Ransom Malware on OS X 10.11?

[OldCorpse]

I recently happened to watch the British documentary "Secrets Of The Scammers", wherein one of the scams highlighted was a ransom malware scam, and the woman who was thus attacked was shown with a mac laptop. I also read about the increased security through the SIP feature on El Capitan. So I was wondering if OS X 10.11 is vulnerable to ransom malware, and have there been any documented or anecdotal instances of such attacks on 10.11? Symantec seems to imply that OS X is highly vulnerable, and there is at the very least a verified proof of concept about how to create such malware taking advantage of OS X vulnerabilities, but they don't specify if it's 10.11 specifically or earlier ones like Yosemite - the article is dated 11/09/2015 implying it's very recent so maybe 10.11 is also vulnerable:

http://www.symantec.com/connect/blo...at-reminder-os-x-not-immune-crypto-ransomware

Any thoughts or news about this? TIA!

 

[beebarb]

SIP will offer no protection if ransomware were to be actually developed for OS X.
System Integrity Protection (SIP) only protects the integrity of system files, not user data.

By design ransomware encrypts the specified user data stored within its target directories (folders).
I say 'specified user data', because not all ransomware encrypts all files in the target directories.

Some ransomware is designed to target specific filetypes.

So any version of OS X including 10.11 is vulnerable to ransomware.

 

[leman]

Symantec seems to imply that OS X is highly vulnerable, and there is at the very least a verified proof of concept about how to create such malware taking advantage of OS X vulnerabilities

Of course they would do that, they want you to buy their malware scanners.

Any OS is vulnerable to this type of malware, as long as the malware can trick the user to starting it. Furthermore, I do not believe that there is any way to preventively detect malware like this. One could use some heuristics that analyse file access, but I am sceptical whether this problem is decidable. Anyway, make regular backups (TimeMachine FTW) and don't run suspicious programs, and you will be as safe as it gets.

 

[OldCorpse]

Thanks! So, SIP has no impact on ransomwear, since SIP does not affect user files. If it is really the case that user files in any operating system are vulnerable simply because user files are not protected from such software (and cannot be protected per leman), then why would there even be a discussion as to relative vulnerability differences to ransomwear specifically of different OSes? I mean, why would anyone say/think that f.ex. (random example) - Windows is more vulnerable to ransomwear than OS X or Linux or whatever?

I guess I imagined that there could be some kind of feature in a given OS that detects when a program wants to encrypt a user file (shouldn't that be possible?) and a dialogue box could pop up with a warning to the effect "This program wants to encrypt your file. Do you want to proceed? Yes/No". Because if this is simply not possible, then the situation is pretty dire - doing backups is not going to be 100% effective, because the ransomwear can easily infect backups on external drives - in that show I watched, all the woman's backups on all external drives and even dropbox were attacked and encrypted.

So having Time Machine is not exactly a solution - unless Time Machine has some kind of sandbox wherein once a file has been saved by Time Machine, the only operation that is allowed on that file is a copy/paste one where you can do restoration, but you cannot alter the file on TM in any other way.

Also, I think that merely "being cautious" is not going to save you. The woman in that show who got all her files everywhere, including external drives and dropbox encrypted by ransomware clicked on a link to a video allegedly sent by her friend (and according to the show, it could be any file type, like f.ex. pdf files etc.). Now, you could say, "don't click on any links even from friends" - but how practical is it, when the bad guys can stage a Man In The Middle attack wherein they hijack an email or whatever and substitute a good file with ransomware... so f.ex. your friend could be on the other end of the phone, saying "OK, I'm sending you a pdf file 'Birthday Party Preparations.pdf'" and because his/her system is compromised, some malware automatically substitutes the ransomware with the same ostensible name "Birthday Party Preparations.pdf". Now you click, and you're hosed.

If that happens, what with MITM attacks, you could never click on any link to anything even with a person at the other end of the phone, not to mention any website. How practical is that?

That's why I wonder if it is possible for the OS to analyze a program before launching to see if it's encrypting and issue a warning or some other solutions, like the sandboxed TM I mentioned above.

