The Mac Security Blog

Mac OS X Ransomware Threat: Nothing to Worry About Yet

Two blogs are talking about a potential Mac ransomware threat: ZDNet’s Zero Day blog, and Threat Researcher. It turns out that there is a proof-of-concept ransomware floating around in cyberspace, which, while not yet a danger to Macs, raises a number of questions.

First, if you’re not familiar with the term ransomware, it’s a type of malware that has proven very lucrative on Windows PCs. Delivered by a Trojan horse, the ransomware “locks” files, usually by encrypting them with password protection, then informs the infected user that if they want access to their files, they must pay up; hence the term “ransom”. Ransomware has been around for the past five years or so (though proof-of-concept forms of this type of malware are much older), and has turned into a serious problem for Windows users.

So the question here is whether this Mac threat is serious or not. So far, it is simply a proof-of-concept of the actual encryption part of the malware; it still needs to be bundled with a well-disguised Trojan horse that will effectively deliver the payload. We know that many Mac users have been taken in by Trojan horses in the past couple of years, so the threat is certainly real, but there is no reason to fear this new malware as of yet.

Here’s an example of a dialog from this proof-of-concept, asking users to enter a code to unlock their Mac:
When Intego’s Virus Monitoring Center took a close look at this code, its researchers discovered something interesting. The actual code used for this proof-of-concept is something that Apple provides as part of its developer software. Apple has an API that developers can use to create kiosks. A kiosk is a software tool that allows one:

to lock the user into a certain application or disable certain functionality normally available in the operating system.

Apple describes this system in a technical note. What the proof-of-concept is showing is nothing more than a front-end to this kiosk feature. No files are being encrypted, and nothing is done to the actual operating system other than launching an application that implements this kiosk system. This does not exclude, of course, the possibility that a future version of this ransomware could use this kiosk tool in conjunction with other code that, say, encrypts files. But for now, this proof-of-concept is simply a clever tool by a developer who’s read Apple’s developer documentation.

Nevertheless, the fact that this issue is being discussed is a serious reminder that Macs will eventually be targeted by such threats. As we have seen in recent years, malware writers port some of their threats from Windows to Mac. Ransomware is something that we have not seen in the wild on the Mac yet, but given the current discussions on certain forums it is highly likely that we will see some in the near future.

Ransomware is a particularly dangerous form of malware. It is not something that infects for fun, or that hides in the background; it is pure extortion. Intego’s Virus Monitoring Center is following this closely to make sure that, should any Mac ransomware be found in the wild, VirusBarrier X6 will be updated immediately to protect against this type of threat.

Note: Intego has known about this proof-of-concept for a while. We didn’t talk about it when we discovered it because there was no real threat. However, the blog posts linked above have brought this out into the public eye, so we felt it was best to explain exactly what is happening.

iPhone Ransomware? Dutch Hacker Exploits Jailbroken iPhone Bug and Asks for Money

A Dutch hacker has come up with a novel way to make a few euros. Realizing that jailbroken iPhones are generally accessible via ssh, he “breaks into” them, then sends an SMS alert to their owners, telling them the phones are insecure. For 5 euros, he’ll be happy to tell them how to secure their phones.
A bit of background. For those unfamiliar with the term “jailbreak”, it simply means exploiting a weakness in the iPhone so users can install unapproved applications. (Read Wikipedia’s explanation.) Many users do this to get access to iPhone apps that Apple won’t approve. When an iPhone is jailbroken, ssh (secure shell) access is available over a network. However, this access uses a default password that most users don’t change. Since this password is easy to find (Google is your friend), it’s a cinch for anyone to hack into a jailbroken iPhone, if they can find it.

So this Dutch hacker “used port scanning to identify jailbroken iPhones on T-mobile Netherlands with SSH running,” according to an Ars Technica article that links to a forum thread in Dutch explaining the trick. In other words, the hacker just scanned as many phones as he could find, and, in so doing, found those that were jailbroken.

He then directs users, by sending them an SMS, to a web page, where he asks 5 euros for instructions on how to make the phone more secure. This is not technically “ransomware” – malware that usually encrypts files, then asks the user to pay for a password to regain access to those files – but it’s close.

This is not a complicated task. As Ars Technica says:

security researchers have done similar port scanning in the past, and downloaded users’ SMS databases as a “proof of concept.” However, this is the first time that it seems the technique has been used in the wild. It’s worth noting that the technique is fairly trivial and could be done by anyone with even a modicum of networking know-how.

So, if you have jailbroken your iPhone, you would do well to change the default ssh password. Again, Google will help you perform this simple operation. If you don’t, any enterprising hacker can get access to everything your phone contains. You don’t want that to happen…