
Apple has shut down the first fully-functional Mac OS X ransomware - jefreybulla
http://techcrunch.com/2016/03/07/apple-has-shut-down-the-first-fully-functional-mac-os-x-ransomware/
======
nickpsecurity
"...has shut down the first _fully-functional_ Mac OS X ransomware"

Here I was hoping it was the second malware coded with functional programming.
Scheme last time [1]. I was hoping to see some systems Haskell or ATS in
there. Oh well. Always another opportunity when it comes to malware.

[1] [http://philosecurity.org/2009/01/12/interview-with-an-adware-author](http://philosecurity.org/2009/01/12/interview-with-an-adware-author)

~~~
redthrowaway
>Windows has this thing called Create Remote Thread. Basically, the semantics
of Create Remote Thread are: You’re a process, I’m a different process. I call
you and say “Hey! I have this bit of code. I’d really like it if you’d run
this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-
like and free love. Windows processes, by the way, are insanely promiscuous.
So! We would call a bunch of processes, hand them all a gob of code, and they
would all run it.

I...wait, what? Did Windows actually used to be that bad?

~~~
21
This still exists, and it's used by lots of extensions.

But you can only inject DLLs (that's what it's called) if your process already
has some admin rights and if the other process is not of a higher integrity.

------
v64
Has the Transmission team offered any explanation of how the tainted binary
ended up being served by them? My concern is that the attackers were also able
to maliciously modify the Transmission source code.

~~~
josefdlange
Someone compromised their main web server where the binaries are hosted and
put up a malicious binary.

~~~
v64
Do you have a citation for this? The extent of what was illicitly accessed
remains unclear. Without knowing how their infrastructure is set up, it's not
possible to say that the intrusion was limited to just the web server.

~~~
cshenoy
Here's the Reuters article where they state that:

[http://www.reuters.com/article/apple-ransomware-idINL1N16F17Q](http://www.reuters.com/article/apple-ransomware-idINL1N16F17Q)

~~~
v64
Thanks for that, at least it's something. John Clay is listed here[1] as a
contributor to "Website maintenance and troubleshooting, Mac OS X help
documentation". I wish they would post a similar update on their website and
explicitly confirm that the current source and binaries have been audited and
are safe.

[1] [https://github.com/jparyani/Transmission/blob/master/AUTHORS](https://github.com/jparyani/Transmission/blob/master/AUTHORS)

------
wodenokoto
That is a poor error message. I would assume Apple was trying to block me from
using torrents rather than protect me from malware if I saw that error and
hadn't kept up with the news.

------
zymhan
So this confirms that Apple revoking the app-signing certificate that pissed
off a bunch of people was related to KeRanger?

~~~
kogir
No. They revoked that single developer's certificate. I think you're referring
to an Apple certificate that simply expired and invalidated many App Store
signatures.

~~~
kolinko
They revoked the developer's certificate, or they blocked opening up of an
image with a given checksum?

~~~
duskwuff
Both.

Apple has updated XProtect to detect the malicious Transmission disk image and
prevent it from being opened, and has additionally revoked the developer
certificate which was used to sign the application on that disk image to
prevent any other applications they sign from being treated as trusted.
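
The two checks duskwuff describes (a blocklist of known-bad image hashes in XProtect, plus revocation of the signing certificate) and the confirmation v64 asks for (that a served binary matches what the project published) can both be exercised from the user's side. The script below is an added example, not code from the thread or the Transmission project; the sample image, its hash and the blocklist entry are constructed, and `codesign`/`spctl` are macOS tools that are skipped elsewhere.

```shell
#!/bin/sh
# Added example, not code from the thread or the Transmission project.
# Checks a downloaded disk image against the vendor's published SHA-256 and
# a local blocklist of known-bad image hashes (the kind of check XProtect
# performs), then, on macOS only, confirms the code signature still verifies
# (a revoked developer certificate fails here). All hashes are constructed.

sha256_of() {
    [ -f "$1" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS ships shasum
    fi
}

# $1 = file, $2 = expected hex digest, $3 = blocklist (one digest per line).
# Returns 0 only if the file is not blocklisted and matches the expected hash.
verify_download() {
    actual=$(sha256_of "$1") || return 2
    if [ -f "$3" ] && grep -qix "$actual" "$3"; then
        echo "BLOCKED: $1 matches a known-bad image hash" >&2
        return 1
    fi
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH: $1 has sha256 $actual, expected $2" >&2
        return 1
    fi
    echo "OK: $1 matches the published hash"
}

# macOS only: codesign fails once the signing certificate is revoked and
# spctl gives Gatekeeper's verdict. Skipped on other systems.
verify_signature() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign unavailable, skipped"; return 0; }
    codesign --verify --deep --strict "$1" && spctl --assess --type execute "$1"
}

# Scratch directory holding a constructed image and a constructed blocklist entry.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'constructed sample image bytes\n' > "$d/Transmission-demo.dmg"
    printf '%064d\n' 1 > "$d/blocklist.txt"
    echo "$d"
}

d=$(make_demo_dir); f="$d/Transmission-demo.dmg"
verify_download "$f" "$(sha256_of "$f")" "$d/blocklist.txt"          # OK
verify_download "$f" "$(printf '%064d' 2)" "$d/blocklist.txt" || true  # MISMATCH
verify_signature "$f" || echo "signature check failed"; rm -rf "$d"
```

The published digest would normally come from the project's own site over HTTPS or a signed release note, which is exactly the confirmation the thread notes Transmission had not yet posted.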

------
jcoffland
> The fact that OS X has now been targeted speaks to the popularity of Apple’s
> operating system

It's not a security breach it's a problem of rising popularity. That's one way
to spin it.

~~~
weaksauce
It is a security breach but in the past most malware has been targeting
windows because of the larger financial upside due to popularity. As OS X gets
more popular expect more attempts like this.

~~~
jcoffland
You don't think it has anything to do with the fact that OSX is more secure
than Windows due to the underlying OS being based on FreeBSD? The economics
have been in favor of attacking OSX for a long time now. Especially when you
consider that OSX users likely have more money on average since OSX adoption
has been much higher among the affluent.

~~~
astrodust
The BSD angle is one component of the security. The other is strictly
cultural. OS X users aren't in the habit of clicking "Yeah, whatever, just
install" on every dialog that pops up in their face. They're used to just
dropping the application into their Applications folder and running it, or
downloading it from the App Store.

Windows is a wasteland of garbage, of unsigned applications from shady looking
sites, where telling the real thing from a malicious fake is often very
difficult, even for experienced users.

If you're not familiar with the application in question and just Google for it
and download the first match you can get burned very badly. This is generally
not the case for OS X since the applications tend to be more tightly curated.

Consider Panic Software, makers of Transmit, which comes signed by the
developer, and FileZilla, which generally comes from SourceForge. The official
site for Transmit is well maintained and offers a no-nonsense download link.

For contrast, the _official_ download for FileZilla, an equally popular FTP
client for Windows, came with malware bundled in due to SourceForge's bad
business decisions. If that isn't a sign of a completely dysfunctional
software ecosystem I don't know what is.

In the Windows world people are constantly battling this sort of garbage. In
the OS X world malware like this is a shocking anomaly.

~~~
matt4077
Nobody ever summed up my dislike of Windows as well as this. Though, to be
fair, it appears as if Microsoft has seriously improved in the last few years.

It's still insane to see what consumers put up with, seemingly without even
noticing. MS of ca. 1995-2010 has created an ecosystem of tastelessness, where
a new computer can come preinstalled with competing "Printer managers" or
whatever and, without even doing anything stupid yourself, you can't use it
for more than 10 minutes without being interrupted by some update, "virus
warning", "expiry warning", "system optimization" etc. It's truly baffling.

~~~
astrodust
> It appears as if Microsoft has seriously improved in the last few years.

I've seen almost zero evidence of this. The state of affairs is worse than
ever. There are non-Microsoft efforts like Ninite
([https://ninite.com/](https://ninite.com/)) that work to fix this, but that's
fighting an impossible battle.

Microsoft's core security has gotten better; the days of them casually
trusting _anything_ that ends up on your computer are over, but this has led
to a culture of flagrant abuse of these features. You constantly have to run
things in Administrator mode, click dialogs that present scary warnings, and
you end up numb to it.

The real detriment to the experience on the Windows side is how loaded down
with absolute junk your average OEM system is. They're pre-loaded with
malware, with deliberately broken software, with trial versions that nag you
constantly, and drivers for inconsequential things that always seem to need
your attention regarding an update or a settings problem.

Microsoft is in a tough spot when it comes to cleaning that situation up. Most
PC vendors depend on the money those "services" provide; their margins are
sometimes negative without them. This is part of the PC industry's suicidal
race to the bottom that keeps prices low at the expense of user experience.

On the OS X side, by comparison, alerts like that warrant a bit of attention
since they're so infrequent. The Software Update thing can be a bit of a
nuisance but telling it to shut up isn't hard. Linux and BSD are likewise
pretty quiet, and alerts stand out as a total anomaly.