 

[KALLT]

@OldCorpse Data is volatile. If not through malware, you are much more likely to lose it as a result of hardware failure or data corruption. Data you don't back up twice is data you don't care about. Of course it makes sense that malware you granted the necessary privileges to will be able to gain access to connected external drives as well, just as the Dropbox folder (which is just a folder). I would use two external drives, one which you use for constant, daily backups, the other which you use less frequently (maybe monthly) and store somewhere else. Just be sure that you don't keep your disks connected all the time. I know people who keep a (monthly) backup at another physical location even.

Now, you could say, "don't click on any links even from friends" - but how practical is it, when the bad guys can stage a Man In The Middle attack wherein they hijack an email or whatever and substitute a good file with ransomware... so f.ex. your friend could be on the other end of the phone, saying "OK, I'm sending you a pdf file 'Birthday Party Preparations.pdf'" and because his/her system is compromised, some malware automatically substitutes the ransomware with the same ostensible name "Birthday Party Preparations.pdf". Now you click, and you're hosed.

That's not how this works. Your system is still protected by file permissions, so this scheme won't work, unless there is a vulnerability that can be exploited through this (e.g. in your PDF reader; however, the Preview application is sandboxed). If the PDF file is a program and contains executable code, OS X won't let you run it without your permission. Even if you do run it, it won't gain much access to your system unless you give it additional privileges. Again, assuming that there is no exploit. You can still open PDF files safely.

Aside from that, there isn't much you can do. Download programs from trusted sources only and never, ever, open a program that you didn't download yourself from the developer's servers or obtain from a disc. When a program or installer prompts you for your password, be extra careful and think twice. If you don't want to run with an administrator account for your day-to-day work then you should consider creating a second user account without administrative privileges. That way you have to enter your administrator credentials whenever a program requires it, giving you that additional 'warning'.

There is a strong paranoid undertone in your post. Relax, the situation isn't nearly as dire, even Symantec is not alarmist here.

 

[leman]

I guess I imagined that there could be some kind of feature in a given OS that detects when a program wants to encrypt a user file (shouldn't that be possible?) and a dialogue box could pop up with a warning to the effect "This program wants to encrypt your file. Do you want to proceed? Yes/No".

As far as I am concerned, it is not possible to determine whether a modification of a user file counts as encryption or something else. What is possible is detecting if an application modifies a large amount of files in rapid succession, but that also won't help you protecting your data.

Because if this is simply not possible, then the situation is pretty dire - doing backups is not going to be 100% effective, because the ransomwear can easily infect backups on external drives - in that show I watched, all the woman's backups on all external drives and even dropbox were attacked and encrypted. So having Time Machine is not exactly a solution - unless Time Machine has some kind of sandbox wherein once a file has been saved by Time Machine, the only operation that is allowed on that file is a copy/paste one where you can do restoration, but you cannot alter the file on TM in any other way.

While it is certainly possible to mess up the TM backup, it is extremely time-consuming (you'd need to encrypt every file version, which even on a fast external drive might take hours). Besides, you should use multiple rotating backup destination (I have 4), so there should be a working backup even if your current one gets contaminated. This issue is solvable with a proper snapshot-based file system though — as you already said that, where the previous versions cannot be tampered with by an unauthorised user anymore.

Also, I think that merely "being cautious" is not going to save you. The woman in that show who got all her files everywhere, including external drives and dropbox encrypted by ransomware clicked on a link to a video allegedly sent by her friend (and according to the show, it could be any file type, like f.ex. pdf files etc.).

Well, this is just nonsense. OS X will not launch an application disguised as a PDF or a video file. Besides, these kind of attacks are easily blocked with Gatekeeper — and that is why I have it turned on by default, even though good 80% of the apps I am using are not properly signed. I have read that Gatekeeper can be easily fooled, but so far, I could not find any substantial demonstration of this.

Now, you could say, "don't click on any links even from friends" - but how practical is it, when the bad guys can stage a Man In The Middle attack wherein they hijack an email or whatever and substitute a good file with ransomware... so f.ex. your friend could be on the other end of the phone, saying "OK, I'm sending you a pdf file 'Birthday Party Preparations.pdf'" and because his/her system is compromised, some malware automatically substitutes the ransomware with the same ostensible name "Birthday Party Preparations.pdf". Now you click, and you're hosed.

If that happens, what with MITM attacks, you could never click on any link to anything even with a person at the other end of the phone, not to mention any website. How practical is that?

