Apple has shut down the first fully-functional Mac OS X ransomware (opens in new tab)

(techcrunch.com)

84 pointsjefreybulla10y ago27 comments

27 comments

18 comments · 5 top-level

nickpsecurity10y ago· 5 in thread

"...has shut down the first fully-functional Mac OS X ransomeware"

Here I was hoping it was the second malware coded with functional programming. Scheme last time [1]. I was hoping to see some systems Haskell or ATS in there. Oh well. Always another opportunity when it comes to malware.

[1] http://philosecurity.org/2009/01/12/interview-with-an-adware...

redthrowaway10y ago

>Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it.

I...wait, what? Did Windows actually used to be that bad?

2110y ago

This still exists, and it's used by lots of extensions.

But you can only inject DLLs (this is how it's called) if your process already has some admin rights and if the other process is not of a higher integrity.

chadzawistowski10y ago

I still use this, and authored a tool to inject the .Net runtime and run arbitrary C# code! https://github.com/ChadSki/SharpNeedle

jahewson10y ago

Well, the remote process has to have been launched with the appropriate permissions to allow remote threads. Also the remote thread can only run code which already exists in the remote process, though one common trick is to call LoadLibrary to inject a custom DLL.

nickpsecurity10y ago

Look up the Shatter Attack.

v6410y ago· 3 in thread

Has the Transmission team offered any explanation of how the tainted binary ended up being served by them? My concern is that the attackers were also able to maliciously modify the Transmission source code.

josefdlange10y ago

Someone compromised their main web server where the binaries are hosted and put up a malicious binary.

v6410y ago

Do you have a citation for this? The extent of what was illicitly accessed remains unclear. Without knowing how their infrastructure is set up, it's not possible to say that the intrusion was limited to just the web server.

2 more replies

arthurfm10y ago

Apparently [1] the binaries are hosted on the same server as their forums.

[1] https://twitter.com/leifnixon/status/706786995029340160

jcoffland10y ago· 3 in thread

> The fact that OS X has now been targeted speaks to the popularity of Apple’s operating system

It's not a security breach it's a problem of rising popularity. That's one way to spin it.

melling10y ago

It's not spin, it's someone saying "I told you so."

The claim was always that the Mac was as prone to viruses as Windows but so few people owned Macs that no one bothered writing Mac viruses.

It's all endlessly debatable, of course, but that's what the author is referring to.

weaksauce10y ago

It is a security breach but in the past most malware has been targeting windows because of the larger financial upside due to popularity. As OS X gets more popular expect more attempts like this.

jcoffland10y ago

You don't think it has anything to do with the fact that OSX is more secure than Windows due to the underlying OS being based on FreeBSD? The economics have been in favor of attacking OSX for along time now. Especially when you consider that OSX users likely have more money on average since OSX adoption has been much higher among the affluent.

3 more replies

zymhan10y ago· 2 in thread

So this confirms that Apple revoking the app-signing certificate that pissed off a bunch of people was related to KeRanger?

kogir10y ago

No. They revoked that single developer's certificate. I think you're referring to an Apple certificate that simply expired and invalidated many App Store signatures.

kolinko10y ago

They revoked the developer's certificate, or they blocked opening up of an image with a given checksum?

1 more reply

wodenokoto10y ago

That is a poor error message. I would assume apple was trying to block me from using torrents rather than protect me from malware if I saw that error and hadn't kept up with the news.

j / k navigate · click thread line to collapse