

      NetBSD was first, or rather second, as a fork of 386BSD. Everything else came from splitters. And it's not 4.3FreeBSD. Omit the 'Free' part and you're closer.

      FreeBSD is a modern fork of BSD where they decided to not emphasize portability. It's historically an ugly x86-only kludge like Linux where they abandoned an open architecture, and only later bolted on 'cross platform' support.

    12. Re:Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 0

      Well to be fair, Xkcd is a comic drawn by a little kid (the author wasn't born until 1984). That's why other little kids like it so much.

  3. Re:Nope by Anonymous Coward · · Score: 0

    Not only did the obvious satire go right over your head, but you also ignored the part directly after that telling you it was satire on the off chance that you were too dumb to figure it out.

    So, congrats on that, I guess.

  4. Re: Nope by Anonymous Coward · · Score: 0

    Lord Rutherford

  5. Re:Nope by Anonymous Coward · · Score: 0

    >So obviously, the conclusion is that GitHub is to blame for the KeRanger Mac ransomware.
    By that reasoning Einstein* is to blame for Hiroshima, Nagasaki and hell even Chernobyl and Fukushima...

    *Or relevant physicist, I don't know the whole story...

    I almost thought you were being sarcastic.

  6. Re:Nope by Anonymous Coward · · Score: 0

    By that reasoning Einstein* is to blame for Hiroshima, Nagasaki and hell even Chernobyl and Fukushima...

    You're trolling, right?

  7. Rules by Anonymous Coward · · Score: 1

    The first rule of getting infected by ransomware is you do not fund the criminals.
    The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

    1. Re:Rules by Anonymous Coward · · Score: 0

      Actually, the current recommendation from law enforcement in serious cases is to pay up. It's impossible to discover the source of the ransomware, but it might be possible to track the money.

    2. Re:Rules by phishybongwaters · · Score: 1

      And considering most ransomware is asking for payment via bitcoin or any number of other cryptocurrencies.... the fact that law enforcement says "pay up so we can track the money" should be a wake up call. Not for us, we read slashdot and already know bitcoin is anything but anonymous, but for the average joes who have heard the terms but don't grasp the concept.

    3. Re:Rules by geekmux · · Score: 2

      The first rule of getting infected by ransomware is you do not fund the criminals. The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

      The FIRST rule of ransomware is understanding that you own a computing device capable of connecting to the internet. Therefore, you should fucking know what the word backup means.

      Failure of that basic rule will ensure that you will be forced to make hard decisions about funding criminals when no one should be forced to even question that in the first place.

    4. Re:Rules by Applehu+Akbar · · Score: 1

      "It's impossible to discover the source of the ransomware, but it might be possible to track the money"

      So why has there been no case in which this has actually worked?

    5. Re:Rules by penguinoid · · Score: 1

      The first rule of getting infected by ransomware is you do not fund the criminals.
      The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

      The first rule of ransomware is restore from backups.
      The second rule of ransomware is don't worry, that's why we have backups.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways

    6. Re:Rules by Harlequin80 · · Score: 1

      Because it is a low priority case with a high resource investment needed to solve. It is why hitting that hospital was such a bad idea. Someone's home PC is irrelevant, potentially killing someone in a hospital - hugely important.

  8. tagging sarcasm by sittingnut · · Score: 1, Troll

    "That last bit is tongue in anonymous cheek."
    inability to get sarcasm and irony, or even just humor, (without tags, cue cards, laugh tracks, etc etc) seems to be widespread and growing here in slashdot and in the usa in particular, and the west in general.

    one faces all sorts of nastiness if attempted; modded down, branded for "hate speech", etc etc. no wonder several comedians are boycotting universities.

    this seems to be linked to the regrowth of political correctness and sheepish acceptance of so called 'liberal', elitist, ideology by the western young.
    bankrupt irrational ideas can't tolerate humor that shows their absurdity.

    1. Re:tagging sarcasm by Anonymous Coward · · Score: 0

      'cept it's not "liberal", at all.
      It originated in the Conservative revival of the Reaganite era.

      Swear in front of a Bible thumping Republican and see how far you get.

      From experience, I can say they suddenly start following the 10 Commandments quite precisely.

    2. Re:tagging sarcasm by Black+LED · · Score: 1

      Sarcasm can only be expressed if you know the thoughts of an individual (such as a character in a book), through verbal intonation or body language. There are people who would say something like that in seriousness, so you can't just assume that someone was being sarcastic when they say something that sounds silly to you, especially when it's a stranger.

    3. Re:tagging sarcasm by Zibodiz · · Score: 1

      This. Just try cracking a joke when you're pulled over by a cop, or when you're going through a security checkpoint at a government building. From first hand experience, I can tell ya that it doesn't end well.

      Thing is, for a lot of us, humor is how we deal with stress, and there is no such thing as a non-stressful government interaction. It's all a recipe for disaster.

  9. Uhh? by easyTree · · Score: 3, Funny

    This appears to be a doubly-impossible scenario as both Linux and Mac are secure by default.

    1. Re:Uhh? by Anonymous Coward · · Score: 1

      Well, because it wouldn't work on Linux is why it was ported to Mac.

    2. Re:Uhh? by dargaud · · Score: 1

      How widespread is this ransomware on Linux? Any reports in the wild, or is it just a proof of concept?

      --
      Non-Linux Penguins ?

    3. Re:Uhh? by Anonymous Coward · · Score: 0

      > secure by default.

      Butthurt Windows user, I suppose? Or just ignorant?

    4. Re:Uhh? by fermion · · Score: 2

      To take this bit seriously, not secure by default, but the mac use case is not the same as for many MS Windows users.

      For example, most of my work is continuously backed up to iCloud and Dropbox. iCloud for Apple Apps, and Dropbox for LaTeX, Python and other stuff. My computers are backed up by Time Machine, especially my photography machine.

      It would seem for most stuff, a simple wipe and restore would fix the problem. I suppose for some enterprise customers it would be a problem, but if people are not making incremental backups of machines, this really is a bigger issue than malware. These people are one disk failure away from oblivion even without malware.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black

    5. Re:Uhh? by _merlin · · Score: 2

      People have been using vulnerabilities in CMS and forum software (and their plugins) to attack web and mail servers with this ransomware. I know it's hit some schools and small companies.

    6. Re:Uhh? by Anonymous Coward · · Score: 0

      or someone that's been lorded over by a Mac master race user?

  10. 2016 is the year of the Linux desktop by Anonymous Coward · · Score: 2, Funny

    Because someone has finally figured out how to make money using Linux!

  11. Security researcher by Anonymous Coward · · Score: 0

    Why would a so-called "security researcher" manufacture and publish ransomware?
    Publish a known security flaw and a proof-of-concept exploit kit, sure, but a complete software package with the sole purpose of extorting money from innocent victims?!
    That's like demonstrating the dangers of heroin by handing out free samples in a schoolyard.

    1. Re:Security researcher by tetraverse · · Score: 1

      Why would a so-called "security researcher" manufacture and publish ransomware?

      The Anti Virus industry are making a good living out of malware. It's similar to a drug pusher distributing free samples to get people hooked before coming after them for revenue.

    2. Re:Security researcher by Anonymous Coward · · Score: 0

      The Anti Virus industry are making a good living out of malware. It's similar to a drug pusher distributing free samples to get people hooked before coming after them for revenue.

      That's a myth... No drug dealer has ever given me free samples.

    3. Re:Security researcher by Anonymous Coward · · Score: 0

      The only coke I have ever done was some I got for free from a roommate who was selling.

  12. Note to readers: That last bit is tongue in cheek by Anonymous Coward · · Score: 0

    No it isn't, it's editorialising. And it's inappropriate.

    You know, coming here makes me angry. There really was a time, and it wasn't that long ago, that this was News for (technology) Nerds. Now, it's just yellow journalism, if that.

    It's sad, and it's a big loss to the community. I hope for better, and keep on coming back, only to be disappointed. So here's a question for the new owners of this site: what do you think will generate more traffic? Being a part of the technology community, or garbage that makes people angry? And if the answer is the latter, please let us know and many of us will leave you in peace.

  13. Re: Nope by Anonymous Coward · · Score: 0

    Democritus. Until him, all that we had was Earth, Wind, Fire, Water, and Leeloo.
    Bastard. I liked Leeloo. Hubba-hubba!

  14. Linux ransomware torments Mac users? by tetraverse · · Score: 2

    How does this 'Linux ransomware' get onto the computer without the end user visiting a malicious site and explicitly downloading and installing the program?

    1. Re:Linux ransomware torments Mac users? by phishybongwaters · · Score: 1

      Magic? Malware delivering pixie fairies? I'd suspect it's the same way this junk ends up on other systems. HINT: it's not always the user doing stupid things directly. How you say? Ah well, let's say your linux admin is a lazy fuck and fails to disable root ssh on a server. And since he's a lazy fuck, he does manual patching instead of using a deployment system. Since he does it the "right way" he misses a box, and leaves a compromised version of openssh or some other shit there. And then someone leverages a zeroday, or social engineers themselves onto your vpn, busts through a half secure web server, whatever. Their fancy little scantool will tell them everything they need to know to deploy whatever payload they want to that compromised box. OR... someone plugs in a flashkey they brought from home to watch pirated copies of game of thrones (true story)

    2. Re:Linux ransomware torments Mac users? by silentcoder · · Score: 1

      It's disguised as a video of Natalie Portman, naked and petrified.

      Damn... showing my age there... for the young'uns - the reference is to an issue of the long defunct comic strip Userfriendly in which the "evil genius" Pitr spreads a version of Microsoft's Clippy (a satanic paperclip which tried to take over the world and bring about the apocalypse - not in the comic, in real life) as a plugin for the VI editor by disguising it as such a video.

      --
      Unicode killed the ASCII-art *

    3. Re: Linux ransomware torments Mac users? by samkass · · Score: 3, Informative

      In this case, by someone hacking the installer to a BitTorrent client, hacking the server that distributes it, and signing it with a valid Apple developer cert and swapping their version in. Then hoping no one notices until the few days pass before it does its job and triggers. That last part didn't happen. Apple patched the built-in anti-malware, the company released a new version that removes the malware, and it was only downloaded about 6,500 times before disappearing. Unless any of those machines stayed completely off the internet in that time, it probably didn't strike anyone in the wild. That's what being "tormented" by a Trojan Horse looks like on the Mac.

      --
      E pluribus unum

    4. Re: Linux ransomware torments Mac users? by rworne · · Score: 2

      Hacking the installer?

      I thought the binary itself was infected (well the app bundle) that required just the app dropped from the dmg file onto the system and executed.

      Programs like transmission do not need installers. Anyone looking to put a simple utility on their system should look at .pkg installer files with a great deal of suspicion.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit

    5. Re:Linux ransomware torments Mac users? by Anonymous Coward · · Score: 1

      An SSH daemon that doesn't allow root logins still runs as the root user so it can setuid to other users when they log in.

      That and you don't really need to be root on a server, you just need to break into any administrator's user account and trick them into logging in, or wait. You'd do that anyway to be able to log into other systems. Set their PATH to "~/.hax0red:$PATH". Fill up a disk, run the cpu up or consume memory with something appearing to be vi, or eat lots of IO, that'll drive them nuts. Once they give up their password, your kit could easily vanish. Log it to tmp, logger, make a DNS query containing it, whatever.

      Linux is cake :)

    6. Re: Linux ransomware torments Mac users? by fizzup · · Score: 1

      As I understand it, the installer was "hacked" with a compromised version. If you already had the client installed and it automatically updated itself, you were not at risk.

    7. Re:Linux ransomware torments Mac users? by Bing+Tsher+E · · Score: 1

      Mae Ling Mak was 'naked and petrified' in the meme.

      Newbies latched on to Portman for some reason. Possibly did Mae Ling sue somebody??

    8. Re: Linux ransomware torments Mac users? by rworne · · Score: 1

      That's the thing. There was no installer. Just an application on a disk image. Drag and drop it into your App folder.

      An "Application" on OS X is really a directory with ".app" as an extension with the MacOS binary and supporting files in it. The Transmission binary was altered to launch the payload which was disguised as an rtf file in the directory. This is worse than what I've seen in the past - MPlayerX is a well-known video player that comes packaged with an installer. The author of that decided he wanted more than the donations he was getting and installed malware/adware by packaging the app and "other stuff" in a pkg installer file.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
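
      The bundle layout rworne describes above (an .app is a directory holding the main binary plus supporting files, and here the payload sat in that directory with an rtf name) suggests a simple defender-side content check. The following is an added example, not code from the thread, from Transmission, or from any vendor: it walks a bundle and flags any file carrying a document extension whose first bytes are a Mach-O or universal-binary magic number. The bundle name, file names and byte contents are constructed for the demonstration; `disguised.rtf` is a placeholder, not the real payload's filename. Because the trojanized build was signed with a valid developer certificate (samkass's post above), a signature check alone passes it, which is why a check on what the files actually contain is a useful complement.

      ```python
      import os
      import tempfile

      # Mach-O thin and fat (universal) magic numbers, both byte orders.
      # Note: 0xcafebabe is also the Java .class magic, which is why the scan is
      # limited to files that claim to be documents rather than every file.
      MACHO_MAGICS = {
          b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
          b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
          b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal header
      }

      # Extensions that should never hold executable code inside a bundle.
      DOCUMENT_EXTENSIONS = {".rtf", ".txt", ".plist", ".png", ".jpg", ".pdf", ".html"}


      def is_macho(path):
          """True if the file starts with a Mach-O or fat-binary magic number."""
          with open(path, "rb") as fh:
              return fh.read(4) in MACHO_MAGICS


      def scan_bundle(bundle_dir):
          """Return bundle-relative paths of files that look like documents by
          extension but are actually Mach-O executables."""
          findings = []
          for root, _dirs, files in os.walk(bundle_dir):
              for name in files:
                  path = os.path.join(root, name)
                  ext = os.path.splitext(name)[1].lower()
                  if ext in DOCUMENT_EXTENSIONS and is_macho(path):
                      rel = os.path.relpath(path, bundle_dir)
                      findings.append(rel.replace(os.sep, "/"))
          return sorted(findings)


      def build_sample_bundle(base_dir):
          """Construct a toy .app layout (hypothetical names, stub contents) so the
          scan can run offline. Only the first four bytes matter for the check."""
          app = os.path.join(base_dir, "Example.app")
          macos_dir = os.path.join(app, "Contents", "MacOS")
          resources = os.path.join(app, "Contents", "Resources")
          os.makedirs(macos_dir)
          os.makedirs(resources)
          macho_stub = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # 64-bit header stub
          with open(os.path.join(macos_dir, "Example"), "wb") as fh:
              fh.write(macho_stub)  # the real main binary: Mach-O where expected
          with open(os.path.join(resources, "ReadMe.rtf"), "wb") as fh:
              fh.write(b"{\\rtf1\\ansi Hello}")  # a genuine RTF document
          with open(os.path.join(resources, "disguised.rtf"), "wb") as fh:
              fh.write(macho_stub)  # executable wearing a document extension
          return app


      def demo():
          """Build the constructed bundle in a temp dir and scan it."""
          with tempfile.TemporaryDirectory() as tmp:
              return scan_bundle(build_sample_bundle(tmp))


      if __name__ == "__main__":
          for hit in demo():
              print("executable disguised as document:", hit)
      ```

      The check is deliberately narrow: it only catches a payload stored as a plain Mach-O under a document name. A payload that is packed, encoded, or is the altered main binary itself (also something the page describes) would not be flagged, so this belongs alongside, not instead of, comparing the downloaded bundle against a known-good hash from the vendor.
      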

  15. Re:Note to readers: That last bit is tongue in che by Anonymous Coward · · Score: 0

    Actually, I'm giving Timmy a break on this for once. Yes, it _is_ editorializing; Timothy is an _Editor_, and he is actually doing his job for once.
    Hiding Libertarian opinion in carefully culled snippets written by others is his usual method.

    "...garbage that makes people angry? ..."
    Really, pointing out a bit of awkward humor makes you angry? Would you rather have Timmy going back to pointing out yet another time when a 3D Gun Nut blows his nose? What would really drive you right into Loony Land, pointing out grammatical and spelling errors? (It's "editorializing" and "Being". The dropping of the implied second adverb "being" here is marginal, but acceptable, if one allows following linked sentence fragments as a matter of style. What is totally unacceptable is the substitution of that dropped second adverb for "publishing" or "disseminating". That's just ignorant.)
    To paraphrase Joan Collins- I, for one, welcome our new Editorializing Overlords.

  16. Re:Note to readers: That last bit is tongue in che by TheRealHocusLocus · · Score: 3, Interesting

    No it isn't, it's editorialising. And it's inappropriate.

    No it isn't, it's a clarification. Wording a bit

    "(Note to readers: That last bit is tongue in anonymous cheek.)"
    The phrase 'tongue in cheek' is an idiom meaning in (sarcastic or ironic) jest that risks being misunderstood if it is broken up. Could also have been worded,
    "(Note to readers: That last bit is anonymous' tongue-in-cheek.)"

    The real problem is that anonymous wrote a summary as a series of factual sentences --- but then added a sarcastic comment at the end in the same style, so there is no clear cue that it is a sarcastic comment. I figured it out by what was said and empathizing with the writer, but editors strive for clarity, even if they feel the need to interrupt your flow by adding a comment of their own. Try to make the editor's job easier. Try this, anonymous,

    "[...] uploaded to GitHub by a Turkish security researcher. So... obviously, the conclusion is that GitHub is to blame [...]"

    You have two tone-changers that set the sarcasm aside, even bring attention to it. "So..." is a pause-for-irony that cues readers that they are now listening to the author's voice, and italics underscore the tone change. You can also add ", right?" to make sarcasm crystal clear. So... now that fucktard blowhard Hocus is giving style advice, right?

    what do you think will generate more traffic? being a part of the technology community, or garbage that makes people angry?

    What if we're talking about discussion, not website traffic? Isn't that a community? And what if technology itself contains a lot of garbage that makes people angry?

    Like dumbfuck LED indicators on modern tech devices that are supposed to indicate network and disc access, but blink late, on simple blink-on-blink-off timers, extended by capacitors until tiny blips disappear, on by default to add useless 'glow' to your room and dim (slowly) to indicate activity (fuck that shit). Or completely software driven so the indication is late or bogus. Like my AT&T Uverse modem which is the stupidest modem in the world with indicators as useless as CSS 'Loading...' animation on web pages, noise and fury signifying nothing. The modem can completely lock up while the front panel still shows the useless thumb-sucking blinky-state the software left it in. Like no one wants to lay down a single PCB trace from controller chip to LED anymore, it's too... fucking... difficult.

    That's garbage. And Slashdot is the place to discuss it.

    --
    <blink>down the rabbit hole</blink>

  17. Re:This can't be right! by Anonymous Coward · · Score: 0

    Urr durr

  18. Re:Note to readers: That last bit is tongue in che by phishybongwaters · · Score: 2

    I feel sad you needed to take the time to craft that post. But I do hope a lot of people read it.

  19. Re: Nope by Anonymous Coward · · Score: 0

    Well I'd be more inclined to blame Oppenheimer. Einstein was not the only physicist on the planet.

  20. tormenting Mac users by Anonymous Coward · · Score: 0

    Isn't that what we do here on /.
    In any case, citation needed for this: "KeRanger ransomware that's been tormenting Mac users".
    Can you cite numbers or did you just pull this tormenting comment out of thin air?

  21. Man truly does bite dog, sometimes by Anonymous Coward · · Score: 0

    Who would have thought that any type of malware could have originated anywhere except Windows? Certainly not me.

  22. Ah, The Reactionary GOTOs by cmholm · · Score: 1, Informative

    this seems to be linked to the regrowth of political correctness and sheepish acceptance of so called 'liberal', elitist, ideology by the western young. bankrupt irrational ideas can't tolerate humor that shows their absurdity.

    And the lickspittles of the conservative elite bleat whatever cliches their paymasters order up.

    Blow me, reactionary mouthpiece.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.

    1. Re:Ah, The Reactionary GOTOs by DNS-and-BIND · · Score: 1

      Way to show how tolerant and open-minded you are. I love the anti-gay slur at the end, too. I suppose all that talk about gay rights was just a bunch of bullshit to piss off badthinkers. Do as I say, not as I do.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

  23. oh no - how the candidates will weigh-in... by Anonymous Coward · · Score: 1

    trump will want to buy github outright before his election,
    cruz will say he'll eliminate github when he's the prez,
    rubio will want to give github a lifetime greencard; but will tell it differently in English and spanish,
    kasich can't spell g-i-t-h-u-b,
    sanders will want to nationalize github,
    and clinton will have chelsea leer at github until it gives the 'clinton crime family foundation' a donation.

  24. You are a huge idiot by Anonymous Coward · · Score: 0

    The fact you assume that comment contains an anti-gay slur says more about you than him.

    I've heard women say "blow me"---the phrase has pretty generic usage at this point.

    The anti-gay comment makes no sense at all unless you were perhaps misled by the term "mouthpiece".

    So, all in all, either you're socially undeveloped or you're a semi-literate twat. Either way, it's easy to judge the value of your social commentary.

  25. Re:Note to readers: That last bit is tongue in che by cas2000 · · Score: 1

    > but then added a sarcastic comment at the end in the same style,
    > so there is no clear cue that it is a sarcastic comment.

    Only Americans need a clear cue. To the rest of the English-speaking world, it's fucking obvious.

    Presumably, that's why you invented the devastatingly ingenious sarcasm style of saying something stupid or obviously false, pausing for a few seconds and then yelling "NOT!!!!"