Regarding MITM: that is why we have secure channels everywhere

That's why I wonder if it is possible for the OS to analyze a program before launching to see if it's encrypting and issue a warning or some other solutions, like the sandboxed TM I mentioned above.

As I said before, my hunch is that this problem is not decidable. Now, I'd love to write a nice proof of this similar to this one: http://www.lel.ed.ac.uk/~gpullum/loopsnoop.html, but I am already past deadline on too many papers as it is

 

[KALLT]

I have read that Gatekeeper can be easily fooled, but so far, I could not find any substantial demonstration of this.

I don't think it can even be fooled, presently. When the application bundle is signed and intact only then will Gatekeeper let it pass with your permission. However, there was a recent report about a 'weakness' where Gatekeeper could be avoided when an application has additional files outside of its bundle that have been swapped with malicious code. An authorised application could then be hijacked as soon as it actually launches. It isn't currently exploited as far as I know.

In any case, hijacking is of course always possible which is why sandboxing and file permissions exist. All Gatekeeper does is verify that the application bundle itself has not been tampered with since it was signed (and that the signature itself is still valid), but it will never look into whether an application is in itself malicious or can be hijacked. But you know that, of course.

 

[OldCorpse]

Thanks, folks. I'm on Mavericks. I was thinking of upgrading to get better security which I mistakenly thoguht SIP would provide, but now I see it's pointless, so I'm staying on Mavericks until El Cap gets its bugs ironed out somewhere around the .3 iteration. Overall, very disappointing that all OSes are so insecure.

 

[leman]

Overall, very disappointing that all OSes are so insecure.

The only definite 'solution' is locking down the entire OS (like iOS), and you know how we all feel about that. Anyway, the chance that you are going to be hit by ransomware are so slim that it isn't even worth talking about. Again, redundant backups as well as sane computing practices, and no malware will touch you.

 

[KALLT]

Thanks, folks. I'm on Mavericks. I was thinking of upgrading to get better security which I mistakenly thoguht SIP would provide, but now I see it's pointless, so I'm staying on Mavericks until El Cap gets its bugs ironed out somewhere around the .3 iteration. Overall, very disappointing that all OSes are so insecure.

I wouldn't say that SIP is pointless in this case, that's not a logical conclusion. Malware that is just after your personal files and nothing else will likely attempt to fool you into giving it write access. That is something SIP indeed doesn't protect you against. However, SIP will ensure that the base system remains intact. If a malware is able to find a vulnerability elsewhere, SIP may help preventing that problem. Moreover, El Capitan is more modern code. Apple can't keep the same level of security across the systems. It will still provide some fixes for Mavericks, but not all.

If you want better security, you should probably consider switching operating systems. OpenBSD is a recommendation.

 

[OldCorpse]

Thanks, Kallt, but OpenBSD is regarded as garbage security-wise:

https://aboutthebsds.wordpress.com/2013/01/25/20/

OK, that's a joke

I know that OpenBSD has a good reputation, but I need an OS that can run the software I need.

 

[grandM]

The only definite 'solution' is locking down the entire OS (like iOS), and you know how we all feel about that. Anyway, the chance that you are going to be hit by ransomware are so slim that it isn't even worth talking about. Again, redundant backups as well as sane computing practices, and no malware will touch you.

Actually I was on my old win7 machine. No laughing matter.

 

[simonsi]

So having Time Machine is not exactly a solution - unless Time Machine has some kind of sandbox wherein once a file has been saved by Time Machine, the only operation that is allowed on that file is a copy/paste one where you can do restoration, but you cannot alter the file on TM in any other way.

Time Machine keeps versions as a file changes, not "a file". So if you know when you allowed the Malware to run or (hypothetically), were "infected", then you could restore back prior to that point in time.

If you view "Ransom Malware" as effectively a kind of "Total drive failure", and approach it that way you should be good. Solution is wipe the drive and go back to a known good backup point.

 

[Partron22]

I ran into something on MacUpdate a few weeks ago that certainly started to ask impertinent questions and seemed as if it wanted to install something weird real bad; and not the App I was trying to DL.
Force quit browser, and rebooted Mac. I'll not be back to that site.

