
Thread: First OS X ransomware detected in the wild, will maliciously encrypt hard drives

#1

    FYI for Mac and Bittorrent users:

    http://9to5mac.com/2016/03/06/first-...infected-macs/

OS X users have today been hit with the first known case of Mac ‘ransomware’ malware, found in the Transmission BitTorrent client released last week. Infected versions of the app include ‘KeRanger’ malware that will maliciously encrypt the user’s hard drive after three days of being installed. The malware then asks for payment to allow the user to decrypt the disk and access their data — the ‘ransom’.

Technical analysis:

    http://researchcenter.paloaltonetwor...ent-installer/
    Last edited by Paul Turnbull; 06-03-2016 at 11:01 PM.

    "For every complex problem there is an answer that is clear, simple, and wrong"

#2

    I don't torrent so I'm not concerned.
    Mom said I should not talk to cretins!

#3

There's a lot more malware and viruses attacking Mac OS X and even iOS now than just this one bit of ransomware...

I'm sure Jimbo will still be as naive as ever, if Jimbo even C2Es anymore. He used to tell me he hates Windows and switched to Mac because he wouldn't have to deal with this sh!t because Macs are airtight and impenetrable. (It was more so the case that 'hackers' just didn't give two fucks about such a small portion of the marketplace that nobody ever bothered.)

#4

It's not that Macs don't have to deal with it, it's that the systems in place on the Apple side of the fence are far better equipped to handle these sorts of things & prevent them from happening or running outta control.

    Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.
    It's impressive to me that Apple's already revoked the certificate used to sign the apps, preventing the malicious software from propagating or being reinstalled in error going forward.
Giving less of a damn than ever… Can't laugh at the ignorant if you ignore them!

#5

    The analogy I've always liked was that using Windows was the equivalent of having an alarm system in your house and bars on all your windows in a bad neighborhood, while using OSX was the equivalent of having no security system and leaving your front door unlocked in a really nice neighborhood.

    Problem is, a bunch of scum bags have moved in to the nice neighborhood.

#6

    Except that's not the case.

    Lemme fix your analogy to match a modern Mac:

    The neighborhood is gated, by default. Everyone has to sign in at the front gate & show ID before they can get into your house (by default, Macs are set to run only signed apps). If you want, you can even ramp up the security so that only visitors that have come from one specific place are allowed in (you can turn it on so it'll only run Apple & Apple Store software). Sure, you can opt out of the security (and run anything you want) if you find it onerous, but given that the process is far more user-friendly than the UAC on Windows, most people leave it on.

    EDIT: Here, how the built in stuff on Macs works:
    http://www.howtogeek.com/217043/xpro...malware-works/
    Last edited by noodle; 07-03-2016 at 03:02 PM.
Giving less of a damn than ever… Can't laugh at the ignorant if you ignore them!

#7

In general there are far, far fewer attacks against OS X and iOS. On the OS X side there is an argument that it is a smaller target; however, it is also a very secure system that is difficult to attack. Even in this case the key aspect was getting a valid certificate, and that limitation also means new installs of the attack were shut down almost immediately once the attack was discovered.

    On the iOS side I believe there is only one known attack that affects non-jailbroken phones and that also relies on having valid certificates, in this case enterprise ones.

    I would place all of these attacks into the same category with social engineering attacks where an installer convinces the user to allow installation. None of them rely on holes in the system but in acquiring keys to the system.

    "For every complex problem there is an answer that is clear, simple, and wrong"

#8

    Quote Originally Posted by Marcel Petrin View Post
    The analogy I've always liked was that using Windows was the equivalent of having an alarm system in your house and bars on all your windows in a bad neighborhood, while using OSX was the equivalent of having no security system and leaving your front door unlocked in a really nice neighborhood.

    Problem is, a bunch of scum bags have moved in to the nice neighborhood.
    That analogy may have been accurate 15 years ago but OS X and iOS are locked down and extremely difficult to get into. Just ask the FBI.

    "For every complex problem there is an answer that is clear, simple, and wrong"

#9

    Quote Originally Posted by Paul Turnbull View Post
    I would place all of these attacks into the same category with social engineering attacks where an installer convinces the user to allow installation. None of them rely on holes in the system but in acquiring keys to the system.
    Latest rule I've told everyone I act as defacto tech support for:

Only install & run software from a website if you download it via an https:// (not http://) link.

    Looks like the bogus/infected Transmission downloads were served over http:// & not https://, leaving it far more open to a man in the middle style attack.
Giving less of a damn than ever… Can't laugh at the ignorant if you ignore them!
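The checks behind posts #6 and #9, written out as an added example (this is editor-supplied code, not from the thread and not from the Transmission project or Apple). It refuses a non-https URL, then compares the download's SHA-256 with a hash the publisher announced separately, and only then lets Gatekeeper (`spctl`) and `codesign` judge the app bundle inside the image. The hash step is the one the https rule alone does not give you: TLS proves you reached the site, not that the site's file is clean, and post #10 notes Palo Alto said the infected installer was hosted on transmissionbt.com directly. A revoked Developer ID certificate, which post #4 describes Apple issuing for this case, is expected to make `spctl --assess` reject the bundle. The URL and expected hash passed on the command line are the caller's inputs; the `hdiutil`/`spctl`/`codesign` steps run only on macOS, and `assess_app` reports rather than fails when those tools are absent.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the Transmission project.
# Usage: sh check_dmg.sh https://example.invalid/Transmission.dmg <sha256hex> [out.dmg]
# The URL and the expected hash are caller-supplied assumptions; a real hash
# must come from the publisher through a channel other than the download page.

url_is_https() {
    # Returns 0 only for an https:// URL (scheme matched case-insensitively).
    case "$1" in
        [Hh][Tt][Tt][Pp][Ss]://*) return 0 ;;
        *) return 1 ;;
    esac
}

sha256_of() {
    # Portable SHA-256: Linux ships sha256sum, macOS ships shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch.
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

assess_app() {
    # Gatekeeper plus signature verification of an unpacked .app (macOS only).
    # spctl rejects a bundle whose Developer ID certificate Apple has revoked.
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found (not macOS?); skipping Gatekeeper assessment" >&2
        return 2
    fi
    spctl --assess --type execute --verbose=4 "$app" || return 1
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    # Show who signed it so the signer can be compared with the expected vendor.
    codesign -dvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}

main() {
    url="$1"; expected="$2"; out="${3:-download.dmg}"
    url_is_https "$url" || { echo "refusing non-https URL: $url" >&2; return 1; }
    # --proto '=https' also blocks a redirect from https to plain http.
    curl --fail --location --proto '=https' --tlsv1.2 -o "$out" "$url" || return 1
    verify_sha256 "$out" "$expected" || { echo "SHA-256 mismatch for $out" >&2; return 1; }
    echo "hash ok: $out"
    # Mount read-only and assess the bundle in place before copying it anywhere.
    mnt=$(hdiutil attach -nobrowse -readonly "$out" | awk -F'\t' '/\/Volumes\// {print $NF}')
    app=$(find "$mnt" -maxdepth 1 -name '*.app' | head -n 1)
    assess_app "$app"; rc=$?
    hdiutil detach "$mnt" >/dev/null
    return $rc
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The https and hash functions are plain POSIX shell and run anywhere; everything from `hdiutil` onward needs macOS. If the publisher provides a detached signature instead of a hash, replace `verify_sha256` with that check rather than dropping the step.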

#10

    There are some conflicting stories right now so it's unclear although Palo Alto Networks, who found the malware, said it was hosted on transmissionbt.com directly. One thing that seems clear now is that it only affected new installs and not updates.

    "For every complex problem there is an answer that is clear, simple, and wrong"
