Back in the mid-1990s, when Apple was unquestionably doomed,
I would joke that the near-complete lack of viruses for its computers
represented yet another example of developers unfairly ignoring the Mac
in favor of Windows.
These days, nobody would get that joke. Apple is printing money, and the Mac now has its share of malware. The latest case: A bit of ransomware, discovered last weekend, which used a form of identity theft to fool OS X’s security system.
How this happened
This crime had two victims. One was the well-regarded BitTorrent client Transmission,
which was hijacked by some still-unknown attackers. The other:
Transmission users who downloaded what they thought was a minor update
and instead saw their files encrypted by its malicious code until they
paid a ransom of 1 bitcoin (about $411 at current exchange rates).
Windows users are all too familiar with the ransomware routine,
in which malicious code silently encrypts files on your computer and
its attached drives and then gives you a few days to pay for a key to
unlock them. If you don’t knuckle under in time, the attackers delete
the key, and your data’s gone.
The
ransom often “only” costs from one to three bitcoin. But this winter,
the Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of 40 bitcoin — about $17,000 — after unspecified ransomware infected its network.
In the Transmission case (which was first reported by Palo Alto Networks),
the attackers hacked the developers’ site and posted a compromised
version of that app containing code that Palo Alto christened
“KeRanger.”
By default, OS X’s Gatekeeper security
only allows apps signed by their developers with digital certificates
issued by Apple to run. (It’s possible for users to circumvent that
system with a right-click, which is both easy and sometimes necessary in order to run apps from small shops.) But whoever posted the poisoned version of Transmission was able to sign it anyway by using another developer’s certificate.
“We’re
not commenting on the avenue the attackers used to compromise the Web
server, but to be clear: the certificate used to sign the compromised
binary was not our certificate,” Transmission’s John Clay said in an
e-mail. “It was a certificate obtained through Apple by another party,
perhaps fraudulently.”
After
Palo Alto Networks informed Transmission and Apple, the former removed
the KeRanger-infected download and the latter revoked that certificate.
(Apple PR declined to answer an e-mail sent Monday asking for comment.)
Why it will probably happen again
An
attack like this works because it takes advantage of a key rule for
staying safe online: Don’t talk to strangers. Because we don’t have time
to run a background check on every app developer, we count on systems
like Gatekeeper to filter out the evil ones. (Historically, Google’s
Android worked in a similar way, but in the last couple of years it’s added automated and human malware screening.)
If that line of defense leaks, good luck spotting anything awry.
“The
only way for a user to notice this is to notice something fishy about
the owner of the certificate when they install,” wrote Steve Kelly,
president of the Mac-security firm Intego. “That’s quite likely to squeak by a lot of users.”
(Ryan Olson, director of threat intelligence at Palo Alto Networks, said a firewall configured to block the anonymous and encrypted Tor network that KeRanger employed to get its encryption key would also have worked. We all totally know how to do that, right?)
Online
thieves will keep trying this tactic because it works. As Olson wrote
in an e-mail: “Attackers know that being embedded in legitimate software
helps them infect more people.”
For
example, a few weeks ago attackers uploaded a compromised download of
an entire operating system — Linux Mint, a beginner-friendly version of
the open-source Linux software — and hacked the real thing’s site to point to the poisoned version.
The
way anybody can inspect and edit the code of open-source projects like
Transmission and Linux Mint may make them easier targets, Intego’s Kelly
said. As somebody who frequently uses and endorses open-source software
— I rely on one such tool to encrypt and decrypt some e-mail messages — I did not find that comforting.
But last September, hundreds of iOS apps were compromised with malware when attackers somehow got developers to use an infected version of Apple’s XCode software-development toolkit.
As
that example should illustrate, retreating inside the walls of app
stores cannot guarantee security either. And in OS X, Apple’s Mac App
Store makes an even less likely refuge.
As my colleague Dan Miller wrote in December,
the limits Apple imposes on other people’s apps but not its own,
combined with a slow and arbitrary review process that holds up even bug
fixes, is pushing developers away from that outlet.
You
can, I guess, wait to install each app’s latest update until other
people have vouched for it as safe. But what if that update’s advertised
feature is itself a security fix that will close a critical
vulnerability in the current version?
I don’t have a good answer for that — and I don’t like that at all.