 

[KALLT]

I ran into something on MacUpdate a few weeks ago that certainly started to ask impertinent questions and seemed as if it wanted to install something weird real bad; and not the App I was trying to DL.

https://blog.malwarebytes.org/news/2015/11/has-macupdate-fallen-to-the-adware-plague/

Avoid sites like MacUpdate and Softonic. Only get your software from the official source. A quick web search is often more than enough, it's really not hard. Be careful with installers; everything that comes with a package installer (as opposed to an .app file that you need to drag and drop into your Applications folder) should be met with suspicion unless the developer is trustworthy (e.g. recommendations, reviews and so forth).

 

[leman]

Thanks, Kallt, but OpenBSD is regarded as garbage security-wise:

https://aboutthebsds.wordpress.com/2013/01/25/20/

Hahaha, that site is comedy gold. Thank you for the link

 

[Riwam]

https://blog.malwarebytes.org/news/2015/11/has-macupdate-fallen-to-the-adware-plague/

Avoid sites like MacUpdate and Softonic. Only get your software from the official source. A quick web search is often more than enough, it's really not hard. Be careful with installers; everything that comes with a package installer (as opposed to an .app file that you need to drag and drop into your Applications folder) should be met with suspicion unless the developer is trustworthy (e.g. recommendations, reviews and so forth).

*******
It is sad that such well known places were once safe, and now, just to make money, use some kind of combined "downloader" which if you run it, you end up with "browser bars" and all kind of adware... while all you needed was a certain application they offered to fool users.
Ed

 

[BrianBaughn]

What OS was the "woman" who was "attacked" in the "documentary" running on the Mac that was "shown"?

 

[OldCorpse]

I don't know - all you could see was an apple laptop.

 

[KALLT]

I don't know - all you could see was an apple laptop.

Maybe she ran Windows. ;-)

 

[Partron22]

Avoid sites like MacUpdate and Softonic. Only get your software from the official source.

This sucks.
Used to be reliable sites. Then the Apple store came along and ruined their business model.
Been using MacUpdate happily since the 90's
They try to burn me once, and the proper strategy switches to never again.

 

[KALLT]

This sucks.
Used to be reliable sites. Then the Apple store came along and ruined their business model.
Been using MacUpdate happily since the 90's
They try to burn me once, and the proper strategy switches to never again.

If you want an easy and quick way to install programs, you should check out Homebrew Cask (http://brew.sh and http://caskroom.io). I suppose for discovery MacUpdate is still good enough, as long as you don't download anything.

 

[felt.]

Thanks, folks. I'm on Mavericks. I was thinking of upgrading to get better security which I mistakenly thoguht SIP would provide, but now I see it's pointless, so I'm staying on Mavericks until El Cap gets its bugs ironed out somewhere around the .3 iteration. Overall, very disappointing that all OSes are so insecure.

What's disappointing is that people expect hackers to stop existing rather than have a contingency plan like say backups.

 

[OldCorpse]

"Hackers exist", yes of course, but it's not as if one can't create more secure or less secure OSes. After all, with the proper level of encryption, no hacker on earth can crack it... which is what fuels the ransomwear plague in the first place - once your files are encrypted, no amount of hacking is going to decrypt them. Which shows conclusively, that secure systems do exist - f.ex. you cannot break a properly encrypted file. Now take that concept - of security and invulnerability to hacking - and extend it to the concept of how OSes work - why not come up with a similarly secure system that protects your user files that's not really open to "hacking".

Yes, hackers will always exist. But that's not a reason to throw up your hands. Because secure systems also exist. After all, super clever robbers will always exist, but somehow Fort Knox has not been robbed yet.

You can always harden an OS. Yes, it's tempting to offload any responsibility for security on the user, and say "whelp, that's how the world works, hackers exist, you're on your own as to how you secure it... consider backups, they may work in many cases, unless the hackers manage to encrypt those too, in any case you're on your own, best of luck!". The other way is to assume responsibility for the design of the system you're selling, and actually try to harden the OS - you know, take some of that energy that's spent making pretty fonts and yet slimmer phones, and put it toward security - you might be surprised at how creative and ambitious software engineers can get... then you can release a version called "Fort Knox".

There are two basic attitudes people have: strive to always deliver the best and meet every challenge, or throw up your hands and blame the user. Only one of those attitudes delivers progress in this world. I leave that as an exercise to the reader to figure out which one it is.