Mac OS X Ransomware Threat: Nothing to Worry About Yet

Two blogs are talking about a potential Mac ransomware threat: ZDNet’s Zero Day blog, and Threat Researcher. It turns out that there is a proof-of-concept ransomware floating around in cyberspace, which, while not yet a danger to Macs, raises a number of questions.

First, if you’re not familiar with the term ransomware, it’s a type of malware that has proven very lucrative on Windows PCs. Delivered by a Trojan horse, the ransomware “locks” files, usually by encrypting them with password protection, then informs the infected user that if they want access to their files, they must pay up; hence the term “ransom”. Ransomware has been around for the past five years or so (though proof-of-concept forms of this type of malware are much older), and has turned into a serious problem for Windows users.

So the question here is whether this Mac threat is serious or not. So far, it is simply a proof-of-concept of the actual encryption part of the malware; it still needs to be bundled with a well-disguised Trojan horse that will effectively deliver the payload. We know that many Mac users have been taken in by Trojan horses in the past couple of years, so the threat is certainly real, but there is no reason to fear this new malware as of yet.

Here’s an example of a dialog from this proof-of-concept, asking a user to enter a code to unlock their Mac:



When Intego’s Virus Monitoring Center took a close look at this code, its researchers discovered something interesting. The actual code used for this proof-of-concept is something that Apple provides as part of its developer software. Apple has an API that developers can use to create kiosks. A kiosk is a software tool that allows one:

to lock the user into a certain application or disable certain functionality normally available in the operating system.

Apple describes this system in a technical note. What the proof-of-concept is showing is nothing more than a front-end to this kiosk feature. No files are being encrypted, nothing is done to the actual operating system other than launching an application that implements this kiosk system. This does not exclude, of course, that a future version of this ransomware may exist using this kiosk tool in conjunction with other code that could, say, encrypt files. But for now, this proof-of-concept is simply a clever tool by a developer who’s read Apple’s developer documentation.

Nevertheless, the fact that this issue is being discussed is a serious reminder that Macs will eventually be targeted by such threats. As we have seen in recent years, malware writers port some of their threats from Windows to Mac. Ransomware is something that we have not seen in the wild yet, but with the current discussions on certain forums it is highly likely that we will see some in the near future.

Ransomware is a particularly dangerous form of malware. It is not something that infects for fun, or that hides in the background, but rather pure extortion. Intego’s Virus Monitoring Center is following this closely to make sure that, should any Mac ransomware be found in the wild, VirusBarrier X6 will be updated immediately to protect from this type of threat.

Note: Intego has known about this proof-of-concept for a while. We didn’t talk about it when we discovered it because there was no real threat. However, the blog posts linked above have brought this out into the public eye, so we felt it was best to explain exactly what is happening.

Posted by Peter on March 16, 2010 in Security

Apple Issues Safari Security Update

Apple has issued a security update for the Safari web browser, incrementing the program to version 4.0.5. This update covers a total of 16 vulnerabilities in ColorSync, ImageIO and WebKit (the framework used to render web pages), but only ten of these affect Mac OS X (the others affect the Windows version of the program).

A number of these issues could have the following consequences:

Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

These issues involve the way WebKit handles “CSS format() arguments”, “HTML object element fallback content”, “XML documents”, and “incorrectly nested HTML tags” among others.

Full information is available here, and users can download the new version of Safari using Software Update, or from the Safari download page.

Posted by Peter on March 12, 2010 in Apple, Security

Intego Releases VirusBarrier X6 Dual Protection: A Mac Antivirus and a Windows Antivirus in One Box

Intego has announced the release of VirusBarrier X6 Dual Protection, featuring the latest version of its acclaimed anti-malware and network security software together with BitDefender Antivirus 2010 so Mac users can protect their Windows installations. VirusBarrier X6 now provides comprehensive protection from both malware and network threats.

VirusBarrier X6, the latest version of Intego’s anti-malware and network security program, includes new threat-detection techniques, improved methods of detection, combined detection protocols, proactive behavioral analysis, and a full range of defensive functions. VirusBarrier X6 includes more than 100 new features, and is the only antivirus program for Mac that includes full antivirus and anti-malware protection together with a two-way firewall, network protection, anti-phishing, anti-spyware features and more.

For Mac users who run Windows on their Mac, using either Apple’s Boot Camp or virtualization software, VirusBarrier X6 Dual Protection provides security for both Mac OS X and Windows, ensuring that Mac users running Windows will have total protection for both operating systems. BitDefender Antivirus 2010 provides advanced proactive protection against viruses, spyware, phishing attacks and identity theft, and is the top-rated antivirus for Windows.

Find out more about VirusBarrier X6 Dual Protection.

Posted by Peter on March 11, 2010 in Intego Software, Security

Microsoft Updates Office 2004 and 2008

Microsoft has released updates for Office 2004 and 2008, which include security fixes for “vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code.”

The Microsoft Office 2004 11.5.8 update is a mere 9.7 MB, and the Microsoft Office 2008 12.2.4 update is 221.5 MB.

If you use Office, it’s a good idea to keep up with these updates, as they not only provide security fixes, but also improve performance and stability. If you haven’t kept up with Office updates, you cannot, unfortunately, apply the latest update without first applying the previous ones. (Microsoft does not make any combo updates like Apple does.) You can find previous updaters for your software on this page.

Posted by Peter on March 10, 2010 in Other Software, Security

Intego Personal Backup: Save Space with Multiple Backups

When you want to make multiple backups of your files – to keep a number of versions, for example – you may worry about these backups filling up your hard disk. With Personal Backup, there’s a useful feature that lets you make multiple backups without using much space at all. It’s not voodoo, but it relies on an interesting technical trick.

Let’s say you want to keep ten backups of your important work files. You back them up several times a day, and you want to make sure that, if something happens, you can go back to an earlier version. Set up your backup script in Personal Backup with the Backup Options like this:

When Personal Backup runs the first time, it will copy all your files. The second time around, it will create a new folder, and all your files will be in that folder (including those changed since the first backup, but without those deleted since then). However, it won’t take up much more space than the first backup: in fact, the only difference will be those files that you changed or added.

Let’s be even clearer: the first backup is, say, 100 MB. The second, because of some new files, is 105 MB. However, the second backup actually only takes up an additional 5 MB on your hard disk.

The trick that Personal Backup uses is called “hard links.” A hard link is similar to an alias on Mac OS X, but it is, in some ways, the original file. In other words, if you were to delete the first version of a file, the hard link that is the second version of the file will still be there, and it will be the file itself. You can create as many hard links as you want to a file, and as long as one remains, the file is not deleted.

A hard link takes up no additional space, but it appears to. In the above example, you’ll find that the first backup folder is 100 MB and the second 105 MB, but that’s only because the Mac OS X Finder counts each hard link as a separate file when calculating disk space used. However, you’ll find that you still have more free space than you should if you add up the sizes of all your backup folders.

This is a hard concept to grasp, but what it means is that you can keep many backups of your files, and they will only take up more space when you add or change files. Personal Backup even includes an option to keep as many copies as possible until the destination disk is full: in that case, Personal Backup will keep adding new backups until there’s no more room, at which time it will delete the oldest backup(s) so new ones can be added. In this manner, you can keep dozens, even hundreds of backups of your most important files on a hard disk without worrying about filling up the disk.
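The hard-link trick described above, as an added example that is not Personal Backup’s own code: it builds snapshot folders with the Python standard library, hard-linking each file that is unchanged since the previous snapshot and copying only new or changed files. The `demo()` scenario is constructed to mirror the 100 MB / 105 MB example (scaled down to bytes) and also shows that deleting the oldest backup leaves the linked file intact in the newer one.

```python
"""Snapshot backups that share unchanged files through hard links.

Added example (not Intego's code).  A new snapshot looks like a full copy
of the source, but files identical to the previous snapshot are hard
links to it, so each extra snapshot costs only the size of what changed.
Files deleted from the source simply do not appear in the new snapshot.
"""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def latest_snapshot(dest_root: Path):
    """Most recent snapshot folder under dest_root (by name), or None."""
    if not dest_root.exists():
        return None
    snaps = sorted(p for p in dest_root.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def snapshot(source: Path, dest_root: Path, name: str) -> Path:
    """Create dest_root/name as a complete-looking copy of source."""
    previous = latest_snapshot(dest_root)
    snap = dest_root / name
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = snap / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            os.link(old, target)        # unchanged: same inode, no new data blocks
        else:
            shutil.copy2(path, target)  # new or changed: a real copy
    return snap


def apparent_size(root: Path) -> int:
    """What the Finder reports: every path counted as a full file."""
    return sum(p.stat().st_size for p in root.rglob("*") if p.is_file())


def real_size(root: Path) -> int:
    """Bytes actually consumed: each inode counted once, however many links."""
    seen, total = set(), 0
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            if (st.st_dev, st.st_ino) not in seen:
                seen.add((st.st_dev, st.st_ino))
                total += st.st_size
    return total


def demo() -> dict:
    """Constructed scenario: a 100-byte first backup, then one 5-byte new file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dest = tmp / "work", tmp / "backups"
        src.mkdir()
        (src / "report.txt").write_bytes(b"A" * 60)
        (src / "notes.txt").write_bytes(b"B" * 40)
        first = snapshot(src, dest, "backup-1")
        (src / "extra.txt").write_bytes(b"C" * 5)      # only change before backup 2
        second = snapshot(src, dest, "backup-2")
        result = {
            "apparent": apparent_size(dest),           # 100 + 105 = 205
            "real": real_size(dest),                   # 105: the second backup added 5
            "shared_inode": (first / "report.txt").stat().st_ino
            == (second / "report.txt").stat().st_ino,
        }
        shutil.rmtree(first)                           # delete the oldest backup
        result["survives"] = (second / "report.txt").read_bytes() == b"A" * 60
        result["nlink_after"] = (second / "report.txt").stat().st_nlink
        return result


if __name__ == "__main__":
    print(demo())
```

Both folders must live on the same volume, since a hard link cannot cross filesystems; that is also why the space saving only shows up in the free-space figure and not in the per-folder sizes the Finder reports.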

Personal Backup is available as part of Intego Internet Security Barrier.

Posted by Peter on March 9, 2010 in Intego Software, Security

Security Threats Are More than Just Malware

An InfoWorld article, Underrated computing threats that you need to know about, looks at a number of threats to your computer’s security that don’t come directly from malware. Traditionally, malware is considered to be viruses, worms, or Trojan horses, all types of malicious code that either duplicates itself (viruses and worms) or inserts code, and often executables, onto your computer (Trojan horses).

But with the rise in attack techniques, malware writers have been looking at new ways to attack your computer. Some of these methods take advantage of vulnerabilities in software such as Adobe Flash or Acrobat, two programs that have shown a number of weaknesses in recent times. These are especially dangerous, because you can just visit a web site and get hit.

One common manifestation [. . .] comes when the user visits a Web site with a Flash-powered banner ad. No clicking required: as soon as the ad comes up, it delivers its payload. Sometimes it also comes in the form of one of Adobe’s other products — for example, an infected .PDF document, which opens spontaneously upon visiting an ad.

While attacks of this type are not yet targeting Macs, it is highly possible that they will in the future.

Threats also come from Firefox plug-ins, QuickTime flaws, and weaknesses in other applications. There are also risks in following short URLs, the kind used on Twitter posts, because you can’t see where they lead until you get there.
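One way to see where a shortened URL leads before visiting it, as an added example that is not from the post or from Intego: follow the HTTP redirects one hop at a time with HEAD requests, never fetching the final page, and stop on loops, non-web schemes or too many hops. The `fetch_head` parameter and the `CONSTRUCTED_HOPS` table are assumptions of this example so it can be exercised offline; `head_via_urllib` does the same against a live server.

```python
"""Preview a short URL's redirect chain without loading the destination.

Added example (not from the post).  `expand_short_url` asks a fetcher for
the status and Location header of each hop; the default fetcher uses
urllib with automatic redirect-following turned off so each hop can be
inspected before the next request is made.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_via_urllib(url: str, timeout: float = 5.0):
    """One HEAD request: return (status code, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # 3xx surfaces here with _NoRedirect
        return err.code, err.headers.get("Location")


def expand_short_url(url: str, fetch_head=head_via_urllib, max_hops: int = 5):
    """Return (last URL reached, list of hops, True if the chain ended cleanly)."""
    chain, current = [url], url
    for _ in range(max_hops):
        status, location = fetch_head(current)
        if status not in REDIRECT_CODES or not location:
            return current, chain, True          # final destination found
        nxt = urljoin(current, location)         # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            return current, chain, False         # refuse non-web schemes
        if nxt in chain:
            return current, chain, False         # redirect loop
        chain.append(nxt)
        current = nxt
    return current, chain, False                 # too many hops: give up


# Constructed redirect table standing in for real servers (assumption).
CONSTRUCTED_HOPS = {
    "http://short.example/abc": (301, "http://tracker.example/r?x=1"),
    "http://tracker.example/r?x=1": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_head(url: str):
    """Offline fetcher that answers from CONSTRUCTED_HOPS."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    print(expand_short_url("http://short.example/abc", fake_head))
    print(expand_short_url("http://loop.example/a", fake_head))
```

A HEAD request still contacts each intermediate server, so the shortener and any trackers in the chain learn that the link was resolved; what is avoided is loading the final page and whatever it serves.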

Finally, DNS poisoning is a way of hijacking routers so their DNS servers take users to bogus web sites; a highly sophisticated form of phishing.

It’s worth keeping in mind that the threats to your computer are more than just malware, and especially more than simply viruses. Because of these new threats, Intego added a whole range of new defensive features in its VirusBarrier X6. From a two-way firewall to web threat protection, VirusBarrier X6 protects Macs from network threats as well as malware.

Posted by Peter on March 5, 2010 in Other Software, Security

Copyright © 2007-2010 Intego